Analysis notes

A place to jot down notes from malware analysis and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 51 – 2023 - MALWARE

This entry shows the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), and was automatically generated and posted to make it easy to skim which articles to check. You can find 4n6 here.

MALWARE

Arda Büyükkaya

YouTube video

ASEC

AhnLab Security Emergency response Center (ASEC) recently identified the distribution of a malicious exe file disguised as material related to a personal data leak, targeting individual users. The final behavior of this malware could not be observed because the C2 was closed, but the malware is a backdoor that receives obfuscated commands from the threat actor and executes them in xml format.
Figure 1. An email impersonating a cyber investigation team
Figure 2. The malicious exe file disguised a...

Remote administration tools are software for managing and controlling terminals at remote locations. The tools can be used as work-at-home solutions in circumstances such as the COVID-19 pandemic and for the purpose of controlling, managing, and repairing unmanned devices remotely. Such remote control tools used for legitimate purposes are called RAT, meaning “Remote Administration Tools.” Additionally, backdoor malware types such as Remcos RAT, njRAT, Quasar RAT, and AveMaria are called Remote ...

Cryptax

I got my hands on a new sample of Android/BianLian (sha256: 0070bc10699a982a26f6da48452b8f5e648e1e356a7c1667f393c5c3a1150865), a banking botnet I have been tracking for months (no, years). On December 14, 2023, there are 6 active C&C for Android/BianLian botnet. This is a partial list which shows (1) a known active C&C (“UP”), (2) a new active C&C (“NEW”) and (3) an old C&C which is no longer active.
Attempt to unpack #1
As most samples are packed no...

Hex Rays

Posted on: 13 Dec 2023 By: Alex Petrov Categories: IDA Pro Programming Tags: IDA Pro plugin This is a guest entry written by Alexander Hanel from CrowdStrike. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author. Msdocviewer: A simple tool for viewing Microsoft’s technical specifications An invaluable resource when reverse engineering Portable Executable (PE) binaries is Microsoft’s Windows Ap...

Posted on: 15 Dec 2023 By: Igor Skochinsky Categories: IDA Pro Tags: IDA Pro idapro idatips When you load a file into IDA, whether a standard executable format (e.g. PE, ELF, Mach-O), or a raw binary, IDA assigns a particular address range to the data loaded from it, either from the file’s metadata or user’s input (in case of binary file). The lowest address from those occupied by the file is commonly called imagebase and you can usually see it in the file comment at the start of the disassembl...

Mohitrajai

What is Lockbit 3.0 Ransomware?
⮚ Lockbit ransomware is known for its ability to spread rapidly across networks, encrypting files and demanding payment for decryption keys. The “3.0” in LockBit 3.0 likely indicates a newer version or variant of the original LockBit ransomware. Ransomware attacks are often carried out by cybercriminals seeking financial gain.
⮚ Lockbit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model. It is ...

Petikvx

YouTube video

YouTube video

Quick Heal

By Quickheal 13 December 2023 6 min read Cerber is a strain of ransomware that was first identified in early 2016. It is a type of malware that encrypts a victim’s files and demands a ransom for the decryption key needed to unlock the files. Cerber, like many other ransomware variants, typically targets individuals and organizations by encrypting their files and demanding a ransom payment (usually in cryptocurrencies like Bitcoin) for the decryption key. Technical Analysis: The Cerb...

Sonatype

December 14, 2023 By Ilkka Turunen 3 minute read time Earlier today, Ledger, a maker of hardware wallets for storing crypto, announced that they had identified malicious software embedded in one of their open source packages called @ledgerhq/connect-kit. This package is widely used as a connector between distributed blockchain applications and crypto wallets that back them up. This analysis delves into the specifics of the versions 1.1.5 to 1.1.7 compromise, cataloged in our data under so...

Trend Micro

Analyzing AsyncRAT's Code Injection into aspnet_compiler.exe Across Multiple Incident Response Cases
This blog entry delves into MxDR's unraveling of the AsyncRAT infection chain across multiple cases, shedding light on the misuse of aspnet_compiler.exe, a legitimate Microsoft process originally designed for precompiling ASP.NET web applications. By: Buddy Tancio, Fe Cureg, Maria Emreen Viray December 11, 2023 During our recent investigations, the Tren...

In this blog entry, we discuss the technical details of CVE-2023-50164, a critical vulnerability that affects Apache Struts 2 and enables unauthorized path traversal. By: Jagir Shastri December 15, 2023 Apache has recently released an advisory regarding CVE-2023-50164, a critical vulnerability with a severity rating of 9.8 that affects Apache Struts 2. CVE-2023-50164 is intricately tied to an organization's Apache Struts architecture and the way it use...

Jean-Francois Gobin at Truesec

WeLiveSecurity

The past year has seen over 10,000 downloads of malicious packages hosted on the official Python package repository. Marc-Etienne M.Léveillé, Rene Holt, 12 Dec 2023, 8 min. read. ESET Research has discovered a cluster of malicious Python projects being distributed in PyPI, the official Python package repository. The threat targets both Windows and Linux systems and usually delivers a custom backdoor. In some cases, the final payload is a variant of the infamous W4SP Stealer, or a simple clipboard ...

ESET researchers document a series of new OilRig downloaders, all relying on legitimate cloud service providers for C&C communications. Zuzana Hromcová, Adam Burgher, 14 Dec 2023, 30 min. read. ESET researchers analyzed a growing series of OilRig downloaders that the group has used in several campaigns throughout 2022, to maintain access to target organizations of special interest – all located in Israel. These lightweight downloaders, which we named SampleCheck5000 (SC5k v1-v3), OilCheck, ODAgent...

Zhassulan Zhussupov

Malware development: persistence - part 23. LNK files. Simple Powershell example.
3 minute read ﷽ Hello, cybersecurity enthusiasts and white hackers! This post is based on my own research into one of the more interesting malware persistence tricks: via Windows LNK files.
LNK
According to Microsoft, an LNK file serves as a shortcut or “link” in Windows, providing a reference to an original file, folder, or application. For regular users, these files serve a meaningful purpose, facilitating file o...

1 minute read ﷽ Hello, cybersecurity enthusiasts and white hackers! Alhamdulillah, I finished writing this book today. It was quite difficult. In sha Allah everything will be fine. O Allah, Lord of the Worlds, give strength to all children who are fighting for their lives. Why is the book called that? MALWILD - means Malware in the Wild. I will be very happy if this book helps at least one person to gain knowledge and learn the science of cybersecurity. The book is mostly practice oriented. This...