Analysis Notes

A place to jot down notes from trying out malware analysis and anything that seems useful for analysis. This site uses Google Analytics.

4n6 Week 27 – 2024 - MALWARE

This entry was generated and posted automatically: it shows the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MALWARE

ASEC

AhnLab SEcurity intelligence Center (ASEC) recently discovered a case where an unidentified threat actor exploited a Korean ERP solution to carry out an attack. After infiltrating the system, the threat actor is believed to have attacked the update server of a specific Korean ERP solution to take control of systems within the company. In another attack case, a vulnerable web server was attacked to distribute malware. The targets of these attacks have been identified as the Korean defense and man...

The blog post “Linux Defense Evasion Techniques Detected by AhnLab EDR (1)” [1] covered methods where the threat actors and malware strains attacked Linux servers before incapacitating security services such as firewalls and security modules and then concealing the installed malware. This post will cover additional defense evasion techniques against Linux systems not covered in the past post. For example, methods of concealing malware include having the running malware delete itself to not be no...

HTTP File Server (HFS) is a program that provides a simple type of web service. Because it can provide web services with just an executable file without having to build a web server, it is often used for sharing files, allowing users to connect to the address through web browsers and easily download files. [Figure 1. HFS used for sharing files] Because HFS is exposed to the public in order to enable users to connect to the HFS web server and download files, it can be a target for external attacks ...

This report is a summarized version of “Analysis Report of Kimsuky Group’s HappyDoor Malware” introduced in AhnLab Threat Intelligence Platform (TIP), containing key information for analyzing breaches. The report in AhnLab TIP includes deta...

Baris Dincer

Ricardo Pineda, Jr. and Arvin Bandong at G Data Security

07/05/2024, G DATA Blog. Turla, a well-known piece of malware, has taken to weaponising LNK-files to infect computers. We have observed a current example of this. Learn more about the details in this article! An analysis by Ricardo Pineda, Jr. and Arvin Bandong. Introduction: A shortcut file is a handle in a user interface that allows the user to execu...

Arunkumar at K7 Labs

Posted by Arunkumar, July 2, 2024. Kematian Stealer forked from PowerShell Token Grabber. Stealers are a widespread threat providing threat actors with access to a wealth of sensitive data which is then exfiltrated to them for further abuse. Kematian Stealer, a PowerShell based tool, is one such sophisticated malware. Recently we came across a tweet about Kematian Stealer. It was a PowerShell based Token-Grabber. Figure 1: Execution_Flow B...

Riley Porter and Mark Lim at Palo Alto Networks

By Riley Porter and Mark Lim. Published 3 July, 2024 at 3:00 PM PDT. Categories: Malware, Threat Research. Tags: Anti-analysis, Evasion, GootLoader, Memory detection, Sandbox evasion. Executive Summary: This article shows how to circumvent anti-analysis techniques from GootLoader malware while using Node.js debugging in Visua...

Alex Delamotte at SentinelOne

Alex Delamotte / July 1, 2024. Executive Summary: SentinelLabs has identified four new CapraRAT APKs associated with suspected Pakistan state-aligned actor Transparent Tribe. These APKs continue the group’s trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans. The overall functionality remains the same, with the underlying code updated to better suit modern Android devices. Overview: Transparent Tribe...

Ben Martin at Sucuri

System Weakness

Zhassulan Zhussupov

﷽ Hello, cybersecurity enthusiasts and white hackers! In the previous examples we created a simple Proof of Concept of using legit C2-connections via Telegram Bot API, VirusTotal API for “stealing” simplest information from victim’s Windows machine. What about next legit application: Discord and its Bot API feature? Practical example: Many of you may think that I am simply copying the same code, please note that this is only for understanding the concepts. First of all create Dis...

ZScaler

ThreatLabz, July 02, 2024. Introduction: In this two-part blog series, we explore the evolution of SmokeLoader, a malware downloader that has been active since 2011. In Part 1, we explored early versions of SmokeLoader, from its initial rudimentary framework to its adoption of a ...