Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
In this post, we’ll demonstrate a process for decoding a visual basic (.vbs) script, which contains an encoded Powershell Script used to download Remcos malware from a Google Drive.
We’ll manually analyse and deobfuscate both the vbs and powershell, and develop a decoder to obtain IOCs and decoded values.…
Coming from the newspaper and media industry, I’m no stranger to wanting to write catchy headlines. I’m certainly at fault for throwing together a story about so-and-sos house sold for X million dollars.
But recently I’ve been wondering if those “big numbers” for cybersecurity are helpful at all, even though they might generate clicks to a news organization. …
Intermediate
Improving Malware Analysis Workflows by Modifying the default Ghidra UI.
MatthewOct 25, 2023 — 4 min read
The Ghidra User interface can be intimidating and complicated for users who are not familiar with the tool.
In this post, I’ll go over some changes that I made in order to improve the usability of Ghidra and ensure a better analysis experience.…
Proofpoint researchers identified TA571 delivering the Forked variant of IcedID in two campaigns on 11 and 18 October 2023. Both campaigns included over 6,000 messages, each impacting over 1,200 customers in a variety of industries globally.
Emails in the campaigns purported to be replies to existing threads.…
Most, if not all malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating one. Today, we look at a different scenario where, as strange as that may sound, malvertising was entirely accidental.
The reason this happened was due to the combination of two separate factors: a compromised website and Google Dynamic Search Ads.…
Demonstrating how to manually decode a complex .vbs script used to load Cobalt Strike shellcode into memory.
The referenced script implements heavy text-based obfuscation. We can defeat this obfuscation by utilising CyberChef and Regex.
Post obfuscation, we will identify some “malformed” shellcode which we will manually fix, before emulating with the SpeakEasy emulator.…
In this post. we will demonstrate a process for decoding a simple .hta loader used to load cobalt strike shellcode. We will perform initial analysis using a text editor, and use CyberChef to extract embedded shellcode. From here we will validate the shellcode using an emulator (SpeakEasy) and perform some basic analysis using Ghidra.…
In this post. I will demonstrate a process for decoding a simple .hta loader used to load cobalt strike shellcode. We will perform initial analysis using a text editor, and use CyberChef to extract embedded shellcode. From here we will validate the shellcode using an emulator (SpeakEasy) and perform some basic analysis using Ghidra.…
Threat actors focus on gaining remote access and control of victims’ devices. For this they either use fake apps or masquerade as legitimate apps. This blog is about the Rusty Droid RAT, which masquerades Chrome browser for Android. The sample under consideration is taken from this tweet.…
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Blockchain, Botnets, Hexadecimal IP notation, Infostealers, and Ransomware. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure…
We detail an ongoing campaign abusing messaging platforms Skype and Teams to distribute the DarkGate malware to targeted organizations. We also discovered that once DarkGate is installed on the victim’s system, additional payloads were introduced to the environment.
From July to September, we observed the DarkGate campaign (detected by Trend Micro as TrojanSpy.AutoIt.DARKGATE.AA)…
AhnLab Security Emergency response Center (ASEC) spotted the AgentTesla Infostealer being distributed through an email in the form of a malicious BAT file. When the BAT file is executed, it employs the fileless method to run AgentTesla (EXE) without creating the file on the user’s PC.…
I am a Cybersecurity Analyst, Researcher, and ANY.RUN Ambassador. My passions include investigations, experimentations, gaming, writing, and drawing. I also like playing around with hardware, operating systems, and FPGAs. I enjoy assembling things as well as disassembling things!…
Volexity has identified several long-running and currently active campaigns undertaken by the threat actor Volexity tracks as EvilBamboo (formerly named Evil Eye) targeting Tibetan, Uyghur, and Taiwanese individuals and organizations. These targets represent three of the Five Poisonous Groups of Chinese Communist Party (CCP).
Volexity has tracked the activities of EvilBamboo for more than five years and continues to observe new campaigns from this threat actor.…
The deployment of file-encrypting ransomware by organized cybercriminal gangs is one of the largest cybersecurity risks facing organizations. A network breach that culminates with a ransomware infection often starts with an infection with a type of malware called a loader. This malware acts as a foothold into an organization’s network and is subsequently used to install other payloads such as malware or tools.…