解析メモ

A place for notes from my own malware analysis attempts and for anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 03 – 2024 - MALWARE

This entry was generated and posted automatically; it shows the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics) so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

Any.Run

January 16, 2024. A Full Analysis of the Pure Malware Family: Unique and Growing Threat. In this article, we’re analyzing one of the most u...

ASEC

– on the ASEC BLOG” reported the discovery of the malware “Remcos RAT” being distributed disguised as adult games. In this attack, “WebHard”, an online file storage service popular in Korea, is abused for distribution. AhnLab is urging WebHard users to be careful, noting that there have been several past cases of the service being abused to distribute malware. […] Microsoft’s Effort to Store EU Data Locally – Securitydone, 3 days ago: […] camouflaging itself as adult-themed games and deceiving users into downloading malicious files, said […]

AhnLab SEcurity intelligence Center (ASEC) recently observed circumstances of a CoinMiner threat actor called Mimo exploiting various vulnerabilities to install malware. Mimo, also dubbed Hezb, was first found when they installed CoinMiners through a Log4Shell vulnerability exploitation in March 2022. Up until now, all of the attack cases involved the installation of XMRig CoinMiner called Mimo Miner Bot in the final stage. However, there were other pertinent cases where the same threat actor in...

AhnLab SEcurity intelligence Center (ASEC) has identified that LockBit ransomware is being distributed via Word files since last month. A notable point is that the LockBit ransomware is usually distributed by disguising itself as resumes, and recently found malicious Word files were also disguised as resumes [1]. The distribution method of LockBit ransomware using external URLs in Word files was first found in 2022 [2]. The recently discovered file names of malicious Word files are as follows. F...

Dr Josh Stroschein

YouTube video

Dr. Web

January 15, 2024 Doctor Web is reporting on an increase in cases of cryptocurrency-mining trojans being found hidden in pirated software that is available in Telegram and on some Internet sites. In December 2023, virus analysts at Doctor Web noticed an increase in the detection rates of Trojan.BtcMine.3767 and its companion malware Trojan.BtcMine.2742, which, as it turned out, were ending up on users' computers with pirated software. Trojan.BtcMine.3767 is a trojan program for Windows written in...

ElementalX

Herbie Zimmerman at “Lost in Security”

2024-01-14 Remcos RAT Infection (Packet Analysis). Summary: The last time I “published” anything was about 1.8 years or so ago. So in the spirit of New Year’s resolutions to myself, it really has come time for me to get back on the horse and get back into some sort of posting again. So let’s jump into an alert that I came across for what looks to be Remcos RAT. A link to the artifacts from this investigation can be found over at my GitHub here, which al...

Igor Skochinsky at Hex Rays

Posted on 15 Jan 2024 by Igor Skochinsky. We already know that user-defined types such as structures and enums can be created and edited through the corresponding views, or the Local Types list. However, some small edits can be performed directly in the pseudocode view: structure fields can be renamed using the “Rename” action (shortcut N); you can also quickly retype them using the “Set type” action (Y). NB: th...

Irfan_eternal

irfan_eternal, Malware Analysis, 2024-01-06. Contents: Introduction; Analysis; Stage 1; Shellcode Allocation and Calling; Loading New Image to Memory; Stage 2; Weird Conditional Jumps; Control Flow Obfuscation; Encrypted Function Code; API Hashing; Checks Keyboard Layout; Privileges Check; API Resolving for APIs of NTDLL; Anti-Sandbox, Anti-Emulator and Anti-VM Techniques; Injection of Third Stage using Heaven's Gate Technique; Stage 3; Dynamic API Resolving using API Hashing; Encrypted Strings; Analys...

Jamf

Jamf Blog, January 18, 2024, by Jamf Threat Labs. Jamf Threat Labs discovers new malware embedded in pirated applications. In this blog, Jamf Threat Labs researchers analyze malware they discovered in pirated macOS applications. These apps, appearing similar to ZuRu malware, download and execute multiple payloads to compromise machines in the background. Research led by Ferdous Saljooki and Jaron Bradley. Introduction: Jamf Threat Labs has detected a series of pirated mac...

Preksha Saxena and Yashvi Shah at McAfee Labs

From Email to RAT: Deciphering a VB Script-Driven Campaign. McAfee Labs, Jan 17, 2024. Authored by Preksha Saxena and Yashvi Shah. McAfee Labs has been tracking a sophisticated VBS campaign characterized by obfuscated Visual Basic Scripting (VBS). Initially delivering the AgentTesla malware, the campaign has evolved into a multi-faceted threat, employing VBS scripts as a versatile delivery mechanism. Notably, this campaign extends beyond AgentTesla, now distributing a range of malware su...

Nikhil “Kaido” Hegde

Nikhil "Kaido" Hegde, M&M: Malware and Musings. NoaBot Botnet - Sandboxing with ELFEN and Analysis. Metadata: SHA256 b5e4c78705d602c8423b05d8cd758147fa5bcd2ac9a4fe7eb16a07ab46c82f07. Table of Contents: Family Introduction; Sandboxing with ELFEN; Detonation; uClibc Compilation; Brute-Forcing Credentials; Persistence through Cron; Accessing Secrets; Accessing Bash History; Accessing SSH Private Keys; Accessing User Accounts Information; Process Name Change; Network Communications; Scanning t...

Jeroen Beckers at NVISO Labs

Jeroen Beckers, Application Security, Mobile Security, January 15, 2024. In a recent engagement I had to deal with some custom encrypted strings inside an Android ARM64 app. I had a lot of fun reversing the app and in the process I learned a few cool new techniques which are discussed in this writeup. This is mostly a beginner guide which explains step-by-step how you can tackle a problem like this. Feel free to try it out yourself, or just jump to the parts that interest...

Phylum

⚠️ This appears to be an ongoing campaign. Since publication, additional packages have been released tied to this threat actor. See the IOCs below. On January 12, 2024 Phylum’s automated risk detection platform alerted us to a suspicious publication on npm. The package in question, oscompatible, contained a few strange binaries, including a single exe file, a single DLL file, and an encrypted dat file. The only JavaScript file present, index.js, simply executed a batch file that attempted to launc...

Minyeop Choi at S2W Lab

Todyl

Todyl Detection Engineering Team, January 19, 2024. TL;DR: After Todyl’s Managed eXtended Detection and Response (MXDR) team flagged a new PowerShell script appearing on an endpoint, the Detection Engineering team began analyzing the details to understand the threat and assess impact. The team hunted for adjacent activity across the MXDR customer base and created new managed Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) rules to ensure future detection a...

Joshua Platt, Jonathan McCay and Jason Reaves at Walmart

Zhassulan Zhussupov

﷽ Hello, cybersecurity enthusiasts and white hackers! Since I’m a little busy writing my book for Packt publishing, I haven’t been writing as often lately. But I’m still working on researching and simulating ransomware. In one of the previous posts I wrote about the Madryga encryption algorithm and how it affected the VirusTotal detection score. At the request of one of my readers, I decided to show file encryption and decryption logic using the Madryga algorithm. Practical exa...

Santiago Vicente and Ismael Garcia Perez at ZScaler

Santiago Vicente, Ismael Garcia Perez, January 19, 2024, ThreatLabz Research. Contents: Introduction; Key Takeaways; Technical Analysis; Conclusion; Zscaler Coverage; Indicators Of Compromise (IoCs); Appendix; References. Introduction: Zloader (aka Terdot, DELoader, or Silent Night) is a modular trojan born from the leaked Zeus source code. It surfaced publicly in 2016 during a targeted campaign against German banks [1], but its malicious activity traces back to at least August 2015...