Analysis Notes

A place to jot down notes from trying my hand at malware analysis and anything that seems useful for analysis. This site uses Google Analytics.

4n6 Week 17 – 2024 - MALWARE

This entry was generated and posted automatically: it shows the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

0day in {REA_TEAM}


Any.Run

April 23, 2024 (News, 5 min read) Cybercriminals Exploit Google Ads to Spread IP Scanner with Concealed Backdoor. A new malicious a...

April 25, 2024 (Service Updates, 6 min read) Find Malware by File Contents with YARA Search: Our New Threat Intelligence Service...

April 27, 2024 (News, 6 min read) New Redline Version: Uses Lua Bytecode, Propagates Through GitHub. A new packed Redline version was found in t...

ASEC

AhnLab SEcurity intelligence Center (ASEC) has recently identified the distribution of phishing files identical to Korean portal website login screens. Cases impersonating multiple Korean portal websites, logistics and shipping brands, and webmail login pages have been very common in the past.* In the left/right comparison images used in this post, the left side shows the phishing page and the right side shows the normal page. Figure 1. Phishing page (left) and normal Naver login page (right) ...

AhnLab SEcurity intelligence Center (ASEC) has discovered an Infostealer strain made with Electron. Electron is a framework that allows one to develop apps using JavaScript, HTML, and CSS. Discord and Microsoft VSCode are major examples of applications made with Electron. Apps made with Electron are packaged and usually distributed in Nullsoft Scriptable Install System (NSIS) installer format. The threat actor in this attack case applied this installer format to the malware. [1] Case #1 When one...

Jan Rubín and Milánek at Avast Threat Labs

by Jan Rubín and Milánek, April 23, 2024, 50 min read. Key Points: Avast discovered and analyzed a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers. Avast disclosed the vulnerability to both eScan antivirus and India CERT. On 2023-07-31, eScan confirmed that the issue was fixed and successfully resolved. The campaign was orchestrated by a threat actor with possible ties to Kimsuky. Two different types of backdoors have been discovered, targeting large ...

CTF导航

Practical debugging of Ghidra code and Ghidra scripts. In this section we will learn how to debug Ghidra functionality in Eclipse. First, we will review how to develop scripts and how to debug them. Then we will show how to debug any component of Ghidra through source-code debugging. Debugging Ghidra scripts with Eclipse: to debug a Ghidra script, you first need to create a new Ghidra project using the GhidraDev option in the Eclipse IDE menu bar. To do this, click GhidraDev -> New -> Ghidra Script Project…, then choose the project name you want. Name it GhidraScripts, the default name. Figure 1 – Creating a Ghidra script project. After clicking "Next", select the scripts you have already developed to add them to the project (the example path is C:\Users\virusito\ghidra_scripts); you can also choose scripts that are already included in the Ghidra installation path. Figure 2 – Configuring the new Ghidra script project. Select the Ghidra installation path configured earlier through GhidraDev by navigating to Preferences in the GhidraDev menu and selecting Ghidra Installations. Here you can also...

Dr Josh Stroschein – The Cyber Yeti

YouTube video

Elastic Security Labs

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part One. Part one: Introduction to REMCOS and diving into its initialization procedure (11 min read, Malware analysis). In the first article in this multipart series, malware researchers on the Elastic Security Labs team give a short introduction about the REMCOS threat and dive into the first half of its execution flow, from loading its configuration to cleaning the infected machine web browsers. Introduction. Elastic Security La...

Esentire

Apr 12, 2024: Building an Effective Threat Hunting Program for Proactive Cyber Defense. Apr 11, 2024: Don't Take the Bait: The XWorm Tax Scam. Security Advisories, Apr 25, 2024: Two Cisco Zero-Day Vulnerabilities Exploited. The Threat: On April 24th, Cisco, in coordination with the Canadian Center for Cyber Security (CCCS), th...

Anna Lvova at G Data Security

04/22/2024, G DATA Blog. Infostealers are one of the most lucrative types of malware employed by criminals. And because this is a tried and tested approach, there are still new players entering this illegal game. The new kid on the block is called "Sharp Stealer", and one of its favourite targets are gamers. Sections: Revealing the True Nature of Sharpil RAT; Sharp Project and Sharp Stealer; Why the focus on gaming?; Takeaways; IoC. Criminals on the whole are a rather conservative bunch and pref...

Jay Kurup at Morphisec

Posted by Jay Kurup on April 24, 2024. Morphisec has successfully identified and prevented a new variant of IDAT loader. This loader is used to deliver a range of malware payloads based on the attacker's assessment of the victim's system. Distinguished by its modular architecture, IDAT employs unique features like code injection and execution modules, setting it apart from conventional loaders. Morphisec customers are protected against this threat. Attack Name: New variant of IDAT Loader Se...

Phylum

Back in November of 2023, we published a blog post highlighting the technical details of a sophisticated attack in npm attributed to North Korea. We subsequently published a follow-up in January of 2024 detailing the history of the attack and highlighting the broader context of North Korean APTs operating in open-source ecosystems. Since then, it’s been relatively quiet—until today. On 23 April 2024, Phylum’s automated risk detection platform flagged a few new publications belonging to this camp...

This is part of a series of posts examining the methods malicious Python code gains execution. If you haven't already, you'll likely want to start with the core concept of package spoofing. We're back at it, thinking like attackers that find ways to trick unsuspecting developers into running malware. Previous methods explored creating trojan functions and imports, which work well when the attack vector relies on victims running the infected code, but it isn't alw...

This is part of a series of posts examining the methods malicious Python code gains execution. If you haven't already, you'll likely want to start with the core concept of package spoofing. Calling a trojan function. This method is also maybe the most obvious: add additional code to existing functions. What easier way to gain code execution in Python than to write a function and let users call it! What better way to ensure users call that function than to modify ...

This is part of a series of posts examining the methods malicious Python code gains execution. Creating a functional package and hosting it on the Python Package Index (PyPI) is the foundation of most malicious Python packages. Making one that developers will actually want is hard. Malware authors know that proper R&D is essential to their success. Instead of research and development, it is much easier to ripoff and duplicate. It is trivial to take a known g...

The primary vector for malicious code running in software developer environments (e.g., local system, CI/CD runners, production servers, etc.) is software dependencies. This is third-party code which often means open-source software, also known as running code from strangers on the internet. The prized goal for attackers is arbitrary code execution. It’s the stuff high CVE scores are made of and often the topic of how vulnerabilities can turn into exploits. It’s...

SonicWall

By Security News, April 23, 2024. Overview: SonicWall Capture Labs threat research team has observed fileless .Net managed code injection in a native 64-bit process. Native code or unmanaged code refers to low-level compiled code such as C/C++. Managed code refers to code that is written to target .NET and will not work without the CLR (Microsoft .NET engine) runtime libraries. The injected code belongs to AgentTesla malware. Technical Analysis: The initial infection vector is a Word document that the...

Gabor Szappanos and Steeve Gaudreault at Sophos

Command-and-control wares try to sneak onto systems disguised as various vendors; payloads vary, but Sophos customers are protected. Written by Gabor Szappanos, Steeve Gaudreault, April 26, 2024. We are investigating a ransomware campaign that abuses legitimate Sophos executables and DLLs by modifying their original content, overwriting the entry-point code, and inserting the decrypted payload as a resource – in other words, impers...

Cesar Anjos at Sucuri

Scott Nusbaum at TrustedSec

April 25, 2024. Loading DLLs Reflections. Written by Scott Nusbaum (Malware Analysis). We're back with another post about common malware techniques. This time we're not talking about process hollowing. We are going to branch off and talk about the reflective loading of a DLL. This is a technique used to load a DLL into the memory of a process without having that DLL written to disk. A similar technique is used to load Beacon Object Files (BOF) or Common Object File Format (COFF) in memory. The goal of t...

Kaivalya Khursale at ZScaler

Kaivalya Khursale, April 24, 2024 - 11 min read, ThreatLabz Research. Introduction: Zscaler ThreatLabz researchers recently encountered a significant number of websites associated with fraudulent activities being hosted on popular web hosting and blogging platforms. Threat actors intentionally create these sites to spread ...