Analysis Notes

A place where I note things from analyzing malware and things I thought might be useful for analysis. This site uses Google Analytics.

4n6 Week 18 – 2024 - MALWARE

This entry was automatically generated and posted to display the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that articles worth checking can be skimmed quickly. The 4n6 post itself can be found here.

MALWARE

0ffset Training Solutions

Identifying Cross References with Capstone Disassembler and PEFile. Malware Analysis, Reverse Engineering. MalwareGuy, 30th April 2024. In this post, I will explain how you can locate cross references programmatically using Python modules that are generally helpful in reverse engineering. As you can see, this will be my first post on 0ffset, and I had gotten the idea to write about this after gaining inspiration from 0verfl0w’s post on using Capstone and Unicorn to resolve stack string...

Artem Baranov

Alex.Turing, Acey9, and heziqian at XLab

Playing Possum: What's the Wpeeper Backdoor Up To? Alex.Turing, Acey9, heziqian. April 29, 2024. Summary: On April 18, 2024, XLab's threat hunting system detected an ELF file with zero detections on VirusTotal being distributed through two different domains. One of the domains was marked as malicious by three security firms, while the other was recently registered and had no detections, drawing our attention. Upon analysis, we confirmed that this ELF was malware targeting Android systems,...

BI.Zone

Mostafa Farghaly at Cyber 5W

Unpacking Malware Manually. Cyber 5W, Apr 29, 2024. Malware-Analysis, Reverse-Engineering. Objectives: In this blog post, we will go through a famous packing technique, which is the use of VirtualAlloc and VirtualProtect to decrypt data in memory and execute it, and how to unpack it manually. We are going to apply it to the Death Ransomware malware. Introduction: What is packed malware? Packed malwa...

Elastic Security Labs

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Two. Part two: Diving into REMCOS recording capabilities, launch, and C2 communication. Malware analysis. In the previous article in this series on the REMCOS implant, we shared information about execution, persistence, and defense evasion mechanisms. Continuing this series, we’ll cover the second half of its execution flow and you’ll learn more about REMCOS recording capabilities and communication with its C2. St...

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Three. Part three: Configuration and commands. Malware analysis. In previous articles in this multipart series, malware researchers on the Elastic Security Labs team analyzed REMCOS execution flow, detailing its recording capabilities and its communication with C2. In this article, you’ll learn more about REMCOS configuration structure and its C2 commands. The configuration: In this section, we provide a comprehe...

Esentire

Apr 22, 2024: FakeBat Malware Distributing via Fake Browser Updates. Security Advisories, Apr 25, 2024: Two Cisco Zero-Day Vulnerabilities Exploited. The Threat: On April 24th, Cisco, in coordination with the Canadian Center for Cyber Security (CCCS), the Australian Cyber Security Centre (ACSC), and the National Cyber Securi...

Cara Lin and Vincent Li at Fortinet

By Cara Lin and Vincent Li | May 01, 2024. Affected Platforms: D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier. Impacted Users: Any organization. Impact: Remote attackers gain control of the vulnerable systems. Severity Level: High. In April, FortiGuard Labs observed a new botnet targeting a D-Link vulnerability from nearly a decade ago, CVE-2015-2051. This vulnerability allows remote attackers to execute arbitr...

Google Cloud Threat Intelligence

April 30, 2024, Bernardo Quintero. Executive Summary: A growing amount of malware has naturally increased workloads for defenders and particularly malware analysts, creating a need for improved automation and approaches to dealing with this classic threat. With the recent rise in generative AI tools, we decided to put our own Gemini 1.5 Pro to the test to see how it performed at analyzing malware. By providing code and using...

Kelvin Winborne

Swachchhanda Shrawan Poudel at Logpoint

By Swachchhanda Shrawan Poudel | May 1st, 2024. Fast Facts: Kapeka, also known as KnuckleTouch, originally appeared in mid-2022 but was formally tracked in 2024 due to limited-scope attacks, particularly in Eastern Europe. The Kapeka backdoor is linked to the Sandstorm Group, which is run by Russia’s Military Unit 74455 and is notorious for disrupting cyber activity. Sandstorm’s operations, including Kapeka’s deployment, are tied to geopolitical tensions, speci...

Nithin Chenthur Prabhu

Malware Development, Analysis and DFIR Series - Part II. Posted May 5, 2024 / Malware Development / Malware Analysis / DFIR. Introduction: In this blog, we will cover the important topics in x86 assembly. It’s not really a language; it doesn’t have a higher level of abstraction, or almost no abstraction at all. It’s basically machine code that is in hu...

OALABS Research

Extracting hitchhikers from this 10 year old file infector. Apr 28, 2024. cosmu, fileinfector. Overview: This is a file infector that has been propagating for almost ten years. With each propagation it collects a new "infected" file. We are going to write a small extractor script to pull out all the files. Samples: 225715681d8cdf51c5f178e4f4cc67c05608e44cb3d625c108f92caebe4d719b UnpacMe 00e0ea6fa8a039786efa9457bbb9b6f13398c256a9bc0eeb71392c2b665...

S2W Lab

SonicWall

By Security News, April 29, 2024. Overview: The SonicWall Capture Labs threat research team has been regularly sharing information about malware targeting Android devices. We’ve encountered similar RAT samples before, but this one includes extra commands and phishing attacks designed to harvest credentials. This malware uses famous Android app icons to mislead users and trick victims into installing the malicious app on their devices. This malicious app uses any of the following icons: Figure 1: The ...

By Security News, April 30, 2024. Overview: This week the SonicWall Capture Labs threat research team came across a sample purporting to be Windows Explorer. At a glance, everything checks out – it uses the legitimate Windows Explorer icon and the file properties say Microsoft – but, once executed, it installs and runs a crypto miner. Infection Cycle: The sample arrives as a Windows executable file using the following icon and bearing these file properties: Figure 1: Malware installer’s file propertie...

Ben Martin at Sucuri

Mike Blinkman at System Weakness

Bernardo Quintero at VirusTotal

Mastering VirusTotal: Certification Course ...

VMRay

Zhassulan Zhussupov

Malware development trick 38: Hunting RWX - part 2. Target process investigation tricks. Simple C/C++ example. ﷽ Hello, cybersecurity enthusiasts and white hackers! In one of my previous posts, I described a process injection method using RWX-memory searching logic. Today, I will apply the same logic, but with a new trick. As you remember, the method is simple: we enumerate the presently running target processes on the victim’s system, scan through their allocated memory blocks to ...

Santiago Vicente at ZScaler

Santiago Vicente, Staff Security Researcher. April 29, 2024. ThreatLabz Research. Introduction: Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular trojan based on leaked ZeuS source code. As detailed in our previous blog, Zloader reemerged following an almost two-year hiatus with a new iteration that included modifications to its obfuscation te...