Analysis Notes

A place to jot down things from my own malware analysis and anything that seems useful for analysis. This site uses Google Analytics.

4n6 Week 09 – 2024 - MALWARE

This entry was automatically generated and posted to show the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

Any.Run

DCRat: Step-by-Step Analysis in ANY.RUN. February 27, 2024, 13 min read. We’re super excited to introduce Mizuho (@morimolymoly2 on X) today, a software engineer and malware analyst making their debut on the ANY.RUN blog....

Arda Büyükkaya

YouTube video

ASEC

AhnLab SEcurity intelligence Center (ASEC) recently discovered that Nood RAT is being used in malware attacks. Nood RAT is a variant of Gh0st RAT that works in Linux. Although the number of Gh0st RAT for Linux is fewer compared to Gh0st RAT for Windows, the cases of Gh0st RAT for Linux are continuously being collected. Nood RAT is categorized as a variant of Gh0st RAT based on the code’s similarity with previous codes from Gh0st RAT [1]. A builder used in the latest developments was found, and i...

Last year, AhnLab SEcurity intelligence Center (ASEC) introduced phishing script files that used Telegram to leak user information [1]. Recently, several phishing scripts using Telegram are being distributed indiscriminately through keywords such as remittance and receipts. Unlike the phishing script files that were distributed in the early days, the latest files are obfuscated to avoid detection. Similar to the past, they are being distributed using various means and tactics such as prompting u...

Jan Vojtěšek at Avast Threat Labs

By Jan Vojtěšek, February 28, 2024, 53 min read. Key Points: Avast discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver. Thanks to Avast’s prompt report, Microsoft addressed this vulnerability as CVE-2024-21338 in the February Patch Tuesday update. The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive. This primitive enabled Lazarus to perf...

Guilherme Venere, Jacob Finn, Tucker Favreau, Jacob Stanfill, and James Nutland at Cisco’s Talos

By Guilherme Venere, Jacob Finn, Tucker Favreau, Jacob Stanfill, James Nutland. Tuesday, February 27, 2024 08:00. Threat Spotlight: Cisco Talos has discovered a new campaign operated by a threat actor distributing a previously unknown malware we’re calling “TimbreStealer.” This threat actor was observed distributing TimbreStealer via a spam campaign using Mexican tax-related themes starting in at least November 2023. The threat actor has previously used similar tactics, techniques and proced...

Cyber 5W

5 minute read. Introduction: Pikabot, a modular backdoor first discovered in 2023, employs anti-analysis techniques within its loader component. The core component, responsible for most malicious functionalities, receives commands from a command-and-control server, allowing for arbitrary code injection. As the loader part is the one that implements all the Anti-Analysis Techniques to evade analysis, and also it’s the part that we wi...

Dr Josh Stroschein

YouTube video

ElementalX

Matthew at Embee Research

Advanced CyberChef Techniques for Configuration Extraction - Detailed Walkthrough and Examples. Advanced CyberChef techniques using Registers, Regex and Flow Control. Matthew, Feb 26, 2024, 17 min read. We're all used to the regular CyberChef operations like "From Base64", From Decimal and the occasional magic decode or xor. But what happens when we need to do something more advanced? Cyberchef contains many advanced operations that are often ignored in favour of Python scripting. Few are aware of t...

Fortra’s PhishLabs

DarkLoader Leads Malware Attacks in Q4. Posted on February 29, 2024. In Q4, three malware families represented more than 93% of all payload volume targeting end users, with Malware-as-a-Service (MaaS) DarkLoader leading all other reports. Fortra first received reports of DarkLoader in user inboxes in Q3, with attack volume picking up significantly beginning in October. The shift to criminal activity associated with DarkLoader comes after coordinated efforts by officials in Q3 to disrupt former mal...

Ron Bowes at GreyNoise Labs

Code injection or backdoor: A new look at Ivanti’s CVE-2021-44529. Author Ron Bowes, published February 16, 2024. In 2021, Ivanti patched a vulnerability that they called “code injection”. Rumors say it was a backdoor in an open source project. Let’s find out what actually happened! This is yet another, “Ron got nerdsniped by a thing and wasted enough time that he needs something to show for it” blog. Which, come to think of it, are pretty m...

Igor Skochinsky at Hex Rays

Posted on 28 Feb 2024 by Igor Skochinsky. In one of the past tips we mentioned the __unused attribute which can be applied to function arguments. When can it be useful? Let’s consider this code from Apple’s dyld: v19 is passed as first argument to dyld4::ProcessConfig::PathOverrides::setString(). Since its name looks like a class method, the decompiler assigned the class type to the first argument (normally corresponding to the impli...

Shusei Tomonaga at JPCERT/CC

朝長 秀誠 (Shusei Tomonaga), February 28, 2024. New Malicious PyPI Packages used by Lazarus. JPCERT/CC has confirmed that Lazarus has released malicious Python packages to PyPI, the official Python package repository (Figure 1). The Python packages confirmed this time are as follows: pycryptoenv, pycryptoconf, quasarlib, swapmempool. The package names pycryptoenv and pycryptoconf are similar to pycrypto, which is a Python package used for encryption algorithms in Python. Therefore, the attack...

Malwarebytes

Posted: February 28, 2024 by Jérôme Segura It was just a little over a year ago that the Rhadamanthys stealer was first publicly seen distributed via malicious ads. Throughout 2023, we observed a continuation in malvertising chains related to software downloads. Fast forward to 2024 and the same malvertising campaigns are still going on. After a lull last summer, we noticed an increase since the fall which so far has been sustained. The most recent targeted searches are for Parsec and FreeCad, f...

Posted: March 1, 2024 by Bill Cozens A new type of malware is being used by ransomware gangs in their attacks, and its name is PikaBot. A relatively new trojan that emerged in early 2023, PikaBot is the apparent successor to the infamous QakBot (QBot) trojan that was shut down in August 2023. QBot was used by many ransomware gangs in the past for its versatile ability to facilitate initial access and deliver secondary payloads. After QBot got shut down, there was a vacuum in the ransomware gang ...

McAfee Labs

GUloader Unmasked: Decrypting the Threat of Malicious SVG Files. McAfee Labs, Feb 28, 2024, 5 min read. Authored by Vignesh Dhatchanamoorthy. In the ever-evolving landscape of cybersecurity threats, staying ahead of malicious actors requires a deep understanding of their tactics and tools. Enter GUloader, a potent weapon in the arsenal of cybercriminals worldwide. This sophisticated malware loader has garnered attention for its stealthy techniques and ability to evade detection, posing a significant...

Rise in Deceptive PDF: The Gateway to Malicious Payloads. McAfee Labs, Mar 01, 2024, 17 min read. Authored by Yashvi Shah and Preksha Saxena. McAfee Labs has recently observed a significant surge in the distribution of prominent malware through PDF files. Malware is not solely sourced from dubious websites or downloads; certain instances of malware may reside within apparently harmless emails, particularly within the PDF file attachments accompanying them. The subsequent trend observed in the past th...

NVISO Labs

Maxime Thiebaut, March 1, 2024, 1 minute read. In early 2024, Ivanti’s Pulse Secure appliances suffered from wide-spread exploitation through the then reported vulnerabilities CVE-2023-46805 & CVE-2024-21887. Amongst the many victims, a critical-sector organization triggered their NVISO incident-response retainer to support their internal security teams in the investigation of the observed compromise of their Ivanti appliance. This report documents two at-the-...

Anmol Maurya and Siddharth Sharma at Palo Alto Networks

The Art of Domain Deception: Bifrost's New Tactic to Deceive Users. By Anmol Maurya and Siddharth Sharma, February 29, 2024 at 3:00 AM, 6 min read. Executive Summary: We recently found a new Linux variant of Bifrost (aka Bifro...

Patrick Wardle at Objective-See

Apple Gets an 'F' for Slicing Apples: Tracking down a subtle bug in an important macOS API. By Patrick Wardle, February 22, 2024. Background: I’m currently working on Volume II of the “The Art of M...

Petikvx

YouTube video

YouTube video

YouTube video

Feb 28, 2024, petikvx. File Information: Type PE32; Compiler Microsoft Visual C/C++ (16.00.30319) [LTCG/C++]; Linker Microsoft Linker (10.00.30319); Tool Visual Studio (2010); File size 9.00 KB (9216 bytes); Creation Time 2022-03-14 07:19:36 UTC. DsRoleGetPrimaryDomainInformation: The DsRoleGetPrimaryDomainInformation API is a function in the Windows Server API that provides information about the domain role of a computer in a network. It is part of the Domain S...

Pulsedive

Dive into how Balada exploits vulnerabilities within WordPress plugins. This research blog analyzes how Balada injects malicious code and the functionality of the scripts used in the campaign. Pulsedive Threat Research, Feb 29, 2024, 8 min read. Balada, also known as Balada Injector, is a malware campaign that targets and injects malicious PHP code into WordPress websites. Researchers have observed recent campaigns exploiting two vulnerabilities within WordPress plugins to inject the initial set ...

Richard Christopher

Feb 25, 2024, 8 min read. Strela Stealer. I decided to grab a random malware sample from any.run and have a bit of a poke around. The file I chose from public submissions has the following details: MD5: 09a3293c8e85921340f2e75cf398b0a5; FileName: 2585747226036.zip; Extracted FileName: 2585747226036.js. This file showed as no threats detected in the sandbox. Despite it showing no malicious activity (note the .dll error message box below which may be a deception technique or a legitimate error), a...

Sonatype

The curious case of 'csrf-magic': A case study in supply chain poisoning. February 27, 2024, by Ax Sharma, 5 minute read time. Back in the day, Ivanti disclosed CVE-2021-44529, a critical "code injection" vulnerability in its EPM Cloud Services Appliance (CSA) product. Ivanti has been in the news recently as threat actors continue to actively exploit vulnerabilities in its products. The software vendor, at the time, proposed some interesting workarounds for the CVE. Ivanti users had the choic...

npm packages spread 'Bladeroid' crypto-stealer, hijack your Instagram. February 29, 2024, by Ax Sharma, 5 minute read time. Sonatype has identified multiple open source packages named sniperv1, sniperv2, among others that infect npm developers with a Windows info-stealer and crypto-stealer called 'Bladeroid.' The info-stealer can be seen peeking into a user's browser cookies and local storage data and attempts to steal saved (auto-fill) form data. Additionally, the malware attempts to access ...

Melusi shoko at System Weakness

Sudeep Singh and Roy Tay at ZScaler

By Sudeep Singh and Roy Tay, February 27, 2024, 12 min read. ThreatLabz Research. Introduction: Zscaler's ThreatLabz discovered a suspicious PDF file uploaded to VirusTotal from Latvia on January 30th, 2024. This PDF file is masqueraded as an invitation letter from the Ambassador of India, inviting di...