Cyberveilleby Decio
Nuage de tags
Mur d'images
Quotidien
Flux RSS
  • Flux RSS
  • Daily Feed
  • Weekly Feed
  • Monthly Feed
Filtres

Liens par page

  • 20 links
  • 50 links
  • 100 links

Filtres

Untagged links
page 1 / 6
116 résultats taggé Analysis  ✕
Bypassing Qakbot Anti-Analysis https://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/
27/03/2023 07:31:49
QRCode
archive.org

QakBot is a banking trojan that has been evolving since its first version was discovered in 2008. According to the 2022 report published by CISA, it was one of the most active variants in 2021, and during 2022 and so far in 2023 it has remained quite active. Taking a brief look at the latests news of QakBot it has been updating its tactics constantly, for example, using a Windows zero-day to avoid displaying the MoTW or the most recent one, using OneNote files to drop QakBot.

In this case we are particularly interested in the anti-analysis techniques used by QakBot during the early stages of its execution. These techniques can make malware analysis harder if they are not known, so learning to identify and bypass them is essential to get to see the malware’s operation at its full potential. Furthermore, there are techniques that can replicate / adopt different types of malware, so knowking them opens the door to the study of different samples.

lab52 EN 2023 Qakbot analysis anti-analysis techniques TTP
Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours https://securityintelligence.com/posts/patch-tuesday-exploit-wednesday-pwning-windows-ancillary-function-driver-winsock/
22/03/2023 21:39:20
QRCode
archive.org
thumbnail

Dive into the analysis and exploitation of a vulnerability in the Windows Ancillary Function Driver for Winsock for Local Privilege Escalation on Windows 11. More from X-Force Red experts.

securityintelligence EN 2023 PatchTuesday LPE Windows afd.sys CVE-2023-21768 exploit analysis reverseengineering
Prometei botnet improves modules and exhibits new capabilities in recent updates https://blog.talosintelligence.com/prometei-botnet-improves/
13/03/2023 20:51:59
QRCode
archive.org
thumbnail

The high-profile botnet, focused on mining cryptocurrency, is back with new Linux versions.

talosintelligence EN 2023 Prometei botnet analysis
A Noteworthy Threat: How Cybercriminals are Abusing OneNote https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/
08/03/2023 21:34:33
QRCode
archive.org
thumbnail

Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files.

trustwave EN 2023 Microsoft OneNote phishing malicious analysis
Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
01/03/2023 21:10:36
QRCode
archive.org
thumbnail

We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems.

trendmicro malware cyber-crime apt IronTiger SysUpdate analysis
Hunting for Honkbox | Multistage macOS Cryptominer May Still Be Hiding https://www.sentinelone.com/blog/hunting-for-honkbox-multistage-macos-cryptominer-may-still-be-hiding/
01/03/2023 21:07:29
QRCode
archive.org
thumbnail

A cryptominer that uses the Invisible Internet protocol, Honkbox variants could still be evading some detection solutions.

SentinelOne EN 2023 cryptominer Honkbox macos analysis
Lumma Stealer targets YouTubers via Spear-phishing Email | by S2W | S2W BLOG | Feb, 2023 | Medium https://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7
01/03/2023 20:57:15
QRCode
archive.org
thumbnail

Lumma Stealer sellers use the name “LummaC” on an underground forum called XSS, which is based in Russia. The seller has been actively promoting the malware since April 2022. In August of that year…

s2wblog EN 2023 LummaC Stealer analysis
PureCrypter targets government entities through Discord - Blog | Menlo Security https://www.menlosecurity.com/blog/purecrypter-targets-government-entities-through-discord/
27/02/2023 21:13:31
QRCode
archive.org
thumbnail

Menlo Labs has uncovered an unknown threat actor leveraging an evasive threat campaign distributed via Discord featuring the PureCrypter downloader and targeting government entities.

menlosecurity EN 2023 PureCrypter government Discord downloader analysis
TA569: SocGholish and Beyond https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond
27/02/2023 21:01:50
QRCode
archive.org
thumbnail
  • TA569 leverages many types of injections, traffic distribution systems (TDS), and payloads including, but not limited to, SocGholish.
  • In addition to serving as an initial access broker, these additional injects imply TA569 may be running a pay-per-install (PPI) service
  • TA569 may remove injections from compromised websites only to later re-add them to the same websites.
  • There are multiple opportunities for defense against TA569: educating users about the activity, using Proofpoint’s Emerging Threats ruleset to block the payload domains, and blocking .js files from executing in anything but a text editor.
proofpoint EN 2023 SocGholish threat-insight TA569 analysis
EXFILTRATOR-22 - An Emerging Post-Exploitation Framework https://www.cyfirma.com/outofband/exfiltrator-22-an-emerging-post-exploitation-framework/
27/02/2023 20:58:42
QRCode
archive.org
thumbnail

Executive Summary The CYFIRMA Research team has provided a preliminary analysis of a new post- exploitation framework called EXFILTRATOR-22 a.k.a....

cyfirma EN 2023 EXFILTRATOR-22 analysis post-exploitation framework
Havoc Across the Cyberspace https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace
15/02/2023 19:23:59
QRCode
archive.org
thumbnail

ThreatLabz observed a new campaign targeting a Government organization in which the threat actors utilized a new Command & Control (C2) framework named Havoc

zscaler EN 2023 ThreatLabz Havoc C2 analysis
Investigating Intrusions From Intriguing Exploits https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits
11/02/2023 18:49:46
QRCode
archive.org
thumbnail

On 02 February 2023, an alert triggered in a Huntress-protected environment. At first glance, the alert itself was fairly generic - a combination of certutil using the urlcache flag to retrieve a remote resource and follow-on scheduled task creation - but further analysis revealed a more interesting set of circumstances. By investigating the event in question and pursuing root cause analysis (RCA), Huntress was able to link this intrusion to a recently-announced vulnerability as well as to a long-running post-exploitation framework linked to prominent ransomware groups.

huntress EN 2023 investigation triage SOC certutil urlcache GoAnywhere analysis
Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations - ASEC BLOG https://asec.ahnlab.com/en/47088/
07/02/2023 20:18:03
QRCode
archive.org
thumbnail

Sliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and Metasploit are major examples of penetration testing tools used by many threat actors, and various attack cases involving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit.

The ASEC (AhnLab Security Emergency response Center) analysis team is monitoring attacks against systems with either unpatched vulnerabilities or misconfigured settings. During this process, we have recently discovered a Sliver backdoor being installed through what is presumed to be vulnerability exploitation on certain software. Not only did threat actors use the Sliver backdoor, but they also used the BYOVD (Bring Your Own Vulnerable Driver) malware to incapacitate security products and install reverse shells.

asec.ahnlab EN 2023 Sliver Sunlogin analysis
Malware-Traffic-Analysis.net - 2023-02-03 - DEV-0569 activity: Google ad --> FakeBat Loader --> Redline Stealer & Gozi/ISFB/Ursnif https://www.malware-traffic-analysis.net/2023/02/03/index.html
05/02/2023 10:46:32
QRCode
archive.org

NOTES:

Zip files are password-protected. If you don't know the password, see the "about" page of this website.
IOCs are listed on this page below all of the images.

malware-traffic-analysis EN 2023 analysis googleads DEV-0569 CPU-Z IoCs
‘InTheBox’ Web Injects Targeting Android Banking Applications Worldwide https://blog.cyble.com/2023/01/31/inthebox-web-injects-targeting-android-banking-applications-worldwide/?hss_channel=tw-1141929006603866117
31/01/2023 23:02:11
QRCode
archive.org
thumbnail

Cyble analyzes 'InTheBox' as part of its thorough research on Web Injects and their role in targeting Android Banking applications worldwide,

cyble EN 2023 analysis InTheBox Android Banking injection
Chinese PlugX Malware Hidden in Your USB Devices? https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/
29/01/2023 01:19:50
QRCode
archive.org
thumbnail

PlugX remains an active threat. A newly discovered variant infects USB devices and a similar variant makes copies of PDF and Microsoft Word files.

unit42 EN 2023 PlugX analysis
The Titan Stealer: Notorious Telegram Malware Campaign https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign
25/01/2023 20:37:26
QRCode
archive.org
thumbnail

The Uptycs threat research team discovered a Titan stealer malware campaign, which is marketed and sold by a threat actor (TA) through a Telegram channel.

uptycs EN 2023 Titan Stealer Campaign analysis IoCs
Following the LNK metadata trail https://blog.talosintelligence.com/following-the-lnk-metadata-trail/
24/01/2023 08:40:57
QRCode
archive.org
thumbnail

While tracking some prevalent commodity malware threat actors, Talos observed the popularization of malicious LNK files as their initial access method to download and execute payloads. A closer look at the LNK files illustrates how their metadata could be used to identify and track new campaigns.

talosintelligence EN 2023 LNK analysis metadata
Darth Vidar: The Dark Side of Evolving Threat Infrastructure https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure
23/01/2023 13:04:53
QRCode
archive.org
thumbnail

Summary Three key takeaways from our analysis of Vidar infrastructure: Russian VPN gateways are potentially providing anonymity for Vidar operators / customers, making it more challenging for analysts to have a complete overview of this threat. These gateways now appear to be migrating to Tor. Vidar operators appear to be expanding their infrastructure, so analysts need to keep them in their sights. We expect a new wave of customers and as a result, an increase of campaigns in the upcoming weeks

team-cymru EN 2023 Vidar infostealer analysis threat infrastructure VPN
Batloader Malware Abuses Legitimate Tools Uses Obfuscated JavaScript Files in Q4 2022 Attacks https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html
19/01/2023 20:11:10
QRCode
archive.org
thumbnail

We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader).

trendmicro EN 2023 Malware Batloader analysis
page 1 / 6
1185 links
Shaarli - Le gestionnaire de marque-pages personnel, minimaliste, et sans base de données par la communauté Shaarli - Theme by kalvn - Curated by Decio