Analysis Notes

A place to jot down malware analyses I have tried and things I thought might be useful for analysis.

4n6 Week 52 – 2023 - MALWARE

This entry was auto-generated and posted to show the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that I can skim through and pick the articles to check. The 4n6 roundup itself can be found here.

MALWARE

Doug Burks at Security Onion

Thanks to Brad Duncan for sharing this pcap from 2023-07-25 on his malware traffic analysis site! Google currently has a warning for the site, so we're not including the actual hyperlink but it should be easy to find. We did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to follow along, you can do the following: install Security Onion 2.4 in a VM: ://docs.securityonion.net/en/2.4/first-time-users.html ; import the pcap using so-import-pcap: ://docs.securityonion.net/en/2.4/so...

Dr Josh Stroschein

YouTube video

Igor Skochinsky at Hex Rays

Posted on: 22 Dec 2023 By: Igor Skochinsky Categories: IDA Pro. Even though most manipulations with binaries can be done directly in IDA, you may occasionally need to use other tools. For example, Binwalk for basic firmware analysis, or a hex editor/viewer to find interesting patterns in the file manually. Let's say you found an interesting text or byte pattern at some offset in the file and want to look at it in IDA. In case of raw binary (e.g. a firmware) loaded at 0, the solution is simp...
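The excerpt stops at the easy case (raw binary loaded at 0, where address = offset). The added example below, which is mine and not from the Hex-Rays post, carries the same offset-to-address mapping through to the general case a hex editor find usually lands you in: a PE file, where a file offset has to be translated through the section table (RVA = VirtualAddress + (offset - PointerToRawData), plus ImageBase) and may not be mapped at all (overlay). The reverse direction is included because "Jump to file offset" in IDA is the same arithmetic backwards. The PE bytes are a constructed minimal PE32+ image built in `build_sample_pe`, not a real executable; the MZ check as the raw-binary heuristic is an assumption of this example.

```python
import struct


def parse_pe(data):
    """Return (image_base, size_of_headers, [(name, va, vsize, raw_ptr, raw_size), ...]).

    Walks DOS header -> PE signature -> COFF header -> optional header -> section table.
    """
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    # COFF: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:      # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0"), va, vsize, raw_ptr, raw_size))
    return image_base, size_of_headers, sections


def file_offset_to_va(data, offset, load_base=0):
    """Address IDA would show for a byte found at file offset `offset`."""
    if data[:2] != b"MZ":          # raw binary (firmware dump etc.): loaded flat at load_base
        return load_base + offset
    image_base, size_of_headers, sections = parse_pe(data)
    if offset < size_of_headers:   # headers are mapped 1:1, RVA == file offset
        return image_base + offset
    for _name, va, _vsize, raw_ptr, raw_size in sections:
        if raw_ptr <= offset < raw_ptr + raw_size:
            return image_base + va + (offset - raw_ptr)
    return None                    # overlay or inter-section slack: never mapped


def va_to_file_offset(data, va, load_base=0):
    """Inverse mapping: where in the file do the bytes at virtual address `va` live?"""
    if data[:2] != b"MZ":
        return va - load_base
    image_base, size_of_headers, sections = parse_pe(data)
    rva = va - image_base
    if 0 <= rva < size_of_headers:
        return rva
    for _name, sva, _vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + raw_size:   # only the part of the section backed by file bytes
            return raw_ptr + (rva - sva)
    return None                           # .bss-style memory with no file backing, or outside image


def build_sample_pe():
    """Constructed minimal PE32+ for the example (not a real executable):
    0x400 bytes of headers, .text raw at 0x400 (0x600 bytes) mapped at RVA 0x1000,
    .data raw at 0xA00 (0x200 bytes) mapped at RVA 0x2000, then 0x40 bytes of overlay."""
    image_base = 0x140000000
    secs = [(b".text", 0x1000, 0x500, 0x400, 0x600),
            (b".data", 0x2000, 0x100, 0xA00, 0x200)]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<I", opt, 60, 0x400)                       # SizeOfHeaders
    hdrs = bytearray(dos + b"PE\0\0" + coff + opt)
    for name, va, vsize, raw_ptr, raw_size in secs:
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr,
                            0, 0, 0, 0, 0x60000020)
    hdrs += b"\0" * (0x400 - len(hdrs))
    return bytes(hdrs) + b"\xCC" * 0x600 + b"\xDD" * 0x200 + b"OVERLAY!" * 8


if __name__ == "__main__":
    pe = build_sample_pe()
    for off in (0x100, 0x450, 0xA10, 0xC10):
        va = file_offset_to_va(pe, off)
        print("file offset 0x%x -> %s" % (off, "unmapped" if va is None else "0x%x" % va))
```

A `None` from `file_offset_to_va` is the interesting case: the pattern you found with the hex editor sits in the overlay (or in slack between sections), so IDA never loaded those bytes and you need to load the file as raw or use a manual segment rather than jump to an address.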

Fernando Ruiz at McAfee Labs

Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices McAfee Labs Dec 22, 2023 14 MIN READ Authored by Fernando Ruiz McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows building Android and iOS apps with .NET and C#. Dubbed Android/Xamalicious it tries to gain accessibility privileges with social engineering and then it communicates with the command-and-control server to evaluate whether or not to download a second...

Ghanashyam Satpathy and Jan Michael Alcantara at Netskope

OALABS Research

Taking a look at a new version of the DanaBot Core Dec 17, 2023 • 3 min read danabot core delphi Overview Samples Old Core New Core Overview In our previous post we took a look at an older version of the Danabot loader used to download and inject the core module. In this post we will take a look at a current loader-core combination. The older version of the loader is still in operation but this new version that contains the core embedded in it is distributed in parrallel. The core has also chang...

PetiKVX

Dec 20, 2023 • petikvx //app.any.run/tasks/66d70e91-7351-484c-b222-3907f1f92925 History Dharma, also known as Crysis, is a type of ransomware, a malicious software that encrypts files on a computer or a computer network and then demands a ransom in exchange for the decryption key to restore the files. Here are some important features of the Dharma ransomware: Initial Discovery: Dharma ransomware was initially discovered around October 21, 2017. Originally, it was known as Crysis before...

YouTube video

Securelist

Research 21 Dec 2023 minute read Authors Boris Larin This is part five of our study about the Common Log File System (CLFS) and five vulnerabilities in this Windows OS component that have been used in ransomware attacks throughout the year. Please read the previous parts first if you haven’t already. You can skip to the other parts using this table of contents or using the link at the end of this part. Part 1 – Windows CLFS and five exploits of ransomware operators Part 2 – Windows CLFS and five...

Research 21 Dec 2023 minute read Authors Boris Larin This is part four of our study about the Common Log File System (CLFS) and five vulnerabilities in this Windows OS component that have been used in ransomware attacks throughout the year. Please read the previous parts first if you haven’t already. You can skip to the other parts using this table of contents or using the link at the end of this part. Part 1 – Windows CLFS and five exploits of ransomware operators Part 2 – Windows CLFS and five...

Research 21 Dec 2023 minute read Authors Boris Larin This is the third part of our study about the Common Log File System (CLFS) and five vulnerabilities in this Windows OS component that have been used in ransomware attacks throughout the year. Please read the previous parts first if you haven’t already. You can skip to the other parts using this table of contents or using the link at the end of this part. Part 1 – Windows CLFS and five exploits of ransomware operators Part 2 – Windows CLFS and...

Research 21 Dec 2023 minute read Authors Boris Larin In April 2023, we published a blog post about a zero-day exploit we discovered in ransomware attacks that was patched as CVE-2023-28252 after we promptly reported it to Microsoft. In that blog post, we mentioned that the zero-day exploit we discovered was very similar to other Microsoft Windows elevation-of-privilege (EoP) exploits that we have seen in ransomware attacks throughout the year. We found that since June 2022, attackers have used e...

Research 21 Dec 2023 minute read Authors Boris Larin This is the second part of our study about the Common Log File System (CLFS) and five vulnerabilities in this Windows OS component that have been used in ransomware attacks throughout the year. Please read the previous part first if you haven’t already. You can skip to the other parts using this table of contents or using the link at the end of this part. Part 1 – Windows CLFS and five exploits of ransomware operators Part 2 – Windows CLFS and...

Research 21 Dec 2023 minute read Authors Boris Larin This is part six of our study about the Common Log File System (CLFS) and five vulnerabilities in this Windows OS component that have been used in ransomware attacks throughout the year. Please read the previous parts first if you haven’t already. You can go to other parts using this table of contents: Part 1 – Windows CLFS and five exploits of ransomware operators Part 2 – Windows CLFS and five exploits of ransomware operators (Exploit #1 – C...

Ben Martin at Sucuri

Martin Balc’h at Synacktiv

Written by Martin Balc'h - 21/12/2023 - in Outils , Système - Download In this series of articles, we talk about the ins and outs of how to build a keylogger for Windows that is able to support all keyboard layouts and reconstruct Unicode characters correctly regardless of the language (excluding those using input method editors). In the first part, after a brief introduction introducing the concepts of scan codes, virtual keys, characters and glyphs, we describe three different ways to capture ...