Analysis Notes (解析メモ)

A place to jot down notes from trying my hand at malware analysis and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 10 – 2024 - MALWARE

This entry was automatically generated and posted to show the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

ASEC

Have you or anyone near you become a victim of online scamming? This article will introduce you to online scams, how the waves of scammers target their victims and in which ways, and what damage they inflict. This article’s contents are based on AhnLab’s in-house data as well as externally available information. When quoting external information, their sources have been cited. Contents: What Are Online Scams? Scams vs. Frauds vs. Phishing; How Bad Are They? What Are Their Goals? Who Become Victims...

AhnLab Security intelligence Center (ASEC) has recently discovered the distribution of backdoor malware via aNotepad, a free online notepad platform. Said malware supports both the PE format that targets the Windows system and the ELF format that targets the Linux system. As the threat actor used the string ‘WingOfGod’ during the development of the malware, it is classified as WogRAT. Figure 1. aNotepad platform used in the attack 1. Distribution Cases It is assumed that the WogRAT has continuou...

AhnLab Security intelligence Center (ASEC) has found numerous cases of threat actors attacking vulnerable Korean servers. This post introduces one of the recent cases in which the threat actor ‘z0Miner’ attacked Korean WebLogic servers. z0Miner was first introduced by Tencent Security, a Chinese Internet service provider. //s.tencent.com/research/report/1170.html (This link is only available in Chinese.) These threat actors have a history of distributing miners against vulnerable servers (Atlassi...

Nathaniel Raymond at Cofense

CTF导航

Shadow Hunting: Analysis of APT37 attack activity targeting South Korea using North Korean political topics. Recently, during routine threat hunting, the 猎影实验室 (Hunting Shadow Lab) of 安恒信息 (DBAPPSecurity) found that the APT37 group repeatedly used lures on North Korea-related political topics to deliver the ROKRAT trojan to targeted users and steal information. An APT group targeting South Korea: APT37 is also known as Group123, InkySquid, Operation Daybreak, Operation Erebus, Reaper Group, Red Eyes, ScarCruft and Venus 121. The group has been active since at least 2012, mainly targeting the public and private sectors in South Korea. In 2017, APT37 expanded its targets beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and into a wider range of verticals including chemical, electronics, manufacturing, aerospace, automotive and healthcare entities. In 2023, the APT37 group began phishing domestic users, on both the Windows and Android platforms. Sample information: the two attack samples we captured are as follows. Sample 1: (Security Column) Security agencies must not be helpless against anti-state forces.zip. File name: (안보칼럼) 반국가세력에안보기관이무기력해서는안된다.zip ((Security Column) Security agencies must not be helpless against anti-state...

Reverse analysis of the execution flow of the Quasar RAT client trojan. Preface: I recently decided to write a series of articles documenting, from several angles, a few widely used and mature open-source remote-control frameworks; the series covers the basic execution flow, analysis of the encryption and decryption techniques, and intrusion detection (both network-traffic and host-based). QuasarRAT is the first subject, first because its source code is available and frequently updated, so the source can be consulted when reverse engineering gets difficult, and second because it is widely used by APT groups of all kinds, who modify and recompile it as the final remote-control payload in their attack campaigns. This is the first article in the QuasarRAT series and records the basic execution flow of the RAT client trojan; I learned a great deal from it. The article is long, so a table of contents is attached to give readers a sense of its overall structure. Background: QuasarRAT is an open-source C#-based remote-administration tool; the latest version is currently 1.4.1. GitHub data shows the tool has a large audience, many maintainers and fairly frequent updates. In the 2023 annual APT reports from various vendors, QuasarRAT appeared repeatedly and was used by many APT groups in attack campaigns. Now to the main topic. Simple usage example: on first run after downloading and extracting, a certificate-creation window appears, used to create the server certificate needed to protect communication between the server and the client; a certificate can be created or imported. Click Create, then save, and back up the created q...

Writing Ghidra scripts: from IR to decompiled C. Preface: As a binary security practitioner, dealing with a range of security analysis tools is routine. The mainstream analysis tool in the industry is currently IDA, and there are already many blog posts about it, so I will not repeat them here. Ghidra, an open-source binary analysis tool that can rival IDA, has far less material available than IDA does, so this post aims to improve everyone's understanding of Ghidra. 1. Background: To avoid low-level complexity and improve the efficiency of reverse engineering and automated analysis (most visibly, to spare binary security practitioners from directly handling the different assembly instruction sets of different processors), almost every binary analysis tool has its own Intermediate Representation (IR), for example IDA's microcode and Binary Ninja's LLIL and MLIL. Ghidra's IR is called P-Code; one assembly instruction translates directly into one or more P-Code operations (the Ghidra documentation calls this Raw P-Code, that is, the original P-Code with no additional analysis applied). On top of Raw P-Code, Ghidra performs some basic data-flow analysis and, based on the results, enriches the P-...

FORTIGATE FIRMWARE ANALYSIS. TL;DR: Optistream provides the means (technology & expertise) to secure hybrid infrastructure and maintain efficient segmentation. As part of our key activities, we monitor any new vulnerabilities affecting network and security appliances to conduct deep research and strengthen our customers' information systems. Fortinet products have recently been highly targeted and have been prone to many critical vulnerabilities; our R&D team has recently b...

Amr Ashraf at Cyber 5W

5 minute read. On this page: Introduction; Static Analysis (PEstudio, FLOSS, Krypto ANALyzer, CryptoTester); Behavioral Analysis (Sysmon, API Monitor, FAKENET-NG); Code Analysis (Capa, AutoRE); Emulation (qiling); Summary. Introduction: As a malware analyst, your analysis environment is considered your friend. It can make your life easier and save you a lot of time if you just invest time in it once, and it can also make your life hell if you decide to ignore updating it and equipping it with the tools that can cu...

Cybereason

Unboxing Snake - Python Infostealer Lurking Through Messaging Services Written By Cybereason Security Services Team Cybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them. In this Threat Analysis Report, Cybereason Security Services dives into the Python Infostealer, delivered via GitHub and GitLab, that ultimately exfiltrates credentials vi...

DD

Digital Daniela

Hello Everyone! I did this cool TryHackMe task where I analyzed API calls as part of performing dynamic malware analysis. I used a tool called ApiLogger which can load malicious files and allows you to view the API calls it makes. Here is a writeup of the task, which can be found here - //tryhackme.com/room/basicdynamicanalysis. The sample ~Desktop\samples\1.exe creates a file in the C:\ directory. What is the name with the full path of this file? As shown below, I used the execu...

Dr Josh Stroschein – The Cyber Yeti

YouTube video

Cara Lin at Fortinet

By Cara Lin | March 04, 2024. Affected Platforms: Microsoft Windows. Impacted Users: Microsoft Windows. Impact: Controls victim’s device and collects sensitive information. Severity Level: High. FortiGuard Labs recently uncovered a threat actor employing a malicious PDF file to propagate the banking Trojan CHAVECLOAK. This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final m...

Aseel Kayal at Mandiant

Aseel Kayal, Mar 06, 2024, 8 min read, Threat Intelligence. During the analysis of a banking trojan sample targeting Android smartphones, Mandiant identified the repeated use of a string obfuscation mechanism throughout the application code. To fully analyze and understand the application's functionality, one possibility is to manually decode the strings in each obfuscated method encountered, which can be a time-consuming and repetitive process. Another possibility is to use paid tools such as JEB deco...

OALABS Research

Triaging this elaborate infection chain. Mar 3, 2024 • 7 min read. Tags: github, lua. Contents: Overview; Special Thanks; Delivery; GitHub Bug; Malicious GitHub Cloning; Lua Malware Analysis; Sample Analysis; Lua Environment Instrumentation; Lua Garbage - Dumping Encrypted Strings; Hook lj_str_free. Overview: Malware operators are using a cloned game cheat website, SEO poisoning, and a bug in GitHub to trick would-be game hackers into running Lua malware. Our notes are divided into two sections; the first part focuses on th...

PetiKVX

Mar 5, 2024 • petikvx. Version at ANY.RUN; VT Link. File Information: MD5: 06e63f2f7f64cbc08ac883f4f9122aa7; SHA-1: 5dc8db5189d1b33b1e28dc642c238f45b6deec1a; SHA-256: 424f2f18cf3e601760f3ae6e2979503a8d3993024e342b014053835c6590247d; File type: Win32 EXE; Magic label: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows; File size: 7.2 kB (7168 bytes). File Encryption Program and Custom README File Creation: private static void Main(string[] args) { string str = "C:\Users\"; ...

Mar 9, 2024 • petikvx. Version at ANY.RUN; VT Link. DetectItEasy: PE32; Compiler: VB.NET; Library: .NET (v4.0.30319); Linker: Microsoft Linker; File size: 2.50 MB (2625536 bytes); PEiD packer: .NET executable. Malware Structure: The ransomware is structured as follows. We will attempt to detail each of the Forms. Form 1 - Main Form: public Form1() { base.Load += this.Form1_Load; base.LostFocus += this.Form1_LostFocus; base.FormClosing += this.Form1_FormClosing; this.InitializeComponent(); } Loading ...

Andreas Klopsch and Matt Wixey at Sophos

First released in May 2023, an EDR killer – and the vulnerable Zemana drivers it leverages – are still of interest to threat actors, along with variants and ported versions. Written by Andreas Klopsch, Matt Wixey, March 04, 2024, Threat Research. BYOVD (Bring Your Own Vulnerable Driver) is a class of attack in which threat actors drop known vulnerable drivers on a compromised machine and then exploit the bug(s) to gain ke...

Tony Lambert

Dissecting a Java Pikabot Dropper. Posted Mar 3, 2024 by Tony Lambert, 9 min read. In mid-February, TA577 experimented with a Java Archive (JAR) dropper to deliver Pikabot to their victims. In this post I’ll explore some static analysis of that dropper to show how we can get information from it. If you want to follow along, I’m working with this sample in MalwareBazaar: //bazaar.abuse.ch/sample/0a0e0d2f9daa0bad25c3defd69a3a6d96a6ac5f325a369761807c06887d3bd9f/. Triage the JAR: Our first stop ...

VMRay

Jason Reaves and Joshua Platt at Walmart

Anh Ho, Facundo Muñoz, and Marc-Etienne M.Léveillé at WeLiveSecurity

ESET researchers uncover strategic web compromise and supply-chain attacks targeting Tibetans. Anh Ho, Facundo Muñoz, Marc-Etienne M.Léveillé, 07 Mar 2024 • 23 min. read. ESET researchers discovered a cyberespionage campaign that, since at least September 2023, has been victimizing Tibetans through a targeted watering hole (also known as a strategic web compromise), and a supply-chain compromise to deliver trojanized installers of Tibetan language translation software. The attackers aimed to deploy m...