解析メモ (Analysis Memo)

A place to jot down notes from trying my hand at malware analysis and anything that looked useful for analysis.

4n6 Week 05 – 2024 - MALWARE

This entry was generated and posted automatically: it shows the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so that the articles worth checking can be skimmed quickly. The 4n6 digest itself can be found here.

MALWARE

Any.Run

CrackedCantil: A Malware Symphony Breakdown. January 30, 2024, by Lena aka LambdaMamba, cybersecurity analyst and researcher. I am a Cybersecurity Analyst, Researcher, and...

Linux Malware: Types, Families and Trends. January 31, 2024. You’re probably familiar with the tagline “America runs on Dunkin.” Well, if the writers who came up with it worked...

Arctic Wolf

Ari Novick at CyberArk

Ransomware’s PLAYing a Broken Game. January 30, 2024, Ari Novick. Abstract: The Play ransomware group is one of the most successful ransomware syndicates today. All it takes is a quick peek with a disassembler to know why this group has become infamous. This is because reverse engineering the malware would be a Sisyphean task full of anti-analysis techniques. That said, it might come as a surprise...

ASEC

AhnLab SEcurity intelligence Center (ASEC) has recently identified a new activity of the Trigona ransomware threat actor installing Mimic ransomware. Like past cases, the recently detected attack targets MS-SQL servers and is notable for exploiting the Bulk Copy Program (BCP) utility in MS-SQL servers during the malware installation process. Trigona ransomware: Known to have been active since at least June 2022 [1]; usually targets MS-SQL servers for attacks and is still active. Mimic ransomware...
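The BCP abuse mentioned in that ASEC summary is a good candidate for a detection rule. The script below is an added example for this memo, not code from the ASEC post: it runs over constructed process-creation events (pid, ppid, image, command line, the shape Sysmon event 1 or EDR telemetry gives you) and flags bcp.exe when it is spawned beneath sqlservr.exe, which is what the xp_cmdshell route looks like, or when its out/queryout target has an executable extension. The pid values and the exact bcp command lines are assumptions made for the sample.

```python
import re

# Constructed process-creation events (not taken from the ASEC post).
# pid/ppid values and command lines are assumed for illustration.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "sqlservr.exe",
     "cmdline": "sqlservr.exe -sMSSQLSERVER"},
    # xp_cmdshell runs its command through cmd.exe under the SQL Server process
    {"pid": 200, "ppid": 100, "image": "cmd.exe",
     "cmdline": r'cmd.exe /c bcp "select payload from tempdb.dbo.stage" queryout "C:\Users\Public\Music\svchost.exe" -T'},
    {"pid": 300, "ppid": 200, "image": "bcp.exe",
     "cmdline": r'bcp "select payload from tempdb.dbo.stage" queryout "C:\Users\Public\Music\svchost.exe" -T'},
    # benign DBA export jobs, launched from a scheduler rather than from SQL Server
    {"pid": 400, "ppid": 50,  "image": "bcp.exe",
     "cmdline": r'bcp Sales.dbo.Orders out "D:\exports\orders.dat" -n -T'},
    {"pid": 500, "ppid": 60,  "image": "bcp.exe",
     "cmdline": r'bcp "select * from Sales.dbo.Orders" queryout "D:\exports\report.csv" -c -T'},
]

EXEC_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".scr")
# bcp writes a file with either "out" (whole table) or "queryout" (query result)
OUTFILE_RE = re.compile(r'\b(?:out|queryout)\s+"?([^"\s]+)"?', re.IGNORECASE)


def ancestors(pid, by_pid, max_depth=5):
    """Image names of the process chain above pid, nearest parent first."""
    chain = []
    proc = by_pid.get(pid)
    while proc is not None and len(chain) < max_depth:
        proc = by_pid.get(proc["ppid"])
        if proc is not None:
            chain.append(proc["image"].lower())
    return chain


def suspicious_bcp(events):
    """Return [{pid, reasons}] for bcp.exe executions worth a closer look."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"].lower() != "bcp.exe":
            continue
        reasons = []
        chain = ancestors(e["pid"], by_pid)
        if "sqlservr.exe" in chain:
            reasons.append("spawned under sqlservr.exe via " + " -> ".join(chain))
        m = OUTFILE_RE.search(e["cmdline"])
        if m and m.group(1).lower().endswith(EXEC_EXT):
            reasons.append("output file has executable extension: " + m.group(1))
        if reasons:
            findings.append({"pid": e["pid"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_bcp(EVENTS):
        print(f["pid"], "; ".join(f["reasons"]))
```

Only pid 300 is reported, with both reasons; the two scheduler-launched exports pass because they neither descend from sqlservr.exe nor write an executable. In real telemetry the parent chain is the stronger signal, since the output path can be renamed after the fact.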

For convenience, users frequently use the automatic login feature provided by programs like web browsers, email clients, and FTP clients. This allows programs to store user account credentials in their settings data. Therefore, despite being a convenient feature, this poses a security risk because threat actors are then able to leak the users’ account credentials easily. If malware or threat actors gain control of an infected system, they can employ various tools to extract users’ account credential...

AhnLab SEcurity intelligence Center (ASEC) has recently identified the distribution of Qshing emails impersonating the Ministry of Finance of the People’s Republic of China. Qshing is a compound noun from the words “QR code” and “Phishing” that leads to a malicious app being installed or directs users to a phishing site when a QR code is scanned. The email being distributed is shown in Figure 1 and is disguised as a paycheck receipt confirmation for the first quarter of 2024. The content include...

AhnLab SEcurity intelligence Center (ASEC) has recently analyzed a phishing case where a phishing page was disguised as a login page of a famous Korean portal website. ASEC has then collected some information on the threat actor. The fake login page, which is believed to have been distributed in the format of hyperlinks attached to phishing emails, was found to be very similar to the login page of the famous portal site. In fact, it is difficult to realize that this is a phishing page at a quick...

AhnLab SEcurity intelligence Center (ASEC) recently discovered that a CoinMiner targeting Zephyr is being distributed. The file is created with Autoit, and it is being spread in the form of a compressed file that contains the CoinMiner. The compressed file is being distributed as “WINDOWS_PY_M3U_EXPLOIT_2024.7z,” and upon decompressing the file, several scripts and executables are created. Among them, “ComboIptvExploit.exe” is a Nullsoft Scriptable Install System (NSIS) installer, and two Javasc...

AhnLab SEcurity intelligence Center (ASEC) is using a Linux SSH honeypot to monitor attacks against unspecified Linux systems. Threat actors install malware by launching brute force and dictionary attacks against Linux systems that are poorly managed, such as using default settings or having a simple password. While there is a variety of attack cases including those where worms, CoinMiners, and DDoS bots are installed, this post will cover attack cases where backdoor accounts are created instead...
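The two behaviours in that honeypot write-up, password guessing followed by a planted account, are quick to check for on a suspected host. The script below is an added example for this memo, not code from the ASEC post. It runs over a constructed sshd log excerpt and constructed /etc/passwd snapshots (all sample data is made up) and reports sources that crossed a failure threshold before a login was accepted, plus accounts that are new relative to a baseline, share UID 0 with root, or have a home directory in a scratch location. The threshold of five and the Debian-style auth.log format are assumptions.

```python
import re
from collections import Counter

# Constructed sample data (not from the ASEC post): an sshd auth log excerpt
# showing a dictionary attack that ends in a successful login, and /etc/passwd
# as captured before and after the intrusion.
AUTH_LOG = """\
Jan 29 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jan 29 10:01:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 41024 ssh2
Jan 29 10:01:04 host sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 41026 ssh2
Jan 29 10:01:05 host sshd[1207]: Failed password for root from 203.0.113.7 port 41028 ssh2
Jan 29 10:01:06 host sshd[1209]: Failed password for root from 203.0.113.7 port 41030 ssh2
Jan 29 10:01:07 host sshd[1211]: Accepted password for root from 203.0.113.7 port 41032 ssh2
Jan 29 10:03:00 host sshd[1300]: Accepted publickey for deploy from 198.51.100.4 port 50022 ssh2
"""

PASSWD_BEFORE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
"""

# After the intrusion: a second UID-0 account and an innocuous-looking extra user.
PASSWD_AFTER = PASSWD_BEFORE + """\
sysadm:x:0:0::/tmp:/bin/bash
backup2:x:1001:1001::/home/backup2:/bin/bash
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")


def brute_force_sources(log, threshold=5):
    """Count failed logins per source IP in log order and report (user, ip) for
    any login accepted from a source that had already reached the threshold."""
    failures = Counter()
    accepted_after_spray = []
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= threshold:
            accepted_after_spray.append((m.group(1), m.group(2)))
    attackers = {ip: n for ip, n in failures.items() if n >= threshold}
    return attackers, accepted_after_spray


def parse_passwd(text):
    """Map user name to the passwd fields a backdoor check cares about."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def backdoor_accounts(before, after):
    """Diff two passwd snapshots and return [(name, [reasons])] for accounts
    that are new, share UID 0 with root, or live in a scratch directory."""
    old, new = parse_passwd(before), parse_passwd(after)
    findings = []
    for name, u in new.items():
        reasons = []
        if name not in old:
            reasons.append("new account")
        if u["uid"] == 0 and name != "root":
            reasons.append("uid 0")
        if u["home"].startswith(("/tmp", "/dev/shm", "/var/tmp")):
            reasons.append("home in scratch dir")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    print(brute_force_sources(AUTH_LOG))
    print(backdoor_accounts(PASSWD_BEFORE, PASSWD_AFTER))
```

The passwd diff needs a trusted baseline; on a live host take it from configuration management or a known-good image rather than from the box under investigation, since an attacker with root can rewrite both files.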

g0njxa

Igor Skochinsky at Hex Rays

Igor’s Tip of the Week #173: Navigating to types from pseudocode. Posted on 02 Feb 2024 by Igor Skochinsky. Previously we’ve seen how to do small edits to types directly from the pseudocode view. While this is enough for minor edits, sometimes you still need to use the full editor. Of course, it is always possible to open Structures, Enums, or Local Types and look for your type there, but what if you have thousands of them?...

Deepa B at K7 Labs

Python’s Byte: The Rise of Scripted Ransomware. Posted by Deepa B, January 30, 2024. The digital world that we live in has been always facing different types of cyber attacks. Of late, there has been a spurt in ransomware (a malware that permanently blocks access to the victim’s data demanding a ransom) attacks across the globe causing great concern for organizations and individuals alike. This blog gets into the nuances of...

Nextron Systems

by Nextron Threat Research Team | Jan 29, 2024. In this article, we will explore the FalseFont Backdoor used by Peach Sandstorm APT to target defense contractors worldwide. The backdoor was initially identified and reported on by Microsoft. The malware features data exfiltration and remote access capabilities. It poses as a legitimate application from US Defense and Intelligence Contractor Maxar Technologies, and provides the user with a realistic UI and behavior. Triage: When starting the applica...

Ayush Anand at Securityinbits

January 30, 2024, Ayush Anand. Tags: CyberChef, Infostealer, LNK, mshta, PowerShell, RedLine, VBScript. RedLine Stealer Infection Chain: Zip ➡️ LNK PS ➡️ mshta (URL1) ➡️ PS ➡️ cmd ➡️ PS ➡️ URL2 ➡️ exe. What’s Inside: LNK using \W\2\mshe to dodge detection; VBScript analysis using CyberChef & Wscript.Echo; Utilize CyberChef recipe to decode VBScript & PowerShell; How to deobfuscate PowerShell with PowerSh...

Sekoia

Phil Stokes at SentinelOne

February 1, 2024, by Phil Stokes. Malware authors have long targeted the market for free, cracked apps available through torrent services: in recent years a variety of cryptominers, adware, browser hijackers and bundled software installers have all plied their warez this way, but a recent macOS malware first spotted by researchers at Kaspersky is currently running rampant through dozens of different cracked copies of popular software. Aside from the scale of the campaign, macOS.Bkdr.Activator ...

Théo Letailleur at Synaktiv

KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises. Written by Théo Letailleur, 29/01/2024, in CSIRT. On 10th January 2024, Ivanti disc...

Lukas Stefanko at WeLiveSecurity

ESET researchers discovered several Android apps carrying VajraSpy, a RAT used by the Patchwork APT group. Lukas Stefanko, 01 Feb 2024. ESET researchers have identified twelve Android espionage apps that share the same malicious code: six were available on Google Play, and six were found on VirusTotal. All the observed applications were advertised as messaging tools apart from one that posed as a news app. In the background, these apps covertly execute remote access trojan (RAT) co...