Analysis Memo

A place to jot down notes from trying my hand at malware analysis, and anything that seemed like it might be useful for analysis.

4n6 Week 02 – 2024 - MALWARE

This entry was generated and posted automatically: it shows the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics) so that the articles worth checking can be zapped through quickly. 4n6 itself can be found here.

MALWARE

0day in {REA_TEAM}


Any.Run

January 9, 2024, 8 min read: Talking Traffic Analysis with ANY.RUN Ambassador, Jane_0sint. Today, we're sitting down with ANY.RUN's ambassador and the author of the best tweets on ANY.RUN's Twit...

January 11, 2024, 6 min read: Which type of malware resides only in RAM? Explaining fileless malware. Unlike most malware, which requires user installation, f...

ASEC

The “Internal Reconnaissance in Domain Environments Detected by EDR” [1] post covered cases where EDR was used to detect the process of a threat actor taking over a system in an Active Directory environment before conducting internal reconnaissance to collect information. If an organization’s infrastructure is an environment that uses Active Directory, the threat actor can perform internal reconnaissance to collect information on the domain environment, steal account credentials, use these for l...

Avast Threat Labs

Dr Josh Stroschein

YouTube video

Forcepoint

X-Labs, January 8, 2024: Details of a new, novel advanced malware attack using Microsoft Office. Forcepoint X-Labs has today uncovered an advanced Microsoft Office-based attack against prominent business leaders in the run up to a country's general elections. The attack starts off with a seemingly inconspicuous email regarding voting in the upcoming general election, as follows: "...

Nikhil “Kaido” Hegde

INC Linux Ransomware - Sandboxing with ELFEN and Analysis. Metadata: SHA256 a0ceb258924ef004fa4efeef4bc0a86012afdb858e855ed14f1bbd31ca2e42f5 (VT link). Family Introduction: INC Linux ransomware emerged in July 2023 and is operated by a group known by the ...

OALABS Research

Introduction To VM Protection - VMZeus. Reverse Engineering VM obfuscation. Jan 7, 2024 • 1 min read. Tags: vmzeus, zeus, vm, obfuscation, tutorial. Overview: We are going to take a look at one of the original "VM" protections used in malware, VM Zeus. Zeus is one of the original "botnets" that put ecrime on the map. The source code was sold (and eventually leaked), which led to many different variants. One of the v...

PetiKVX

Jan 9, 2024 • petikvx. Packed Version at ANY.RUN. Unpacked Version at ANY.RUN. Unpacking Malware. Here are the file's details:
petik@labvx:$ diec -d 446211d2ed10ab785a224abd5e731213af864064dd484cdb74fd5b3b8ebafd10
PE32
Compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32]
Compiler: Microsoft Visual C/C++(19.36.32420)[C]
Linker: Microsoft Linker(14.36.32537)
Tool: Visual Studio(2022 version 17.6)
petik@labvx:$ diec -e 446211d2ed10ab785a224abd5e731213af864064dd484cdb74fd5b3b8ebafd10
Tot...

ReversingLabs

Here's an overview of the key product updates to ReversingLabs malware analysis and threat hunting solutions from 2023. Throughout ReversingLabs' 14-year history, our products have constantly excelled and improved to tailor to the needs of our customers and match the changing cybersecurity threat landscape. 2023 was no exception to this growth in product quality. This past year, we have delivered key improvements to ReversingLabs Threat Intelligence, Elastic Threat Infrastructure, and Threat Analys...

Ayush Anand at Securityinbits

January 10, 2024. Tags: CyberChef, CyberChef Recipe, Infostealer, PowerShell, RedLine. By Ayush Anand. In this quick blog post, we'll explore the various combinations of CyberChef operations, e.g. Generic Code Beautify, Subsection, Fork, Subtract etc., to deobfuscate the second-stage PowerShell script used in the RedLine stealer infection chain. The PowerShell contains multiple arrays consisting of integers. It emplo...
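The excerpt above is cut off before it shows the recipe, so the following is an added example, written for this digest and not taken from the Securityinbits post or from the RedLine sample it analyses. It replicates offline, in Python, the CyberChef chain the post names (Subsection to select each integer array, Fork to process each one on its own, Subtract a constant, then From Decimal) on a constructed PowerShell fragment of the same shape: several `@( ... )` integer arrays plus a decode stub that subtracts a constant before casting to `[char]`. The fragment, the variable names and the offset 3 are all made up for the example, and the assumption that the stage uses plain subtraction (rather than, say, XOR) is exactly that, an assumption; a real sample's decode stub has to be read first to pick the matching operation.

```python
"""Replicate a CyberChef 'Subsection -> Fork -> Subtract -> From Decimal' recipe.

Constructed example for this digest; NOT the RedLine second stage and NOT the
recipe from the Securityinbits post. It assumes the pattern the post describes:
several integer arrays, each element offset by a constant that the script's
own decode stub subtracts before casting to [char].
"""
import re
from typing import Dict, List

# Constructed second-stage-like PowerShell (made up for this example).
SAMPLE_PS = r"""
$a = @(86,119,100,117,119,48,83,117,114,102,104,118,118)
$b = @(115,114,122,104,117,118,107,104,111,111)
$c = @(107,108,103,103,104,113)
$d = ($a | % { [char]($_ - 3) }) -join ''
"""

# Subsection step: one regex for the arrays, one for the decode stub's constant.
ARRAY_RE = re.compile(r"\$(\w+)\s*=\s*@\(\s*([\d\s,]+?)\s*\)")
KEY_RE = re.compile(r"\[char\]\(\s*\$_\s*-\s*(\d+)\s*\)")


def recover_key(script: str) -> int:
    """Read the subtracted constant out of the '[char]($_ - N)' decode stub."""
    m = KEY_RE.search(script)
    if not m:
        raise ValueError("no '[char]($_ - N)' decode stub found; check the transform")
    return int(m.group(1))


def extract_arrays(script: str) -> Dict[str, List[int]]:
    """Select every '$name = @( ints )' array, keyed by variable name."""
    return {
        name: [int(x) for x in body.split(",")]
        for name, body in ARRAY_RE.findall(script)
    }


def decode_array(values: List[int], key: int) -> str:
    """Fork -> Subtract -> From Decimal for a single array."""
    chars = []
    for v in values:
        code = v - key
        # A wrong key shows up here as an out-of-range code point instead of
        # silently producing garbage.
        if not 0 <= code < 0x110000:
            raise ValueError(f"{v} - {key} is not a valid code point")
        chars.append(chr(code))
    return "".join(chars)


def deobfuscate(script: str) -> Dict[str, str]:
    """Whole recipe: recover the key, then decode every array with it."""
    key = recover_key(script)
    return {name: decode_array(vals, key) for name, vals in extract_arrays(script).items()}


if __name__ == "__main__":
    for name, text in deobfuscate(SAMPLE_PS).items():
        print(f"${name} -> {text!r}")
```

Recovering the constant from the stub rather than hard-coding it is what makes the same script reusable across variants that only rotate the offset; if `recover_key` raises, the stage is using a different transform and the Subtract step needs to be swapped for whatever the stub actually does.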

SentinelOne

January 8, 2024 by Jim Walter. Securing the supply chain against exploitation of package managers such as npm (Node Package Manager) is a challenge for many organizations. On the one hand, businesses want the productivity benefits that come from sourcing external code; on the other, they lack both control and visibility into how secure that code is. Many organizations rely on developers to know whether code dependencies are secure or not, but that is not always the case, particularly as few d...

Alex Delamotte / January 11, 2024 Executive Summary FBot is a Python-based hacking tool distinct from other cloud malware families, targeting web servers, cloud services, and SaaS platforms like AWS, Office365, PayPal, Sendgrid, and Twilio. FBot does not utilize the widely-used Androxgh0st code but shares similarities with the Legion cloud infostealer in functionality and design. Key features include credential harvesting for spamming attacks, AWS account hijacking tools, and functions to enable...

Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, and Thomas Lancaster at Volexity

January 10, 2024 by Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, Thomas Lancaster. Volexity has uncovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. An official security advisory and knowledge base article have been released by Ivanti that includes mitigation that should be applied immediately. However, a mitigation does not remedy a past or ongoing compromise. ...

Brett Stone-Gross at ZScaler

Brett Stone-Gross, Senior Director of Threat Intelligence. January 11, 2024 - 11 min read. ThreatLabz Research. Introduction: Zscaler's ThreatLabz research team has been tracking the Linux-based malware family known as DreamBus. Not much has changed in the last few years other than minor bug fixes and slight modifications to evade detection from security software. How...