Analysis Notes

A place to jot down things learned from analyzing malware, or things that seemed likely to be useful for analysis. This site uses Google Analytics.

4n6 Week 07 – 2024 - MALWARE

This entry shows the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics). It was generated and posted automatically so that the articles worth checking can be skimmed quickly. The 4n6 post itself can be found here.

MALWARE

Any.Run

A deep dive into .NET malware obfuscators: Part 1 (Malware Analysis), February 12, 2024, 14 min read. As a preface: In the modern world, it is rare to encounter purely clean malware during analysi...

ANY.RUN TI Lookup: a Phishing Case Study (Analyst Training), February 13, 2024, 6 min read. At ANY.RUN, we’ve recently released our new Threat Intelligence Lookup service. This tool opens up incredible opportunities for leveraging our extensive threat in...

RSPAMD: Analyze Emails in Depth in ANY.RUN (Service Updates), February 14, 2024, 5 min read. You’ve likely noticed that ANY.RUN interactive malware sandbox very effectively flags emails with phishing tags. We utilize proprietary detection rules to ident...

Artem Baranov


ASEC

AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of Revenge RAT malware that had been developed based on legitimate tools. It appears that the attackers have used tools such as ‘smtp-validator’ and ‘Email To Sms’. At the time of execution, the malware creates and runs both a legitimate tool and a malicious file, making it difficult for users to realize that a malicious activity has occurred. As shown in the code below, the threat actor creates and runs Setup.exe (m...

Kimsuky threat group, deemed to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy corporation in 2014, and have expanded their attacks to other countries since 2017 [1]. The group has mainly been attacking the national defense, defense industry, media, government organizations, and academic areas to steal internal data and technologies from them [2] (This report supports K...

Avast Threat Labs

By Threat Research Team, February 13, 2024, 4 min read. In October 2023, we published a blog post containing technical analysis of the Rhysida ransomware. What we intentionally omitted in the blog post was that we had been aware of a cryptographic vulnerability in this ransomware for several months and, since August 2023, we had covertly provided victims with our decryption tool. Thanks to our collaboration with law enforcement units, we were able to quietly assist numerous organizations by decryptin...

Asheer Malhotra, Holger Unterbrink, Vitor Ventura, and Arnaud Zobec at Cisco’s Talos

TinyTurla Next Generation - Turla APT spies on Polish NGOs. By Asheer Malhotra, Holger Unterbrink, Vitor Ventura, Arnaud Zobec, Thursday, February 15, 2024 08:00 (Threats, Threat Spotlight). Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation. Talos assesses with h...

Donato Onofri and Emanuele Calvelli at CrowdStrike

February 7, 2024, Donato Onofri and Emanuele Calvelli (Endpoint Security & XDR). HijackLoader continues to become increasingly popular among adversaries for deploying additional payloads and tooling. A recent HijackLoader variant employs sophisticated techniques to enhance its complexity and defense evasion. CrowdStrike detects this new HijackLoader variant using machine learning and behavior-based detection capabilities. CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample th...

Elastic Security Labs

Introduction to Hex-Rays decompilation internals (Malware analysis), 25 min read. Introduction: In this publication, we delve into Hex-Rays microcode and explore techniques for manipulating the generated CTree to deobfuscate and annotate decompiled code. The final section includes a practical example demonstrating how to annotate a custom import t...

Esentire

Security advisory, Feb 09, 2024: Volt Typhoon Activity. THE THREAT: On February 7th, CISA, NSA, FBI, along with Five Eyes intelligence partners, published a joint advisory related to state-sponsored threat actors from the People’s Republic of China (PR...

Fortinet

By Amey Gat and Mark Robson | February 14, 2024. Affected Platforms: Microsoft Windows. Impacted Users: Microsoft Windows Users. Impact: This loader has been used to load multiple RATs and info stealers, which can lead to compromised credentials and enable further malicious activities. Severity Level: Medium. Executive Summary: While analyzing malware samples collected from several victims, the FortiGuard team identified a grouping of ma...

By Axelle Apvrille | February 15, 2024. Affected Platform: Android. Impacted Users: Android users with mobile crypto wallet or banking applications. Impact: Financial Loss. Severity Level: Medium. Spynote is a Remote Access Trojan that initially surfaced in 2020. Since then, it has grown into one of the most common families of malware for Android, with multiple samples, integration of other RATs (e.g. CypherRat), and a large family of over 10,00...

Harfanglab


Hex Rays

Posted on: 13 Feb 2024, by Alex Petrov (Categories: IDA Pro, Programming; Tags: IDA Pro, plugin). This is a guest entry written by Martin Perrier and Louis Jacotot from Synacktiv. The views and opinions expressed in this blog post are solely those of the authors and do not necessarily reflect the views or opinions of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the authors. Frinet is a project that aims at facilitating reverse-engineering, vulnerability...

Posted on: 14 Feb 2024, by Igor Skochinsky (Categories: IDA Pro; Tags: idapro, idatips). As we’ve seen previously, an IDB (IDA database) consists of several embedded files which contain the actual database data and which IDA reads/writes directly when working with the database. By default, they’re unpacked next to the IDB, which can lead to various issues such as excessive disk usage, or speed (e.g. if the IDB is on a remote or removable drive). If you often work with external IDBs but have a fast local d...

K7 Labs

Zloader Strikes Back (Stealer Trojan), by Sudeep, February 14, 2024. Recently, we came across an update from PolySwarm regarding a new variant of Zloader. Zloader is a malware based on Zeus, which has been targeting financial institutions and their customers. This blog gets into the nuances of the new techniques used by Zloader. Technical Analysis: It was observed that Zloader had very few import functions and it was obfuscated and threat actors were mak...

Unveiling Crypto Miner’s Stealthy Tactics: The Rise of Indirect Syscalls for Evasion (Cryptomining), by Andrew Shelton, February 15, 2024. Recently we got our hands on a set of samples which had a big data section with high entropy and had fake executable information like WinRar, Chrome, CustomRP, etc. Out of curiosity we analysed one but we weren’t able to find any interesting Win32 APIs used by this sample. When we reversed the sample we came...

Luke Leal

2023-07-22 :: Luke (Tags: qetbootstrap.com, wss, skimmer, ecommerce, magento, JavaScript, website malware). Outline: qetbootstrap.com skimmer; wss exfiltration; ASN ZERGRUSH (39622); Sample. The first stage of the skimmer is injected into Magento files or database. JavaScript Stage 1: core_config_data: (function(i, s, h, k, l, o, c, m) { m['GoogleAnalyticsObjects'] = o; c = s.createElement(h), i = s.getElementsByTagName(h)[0]; if (l.hre...

MALCAT

Fri 16 February 2024, malcat team (malware analysis, qakbot, qbot, MSI, config extraction, scripting, tutorial). Sample: 73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi (Bazaar, VT). Infection chain: MSI installer -> Backdoored DLL -> PE loader -> Qakbot. Tools used: Malcat. Difficulty: Intermediate. Introduction: Qakbot has been studied a lot over the last 15 years, and plays a big role in the malware landscape. After a successful takedown that took place in August 2023, it got a bi...

Colton Gabertan, Mike Hunhoff, Moritz Raabe, and Willi Ballenthin at Mandiant

Riding Dragons: capa Harnesses Ghidra, by Colton Gabertan, Mike Hunhoff, Moritz Raabe, Willi Ballenthin, Feb 14, 2024, 6 min read (FLARE, Malware, Reverse Engineering). capa is the FLARE team’s open source tool that detects capabilities in executable files. Ghidra is an open source software reverse engineering framework created and maintained by the National Security Agency Research Directorate. With the release of capa v7, we have integrated capa with Ghidra, bringing capa’s detection capabilities directly...

Lior Rochberger and Dan Yashnik at Palo Alto Networks

Diving Into Glupteba's UEFI Bootkit, by Lior Rochberger and Dan Yashnik, February 12, 2024 at 6:00 AM, 12 min read. Category: Malware. Tags: Advanced Threat Prevention, Advanced URL Filtering, Advanced WildFire, Cloud-Delivered Security Services, coin miner, Cortex XDR, credential stealer, DNS security, next-generation firewall, Prisma Cloud, RedLine infostealer, Smoke Loader. Executive Summary: Glupteba is advanced, modular a...

Paolo Luise

PetiKVX

Feb 14, 2024 • petikvx. Bazaar Block archive: Year 2024: Bazaar Block 2024 (January). Year 2023: Bazaar Block 2023 (December), (November), (October), (September), (August), (July), (June), (May), (April), (March), (February), (January). Year 2022: Bazaar Block 2022 (December), (November), (Octobe...

Feb 14, 2024 • petikvx. VS Block 00000, VS Block 00001, VS Block 00002, VS Block 00003, VS Block 00004, VS Block 00005.

Ayush Anand at Securityinbits

February 12, 2024, by Ayush Anand (.NET, Config, Debugging, dnSpyEx, Infostealer, Malware Series, RedLine). In this article, we dive into the process of unpacking and extracting config from RedLine Stealer using dnSpyEx. It’s a bit lengthy but a great way to learn about the unpacking process using dnSpyEx. 🔍 This is the 3rd part in our deep dive series on RedLine. If you need a refresher on the infection c...

Ben Martin at Sucuri

Nikolaos Pantazopoulos at ZScaler

Nikolaos Pantazopoulos, February 12, 2024, 9 min read (ThreatLabz Research). Contents: Introduction; Key Takeaways; Technical Analysis; Conclusion; Indicators Of Compromise (IOCs); Zscaler Coverage. Introduction: Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. There was a significant increase in usage of Pikabot in the second half of 2023, followin...