CYBERSECURITY / DEFENSE / INTELLIGENCE

  • A botnet previously considered to be rendered inert has been observed enslaving end-of-life (EoL) small office/home office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless. “TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024,” the Black Lotus Labs team at Lumen


  • EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed “Operation FlightNight” targeting Indian government entities and energy companies. 

    The attackers, likely state-sponsored, leveraged a modified version of the open-source information stealer HackBrowserData to steal sensitive data.

    EclecticIQ identified that the attackers used Slack channels, a popular communication platform, as exfiltration points.

    These channels were named “FlightNight,” giving the operation its name.

    Data Breach:

    The attackers successfully infiltrated multiple government agencies responsible for communication, IT, and national defense.


    Private energy companies were also compromised; the stolen material included financial documents, employee information, and details of oil and gas drilling activities.

    A staggering 8.81 GB of data was exfiltrated, potentially aiding future intrusions.

    The attackers used a simple lure to get victims to install the malware.

    They sent emails disguised as invitations from the Indian Air Force.

    These emails carried an ISO file, which looks like a harmless disc image.

    When the victim opened the ISO, Windows mounted it and presented a shortcut file (LNK) disguised as a PDF document.

    Double-clicking that LNK launched the malware without the victim’s knowledge.

    The malware then exfiltrated confidential documents, private emails, and cached web browser data. 

    Figure: Malware infection chain in Operation FlightNight.
    Figure: Indian Air Force invitation decoy alongside the information stealer payload.

    The Malware’s Work:

    The stolen data included documents, emails, and browsing history.

    Instead of sending the stolen data directly to attacker-controlled servers, the malware uploaded it to channels on Slack, so that the traffic blended in with normal use of the platform and helped the attackers avoid detection.

    Figure: Overlaps between the new and the earlier malware campaign.

    The attackers modified an existing tool called HackBrowserData to add new features like document theft and communication through Slack.  

    Analysis of the code confirmed these modifications. 

    The malware also used a specific naming scheme for temporary files and targeted certain file types like documents and databases to steal data faster.

    Finding The Victims:

    The malware made a serious mistake by storing the keys needed to access and control the Slack channels directly in its code.

    EclecticIQ researchers found these keys and used them to access the Slack channels where the stolen data was uploaded.

    These channels gave the researchers:

    • A list of victims – who was targeted by the attack.
    • File paths – exactly where the stolen data came from on the victim’s computer.
    • Timestamps – when the data was stolen.
    • Download URLs – unique links that allow anyone holding the link to download the stolen data.

    A second mistake was that the attackers tested connectivity over their Slack workspaces.

    Those connectivity tests told the researchers even more about the attacker’s setup, including details of the Slack team and the bots used to communicate.
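    The hardcoded-key mistake is easy to check for in any sample. The script below is an added example written for this digest, not EclecticIQ’s tooling: it scans a constructed byte string standing in for a dumped binary for Slack token prefixes (xoxb bot, xoxp user, xoxa app, xoxr refresh, xoxs session) and incoming-webhook URLs, in both 8-bit and UTF-16LE encodings, because .NET assemblies store user strings as UTF-16LE. The token values in the sample are made up, and the segment-length limits in the regex are a heuristic.

```python
"""Pull hard-coded Slack tokens and webhook URLs out of a sample.

Added example; not EclecticIQ's tooling. SAMPLE is a constructed byte
string standing in for a dumped .NET/Go binary; the secrets in it are fake.
"""
import re
from typing import List, Tuple

# Real Slack prefixes (xoxb/xoxp/xoxa/xoxr/xoxs); segment lengths are a heuristic.
SLACK_TOKEN_RE = re.compile(r"xox[abprs]-[0-9A-Za-z]{6,}(?:-[0-9A-Za-z]{6,})+")
SLACK_WEBHOOK_RE = re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/_-]{20,}")

# (kind, value, byte offset in the sample, encoding it was found in)
Hit = Tuple[str, str, int, str]


def _scan_text(text: str, encoding: str, scale: int, base: int) -> List[Hit]:
    hits: List[Hit] = []
    for kind, rx in (("token", SLACK_TOKEN_RE), ("webhook", SLACK_WEBHOOK_RE)):
        for m in rx.finditer(text):
            hits.append((kind, m.group(), base + m.start() * scale, encoding))
    return hits


def extract_slack_secrets(blob: bytes) -> List[Hit]:
    """Scan raw bytes as 8-bit text and as UTF-16LE at both alignments.

    .NET assemblies keep user strings in the #US heap as UTF-16LE, so a plain
    `strings` pass misses them unless it is run in wide mode.
    """
    hits = _scan_text(blob.decode("latin-1"), "ascii", 1, 0)
    for shift in (0, 1):
        wide = blob[shift:]
        wide = wide[: len(wide) - len(wide) % 2]
        hits += _scan_text(wide.decode("utf-16-le", errors="replace"), "utf-16le", 2, shift)
    seen, unique = set(), []
    for h in sorted(hits, key=lambda h: h[2]):
        if h[1] not in seen:          # the same secret is reported once
            seen.add(h[1])
            unique.append(h)
    return unique


def redact(secret: str) -> str:
    """Log-safe form: keep the type prefix and the last four characters."""
    return secret[:5] + "..." + secret[-4:]


# Constructed sample: an 8-bit API URL and bot token, a UTF-16LE user token
# starting at an odd offset, and an incoming-webhook URL.
SAMPLE = (
    b"\x00\x10padding!\x00"
    + b"https://slack.com/api/files.upload\x00"
    + b"xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx\x00"
    + "xoxp-234567890123-2345678901234-ZyXwVuTsRqPoNmLkJiHgFeDc".encode("utf-16-le")
    + b"\x00https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\x00"
)

if __name__ == "__main__":
    for kind, value, offset, enc in extract_slack_secrets(SAMPLE):
        print(f"{offset:#08x} {enc:<8} {kind:<8} {redact(value)}")
```

    Only the redacted form belongs in a report; a hit is a live credential until the workspace owner or Slack revokes it.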

    Recommendation/Mitigation

    • Disable the “remember me” feature in web browsers and turn off automatic username completion.
    • Enable two-factor authentication (2FA), which adds a second verification code on top of the password at login.
    • Be cautious with ISO files received by email.
    • Enable command-line auditing to track suspicious activity related to LNK files, which can launch malware.
    • Watch for unusual amounts of data being sent to unknown Slack channels.
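    The last item in the list can be turned into a concrete detection. The script below is an added example, not part of the EclecticIQ report: it keeps a sliding-window count of requests and bytes sent to Slack’s file-upload methods (the legacy files.upload and the newer files.getUploadURLExternal) per source host, over constructed proxy-log lines in a simple "<iso-ts> <src> <method> <url> <bytes-out>" form. The ten-minute window and the two thresholds are assumptions to tune for your environment, and parse() is where your own proxy’s fields would be mapped in.

```python
"""Flag hosts pushing unusual volumes to Slack's file-upload endpoints.

Added example, not part of the EclecticIQ report. SAMPLE_LOG is constructed;
window and thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

UPLOAD_PATHS = ("/api/files.upload", "/api/files.getUploadURLExternal")
WINDOW = timedelta(minutes=10)
BYTES_THRESHOLD = 25 * 1024 * 1024   # 25 MiB sent within WINDOW (assumed)
COUNT_THRESHOLD = 3                  # uploads within WINDOW (assumed)

# Constructed proxy log: "<iso-ts> <src> <method> <url> <bytes-out>"
SAMPLE_LOG = """\
2024-03-05T09:01:10 10.1.4.22 GET  https://slack.com/api/conversations.list 310
2024-03-05T09:01:12 10.1.4.22 POST https://slack.com/api/chat.postMessage 1200
2024-03-05T09:03:40 10.1.4.57 POST https://slack.com/api/files.upload 9120000
2024-03-05T09:03:51 10.1.4.57 POST https://slack.com/api/files.upload 22400000
2024-03-05T09:04:02 10.1.4.57 POST https://slack.com/api/files.upload 6800000
2024-03-05T09:04:15 10.1.4.57 POST https://slack.com/api/files.upload 14100000
2024-03-05T09:05:30 10.1.4.22 POST https://slack.com/api/files.upload 450000
2024-03-05T11:20:00 10.1.4.57 POST https://slack.com/api/files.upload 3000000
"""


def parse(line: str) -> Tuple[datetime, str, str, str, int]:
    ts, src, method, url, nbytes = line.split()
    return datetime.fromisoformat(ts), src, method, url, int(nbytes)


def is_slack_upload(method: str, url: str) -> bool:
    """POST to slack.com or a *.slack.com host on a known upload path."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    on_slack = host == "slack.com" or host.endswith(".slack.com")
    return method == "POST" and on_slack and any(u.path.startswith(p) for p in UPLOAD_PATHS)


def find_bulk_uploaders(log_text: str, window: timedelta = WINDOW,
                        bytes_threshold: int = BYTES_THRESHOLD,
                        count_threshold: int = COUNT_THRESHOLD) -> Dict[str, Tuple[datetime, int, int]]:
    """Sliding window per source host. Returns {src: (window_start, uploads, bytes)}
    for the heaviest window that crossed either threshold."""
    events: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, method, url, nbytes = parse(line)
            if is_slack_upload(method, url):
                events[src].append((ts, nbytes))
    alerts: Dict[str, Tuple[datetime, int, int]] = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # drop events older than WINDOW
                start += 1
            count = end - start + 1
            total = sum(b for _, b in evs[start:end + 1])
            if count >= count_threshold or total >= bytes_threshold:
                if src not in alerts or total > alerts[src][2]:
                    alerts[src] = (evs[start][0], count, total)
    return alerts


if __name__ == "__main__":
    for src, (since, count, total) in find_bulk_uploaders(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} Slack uploads, {total / 1e6:.1f} MB since {since:%H:%M:%S}")
```

    A TLS-intercepting proxy is needed to see the path; without it, only the host and the byte counts are available, and the volume threshold alone still works.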

    Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

    The post Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • The notorious WarzoneRAT malware has made a comeback, despite the FBI’s recent efforts to dismantle its operations.

    Initially detected in 2018, WarzoneRAT was disrupted by the FBI in mid-February when they seized the malware’s infrastructure and arrested two individuals linked to the cybercrime scheme.

    However, an advertisement for WarZoneRAT v3 with enhanced features, reported by ThreatMon, indicates that the threat actors are far from giving up.

    Cybersecurity experts at Cyble Research & Intelligence Labs (CRIL) have uncovered a new campaign that leverages tax-themed spam emails to spread the WarzoneRAT (Avemaria) malware, a Remote Administration Tool (RAT) known for its remote control capabilities and ability to execute malicious actions under the command of a remote server.

    Infection Tactics: The LNK and HTA Files

    The infection begins when unsuspecting users open an email with the subject “taxorganizer2023” and execute an attached archive file.


    This file contains a deceptive shortcut file, “taxorganizer2023.png.lnk,” which appears to be an image but is, in fact, a malicious LNK file.

    When executed, it triggers a PowerShell command to download and extract a ZIP file, leading to the execution of an HTA file.

    This HTA file then loads a PowerShell script in memory, which downloads a VBScript file from a remote server and ultimately deploys the WarzoneRAT malware.

    Figure: Overall infection chain

    Another infection method involves a ZIP archive named “MY TAX ORGANIZER.zip,” which contains a legitimate EXE file, a malicious DLL, and a PDF file.

    Running the EXE triggers DLL sideloading: the legitimate executable loads the malicious DLL, identified as WarzoneRAT, from its own directory.

    Figure: DLL sideloading method

    Technical Analysis: Unpacking the Malware

    The technical analysis of the campaign reveals a complex infection chain.

    The LNK file downloads a file with a .png extension that is actually a ZIP archive, and extracts its contents.

    The subsequent execution of the HTA file leads to a series of scripts that perform various actions, including generating random equations for stealth, checking for antivirus processes, and creating directories and files for persistence.
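    Two of the tricks in this chain are cheap to catch at the gateway: a download whose extension disagrees with its magic bytes (the ZIP served as .png) and an archive whose members hide an executable behind a double extension, or use the EXE-plus-DLL sideloading layout. The script below is an added example and not Cyble’s tooling; it builds two constructed archives in memory, using the member names from the article plus made-up names for the EXE, DLL and PDF.

```python
"""Spot masqueraded downloads and lure archives of the kind in this chain.

Added example; not Cyble's tooling. Archives are built in memory; member
names other than the two from the article are made up.
"""
import io
import posixpath
import zipfile
from collections import defaultdict
from typing import Dict, List

# Leading bytes per format. A Shell Link starts with HeaderSize 0x4C and the
# LinkCLSID 00021401-0000-0000-C000-000000000046; PE images start with "MZ".
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("zip", b"PK\x03\x04"),
    ("pdf", b"%PDF"),
    ("lnk", b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"),
    ("pe", b"MZ"),
]
EXT_FORMAT = {"png": "png", "zip": "zip", "pdf": "pdf", "lnk": "lnk", "exe": "pe", "dll": "pe"}
RISKY_EXT = {"lnk", "hta", "exe", "dll", "js", "jse", "vbs", "vbe", "ps1", "scr", "cmd", "bat"}
DECOY_EXT = {"png", "jpg", "jpeg", "gif", "pdf", "doc", "docx", "xls", "xlsx", "txt"}


def sniff(data: bytes) -> str:
    """Format implied by the leading bytes, or 'unknown'."""
    for fmt, sig in SIGNATURES:
        if data.startswith(sig):
            return fmt
    return "unknown"


def extension_matches(name: str, data: bytes) -> bool:
    """False when a known extension disagrees with the content (e.g. .png holding a ZIP)."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    expected = EXT_FORMAT.get(ext)
    return expected is None or expected == sniff(data)


def suspicious_members(zip_bytes: bytes) -> List[str]:
    """Human-readable findings for an archive's member list."""
    findings: List[str] = []
    exts_by_dir: Dict[str, set] = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = posixpath.basename(info.filename).lower().split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            exts_by_dir[posixpath.dirname(info.filename)].add(ext)
            head = zf.read(info)[:32]
            if len(parts) >= 3 and ext in RISKY_EXT and parts[-2] in DECOY_EXT:
                findings.append(f"{info.filename}: double extension, .{parts[-2]} decoy hides .{ext}")
            elif ext in RISKY_EXT:
                findings.append(f"{info.filename}: executable member (.{ext})")
            if ext in DECOY_EXT and sniff(head) in ("pe", "lnk", "zip"):
                findings.append(f"{info.filename}: content is {sniff(head)}, not .{ext}")
    for d, exts in exts_by_dir.items():
        if "exe" in exts and "dll" in exts:
            findings.append(f"{d or '.'}: EXE and DLL side by side, DLL sideloading candidate")
    return findings


def build_sample_archives() -> Dict[str, bytes]:
    """Constructed stand-ins for the two lures described above."""
    lnk = SIGNATURES[3][1] + b"\x00" * 40
    pe = b"MZ" + b"\x00" * 62
    stage1 = io.BytesIO()
    with zipfile.ZipFile(stage1, "w") as zf:
        zf.writestr("taxorganizer2023.png.lnk", lnk)   # name from the article
    stage2 = io.BytesIO()
    with zipfile.ZipFile(stage2, "w") as zf:              # EXE + DLL + PDF layout
        zf.writestr("MY TAX ORGANIZER/viewer.exe", pe)
        zf.writestr("MY TAX ORGANIZER/helper.dll", pe)
        zf.writestr("MY TAX ORGANIZER/organizer.pdf", b"%PDF-1.4\n%constructed\n")
    return {"taxorganizer2023.png": stage1.getvalue(), "MY TAX ORGANIZER.zip": stage2.getvalue()}


if __name__ == "__main__":
    for name, data in build_sample_archives().items():
        print(f"{name}: looks like {sniff(data)}, extension matches: {extension_matches(name, data)}")
        for finding in suspicious_members(data):
            print("  -", finding)
```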

    Figure: Content of the HTA file before and after removing junk code

    Final Payload: The Dangers of WarzoneRAT

    The final payload, WarzoneRAT (Avemaria), is a highly capable RAT that allows remote access and control over the victim’s computer.

    It can exfiltrate data, escalate privileges, manipulate the desktop remotely, harvest credentials, and perform keylogging, among other intrusive activities.

    Figure: Hardcoded strings of Avemaria

    The recent campaign highlights the persistent threat posed by cybercriminals who exploit the trust of users with themed spam emails.

    The sophisticated techniques used in this campaign, such as reflective loading and DLL sideloading, underscore the importance of vigilance and robust cybersecurity measures.

    As the WarzoneRAT malware continues to evolve and resurface, it is a stark reminder of the ongoing battle between cybercriminals and cybersecurity defenders.

    Users are urged to exercise caution when opening email attachments, even those that appear to be related to timely and relevant topics like tax organization.


    The post WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Android devices are popular targets for attackers because of the platform’s wide adoption and open-source nature.

    With over 2.5 billion active devices worldwide, it also presents a very large attack surface.

    Prompt vulnerability patching is hard as well, because the ecosystem is fragmented across many hardware vendors, and software updates are often delayed.

    Cybercriminals exploit these gaps for malware distribution, surveillance, financial gain, and other malicious ends.

    Recently, Google described how it uses the Kernel Address Sanitizer (KASan) to harden Android firmware and other bare-metal targets.

    Android Firmware And Beyond

    KASan (Kernel Address Sanitizer) has broad applicability across firmware targets. Incorporating KASan-enabled builds into testing and fuzzing can proactively identify memory corruption vulnerabilities and stability issues before deployment on user devices.


    Google has already leveraged KASan on firmware targets, leading to the discovery and remediation of over 40 memory safety bugs, some critically severe, through proactive vulnerability detection.

    Address Sanitizer (ASan) is a compiler instrumentation tool that catches invalid memory accesses at runtime, such as out-of-bounds reads and writes, use-after-free, and double-free.

    For user-space targets, enabling ASan is straightforward with the -fsanitize=address option. Bare-metal code built for “none” system targets such as arm-none-eabi, however, has no default runtime support.

    The -fsanitize=kernel-address option instead expects the target to supply its own KASan runtime, in the way the Linux kernel provides its own routines.

    KASan’s core idea is to instrument memory access operations (loads, stores, and memory copy functions) so that the validity of the source and destination regions is verified.

    It only allows access to valid regions tracked in a shadow memory area, where each shadow byte records the state (allocated, freed, how many bytes are accessible) of a fixed-size memory region.

    Upon detecting an invalid access, KASan reports the violation.

    Enabling KASan for bare-metal targets therefore requires implementing the instrumentation routines that check region validity on memory operations, report violations, and manage the shadow memory that tracks the state of covered regions.

    Enabling KASan for Bare-Metal Firmware

    The steps, in order:

    • KASan shadow memory
    • Implement a KASan runtime
    • Memory access check
    • Shadow memory management
    • Covering global variables
    • Memory copy functions
    • Avoiding false positives for noreturn functions
    • Hook heap memory allocation routines

    To use KASan on bare-metal code, build with the compiler’s -fsanitize=kernel-address option and pass the LLVM options -asan-mapping-offset to set the location of shadow memory, -asan-stack=1 and -asan-globals=1 to cover stack and global variables, and -asan-instrumentation-with-call-threshold=0 to outline the checks into calls and limit code bloat.
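    The shadow-memory scheme those steps implement can be modelled in a few dozen lines. The following is an added example and not Google’s or the Linux kernel’s runtime: a Python model with one shadow byte per 8-byte granule (0 = all eight bytes accessible, 1..7 = only the first k bytes, negative = poisoned with a reason), the load/store check the compiler would emit, and hooked malloc/free that unpoison objects and poison redzones and freed memory. The address ranges, the shadow offset and the poison codes are chosen for the demo.

```python
"""Byte-accurate model of the KASan shadow-memory check described above.

Added example; not Google's or the Linux kernel's runtime. Address ranges,
shadow offset and poison codes are chosen for the demo.
"""
from typing import Dict

GRANULE = 8
SHADOW_SCALE = 3            # log2(GRANULE); the mapping -asan-mapping-offset parameterises
REDZONE_BYTES = 16
FREED, REDZONE, UNALLOC = -1, -2, -3
REASON = {FREED: "use-after-free", REDZONE: "out-of-bounds (redzone)", UNALLOC: "wild access"}


class KasanError(Exception):
    def __init__(self, reason: str, addr: int, size: int, write: bool):
        super().__init__(f"{'write' if write else 'read'} of {size} byte(s) at {addr:#x}: {reason}")
        self.reason = reason


class ShadowMemory:
    def __init__(self, base: int, size: int, shadow_offset: int):
        assert base % GRANULE == 0 and size % GRANULE == 0
        self.base, self.size, self.shadow_offset = base, size, shadow_offset
        self.shadow = [UNALLOC] * (size // GRANULE)

    def shadow_address(self, addr: int) -> int:
        """The mapping the compiler instruments: (addr >> scale) + offset."""
        return (addr >> SHADOW_SCALE) + self.shadow_offset

    def _idx(self, addr: int) -> int:
        if not self.base <= addr < self.base + self.size:
            raise KasanError("address outside covered region", addr, 1, False)
        return self.shadow_address(addr) - self.shadow_address(self.base)

    def poison(self, addr: int, size: int, code: int) -> None:
        """Mark whole granules in [addr, addr+size) inaccessible with a reason code."""
        for g in range(addr, addr + size, GRANULE):
            self.shadow[self._idx(g)] = code

    def unpoison(self, addr: int, size: int) -> None:
        """Mark [addr, addr+size) accessible; a trailing partial granule gets 1..7."""
        full, tail = divmod(size, GRANULE)
        for i in range(full):
            self.shadow[self._idx(addr + i * GRANULE)] = 0
        if tail:
            self.shadow[self._idx(addr + full * GRANULE)] = tail

    def check(self, addr: int, size: int, write: bool = False) -> None:
        """The instrumented load/store check: raise on the first bad byte."""
        cur, end = addr, addr + size
        while cur < end:
            s = self.shadow[self._idx(cur)]
            off = cur & (GRANULE - 1)
            n = min(GRANULE - off, end - cur)        # bytes of this access in this granule
            if s < 0:
                raise KasanError(REASON[s], addr, size, write)
            if s != 0 and off + n > s:               # only the first s bytes are valid
                raise KasanError(f"out-of-bounds (partial granule, {s} valid bytes)", addr, size, write)
            cur += n


class Heap:
    """Bump allocator with hooked malloc/free, as in the last step of the list above."""
    def __init__(self, base: int = 0x2000_0000, size: int = 4096, shadow_offset: int = 0x1000_0000):
        self.shadow = ShadowMemory(base, size, shadow_offset)
        self.next, self.live = base, {}

    def malloc(self, n: int) -> int:
        addr, padded = self.next, -(-n // GRANULE) * GRANULE
        self.shadow.unpoison(addr, n)                               # object bytes become valid
        self.shadow.poison(addr + padded, REDZONE_BYTES, REDZONE)   # guard after the object
        self.next = addr + padded + REDZONE_BYTES
        self.live[addr] = padded
        return addr

    def free(self, addr: int) -> None:
        self.shadow.poison(addr, self.live.pop(addr), FREED)        # freed memory stays poisoned


def demo() -> Dict[str, str]:
    """Exercise the bug classes the article names; returns label -> verdict."""
    heap, verdicts = Heap(), {}
    buf = heap.malloc(13)               # shadow: [0, 5, REDZONE, REDZONE]
    for label, addr, size in (("in-bounds", buf, 13), ("off-by-one", buf + 12, 2),
                              ("redzone", buf + 16, 1)):
        try:
            heap.shadow.check(addr, size)
            verdicts[label] = "ok"
        except KasanError as e:
            verdicts[label] = e.reason
    heap.free(buf)
    try:
        heap.shadow.check(buf, 1, write=True)
        verdicts["uaf"] = "ok"
    except KasanError as e:
        verdicts["uaf"] = e.reason
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:<11} {verdict}")
```

    The partial-granule encoding is why a 13-byte object catches an off-by-one read at byte 13 even though the granule itself is still mapped; the real runtime also quarantines freed chunks so the FREED poison survives long enough to catch late use-after-free.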

    In addition, strategies such as leveraging Rust (a memory-safe language) are being advanced in order to proactively guard against memory vulnerabilities in the Android system.


    The post Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation, and growth.

    However, this shift towards a more interconnected digital ecosystem has not come without its risks.

    According to the “2024 State of SaaS Security Report” by Wing Security, a staggering 97% of organizations faced exposure to attacks through compromised SaaS supply chain applications in 2023, highlighting a critical vulnerability in the digital infrastructure of modern businesses.

    The report, which analyzed data from 493 companies in the fourth quarter of 2023, illuminates the multifaceted nature of SaaS security threats.

    From supply chain attacks taking center stage to the alarming trend of exploiting exposed credentials, the findings underscore the urgent need for robust security measures.

    Supply Chain Attacks: A Domino Effect

    Supply chain attacks have emerged as a significant threat, with 96.7% of organizations using at least one app that had a security incident in the past year.

    The MOVEit breach, which directly and indirectly impacted over 2,500 organizations, and North Korean actors’ targeted attack on JumpCloud’s clients are stark reminders of the cascading effects a single vulnerability can have across the supply chain.

    The simplicity of credential stuffing attacks and the widespread issue of unsecured credentials continue to pose a significant risk.

    The report highlights several high-profile incidents, including breaches affecting Norton LifeLock and PayPal customers, where attackers exploited stolen credentials to gain unauthorized access to sensitive information.

    MFA Bypassing and Token Theft

    Despite adopting Multi-Factor Authentication (MFA) as a security measure, attackers have found ways to bypass these defenses, targeting high-ranking executives in sophisticated phishing campaigns.

    Additionally, the report points to a concerning trend of token theft, with unused tokens creating unnecessary risk exposure for many organizations.

    Looking Ahead: SaaS Threat Forecast for 2024

    As we move into 2024, the SaaS threat landscape is expected to evolve, with AI posing a new threat.

    The report identifies two primary risks associated with AI in the SaaS domain: the vast volume of AI models in SaaS applications and the potential for data mismanagement.

    Furthermore, the persistence of credential-based attacks and the rise of interconnected threats across different domains underscore the need for a holistic cybersecurity approach.

    Practical Tips for Enhancing SaaS Security

    The report offers eight practical tips for organizations to combat these growing threats, including discovering and managing the risk of third-party applications, leveraging threat intelligence, and enforcing MFA.

    Additionally, regaining control of the AI-SaaS landscape and establishing an effective offboarding procedure are crucial steps in bolstering an organization’s SaaS security.

    The “2024 State of SaaS Security Report” by Wing Security serves as a wake-up call for businesses to reassess their SaaS security strategies.

    With 97% of organizations exposed to attacks via compromised SaaS supply chain apps, the need for vigilance and proactive security measures has never been more critical.

    As the digital landscape continues to evolve, so must our approaches to protect it.


    The post Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Network penetration testing plays a vital role in detecting vulnerabilities that can be exploited. The current method of performing pen testing is pricey, leading many companies to undertake it only when necessary, usually once a year for their compliance requirements. This manual approach often misses opportunities to find and fix security issues early on, leaving businesses vulnerable to


  • Details have emerged about a vulnerability impacting the “wall” command of the util-linux package that could be potentially exploited by a bad actor to leak a user’s password or alter the clipboard on certain Linux distributions. The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante. It has been described as a case of improper


  • A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed light on the growing concerns within the cybersecurity community.

    The survey, which gathered insights from over 800 IT and security executives globally, reveals a stark reality: 92% of respondents have observed a surge in cyber-attacks compared to the previous year.

    The complexity and frequency of these attacks are putting unprecedented pressure on organizations, with a significant 73% having suffered monetary losses due to cyber incidents.

    Vulnerable Sectors Under Siege

    Cybercriminals are not indiscriminate in their targets. The survey identifies IT services, financial operations, and supply chain management as the most frequently attacked sectors within organizations.

    The hospitality/travel, manufacturing, and financial services industries are also facing weekly and monthly attacks, with ransomware and phishing topping the list of concerns.

    Figure: Industries at Risk

    The New Wave of Sophisticated Attacks

    The findings from Keeper Security’s survey highlight the urgent need for organizations to adapt their cybersecurity strategies to counter both existing and emerging threats.

    A staggering 95% of IT leaders acknowledge that cyber-attacks are increasing in frequency and sophistication.

    The most serious emerging threats include AI-powered attacks, deepfake technology, supply chain attacks, cloud jacking, IoT attacks, 5G network exploits, and fileless attacks.

    AI-powered attacks are particularly concerning, as they enable cybercriminals to automate and scale traditional attack techniques like phishing and password cracking.

    This has led to a call for a proactive cybersecurity approach that combines advanced defense mechanisms with fundamental best practices.

    To combat these threats, IT leaders are planning to increase their AI security measures through data encryption (51%), employee training and awareness (45%), and advanced threat detection systems.

    In North America, the focus is equally split between threat detection systems and data encryption, each at 50%.

    Figure: AI Security Measures

    Phishing remains a significant challenge, with 67% of companies struggling to combat these attacks.

    The rise of AI tools has made phishing scams more believable and harder to detect, with 84% of respondents finding them more difficult to identify.

    Insider Threats and the Importance of PAM

    Not all threats come from the outside; 40% of respondents have faced attacks from within their organization.

    Privileged Access Management (PAM) solutions are crucial for managing and securing privileged credentials and enforcing the principle of least privilege to minimize damage from potential insider threats.

    Despite the evolving threat landscape, fundamental cybersecurity practices remain crucial. Organizations are encouraged to adopt password and PAM solutions to prevent prevalent attacks.

    A password manager can enforce strong password practices, while PAM solutions control and monitor high-level access.

    These measures create a layered security approach that enhances overall cybersecurity resilience.

    As cybercriminals continue to refine their tactics, IT and security leaders must remain vigilant and proactive in their defense measures to protect their organizations’ digital landscapes.


    The post IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Sandbox analysis of a sample’s behavior, network activity, and process tree provides the foundation for reverse engineering .NET malware.

    The write-up outlines why sandbox analysis matters as preparation for reverse engineering: it shows what to expect and where to focus, since malware authors use a range of tactics to confuse analysts.

    It also covers modifying the malware to simplify analysis.

    The initial picture gained from the sandbox lets analysts prioritize areas to investigate during the deconstruction phase, which matters because malware often employs obfuscation to impede analysis.

    The target is Snake Keylogger, a .NET infostealer with anti-analysis techniques. The author uses static and dynamic analysis with decompilers and debuggers in an isolated environment built from VirtualBox, Windows 11, Flare-VM, dnSpy, and .NET Reactor Slayer.


    To ensure safety, the network adapters will be disabled, and resource sharing between the guest and host machine will be minimized. 

    Figure: The modded Snake Keylogger

    Stages of the Malware Analysis:

    The analysis identified “pago 4094.exe” as a .NET keylogger disguised as an airplane simulator. Static analysis revealed suspicious decryption code in the InitializeComponent function, and disabling that code confirmed its role in the malicious activity.

    Figure: The entry point containing the Main function

    Dynamic analysis showed the code fetching data from a resource named “Grab” and decrypting it, which contained a valid DOS header, DOS stub, and PE header, indicating it was a new executable payload. 

    The payload, loaded as an in-memory assembly using Assembly.Load, was identified as “Aads.dll” and determined to be stage 2 of the malware.  

    Figure: The “Airplane Traveling” application in the ANY.RUN sandbox

    The ANY.RUN analyst investigated “Aads.dll”, a .NET assembly DLL, using static and dynamic analysis; static analysis in dnSpy revealed sorting and searching functions but no obviously malicious code.

    Figure: “Aads.dll” in DIE, showing the library and linker

    Dynamic analysis with breakpoints showed “Aads.dll” using image data from resource “ivmsL” containing a potentially steganographic image. 

    The image data was processed through sorting algorithms and examined in memory, revealing a DOS header (“MZ”) and PE header, indicating a packed executable, while the extracted executable, named “Tyrone.dll,”  was identified as stage 3 of the malware.  

    Figure: The module “Tyrone.dll” under the Modules tab

    “Tyrone.dll” turned out to be a .NET DLL with VB.NET code obfuscated by .NET Reactor. Static analysis of the deobfuscated code showed functions related to a “pandemic simulation” that served no real purpose, but the presence of GetObject() suggested a next step.

    Figure: Deobfuscating “Tyrone.dll”

    Dynamic analysis confirmed this suspicion: with breakpoints set and memory examined, data retrieved from the resource “wHzyWQnRZ” was identified as a new executable with a DOS header, DOS stub, and PE header, stage 4 of the malware.
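    Each stage above is recognised the same way: decrypt a resource, find the DOS header, follow e_lfanew to the PE signature. The script below is an added example, not ANY.RUN’s code; it carves every plausible PE image out of a blob by validating the headers and sizing each image from its section table, and reports architecture, the DLL flag, and whether a CLR header is present (i.e. a .NET assembly). The blob is constructed from two minimal fake images plus junk, including a decoy “MZ” that is not a header.

```python
"""Carve embedded PE images out of a decrypted resource blob.

Added example, not ANY.RUN's code. The blob is constructed from two minimal
fake images (a .NET x86 DLL and a native x64 EXE) surrounded by junk.
"""
import struct
from typing import Dict, List, Optional

MACHINE = {0x14C: "x86", 0x8664: "x64", 0x1C0: "arm", 0xAA64: "arm64"}
IMAGE_FILE_DLL = 0x2000


def build_fake_pe(machine: int, is_dll: bool, dotnet: bool) -> bytes:
    """Minimal well-formed image: DOS header, PE signature, COFF header,
    optional header (PE32 or PE32+), one section header and its raw data."""
    plus = machine == 0x8664
    e_lfanew, opt_size, raw_ptr, raw_size = 0x80, (0xF0 if plus else 0xE0), 0x200, 0x100
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)            # EXECUTABLE_IMAGE [| DLL]
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if plus else 0x10B)      # optional header magic
    if dotnet:   # data directory 14 = CLR runtime header (RVA, size)
        struct.pack_into("<II", opt, (0x70 if plus else 0x60) + 14 * 8, 0x2008, 0x48)
    sect = b".text\x00\x00\x00" + struct.pack("<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sect
    return header.ljust(raw_ptr, b"\x00") + b"\x90" * raw_size


def parse_pe_at(blob: bytes, base: int) -> Optional[Dict]:
    """Describe the image whose DOS header starts at base, or None if it is not one."""
    try:
        if blob[base:base + 2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", blob, base + 0x3C)[0]
        p = base + e_lfanew
        if not 0x40 <= e_lfanew <= 0x400 or blob[p:p + 4] != b"PE\x00\x00":
            return None
        machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, p + 4)
        if nsect == 0 or nsect > 96:
            return None
        opt = p + 24
        magic = struct.unpack_from("<H", blob, opt)[0]
        if magic not in (0x10B, 0x20B):
            return None
        dirs = opt + (0x70 if magic == 0x20B else 0x60)            # data directories start
        clr_rva = 0
        if opt_size >= (dirs - opt) + 15 * 8:
            clr_rva = struct.unpack_from("<I", blob, dirs + 14 * 8)[0]
        sect_tbl = opt + opt_size
        size = sect_tbl + nsect * 40 - base
        for i in range(nsect):                                     # extend to the last raw section
            raw_size, raw_ptr = struct.unpack_from("<II", blob, sect_tbl + i * 40 + 16)
            size = max(size, raw_ptr + raw_size)
    except struct.error:
        return None
    return {"offset": base, "arch": MACHINE.get(machine, f"{machine:#x}"),
            "pe32plus": magic == 0x20B, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "dotnet": clr_rva != 0, "sections": nsect, "size": min(size, len(blob) - base)}


def carve_pe(blob: bytes) -> List[Dict]:
    """Every plausible image in blob, skipping past each one found."""
    found, pos = [],  blob.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(blob, pos)
        if info:
            found.append(info)
            pos = blob.find(b"MZ", pos + info["size"])
        else:
            pos = blob.find(b"MZ", pos + 1)
    return found


def build_sample_blob() -> bytes:
    """Constructed stand-in for a decrypted resource: junk, a decoy MZ, two images."""
    junk = b"sorted-image-bytes-" * 5 + b"MZ-not-a-header-" + b"\x00" * 7
    return (junk + build_fake_pe(0x14C, is_dll=True, dotnet=True)
            + b"\xcc" * 33 + build_fake_pe(0x8664, is_dll=False, dotnet=False) + b"\x00" * 9)


if __name__ == "__main__":
    for pe in carve_pe(build_sample_blob()):
        print(pe)
```

    Sizing from the section table is what lets the carver step past one image to the next instead of stopping at the first “MZ” inside it, and the CLR directory check tells you which carved stage to open in dnSpy.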


    Analysts then investigated “lfwhUWZlmFnGhDYPudAJ.exe”, a .NET assembly flagged as a keylogger. Its code was obfuscated with non-descriptive names; after identifying it as a VB.NET-compiled PE32 executable, they detonated it in a sandbox, which confirmed its keylogging functionality.

    Figure: Overview of “lfwhUWZlmFnGhDYPudAJ.exe” in an ANY.RUN sandbox

    Finally, deobfuscation and renaming of functions (e.g., “lena_”) made the code readable enough for further analysis.

    The malware configuration, encrypted with a hardcoded key, reveals SMTP information for exfiltration, and the code steals login data from browsers (Chrome, Edge, etc.) and applications (Discord) by reading their SQLite databases or LevelDB files.

    Figure: Snake Keylogger config decryption Python code

    It exfiltrates data via FTP, SMTP, or Telegram, as the analyzed sample uses SMTP with hardcoded credentials and sends data as an email attachment.

    The write-up then modifies the Snake Keylogger sample for easier analysis by disabling its internet connectivity check, self-deletion, and self-relocation.

    Figure: The encrypted SMTP information obtained with the Python code

    Because the configuration is stored encrypted, a Python script was written to encrypt replacement SMTP credentials with the MD5-derived key and write them back into the malware configuration.


    The malware was customized by changing the icon and adding functionality to change the wallpaper and save stolen credentials to text files on the desktop. The effectiveness of the modifications was verified by running the modded malware in a sandbox environment.

    Boosting Security with ANY.RUN Threat Intelligence

    The solution offers a threat intelligence (TI) feed and a lookup portal, giving access to a constantly updated database of malware information built from over 1.5 million investigations by community and in-house analysts. It allows you to:

    • Access the latest community-reported and analyst-discovered malware data.
    • Search across the fields of 1.5 million investigations conducted in the past 6 months.
    • Analyze command lines, registry changes, memory dumps, and encrypted and unencrypted network traffic to identify risks.

    It offers threat intelligence in two formats:

    • Threat Intelligence Lookup – Search the portal for relevant events using 30 criteria. Use wildcards (*) to search substrings broadly. Results come back in about 5 seconds, and the attached IOCs and event fields link to recorded sandbox sessions.
    • Threat Intelligence Feeds – Receive STIX data directly into your TIP and SIEM systems, and feed it to firewalls to block current threats. New indicators and event fields arrive every two hours.

    TI Lookup examines a massive database of Indicators of Compromise (IOCs) and related events across numerous parameters. Wildcards allow wide or particular searches, and results, including linked research sessions, are supplied in seconds.

    SIEM systems can consume the TI Feeds’ continuous threat data in STIX format; every two hours, new IOCs and event details are added for analysis.

    What is ANY.RUN?

    ANY.RUN is a cloud-based malware lab that does most of the work for security teams. 400,000 professionals use the ANY.RUN platform every day to look into events and speed up threat research on Linux and Windows cloud VMs.

    Advantages of ANY.RUN 

    • Real-time Detection: ANY.RUN can find malware and instantly identify many malware families using YARA and Suricata rules within about 40 seconds of posting a file.
    • Interactive Malware Analysis: ANY.RUN differs from many automated options because it lets you connect with the virtual machine from your browser. This live feature helps stop zero-day vulnerabilities and advanced malware that can get past signature-based protection.
    • Value for money: ANY.RUN’s cloud-based nature makes it a cost-effective option for businesses since your DevOps team doesn’t have to do any setup or support work.
    • Best for onboarding new security team members: ANY.RUN’s easy-to-use interface allows even new SOC researchers to quickly learn to examine malware and identify indicators of compromise (IOCs).


    The post How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • The maintainers of the Python Package Index (PyPI) repository briefly suspended new user sign-ups following an influx of malicious projects uploaded as part of a typosquatting campaign. It said “new project creation and new user registration” was temporarily halted to mitigate what it said was a “malware upload campaign.” The incident was resolved 10 hours later, on March 28, 2024, at
