Arkbird (@Arkbird_SOLG)'s Twitter Profile
Arkbird

@Arkbird_SOLG

Malware slayer
Member of @CuratedIntel

ID: 1089248858058772480

Joined: 26-01-2019 19:48:59

6,6K Tweets

13,6K Followers

64 Following

vx-underground (@vxunderground):

Malware review:

2024-02-27 - European diplomats targeted by SPIKEDWIRE with WINELOADER

Notes:
* Zscaler, on release of this article, did not attribute it to any state-sponsored threat actor.
* Mandiant later attributed this payload to APT29 on March 22nd, 2024, in an article titled:

Group-IB Threat Intelligence (@GroupIB_TI):

From late 2023 to early 2024, has continued to target government entities in Southeast Asia. Group-IB researchers have spotted several initial infection vectors (documents/executables) similar to previous Sharp Panda operations. These malicious files deliver the

Sinaei (@Intel80x86):

If you've ever worked with HyperDbg, you probably know that everything in HyperDbg is treated as an event.

This new debugger is designed to allow us to control the smallest unit in computers, which is a clock cycle, so we can execute custom actions for each event (clock).

Kuba Gretzky (@mrgretzky):

Really interesting how easy it is to fingerprint TLS connections established from Go applications, by checking JA4 signature patterns.

You'd be amazed how many automated malicious URL scanners also use the same JA4 signature.

From: github.com/FoxIO-LLC/ja4

Ivan Kwiatkowski (@JusticeRage):

On March 25, the FBI released an indictment of APT31 hackers. We read it carefully to find new intel, and managed to connect a few dots (including about the RAWDOOR malware family).

Full article and IOCs: harfanglab.io/en/insidethela…

Xiu (@osint_barbie):

Russian #APT28 spotted on #macOS. 1 sample flagged by 24 vendors, 2 others only by a @cyb3rops rule. Cryptic method names like generateRandomPathAndName, createCryptPacket may point to obfuscated malicious activities. FTP/HTTP methods hint at potential unauthorized file transfers.

Valéry Rieß-Marchive | @valerymarchive.bsky.social (@ValeryMarchive):

The very elusive #3am group has just claimed a #cyberattack against La Compagnie de Phalsbourg in 🇫🇷.
When asked, the victim does not deny that the incident occurred and says it does not wish to comment. #ransomware

SpecterOps 🇺🇦 (@SpecterOps):

While Microsoft's User Account Control is not defined as a security boundary, bypassing UAC is still something attackers frequently do. Check out this blog post from Matt Nelson detailing one method for bypassing UAC using App Paths. ghst.ly/43U8XQY

Unit 42 (@Unit42_Intel):

Malicious activity tracked under the campaign #OperationMidnightEclipse is targeting CVE-2024-3400, which exploits a vulnerability in certain versions of PAN-OS software. This threat brief covers mitigations and product protections: bit.ly/3vPUngM

Florian Roth (@cyb3rops):

It's Sunday 07:03 am and I decided to read @Volexity's article on UTA0218's post-exploitation activity (PaloAlto CVE-2024-3400).
I saw that a generic rule of mine detected the new UPSTYLE backdoor when it was uploaded to VT yesterday (while no one else had detections for it) and

Steven Adair (@stevenadair):

Our team at Volexity has identified a new 0day exploited in the wild. This time we caught a threat actor using an unauthenticated RCE in Palo Alto Networks GlobalProtect. It has been assigned CVE-2024-3400 and is covered in this Palo Alto Networks advisory security.paloaltonetworks.com/CVE-2024-3400

Zscaler ThreatLabz (@Threatlabz):

ThreatLabz has released an IDA plugin to deobfuscate the strings for previous versions of #Pikabot.

Read our blog here: zscaler.com/blogs/security…

The source code for the IDA plugin can be found here: github.com/threatlabz/pik…

João Victor (@joaoviictorti):

Hi guys

Currently I've added to RustRedOps the Process Ghosting technique implemented in Rust, following the POC created by @hasherezade.

Check it out: github.com/joaoviictorti/…

#hacking #rust #malware #ghosting