Analysis Notes

A place to note things from trying my hand at malware analysis, and things I thought might be useful for analysis. This site uses Google Analytics.

4n6 Week 22 – 2024 - MALWARE

This entry was automatically generated and posted to display the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 can be viewed here.

MALWARE

Any.Run

May 29, 2024, 3 min read. Vidar, Lumma, Atomic and Octo Delivered through GitHub, FileZilla. Researchers report about a new campaign that’s delivering a variety of malware, by exploi...

May 30, 2024, 7 min read. Understand Encryption in Malware: AES (Lu0Bot Example). AES (Advanced Encryption Standard) is a symmetric encryption algorithm. I...

ASEC

AhnLab SEcurity intelligence Center (ASEC) recently found that XMRig CoinMiner is being distributed through a game emulator. Similar cases were introduced in previous ASEC Blog posts multiple times as shown below. Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack Monero CoinMiner Being Distributed via Webhards XMRig CoinMiner Installed via Game Hacks 1. Distribution Channel The CoinMiner was found to be distributed on a website that provides a game emulator for a well-known ...

While monitoring the distribution sources of malware in Korea, AhnLab SEcurity intelligence Center (ASEC) recently found that the XWorm v5.6 malware disguised as adult games is being distributed via webhards. Webhards and torrents are platforms commonly used for the distribution of malware in Korea. 1. Overview Attackers normally use easily obtainable malware strains such as njRAT and UDP RAT and disguise them as normal programs including games or adult content for distribution. Similar cases we...

AhnLab SEcurity intelligence Center (ASEC) has recently discovered Andariel APT attack cases against Korean corporations and institutes. Targeted organizations included educational institutes and manufacturing and construction businesses in Korea. Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks. The threat actor probably used these malware strains to control and steal data from the infected systems. The attacks had malware strains identified in Andari...

Through a post titled “Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack” [1], AhnLab SEcurity intelligence Center (ASEC) previously disclosed an attack case in which a threat actor distributed RAT and CoinMiner to Korean users. Until recently, the attacker created and distributed various malware strains, such as downloaders, CoinMiner, RAT, Proxy, and AntiAV. Numerous systems in South Korea tend to become infected by malware strains that are distributed under the guise of c...

Alexey Bukhteyev at Check Point

Fareed Fauzi

Jun 01, 2024. Malware commonly uses hashing algorithms for various purposes, such as creating hashes, API hashing, obfuscating malicious code, and verifying the integrity of data. Some of the most commonly used hashing algorithms in malware include MD5, SHA-1, SHA-256, CRC32, and custom algorithms. In this blog, we will examine a few hashing algorithms from the perspectives of code development and reverse engineering compiled code. The purpose of this blog is to understand and identify ha...

Harfanglab

Jamf

Phishing for credentials: iOS pop-up deception through sideloaded apps. In this blog, Jamf Threat Labs showcases how malicious actors deceive users. By mimicking authentic Apple pop-up messages in the native iOS style, a false sense of security is created, prompting users to instinctively input their credentials. May 30 2024 by Jamf Threat Labs. Authors: Hu Ke and Nir Avraham. Phishing, an ever-looming threat, continues to prevail as the most effective method for attackers, with mobile ...

Kandji

Csaba Fitzl, Principal macOS Security Researcher, May 22, 2024, 14 min read. CVE-2023-40424 is a vulnerability that allows a root-level user to create a new user with a custom Transparency Consent and Control (TCC) database in macOS, which can then be used to access other users’ private data. First discovered back in 2022, the vulnerability was fixed by Apple in 2023 in macOS Sonoma’s initial release. But it was not fixed in earlier versions of macOS—one more reason users and admins shou...

Adam Kohler & Christopher Lopez, May 29, 2024, 8 min read. Since our initial report about the Cuckoo malware, there have been some updates to its functionality and infection vector that we wanted to let the Apple security community know about. In a recent blog post, Alden Schmidt from Huntress reported that the malware authors had changed tactics for tricking users into downloading and installing Cuckoo, from hiding it in random shovelware to using a landing page tha...

Lumen

Black Lotus Labs, Posted On May 30, 2024. Executive Summary: Lumen Technologies’ Black Lotus Labs identified a destructive event, as over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP). The incident took place over a 72-hour period between October 25-27, rendered the infected devices permanently inoperable, and required a hardware-based replacement. Public scan data confirmed...

McAfee Labs

Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud McAfee Labs May 31, 2024 7 MIN READ Authored by Dexter Shin Many government agencies provide their services online for the convenience of their citizens. Also, if this service could be provided through a mobile app, it would be very convenient and accessible. But what happens when malware pretends to be these services? McAfee Mobile Research Team found an InfoStealer Android malware pretending to be a government ag...

Mohamed Adel

Mohamed Adel included in Malware Analysis 2023-09-12 3757 words 18 minutes Contents Introduction Analysis Identifying the sample. Ransomware running options. Command Line and Configuration Parsing Debugging issues Preparing the environment Gather victim info. Privilege Escalation (UAC Bypass) More preparation: elevated Child process to continue Delete Shadow Copies Delete Event logs. Kill Targeted Services & Processes Encryption Mechanism Config Extractor YARA IOCs MITRE ATT&CK References Introd...

Mohamed Adel included in Malware Analysis 2023-09-12 5499 words 26 minutes Contents Introduction Analysis Sample Unpacking It is RedLine! C2 server decryption Malware Configuration Malware Core Geo location harvester and filter Real Stealer Action Collecting Victim machine Information Collect Installed Browsers Capture Installed Programs and Firewall services. Capture Running Processes Screenshot capturer Steal Telegram Data Steal Browsers Data File Grabber Steal FTP credentials Steal Crypto Wal...

Phylum

On May 24, 2024, Phylum’s automated risk detection platform alerted us to a suspicious publication on npm. The package in question is called glup-debugger-log and was published with two obfuscated files that worked together; one worked as a kind of initial dropper setting the stage for the malware campaign by compromising the target machine if it met certain requirements, then downloading additional malware components, and the other script providing the attacker with a persistent remote access m...

ptwistedworld

Andy74 at Secjuice

Ax Sharma at Sonatype

May 29, 2024 By Ax Sharma 7 minute read time Sonatype has discovered 'pytoileur', a malicious PyPI package hiding code that downloads and installs trojanized Windows binaries capable of surveillance, achieving persistence, and crypto-theft. Our discovery of the malware led us to probe into similar packages that are part of a wider, months-long "Cool package" campaign. Pytoileur: a 'Cool package.' Yesterday, our automated malware detection engines, the force behind Sonatype Repository Firewall, f...

Sucuri

Suraj Yadav

Basic Binary Analysis in Linux. Posted May 26, 2024 By Ken Kaneki, 7 min read. Practical Binary Analysis Book authored by Dennis Andriesse covers all major binary analysis topics in an accessible way, from binary formats, disassembly, and basic analysis to advanced techniques like binary instrumentation, taint analysis, and symbolic execution. This blog covers the concepts and exercises from Chapter 5 of the book, focusing on basic binary analysis in Linux. The author uses a CTF challenge ...

ThreatFabric

29 May 2024. In October 2023 we posted our research about the notorious surveillance framework LightSpy2. In our research, we proved with a high degree of confidence that both implants for Android and iOS came from the same developer and shared the same network infrastructure, but also that they were just a small part of a larger framework. At the moment of that publication, we knew that the framework was supposed to contain implants for at least four more platforms: Windows, macOS, Linux...

ZScaler

HIMANSHU SHARMA, GAJANAN KHOND. May 27, 2024 - 7 min read. Threatlabz Research. Contents: Introduction, Key Takeaways, Overview, Technical Analysis, Google Play Store Trends, Conclusion, Zscaler Coverage, MITRE ATT&CK Techniques, Indicators Of Compromise (IOCs). Introduction: At Zscaler ThreatLabz, we regularly monitor the Google Play store for malicious applications. Over the past few months, we identified and analyzed more than 90 malicious applications uploaded to the Google Play store. These ...

THREATLABZ. May 30, 2024 - 6 min read. Threatlabz Research. Contents: Introduction, Key Takeaways, Technical Analysis, Conclusion, Zscaler Coverage, Indicators Of Compromise (IOCs). Introduction: Smoke (a.k.a. SmokeLoader or Dofoil) is a malware loader that has been operational since 2011. Smoke is primarily used to deliver second-stage malware payloads including various trojans, ransomware, and information stealers. In addition, Smoke can deploy its own custom plugins that extend its funct...