Analysis Notes

A place to jot down notes from trying my hand at malware analysis and anything that seemed useful for analysis work.

4n6 Week 52+1 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was generated and posted automatically: it shows the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics) so that the articles worth checking can be skimmed quickly. The 4n6 roundup itself can be found here.

THREAT INTELLIGENCE/HUNTING

Adam at Hexacorn

Posted on 2023-12-25 by adam Many Windows tools support commands f.ex.: reg.exe – QUERY, ADD, DELETE, COPY, SAVE, RESTORE, LOAD, UNLOAD, COMPARE, EXPORT, IMPORT, FLAGS sc.exe – config, continue, control, create, delete, description, EnumDepend, failure, failureflag, GetDisplayName, GetKeyName, interrogate, managedaccount, pause, preferrednode, privs, qc, qdescription, qfailure, qfailureflag, qmanagedaccount, qpreferrednode, qprivs, qprotection, qsidtype, qtriggerinfo, query, queryex, quserservic...

Posted on 2023-12-25 by adam The little known secret of regsvr32.exe is… You ready? You can load multiple DLLs at the same time. Yup. And not just one extra, but many. Let’s have a look at an example: regsvr32.exe c:\WINDOWS\system32\hhctrl.ocx foo will first load c:\WINDOWS\system32\hhctrl.ocx and then foo.dll. We can do it multiple times: regsvr32.exe hhctrl.ocx hhctrl.ocx hhctrl.ocx hhctrl.ocx hhctrl.ocx foo ...

Posted on 2023-12-27 by adam There is an archaic feature that regsvr32.exe leverages to autoregister libraries associated with file extensions. For this to work, it expects an AutoRegister key to be present under the file extension handler with a default value pointing to the library f.ex: file extension entry: txt -> txtfile; file handler: txtfile; autoregister entry: txtfile\AutoRegister {Default} => Library. As such, one can use regsvr32.exe to load library of their choice without passing it as a ...

Posted on 2023-12-26 by adam When you execute 32-bit version of runonce.exe on a 64-bit version of Windows and pass to it the /RunOnceEx6432 argument you will make the program load iernonce.dll library and execute its RunOnceExProcess API… Since the iernonce.dll library is loaded using LoadLibraryW we can simply copy runonce.exe to a different folder, and run it from there. This will load the iernonce.dll library we can control… ...

Posted on 2023-12-28 by adam In the past I wrote a few times about the side-effect of having 2 binaries named the same way and residing in respective System32 and SysWOW64 directories. Regsvr32.exe is not different. If you run a 32-bit Regsvr32.exe with a command line argument being a path to a 64-bit DLL or OCX, it will spawn its 64-bit twin Regsvr32.exe to handle the request: I am happy to report that regsvr32.exe is using GetSystemDirectoryW and GetSystemWow64Directory2W APIs instead of relyi...

Posted on 2023-12-29 by adam The program in the title of this post is not very well-known. It’s being used for some random Bluetooth stuff that not too many PC users care about (okay, it’s a bit of a stretch, but I guess it’s really not very well-known). How do you make a use of a binary no one cares about? When I first looked at fsquirt.exe's command line arguments, I immediately thought of using it in my Beyond Good Ol’ Run key series as it was really a perfect candidate – until I discovered t...

Posted on 2023-12-30 by adam The program has been changed since win10 and it now loads wdscore.dll almost immediately after it starts. Unfortunately, while it does so via LoadLibraryEx, the API is called in a way that is identical with calling LoadLibrary (both LoadLibraryEx arguments are zeroes). As such, one can copy the file to some other folder, and load malicious wdscore.dll. ...

Ahmed Belhadjadji

Ankit Bishnoi

Ankit Bishnoi, Digital Forensics & Incidence Response | Threat Analyst | Cyber Crime Intervention Officer | Forensics Expert | InfoSec Speaker. Published Dec 25, 2023. Process explorer is a sysinternals tool, and like every sysinternals tool, it can be used for operations such as system administration and troubleshooting. Process Explorer, which is our subject, can be thought of as an advanced version of Task Manager. Process Explorer, with its features, c...

Francis Guibernau at AttackIQ

Bitdefender

Bitdefender Enterprise December 28, 2023 As we wrap up 2023, we want to express our sincere thanks for your steadfast support. Starting this December, we're shaking things up with our monthly reports, giving the Bitdefender Threat Debrief a fresh twist. In 2024, you'll notice a change – our insightful Bitdefender MDR team won't be sharing their regular tidbits. No worries, though; they're still behind the scenes, working their cybersecurity magic. Keep an eye out for the gradual rollout of our u...

Brad Duncan at Malware Traffic Analysis

2023-12-29 (FRIDAY): GOOTLOADER INFECTION NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-12-29-IOCs-for-GootLoader-infection.txt.zip 1.4 kB (1,390 bytes) 2023-12-29-GootLoader-infection-traffic-carved.pcap.zip 926.8 kB (926,820 bytes) 2023-12-29-GootLoader-malware-and-artifacts.zip 28.3 MB (28,339,116 bytes) IMAGES Shown above: Found a fake forum page through a Google search. Shown above: Downloading a malicio...

CERT Ukraine

Check Point

Yehuda Gelb at Checkmarx Security

Cyfirma

Published On : 2023-12-29 Share : Ransomware of the Week CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization. Type: Ransomware. Target Technologies: MS Windows Target Industries: Accounting, Advertising & Marketing, Aerospace, Agriculture, Airlines, Apparel Retailers, Automobiles, Banks, Basic Resources, Busi...

Shunichi Imano and Fred Gutierrez at Fortinet

Ransomware Roundup - 8base By Shunichi Imano and Fred Gutierrez | December 28, 2023 On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. Th...

Matt Kiely at Huntress

Combating Emerging Microsoft 365 Tradecraft: Initial Access, December 27, 2023, by Matt Kiely. At Huntress, we wake up every morning, pour our caffeinated or decaffeinated beverage of choice, sit down at our desks, and ask the same question...

Kevin Beaumont at DoublePulsar

Lab52

December 21, 2023 Around mid-year, Lab52 published a report on ransomware that included both geopolitical and cyber intelligence content. The report includes the analysis of different sources of information and showcases some of our cyberintelligence findings in this regard. However, the activity of this type of malware prompts Lab52 to closely track the various recorded cases. Therefore, taking advantage of the approaching end of the year 2023, we believe it’s a good time to share some reflect...

Nischal Khadgi at Logpoint

By Nischal Khadgi | December 27th, 2023 | 3 min read. Fast Facts about Rhysida: Rhysida emerged as one of the most active ransomware groups in November 2023. Targets medium to large-scale industries with a significant impact on the education sector. Victims of the Rhysida group are spread across 25 countries, with a majority of victims in the United States. Utilizes the malware families PortStarter and SystemBC. Rhysida employs a double extortion technique, stealing data fr...

Matt Edmondson at Digital Forensics Tips

December 28, 2023 Favicons (short for favorite icons) are the cute little pixelated images that appear next to the site name in web browser tabs, bookmarks, etc. In the image below we can see the iconic GitHub logo on their site and the KFC logo on a bucket of chicken on their site. Originally, favicons were designed to add a touch of professionalism and branding, but for anyone who is like me and has over a dozen tabs open at any time, favicon...

Microsoft Security Response Center

MSRC / By MSRC / December 28, 2023 / 2 min read Summary In recent months, Microsoft Threat Intelligence has observed threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. We have addressed and mitigated this malicious activity by turning off ms-appinstaller by default. Additionally, Microsoft has coordinated with Certificate Authorities to revoke the abused code signing certificates utilized by malware samples...

Living Of The SHIMS – Built-In SHIM DB Hijacking

Samantha Stallings and Brad Duncan at Palo Alto Networks

By Samantha Stallings and Brad Duncan, December 29, 2023 at 6:00 AM. Category: Malware. Tags: AsyncRAT, BokBot, DarkGate, IcedID, JinxLoader, PikaBot, Remote Access Trojan, Trojan, Wireshark. Executive Summary This article summarizes the malware families (and groups pushing malware) seen by Unit 42 and shared with the broader threat hunting community through our social channels. Some malware – such as IcedID and Dar...

Resecurity

Malware Intelligence 27 Dec 2023 password stealer, credentials, 2024, cryptocurrency theft On Christmas Eve, Resecurity's HUNTER (HUMINT) spotted the author of perspective password stealer Meduza has released a new version (2.2). This product has already generated significant interest in Dark Web after the initial release in June this year. One of the key significant improvements are support of more software clients (including browser-based cryptocurrency wallets), upgraded credit card (CC) grab...

RussianPanda

RussianPanda Case Study Pure Logs Stealer first appeared on hacking forums at the end of October 2022. The stealer is developed by a malware developer going under the alias PureCoder. The malware developer is also behind in developing the products shown above, such as Pure Miner, Pure Crypter, Pure hVNC, Blue Loader, and other products, including HWID reset, Discord DM Worm, and Pure Clipper. The malware developer periodically pushes updates to their products. The view of the File Grabber pa...

RussianPanda Stealer’s World of Drama Previously, I wrote a blog going through some of MetaStealer’s functionalities and did a brief comparison with Redline since they are both very similar but, at the same time, different. You might say that all stealers are the same because they have one purpose - to steal. However, each of them is somewhat different from the others, even if they borrowed the code from their predecessors. Every stealer tries to be better than the other one despite having simil...

SANS Internet Storm Center

Unveiling the Mirai: Insights into Recent DShield Honeypot Activity [Guest Diary] Published: 2023-12-27 Last Updated: 2023-12-28 01:03:42 UTC by Guy Bruneau (Version: 1) 0 comment(s) [This is a Guest Diary by Elias Bou Zeid, an ISC intern as part of the SANS.edu BACS program] Introduction In this digital age, as our dependence on technology grows, understanding which devices are connected to our networks and keeping track of their security updates is critically important. In this post, I dig int...

Boris Larin at Securelist

Research 27 Dec 2023 Authors Boris Larin Today, on December 27, 2023, we (Boris Larin, Leonid Bezvershenko, and Georgy Kucherin) delivered a presentation, titled, “Operation Triangulation: What You Get When Attack iPhones of Researchers”, at the 37th Chaos Communication Congress (37C3), held at Congress Center Hamburg. The presentation summarized the resu...

SentinelOne

LABScon / December 26, 2023 In this enlightening LABScon Replay session, Vitor Ventura, senior security researcher at Cisco Talos, alongside Michael Gentile, delves into the intriguing evolution of Intellexa and Cytrox in the spyware domain. The Developmental Saga of Intellexa and Cytrox Mercenary spyware companies need to evolve their spyware capabilities just like software from any other commercial company. This presentation details an account and timeline of one such mercenary organization, f...

LABScon / December 28, 2023 The excitement surrounding speculative execution attacks may have subsided, but sadly, such threats remain. Binarly Research has discovered a vast attack surface still vulnerable to known issues like Spectre v1 and v2 on AMD silicon. Ineffective mitigations and the complexity of validation negatively impact the AMD device ecosystem. While the industry is currently concentrating on constructing confidential computing infrastructure, foundational design problems reveal ...

SOCRadar

Raimundo Alcázar at VirusTotal
