CYBERSECURITY / DEFENSE / INTELLIGENCE

• Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse engineering .NET malware.

    The write-up outlines the importance of sandbox analysis in preparing for reverse engineering by highlighting what to expect and focus on, given that malware creators use various tactics to confuse analysts.

    It also mentions that the walkthrough will cover modifying malware to simplify analysis.

    The initial understanding gained from sandbox analysis allows analysts to prioritize areas for investigation during the deconstruction phase. This is particularly useful as malware often employs obfuscation techniques to impede analysis.

    The write-up then prepares for reverse engineering Snake Keylogger, a .NET infostealer with anti-analysis techniques; the author plans to combine static and dynamic analysis with decompilers and debuggers in an isolated environment built with VirtualBox, Windows 11, Flare-VM, dnSpy, and .NET Reactor Slayer.

    To ensure safety, the network adapters will be disabled, and resource sharing between the guest and host machine will be minimized. 

    The modded Snake Keylogger

    Stages of the Malware Analysis:

    The analysis identified “pago 4094.exe” as a .NET keylogger disguised as an airplane simulator. Static analysis revealed suspicious decryption code in the InitializeComponent function, and disabling the code confirmed its role in malicious activity.

    The entry point that contains the Main function

    Dynamic analysis showed the code fetching data from a resource named “Grab” and decrypting it, which contained a valid DOS header, DOS stub, and PE header, indicating it was a new executable payload. 

    The payload, loaded as an in-memory assembly using Assembly.Load, was identified as “Aads.dll” and determined to be stage 2 of the malware.  

    The “Airplane Traveling” application on the ANY.RUN Sandbox

    The analyst at ANY.RUN investigated “Aads.dll,” a .NET assembly DLL, using static and dynamic analysis; static analysis in dnSpy revealed sorting/searching functions but no malicious code.

    “Aads.dll” on DIE shows the Library and Linker

    Dynamic analysis with breakpoints showed “Aads.dll” using image data from resource “ivmsL” containing a potentially steganographic image. 

    The image data was processed through sorting algorithms and examined in memory, revealing a DOS header (“MZ”) and PE header, indicating a packed executable, while the extracted executable, named “Tyrone.dll,”  was identified as stage 3 of the malware.  

    The module “Tyrone.dll” can be observed under the Modules Tab

    “Tyrone.dll” was found to be a .NET DLL with VB.NET code that had been hidden by .NET Reactor. Static analysis of the deobfuscated code showed functions related to a “pandemic simulation” that were deemed unnecessary, but the presence of GetObject() suggested a next step.

    Deobfuscating the “Tyrone.dll”

    Dynamic analysis confirmed this suspicion by setting breakpoints and examining memory, while retrieved data from resource “wHzyWQnRZ” was identified as a new executable containing a DOS header, DOS stub, and PE header – stage 4 of the malware.
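    Each staged payload above was recognised by spotting an “MZ” DOS header followed by a valid PE header in decrypted resource data. As an added example that is not part of the original article, this Python helper performs the same check over a buffer: it follows e_lfanew at offset 0x3C to the “PE\0\0” signature so that stray “MZ” bytes are not mistaken for a payload. The sample buffer is constructed here and is not data from any real sample.

```python
import struct

def build_sample() -> bytes:
    """Constructed test input, not a real malware resource.

    Mimics a decrypted resource: junk bytes containing a false "MZ",
    then a minimal DOS header whose e_lfanew points at a "PE\\0\\0"
    signature (the DOS stub is represented by zero padding).
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"                                   # DOS magic
    struct.pack_into("<I", dos, 0x3C, e_lfanew)        # e_lfanew field
    # "PE\0\0", Machine=0x14C (x86), NumberOfSections=2, rest zero-filled
    pe = b"PE\0\0" + struct.pack("<HH", 0x14C, 2) + bytes(16)
    junk = b"\x90" * 10 + b"MZ" + b"\x90" * 25          # 37 bytes, one false "MZ"
    return junk + bytes(dos) + pe + b"\x00" * 64

def find_embedded_pe(buf: bytes):
    """Return (offset, machine, sections) for each plausible PE in buf.

    A hit needs an "MZ" magic, an e_lfanew that is at least the size of
    the DOS header and stays inside the buffer, and "PE\\0\\0" at that
    position. This mirrors the manual check in the analysis (DOS header,
    DOS stub, PE header) but rejects "MZ" bytes that occur by chance.
    """
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):                     # full DOS header present
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if (e_lfanew >= 0x40 and pe_off + 24 <= len(buf)
                    and buf[pe_off:pe_off + 4] == b"PE\0\0"):
                machine, nsect = struct.unpack_from("<HH", buf, pe_off + 4)
                hits.append((pos, machine, nsect))
        pos = buf.find(b"MZ", pos + 1)
    return hits

def carve(buf: bytes, offset: int) -> bytes:
    """Slice the candidate executable from offset to the end of the buffer."""
    return buf[offset:]

if __name__ == "__main__":
    data = build_sample()
    for off, machine, nsect in find_embedded_pe(data):
        print(f"PE candidate at 0x{off:x}: machine=0x{machine:x}, sections={nsect}")
```

Running the block against a dumped resource (read the file into `data`) prints the offset of each embedded executable; `carve` then gives the bytes to save for the next stage of analysis.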


    Analysts investigated “lfwhUWZlmFnGhDYPudAJ.exe,” a .NET assembly flagged as a keylogger. The file had obfuscated code with non-descriptive names; after identifying it as a VB.NET compiled PE32 executable, they detonated it in a sandbox environment, confirming its keylogging functionality.

    The overview of “lfwhUWZlmFnGhDYPudAJ.exe” in an ANY.RUN sandbox

    Finally, deobfuscation with renamed functions (e.g., “lena_”) improved code readability for further analysis.

    The malware configuration, encrypted with a hardcoded key, reveals SMTP information for exfiltration and the code steals login data from browsers (Chrome, Edge, etc.) and applications (Discord) by accessing their SQLite databases or LevelDB files. 

    Snake Keylogger Config Decryption Python Code

    Snake Keylogger can exfiltrate data via FTP, SMTP, or Telegram; the analyzed sample uses SMTP with hardcoded credentials and sends data as an email attachment.

    The write-up then describes modifying the Snake Keylogger malware for easier analysis by disabling its internet connection check, self-deletion, and self-movement functionality.

    The encrypted SMTP information obtained from the Python code

    A Python script has been written to encrypt SMTP credentials with a key derived from an MD5 hash and store them in the malware configuration to bypass email encryption.


    The malware was customized by changing the icon and adding functionalities to change the wallpaper and save stolen credentials to text files on the desktop. The effectiveness of the modifications was verified by running the modded malware in a sandbox environment.

    Boosting Security with ANY.RUN Threat Intelligence

    The solution offers a threat intelligence (TI) feed and a lookup portal, providing access to a constantly updated database of malware information that leverages data from over 1.5 million investigations by community and in-house analysts, allowing you to:

    • Access the latest community-reported and analyst-discovered malware data.
    • Search across various aspects (fields) of 1.5 million investigations conducted in the past 6 months.
    • Identify risks by analyzing command lines, registry changes, memory dumps, encrypted and unencrypted network traffic, and more.

    It offers threat intelligence in two formats:

    • Threat Intelligence Lookup – Search the portal for relevant events using 30 criteria. Use wildcards (*) to search substrings, broadly or narrowly. With rapid search, you get results in 5 seconds. The attached IOCs and event fields include links to recorded sandbox research sessions.
    • Threat Intelligence Feeds – Receive STIX data from the Feeds directly into your TIP and SIEM systems. Set up firewalls against current threats. New data with indicators and event fields for context arrives every two hours.

    TI Lookup examines a massive database of Indicators of Compromise (IOCs) and related events across numerous parameters. Wildcards allow wide or particular searches, and results, including linked research sessions, are supplied in seconds.

    SIEM systems can consume TI Feeds’ continuous threat data in STIX format; every two hours, new IOCs and event details are added for threat analysis.

    What is ANY.RUN?

    ANY.RUN is a cloud-based malware lab that does most of the work for security teams. 400,000 professionals use the ANY.RUN platform every day to look into events and speed up threat research on Linux and Windows cloud VMs.

    Advantages of ANY.RUN 

    • Real-time Detection: ANY.RUN can find malware and instantly identify many malware families using YARA and Suricata rules within about 40 seconds of posting a file.
    • Interactive Malware Analysis: ANY.RUN differs from many automated options because it lets you connect with the virtual machine from your browser. This live feature helps stop zero-day vulnerabilities and advanced malware that can get past signature-based protection.
    • Value for money: ANY.RUN’s cloud-based nature makes it a cost-effective option for businesses since your DevOps team doesn’t have to do any setup or support work.
    • Best for onboarding new security team members: ANY.RUN’s easy-to-use interface allows even new SOC researchers to quickly learn to examine malware and identify signs of compromise (IOCs).


    The post How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • The maintainers of the Python Package Index (PyPI) repository briefly suspended new user sign-ups following an influx of malicious projects uploaded as part of a typosquatting campaign. It said “new project creation and new user registration” was temporarily halted to mitigate what it said was a “malware upload campaign.” The incident was resolved 10 hours later, on March 28, 2024, at


  • The United States is becoming more comfortable giving Ukraine the long-sought weapons.


  • A new strategy outlines how the Defense Department plans to increase security and strengthen relationships across the industrial base.


  • The ICBM program is facing a massive cost overrun and program delays.


  • The service recently announced a major shakeup to prep for war with China.


  • GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting the growing, widespread use and potential of Web3 user security data to aid in risk management.

    The report’s findings reveal a clear and growing demand for more advanced security tools that can effectively safeguard digital assets, verify the authenticity of nonfungible tokens (NFTs), and monitor decentralized applications for threats.

    The report, “Uncharted Consensus: The Widespread Use and Potential of User Security Data in Web3”, showcases the rapid adoption of GoPlus’s API suite, which provides Web3 industry stakeholders with unparalleled insights into the health and vulnerability of various cryptocurrencies, NFTs and decentralized applications.

    At the same time, it also underscores the unique role GoPlus plays in addressing Web3’s most pressing security challenges.

    GoPlus is the developer of an API suite designed to address the multifaceted challenges of Web3 user security. The suite enables targeted data analysis across key industry aspects.

    Its modules include a Token Risk API and NFT Risk API that evaluate the risk associated with different cryptocurrencies and non-fungible tokens; a Malicious Address API for monitoring and reporting malicious addresses; a dApp Security API for real-time monitoring and threat detection in decentralized applications; and an Approval API for checking malicious approvals of an address.

    The report shows rising demand for better Web3 security solutions. GoPlus revealed that its Token Risk API saw a rapid increase in utilization from November 2023, with some months witnessing peaks of over 20 million calls per day.

    This suggests that the crypto industry is collectively shifting towards pre-emptive risk identification and mitigation, driven by the evolving and intensifying landscape of security threats.

    These increases were mirrored by similar usage spikes in GoPlus’s other API modules. For instance, usage of its NFT API spiked between Dec. 2022 and Feb. 2023 and then several times again between March and May 2023 before stabilizing, followed by a sustained period of much steadier growth.

    These usage trends mirror the growing adoption of NFTs and the corresponding need for tools to assess the risks associated with these digital assets.

    Evolving Threat Landscape

    A closer analysis of the API usage data illustrated a significant fluctuation in the presence of “high-risk” tokens, reflecting a threat landscape that’s just as volatile as the crypto industry itself.

    The majority of these high-risk tokens were identified as being either “blacklisted” or “honeypots”. However, many other kinds of threats were identified, illustrating the evolving tactics used by hackers and scammers in the industry. The report also found an exponential increase in threats associated with NFTs, such as privileged operations (burn and minting), restricted approvals, self-destruct mechanisms, and unauthorized transfers.

    The threat-related insights demonstrate the need for Web3 projects to employ more dynamic, robust, and adaptable security strategies and countermeasures to deal with the evolving threat landscape. They also highlight the need for education and collaboration to increase awareness of these threats and find better ways to mitigate them.

    Top Ecosystems & Threats

    The comprehensive study also highlighted the differing levels of user engagement and security concerns across blockchains, providing perspective on the unique challenges and risks faced by each ecosystem. 

    BNB Chain emerged as the most prominent user of GoPlus’s APIs, being queried more than 92.7 million times during the research period. This reflects Binance’s laudable achievement in fostering a large community that’s united in its determination to identify and proactively mitigate security risks such as token vulnerabilities and scams.

    Ethereum was the second-most popular chain to leverage GoPlus, with users querying its APIs 84 million times, highlighting both the extent of its user base and its vigilance against vulnerabilities and scams. Meanwhile, Polygon also stood out with almost 9.8 million queries during the period. This high level of adoption in the much smaller Polygon community illustrates the strong emphasis it places on scaling security solutions for the Web3 industry. 

    Other insights from the report include the top ten token risks faced by the crypto industry today, with further analysis uncovering ten tokens with characteristics that mark them out as being “particularly malicious”, and also the top ten NFT collections that could be perceived as risky, due to their close association with phishing scams.  

    The Importance Of User Security Insights

    The GoPlus report provides valuable insights into aspects such as user engagement, preferences and the nature of the evolving threats in Web3, which can be essential for stakeholders to make more informed decisions and mitigate the risks they face. 

    Perhaps the most significant finding is that the report underlines the critical importance Web3 security data can play in helping the industry to address the evolving risk landscape. As the Web3 ecosystem grows and evolves, the need for comprehensive security data will become all the more vital, helping dApp developers protect their users, while educating users on how to protect themselves.  

    About GoPlus Labs

    GoPlus Labs is revolutionizing Web3 security by offering a transparent, User Security Network with permissionless security data. It provides User Security Module as a Service to any blockchain, utilizing advanced AI for comprehensive threat detection.

    Notably, its security data infrastructure has seen a massive increase in usage: user security data usage has grown 5000x from 2022 to now, with 21M daily data API calls.

    SecwareX, launched in March 2024, quickly gained significant traction, showcasing high user trust. Within its first two weeks, it attracted over 400,000 users, including more than 30,000 premium (paid) users, highlighting its immediate impact and user trust.

    GoPlus enhances Web3 user security through broad support for over 20 chains, collaboration with RaaS and Layer2 partners like Altlayer, zkSync, and Manta, and the introduction of innovative products like the “Secscan” security engine and Secware Middleware. These advancements facilitate a more open data and computing layer, moving towards gradual decentralization.

    GoPlus enhances Web3 user security and promotes decentralization by motivating user participation with its token system. The GoPlus Token will act as a “gas fee,” necessary to reinforce the user security network and expand its utility. Moreover, it encourages users to become SecWare Service Providers, Data Providers, and Computing Node Providers. By contributing to the network, these participants can earn GoPlus Tokens.

    Contact
    Dasi Kaplan
    pr@marketacross.com

    The post GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • A Linux version of a multi-platform backdoor called DinodasRAT has been detected in the wild targeting China, Taiwan, Turkey, and Uzbekistan, new findings from Kaspersky reveal. DinodasRAT, also known as XDealer, is a C++-based malware that offers the ability to harvest a wide range of sensitive data from compromised hosts. In October 2023, Slovak cybersecurity firm ESET
