Analysis Memo

A place for notes on malware I have tried analyzing and on anything that seems useful for analysis. This site uses Google Analytics.

4n6 Week 16 – 2024 - MALWARE

This entry was generated and posted automatically: it shows the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so that I can skim through them and pick the articles worth checking. 4n6 itself can be found here.

MALWARE

AK1001

Amit Tambe at F-Secure

Amit Tambe, 13.03.24, 7 min. read. Tags: Cyber Threat Landscape, Online scams, Online Security, Online Threats. Brief summary: elderly scams on the rise. Elderly scams targeting the senior citizens are on the rise. Among several ingenious schemes targeting the older population is a recent campaign called the “free wedding invite” scam. Fraudsters employ deceptive tactics through social media chats like WhatsApp, often involving fabricated wedding invitations. A malicious APK pretending to be a fa...

ASEC

AhnLab SEcurity intelligence Center (ASEC) has recently identified the distribution of a modified version of “mimeTools.dll”, a default Notepad++ plug-in. The malicious mimeTools.dll file in question was included in the package installation file of a certain version of the Notepad++ package and disguised as a legitimate package file. As shown in the image below, mimeTools is a module for conducting Base64 encoding and other tasks. It is included by default and does not require the user to add it...

Pupy is a RAT malware strain that offers cross-platform support. Because it is an open-source program published on GitHub, it is continuously being used by various threat actors including APT groups. For example, it is known to have been used by APT35 (said to have ties to Iran) [1] and was also used in Operation Earth Berberoka [2] which targeted online gambling websites. Recently, a malware strain named Decoy Dog was discovered, which is an updated version of Pupy RAT. Decoy Dog was used in at...

Luigino Camastra at Avast Threat Labs

by Luigino Camastra, April 18, 2024, 24 min read. Key Points: Avast discovered a new campaign targeting specific individuals through fabricated job offers. Avast uncovered a full attack chain from infection vector to deploying “FudModule 2.0” rootkit with 0-day Admin -> Kernel exploit. Avast found a previously undocumented Kaolin RAT, which, aside from standard RAT functionality, could change the last write timestamp of a selected file and load any received DLL binary from C&C server. We also believ...

Cyber 5W

Cyber 5W, in Malware-Analysis, Reverse-Engineering. Experience Level required: beginner. Objectives: In this blog we will learn how to analyze MS Office macro-enabled documents. 1st sample: 8d15fadf25887c2c974e521914bb7cba762a8f03b1c97a2bc8198e9fb94d45a5. 2nd sample: a9f8b7b65e972545591683213bb198c1767424423ecc8269833f6e784aa8bc99. 1st Sample: Let’s see the sample in VirusTotal. 37 of 63 security vendors detected this file as malicious. Let’s open the file. It uses a social engineering technique to pers...

DD

Fortinet

By Cara Lin and Vincent Li | April 16, 2024. Affected Platforms: TP-Link Archer AX21 (AX1800) Version 1.1.4 Build 20230219 or prior. Impacted Users: Any organization. Impact: Remote attackers gain control of the vulnerable systems. Severity Level: High. Last year, a command injection vulnerability, CVE-2023-1389, was disclosed and a fix developed for the web management interface of the TP-Link Archer AX21 (AX1800). FortiGuard Labs has devel...

By Jenna Wang | April 19, 2024. Affected platforms: All platforms where PyPI packages can be installed. Impacted parties: Any individuals or institutions that have these malicious packages installed. Impact: Leak of credentials, sensitive information, etc. Severity level: High. Vigilance is paramount in cybersecurity, especially when it comes to understanding and dissecting potentially malicious code. In this blog post, we'll delve into a piece of code...

G Data Security

04/15/2024, G DATA Blog. Many people make banking transactions online now. And since mobile devices are one of the most popular and convenient ways to shop and make payments, criminals are naturally drawn to this. A current example of a malware that specifically targets online banking shows how easy it is to fall for malware. Contents: Profiting off the trust of other people; Permissions galore; Target Demographic; Upload to Telegram; Security at stake. Mobile banking, while offering convenience...

Mohansundaram M and Neil Tyagi

Redline Stealer: A Novel Approach. McAfee Labs, Apr 17, 2024, 10 min read. Authored by Mohansundaram M and Neil Tyagi. A new packed variant of the Redline Stealer trojan was observed in the wild, leveraging Lua bytecode to perform malicious behavior. McAfee telemetry data shows this malware strain is very prevalent, covering North America, South America, Europe, and Asia and reaching Australia. Infection Chain: GitHub was being abused to host the malware file at Microsoft’s official account in the vcp...

Ghanashyam Satpathy and Jan Michael Alcantara at Netskope

Nithin Chenthur Prabhu

Tags: Malware Development, Ransomware, Rootkit Analysis. Posted April 16 2024 / Malware Development / Malware Analysis / DFIR. Malware Development, Analysis and DFIR Series - Part I. Updated on April 16 2024. 1137 words, 6 minutes read. Malware Development, Analysis and DFIR Series, Part I. Introduction: This will be a series focussed on developing malwares for ethical purposes only; the author is not liable for any damages caused. Before we begin, let’s know about a few things. What is a malware? Malwares are mal...

Securelist

Malware descriptions, 15 Apr 2024. Table of Contents: Revisiting the LockBit 3.0 builder files; The recent LockBit takedown and custom LockBit builds; Geography of the leaked LockBit builder-based attacks; A real-life incident response case involving a custom LockBit build; Preventive actions against ransomware attacks; Conclusion. Authors: Eduardo Ovalle, Francesco Figurelli, Cristian Souza, Ashley Muñoz. The previous Kaspersky research focused on a detailed analysis of the LockBit 3.0 builder leaked ...

Malware descriptions, 17 Apr 2024. Table of Contents: SoumniBot obfuscation: exploiting bugs in the Android manifest extraction and parsing procedure; Technique 1: Invalid Compression method value; Technique 2: Invalid manifest size; Technique 3: Long namespace names; What’s under the obfuscation: SoumniBot’s functionality; Conclusion; Indicators of compromise. Authors: Dmitry Kalinin. The creators of widespread malware programs often employ various tools that hinder code detection and analysis, and A...

APT reports, 18 Apr 2024. Table of Contents: Introduction; Initial dropper; Total Commander installer dropper; Memory-only CR4T implant; Memory-only Golang CR4T implant; Infrastructure; Victims; Conclusions; Indicators of Compromise. Authors: GReAT. Introduction: In February 2024, we discovered a new malware campaign targeting government entities in the Middle East. We dubbed it “DuneQuixote”; and our investigation uncovered over 30 DuneQuixote dropper samples actively employed in the campaign. These dropp...

Stephan Berger

14 Apr 2024. Table of Contents: Introduction; Loader; GO-Binary; Reversing; strace; Exploits; And the moral of the story is …; Outlook. Introduction: On a recent incident response case, a customer contacted us regarding their EDR detecting a crypto miner on a Linux endpoint. The identified malicious file, named 41hs1z, is accessible on VirusTotal. The folders and paths associated with each execution of the crypto miner may differ; however, here are some paths we encountered: /backup/files/excel/41hs1z /bac...

Denis Sinegubko at Sucuri

Quentin Roland at Synacktiv

Written by Quentin Roland - 19/04/2024 - in Pentest. Exploitation of Organizational Units (OUs) ACLs received comparatively little attention when it comes to the security analysis of domain objects permissions in Active Directory environments. Yet, their successful exploitation could lead to the compromise of all OU child objects, and thus to high-impact privilege escalation scenarios. Building upon the work of Petros Koutroumpis, this article will present how an attack based on the ma...

System Weakness

Lukas Stefanko at WeLiveSecurity

ESET researchers uncovered the eXotic Visit espionage campaign that targets users mainly in India and Pakistan with seemingly innocuous apps. Lukas Stefanko, 10 Apr 2024, 20 min. read. ESET researchers have discovered an active espionage campaign targeting Android users with apps primarily posing as messaging services. While these apps offer functional services as bait, they are bundled with open-source XploitSPY malware. We have named this campaign eXotic Visit and have tracked its activities f...

ZScaler

Atinderpal Singh, Reshad Adil Patuck, April 17, 2024 - 6 min read. ThreatLabz Research. Contents: Introduction; Key Takeaways; Activity Observed by Zscaler; Technical Analysis; Conclusion; Indicators Of Compromise (IOCs). Introduction: Recently, a zero-day command-injection vulnerability, assigned to CVE-2024-3400, was found in the Palo Alto Networks PAN-OS. It was assigned the maximum severity score of 10.0 and can be exploited by an unauthenticated user to run arbitrary commands on the ta...

Roy Tay, Sudeep Singh, April 17, 2024 - 19 min read. ThreatLabz Research. Contents: Introduction; Key Takeaways; Background; Attack Chain; Technical Analysis; Backdoor Details - Binary Analysis; Observed Commands; Infrastructure Details; OSINT Research; Conclusion; Zscaler Coverage; Indicators Of Compromise (IOCs); MITRE ATT&CK Framework; Appendix. Introduction: Beginning in March of 2024, Zscaler ThreatLabz observed a threat actor weaponizing a cluster of domains masquerading as legitimate IP scanner soft...