Analysis Notes

A place to jot down notes from my own malware analysis and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 14 – 2024 - MALWARE

This entry was automatically generated and posted to show the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that articles worth checking can be zapped through quickly. 4n6 itself can be found here.

MALWARE

Artem Baranov at A blog about rootkits research and the Windows kernel

Adam Goss

AK1001

Anthony Weems


Any.Run

April 4, 2024, 7 min read. Quickly Check if a Sample is Malicious with ANY.RUN’s Process Tree. You don’t always need an in-depth investig...

ASEC

AhnLab SEcurity intelligence Center (ASEC) has recently detected a malware strain being distributed by using the Google Ads tracking feature. The confirmed cases show that the malware is being distributed by disguising itself as an installer for popular groupware such as Notion and Slack. Once the malware is installed and executed, it downloads malicious files and payloads from the attacker’s server. Below is the list of the file names that have been discovered so far. Notion_software_x64_.exe S...

Recently, AhnLab SEcurity intelligence Center (ASEC) discovered the distribution of Rhadamanthys under the guise of an installer for groupware. The threat actor created a fake website to resemble the original website and exposed the site to the users using the ad feature in search engines. ASEC Blog has previously covered malware distributed through such ad features of search engines in the article titled “Hey, This Isn’t the Right Site!” Distribution of Malware Exploiting Google Ads Tracking [1...

Cyber 5W

Cyber 5W in Malware-Analysis, Reverse-Engineering. Experience Level required: Beginner. Objectives: In this blog, we will learn how to analyze and deobfuscate Javascript malware. 1st Sample: Let’s view the sample code. The code has obfuscation with ° and g0 spread throughout, so let’s remove them. We need to take care because g0 is being used here as a variable. So we will replace every g0 followed by ° with null to ensure that the variables named g0 will not be replaced. We need to do the same here w...

Dr Josh Stroschein

YouTube video

Dr. Ali Hadi at ‘Binary Zone’

Posted on 5 April 2024 by [email protected]. Last week’s Friday Giveaway was the C5W Certified Malware Analysis Course, which can be found here. This is an amazing course for those interested in doing Malware Analysis and it has over 45 hands-on labs. These are instructional and guided labs to help the reader not only do malware analysis, but understand what they are actually doing. To win the course, you have to retweet my post (last week’s post is here) and that’s it. I do not require you to follo...

Posted on 5 April 2024 by [email protected] In the past, I used to maintain a Google Doc with all the tools I use or recommend for my students to use for Malware Analysis. A couple of days ago, while doing a Malware Analysis workshop for NW3C, I was asked if I can share my Google Doc and I definitely do not mind doing that. This is where I thought it would be much better to create a GitHub repo and move everything to it. So I used a tool to convert my Google Doc to Markdown and then created the ...

Posted on 5 April 2024 by [email protected]. Windows Sandbox is an amazing Windows feature that could be used for Malware Analysis. In order to install it you’ll need to follow this blog post here by Microsoft. One thing about this Sandbox is that everything is ephemeral, which means once you close the sandbox or power it off, all the files, changes, applications, etc. will be gone. So, in order to set up your Malware Analysis lab every single time, you’ll have to do one of two things: (1) Go t...

Pei Han Liao at Fortinet

By Pei Han Liao | April 04, 2024. Affected Platforms: Microsoft Windows. Impacted Users: Microsoft Windows. Impact: The stolen information can be used for future attacks. Severity Level: High. In January 2024, FortiGuard Labs collected a PDF file written in Portuguese that distributes a multi-functional malware known as Byakugan. While investigating this campaign, a report about it was published. Therefore, this report will only provide a brief analysi...

Anuradha and Preksha at McAfee Labs

Distinctive Campaign Evolution of Pikabot Malware. McAfee Labs, Apr 02, 2024, 10 min read. Authored by Anuradha and Preksha. Introduction: PikaBot is a malicious backdoor that has been active since early 2023. Its modular design consists of a loader and a core component. The core module performs the malicious operations, allowing for the execution of commands and the injection of payloads from a command-and-control server. The malware employs a code injector to decrypt and inject the core module into ...

One Night in Norfolk

April 3, 2024, norfolk. Throughout the past few months, several publications have written about a North Korean threat actor group’s use of NPM packages to deploy malware to developers and other unsuspecting victims. This blog post provides additional details regarding the second and third-stage malware in these attacks, which these publications have only covered in limited detail. A few good sources that showcase the progression of the security community’s understanding of this attack...

Penetration Testing Lab

Persistence – DLL Proxy Loading, by Administrator, in Persistence. DLL Proxy Loading is a technique in which an arbitrary DLL exports the same functions as the legitimate DLL and forwards the calls to the legitimate DLL so as not to disrupt the execution flow, so the binary executes as normal. The technique falls under the category of DLL Hijacking and is typically utilized as a stealthier method to load an arbitrary DLL without breaking ...
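The forwarding described above is normally done with PE export forwarders, which is what MSVC emits for `#pragma comment(linker, "/export:Func=legit_orig.Func")`: instead of pointing at code, the export's address entry points at a "dll.func" string stored inside the export directory itself. That property is also how you detect a proxy DLL during triage. The following is an added example, not code from the Penetration Testing Lab post: a stdlib-only Python parser that lists which named exports of a DLL are forwarded and where, together with a constructed minimal PE64 sample (one forwarded export, one implemented locally). The names version.dll, version_orig and GetFileVersionInfoW / VerQueryValueW in the sample are assumptions for illustration, not taken from the article.

```python
import struct

IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def forwarded_exports(data: bytes) -> dict:
    """Map each named export to its forwarder string ("dll.func") or None when it is local code."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", data, coff + 2)          # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)     # SizeOfOptionalHeader
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    # DataDirectory[0] (export table) sits at +112 in PE32+ and +96 in PE32
    dd = opt + (112 if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC else 96)
    exp_rva, exp_size = struct.unpack_from("<II", data, dd)
    if exp_rva == 0:
        return {}
    sections = []
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, rsize), raw))

    def rva_to_off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstring(rva):
        off = rva_to_off(rva)
        return data[off:data.index(b"\0", off)].decode("ascii")

    ed = rva_to_off(exp_rva)
    # IMAGE_EXPORT_DIRECTORY: Name, Base, NumberOfFunctions, NumberOfNames, AddressOf{Functions,Names,NameOrdinals}
    _name_rva, _base, nfuncs, nnames, aof, aon, aoo = struct.unpack_from("<IIIIIII", data, ed + 12)
    funcs = struct.unpack_from(f"<{nfuncs}I", data, rva_to_off(aof))
    names = struct.unpack_from(f"<{nnames}I", data, rva_to_off(aon))
    ordinals = struct.unpack_from(f"<{nnames}H", data, rva_to_off(aoo))
    result = {}
    for name_rva, ordinal in zip(names, ordinals):
        func_rva = funcs[ordinal]
        # A forwarder is recognised by its RVA pointing *inside* the export directory range
        inside = exp_rva <= func_rva < exp_rva + exp_size
        result[cstring(name_rva)] = cstring(func_rva) if inside else None
    return result


def forwarder_targets(exports: dict) -> set:
    """DLL names the forwarded exports point at; a proxy DLL forwards most of them to one renamed original."""
    return {t.split(".", 1)[0].lower() for t in exports.values() if t}


def build_sample_dll() -> bytes:
    """Constructed PE64 with one section holding an export directory (assumed names, not a real file)."""
    SEC_RVA, SEC_RAW = 0x1000, 0x200
    dll_name, n1, n2 = b"version.dll\0", b"GetFileVersionInfoW\0", b"VerQueryValueW\0"
    fwd = b"version_orig.GetFileVersionInfoW\0"          # forwarder string: <renamed original>.<function>
    funcs_off, names_off, ords_off, str_off = 0x28, 0x30, 0x38, 0x3C
    dll_rva = SEC_RVA + str_off
    n1_rva, n2_rva = dll_rva + len(dll_name), dll_rva + len(dll_name) + len(n1)
    fwd_rva = n2_rva + len(n2)
    section = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_rva, 1, 2, 2,
                          SEC_RVA + funcs_off, SEC_RVA + names_off, SEC_RVA + ords_off)
    section += struct.pack("<II", fwd_rva, 0x2000)          # ordinal 0 forwarded, ordinal 1 is code at 0x2000
    section += struct.pack("<II", n1_rva, n2_rva)           # AddressOfNames
    section += struct.pack("<HH", 0, 1)                     # AddressOfNameOrdinals (unbiased)
    section += dll_name + n1 + n2 + fwd
    export_size = len(section)                              # export directory covers the strings too
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)   # AMD64, 1 section, DLL|EXECUTABLE
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, SEC_RVA, export_size) # export DataDirectory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata", len(section), SEC_RVA, len(section), SEC_RAW, 0, 0, 0, 0, 0)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdr).ljust(SEC_RAW, b"\0") + section


if __name__ == "__main__":
    exports = forwarded_exports(build_sample_dll())
    for name, target in exports.items():
        print(f"{name:24s} -> {target or '<local code>'}")
    print("forwarder targets:", forwarder_targets(exports))
```

Point the parser at any DLL found in an application directory: a result where nearly every export is forwarded to a single DLL with a "_orig"-style name, while one or two exports resolve to local code, is the signature of the proxying described above.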

Plainbit

So Jeong Kim, 3 April 2024, 23 min read. Intro. On 22 February 2024, the detection of a malicious file named "반국가세력에 안보기관이 무력해서는 안된다.zip" ("Security agencies must not be powerless against anti-state forces.zip") was disclosed on Twitter. In this blog post we obtain that malware sample and analyse the LNK-file attack technique recently used by North Korean hacking groups. #APT #APT37 Filename: (안보칼럼) 반국가세력에 안보기관이 무기력해서는 안된다.zip MD5: 5127bf820b33e4491a93165cfdd25be4 zip-<lnk-<bat-<shellcode pic.twitter.com/K8X8Vqsy5z — Neo_C (@lightC07379408) February 22, 2024. Flow of the LNK attack. Overview diagram. Initial intrusion using the LNK: the archive "(안보칼럼) 반국가세력에 안보기관이 무력해서는 안된다.zip" contains an LNK file with the same file name. An LNK file, in order to link to an external program, holds the original target...
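The chain above (zip → lnk → bat → shellcode) starts in the LNK's StringData: RELATIVE_PATH and WORKING_DIR name the program the shortcut launches, and COMMAND_LINE_ARGUMENTS carry the dropper logic. As an added example, not code from the Plainbit post and not derived from the sample it analyses, here is a stdlib-only Python parser for the Shell Link format (MS-SHLLINK) that validates the header, skips the optional LinkTargetIDList and LinkInfo blocks, reads the string fields, and applies a few triage heuristics. The LNK it builds is constructed here (a cmd.exe target with whitespace-padded arguments that end in a .bat name) and is not the APT37 file; the heuristics and their thresholds are the author's assumptions.

```python
import re
import struct

# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk (mixed-endian GUID) layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
IS_UNICODE = 0x80
# StringData fields appear in this fixed order, each present only if its flag is set
STRING_FIELDS = (
    (0x04, "name"),
    (0x08, "relative_path"),
    (0x10, "working_dir"),
    (0x20, "arguments"),
    (0x40, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (relative_path, arguments, ...) of a Shell Link file."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, = struct.unpack_from("<I", data, 0x14)
    off = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (u16) followed by IDListSize bytes
        idlist_size, = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:                      # LinkInfoSize (u32) includes itself
        info_size, = struct.unpack_from("<I", data, off)
        off += info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, off)   # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        fields[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


SCRIPT_HOSTS = ("cmd.exe", "powershell", "mshta", "wscript", "cscript", "rundll32", "regsvr32")


def triage(fields: dict) -> list:
    """Assumed heuristics for dropper LNKs: script-host target, oversized or padded arguments, script payload."""
    findings = []
    target = (fields.get("relative_path", "") + " " + fields.get("working_dir", "")).lower()
    args = fields.get("arguments", "")
    if any(host in target for host in SCRIPT_HOSTS):
        findings.append("script-host target")
    if len(args) > 260:                            # beyond MAX_PATH the shortcut properties dialog hides the tail
        findings.append("oversized arguments")
    if re.search(r"\s{16,}", args):                # padding pushes the real command out of view
        findings.append("whitespace padding")
    if re.search(r"\.(bat|cmd|vbs|js|ps1|hta)\b", args, re.I):
        findings.append("script payload in arguments")
    return findings


def build_sample_lnk() -> bytes:
    """Constructed sample (not the real file): shortcut to cmd.exe with padded arguments launching a .bat."""
    flags = 0x08 | 0x20 | IS_UNICODE               # HasRelativePath | HasArguments | IsUnicode
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)   # FILE_ATTRIBUTE_ARCHIVE, SW_SHOWMINNOACTIVE
    rel_path = r"..\..\..\Windows\System32\cmd.exe"
    args = "/c " + " " * 300 + "start /min dropped.bat"

    def string_data(s):                            # CountCharacters (u16) + UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(rel_path) + string_data(args)


if __name__ == "__main__":
    fields = parse_lnk(build_sample_lnk())
    print("target   :", fields["relative_path"])
    print("arguments:", repr(fields["arguments"][:6]), "...", repr(fields["arguments"][-22:]))
    print("findings :", triage(fields))
```

Run it against the LNK extracted from a suspicious archive before opening anything else: the target and the full argument string come straight from the file, with no need to open it in Explorer, and any of the findings is reason to move the sample into an isolated analysis environment.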

.chm files are well known for opening Windows Help. However, attackers also insert scripts into .chm files and use them for malicious purposes. This article classifies the types of malicious .chm files and describes the analysis of sample files. Park Hyun Jae, 5 April 2024, 19 min read. 1. .chm Malware? 1-1) Overview: A .chm (Compiled HTML) file is a compiled HTML Help file, well known as Windows Help. It is a proprietary format created by Microsoft; a .chm file contains the HTML pages, images, table of contents and other navigation tools used to search and view the help file. Help files are mainly used for online help for software applications, training guides, interactive books and so on. .chm files are executed through the following program: hh.exe (Microsoft® HTML Help executable program) .ch...

ReversingLabs

Two newly discovered extensions on the VS Code Marketplace are designed to steal sensitive information, showing that open source attacks are expanding. Blog Author: Lucija Valentić, Software Threat Researcher, ReversingLabs. Read More...

In the last few years, there has been a dramatic rise (1300%) in supply chain attacks across multiple public repositories. ReversingLabs’ researchers have been monitoring them daily to detect malicious packages. After packages are detected, the team notifies admi...

SonicWall

By Security News, April 2, 2024. Overview: SonicWall Capture Labs threat research team has observed an updated variant of StrelaStealer. StrelaStealer is an infostealer malware known for targeting Spanish-speaking users and focuses on stealing email account credentials from Outlook and Thunderbird. StrelaStealer was reported in the wild in early November 2022. StrelaStealer has been updated with an obfuscation technique and an anti-analysis technique. Technical Analysis. MD5: 1E37C3902284DD865C20220A9EF8...

By Security News, April 3, 2024. Overview: The SonicWall Capture Labs threat research team has recently been tracking ransomware created using the Chaos ransomware builder. The builder appeared in June 2021 and has been used by many operators to infect victims and demand payment for file retrieval. The sample we analyzed led us to a conversation with the operator, who freely gave up the decryptor program. Infection Cycle: Upon initial infection, files on the system are encrypted and given a random fil...

By Security News, April 5, 2024. Overview: The SonicWall Capture Labs threat research team analyzed malware purporting to be a Java utility. It arrives as an installer for Java Access Bridge but ultimately installs the popular open-source cryptominer XMRig. Infection Cycle: The sample arrives as a Windows Installer package (.msi) file using the following file name: JavaAccessBridge-64.msi. Figure 1: Malware installer’s file properties showing Java Access Bridge. Upon execution, a typical installation...

By Security News, April 5, 2024. Overview: The SonicWall Capture Labs threat research team became aware of a couple of remote code execution vulnerabilities in JumpServer, assessed their impact and developed mitigation measures. JumpServer is an open-source bastion host and a professional operation and maintenance security audit system with a substantial presence in the China region. A bastion host is a specialized computer, intentionally exposed on a public network, designed to withstand attacks on ...

Sakthi Chandra at ZScaler

Exposing the Dark Side of Public Clouds - Combating Malicious Attacks on Workloads. Sakthi Chandra, Sr. Director, Product Marketing. April 02, 2024, 3 min read. Introduction: This article compares the cybersecurity strategies of a company that does not use Zscaler solutions with one that has...