4n6 Week 19 – 2024 - MALWARE
This entry was auto-generated and posted to show the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that you can skim through and pick the articles to check. 4n6 itself can be viewed here.
MALWARE
0day in {REA_TEAM}
0xdf hacks stuff
May 7, 2024. HTB: Napper (gftrace). gftrace is a command line Windows tool that will run a Go binary and log all the Windows API calls made as it runs. Having just finished solving Napper from HackTheBox a few days before learning of this tool, it seems obvious to try to apply it to the Go binary from that box. I’ll also give a brief overview of how it works, walking through the source code from GitHub. Overall, the tool is a bit raw,...
May 9, 2024. HTB: Einladen (mso.dll RE). In the Einladen Sherlock, there’s an HTA file that drops a Microsoft signed legit executable, two DLLs, and a PDF. I’m able to use the PCAP and Procmon data to figure out where to go next, without reverse-engineering the malware. In the embedded YouTube video, I’ll dive into the DLL side-load, how the binary...
ASEC
AhnLab SEcurity intelligence Center (ASEC) has confirmed the continuous distribution of shortcut files (.LNK) of abnormal sizes that disseminate backdoor-type malware. The recently confirmed shortcut files (.LNK) are found to be targeting South Korean users, particularly those related to North Korea. The confirmed LNK file names are as follows: National Information Academy 8th Integrated Course Certificate (Final).lnk Gate access roster 2024.lnk Northeast Project (US Congressional Research Ser...
AhnLab SEcurity intelligence Center (ASEC) has recently discovered circumstances of a CHM malware strain that steals user information being distributed to Korean users. The distributed CHM is a type that has been constantly distributed in various formats such as LNK, DOC, and OneNote in the past. A slight change to the operation process was observed in the recent samples...
AhnLab SEcurity intelligence Center (ASEC) has discovered evidence of a malware strain being distributed to web servers in South Korea, leading users to an illegal gambling site. After initially infiltrating a poorly managed Windows Internet Information Services (IIS) web server in Korea, the threat actor installed the Meterpreter backdoor, a port forwarding tool, and an IIS module malware tool. They then used ProcDump to exfiltrate account credentials from the server. IIS modules support expans...
AhnLab SEcurity intelligence Center (ASEC) has recently identified RemcosRAT being distributed using the steganography technique. Attacks begin with a Word document using the template injection technique, after which an RTF that exploits a vulnerability in the equation editor (EQNEDT32.EXE) is downloaded and executed. (Figure 1: A Word document containing an external link.) The RTF file downloads a VBScript with the “.jpg” file extension from the C2 and another VBScript from “paste.ee”, a service s...
Xusheng Li at Binary Ninja
Xusheng Li, 2024-05-02 (reversing). A while ago, I was working on adding support for Windows kernel debugging in our debugger. It did not take me long to make the typical two-machine remote kernel debugging work since we already have code to leverage the DbgEng API. The only difference for starting a kernel debugging session is to call AttachKernel instead of CreateProcess2. However, I was unable to quickly figure out how to start a local kernel debugging session. The documentation does not mention ...
CERT Polska
08 May 2024 | CERT Polska | #warning, #apt, #apt28. This week, the CERT Polska (CSIRT NASK) and CSIRT MON teams observed a large-scale malware campaign targeting Polish government institutions. Based on technical indicators and similarity to attacks described in the past (e.g. on Ukrainian entities), the campaign can be associated with the APT28 activity set, which is associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Technical analysis: The ...
Digital Daniela
Hello All! I worked on this TryHackMe room where I performed signature based detection as part of malware analysis. CAPA is an open source tool from Mandiant that identifies the behavior of a piece of malware based on information like strings, mutexes, imports, or other artifacts. Here is a write up of what I did. How many matches for anti-VM execution techniques were identified in the sample? I first issued this command to get the CAPA tool started. Then under the "Capability" secti...
Hello all! I learned to use a tool called PE Tree in a TryHackMe room all about investigating portable executables. Here is the room - //tryhackme.com/r/room/dissectingpeheaders Here is my writeup! To start off I first went into the Samples directory, and then issued the command shown below. How many sections does the file Desktop\Samples\zmsuz3pinwl have? You need to wait for the command to run for 8 or so minutes. You then click on the yellow rectangle on the left titled "IMAGE_SEC...
Elastic Security Labs
Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four. Part four: Detections, hunts using ES|QL, and conclusion (8 min read, Malware analysis). In previous articles in this multipart series [1] [2] [3], malware researchers on the Elastic Security Labs team decomposed the REMCOS configuration structure and gave details about its C2 commands. In this final part, you’ll learn more about detecting and hunting REMCOS using Elastic te...
Fortinet
By Pei Han Liao | May 07, 2024. Affected Platforms: Microsoft Windows. Impacted Users: Microsoft Windows. Impact: The stolen information can be used for future attacks. Severity Level: High. Many game makers allow users to alter a game's appearance or behavior to increase its enjoyment and replay value. Players can often also download packages created by others. However, this is also a chance for attackers to distribute their malware. This article examin...
Connor Ford at LRQA Nettitude Labs
By Connor Ford | May 9, 2024. Qiling is an emulation framework that builds upon the Unicorn emulator by providing higher level functionality such as support for dynamic library loading, syscall interception and more. In this Labs post, we are going to look into Qiling and how it can be used to emulate an HTTP server binary from a router. The target chosen for this research was the NEXXT Polaris 150 travel router. The firmware was unpacked with binwalk which found a root fil...
Malware Musings
Posted by karl on 2024-05-06 in Malware Analysis, Reverse Engineering (tagged: malware analysis, Skill:Debugger:Ghidra, Skill:Debugger:x64dbg, Skill:MalwareAnalysis:Static, Skill:ReverseEngineering:Static, Tofsee). It’s about time I got some more technical content on my blog and after presenting at the Malware and Reverse Engineering Conference in February and seeing a presentation on Tofsee, I decided to do my own analysis of Tofsee. I downloaded a Tofsee sample (at least...
Yashvi Shah and Preksha Saxena at McAfee Labs
From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats. McAfee Labs, May 08, 2024, 10 min read. Authored by Yashvi Shah and Preksha Saxena. AsyncRAT, also known as “Asynchronous Remote Access Trojan,” represents a highly sophisticated malware variant meticulously crafted to breach computer systems security and steal confidential data. McAfee Labs has recently uncovered a novel infection chain, shedding light on its potent lethality and the various security bypass mechanisms it employs. It ...
Monty Security
James Chambers at NCC Group
Sifting through the spines: identifying (potential) Cactus ransomware victims
Phylum
This is part of a series of posts examining the methods by which malicious Python code gains execution. This blog series has already shown that the common infection method for most Python malware is allowing source distributions when installing packages. We’ve also seen most malware gain execution by running from the setup.py file. That’s old news and more likely to be noticed. Attackers want to be modern, too. Isn’t there a way they can gain arbitrary code execution with the pyp...
On May 10, 2024, Phylum’s automated risk detection platform alerted us to a suspicious publication on PyPI. The package was called requests-darwin-lite and appeared to be a fork of the ever-popular requests package with a few key differences, most notably the inclusion of a malicious Go binary packed into a large version of the actual requests side-bar PNG logo, which the author purported to be. The Attack: As mentioned earlier, this package is a fork of requests that uses a setuptools attri...
This is part of a series of posts examining the methods by which malicious Python code gains execution. This technique is more about avoiding detection by hiding in plain sight and leveraging other techniques already discussed to gain execution. Think of it as reducing the signal-to-noise ratio for the good guys looking to root out malware. Monitoring for new package publications (i.e., new versions) on the Python Package Index (PyPI) is common. Static analysis of source fi...
Dr. Anton Tkachenko at Promon
By Dr. Anton Tkachenko. Posted on May 8, 2024 2:06 pm. Generative AI could enable malicious actors to steal your source code — but only after passing one significant technical hurdle. Why code obfuscation is so important: In 2003, the Executive Vice Chairman of Cisco took a long flight from California to Shenzhen to speak with the CEO of Huawei, a budding telecommunications company. It wasn’t a friendly visit. Years earlier, Cisco had played an integral role in building the “Great Firewall,” China’s...
Phil Stokes at SentinelOne
May 9, 2024 by Phil Stokes. Infostealers targeting macOS devices have been on the rise for well over a year now, with variants such as Atomic Stealer (Amos), RealStealer (Realst), MetaStealer and others widely distributed in the wild through malicious websites, cracked applications and trojan installers. These past few weeks have seen a new macOS malware family appear that researchers have dubbed ‘Cuckoo Stealer’, drawing attention to its abilities to act both as an infostealer and as spyware...
System Weakness
Kevin Haubris at TrustedSec
May 02, 2024. XZ Utils Made Me Paranoid. Written by Kevin Haubris (Research, Security Testing & Analysis). On March 28, 2024, the news about the XZ Utils backdoor came out. Since then, I’ve been thinking about how we could identify these backdoors before packages are released or, at the very least, how to identify them after upgrades. After a week or so, I decided to try to write up a basic scanner to at least identify hooks in memory, which quickly turned into a much larger project than I expected. I...
Muhammed Irfan V A at ZScaler
Muhammed Irfan V A, Security Researcher II. May 06, 2024, 11 min read. ThreatLabz Research. Introduction: HijackLoader (a.k.a. IDAT Loader) is a malware loader initially spotted in 2023 that is capable of using a variety of modules for code injection and execution. It uses a modular architecture, a feature that most loader...