Coming from the newspaper and media industry, I’m no stranger to wanting to write catchy headlines. I’m certainly at fault for throwing together a story about so-and-so’s house selling for X million dollars.

But recently I’ve been wondering if those “big numbers” for cybersecurity are helpful at all, even though they might generate clicks to a news organization. …

Intermediate

Improving Malware Analysis Workflows by Modifying the default Ghidra UI.

Matthew

Oct 25, 2023 — 4 min read

The Ghidra user interface can be intimidating and complicated for users who are not familiar with the tool.

In this post, I’ll go over some changes that I made in order to improve the usability of Ghidra and ensure a better analysis experience.…

Most, if not all malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating one. Today, we look at a different scenario where, as strange as that may sound, malvertising was entirely accidental.

The reason this happened was due to the combination of two separate factors: a compromised website and Google Dynamic Search Ads.…

Demonstrating how to manually decode a complex .vbs script used to load Cobalt Strike shellcode into memory.

The referenced script implements heavy text-based obfuscation. We can defeat this obfuscation by utilising CyberChef and Regex.

Once the obfuscation is stripped away, we will identify some “malformed” shellcode, which we will manually fix before emulating it with the SpeakEasy emulator.…

We detail an ongoing campaign abusing the messaging platforms Skype and Teams to distribute the DarkGate malware to targeted organizations. We also discovered that once DarkGate is installed on the victim’s system, additional payloads are introduced to the environment.

From July to September, we observed the DarkGate campaign (detected by Trend Micro as TrojanSpy.AutoIt.DARKGATE.AA)…

Recent Attacks Showcase AgentTesla Spreading via CHM and PDF Files

Key Takeaways

This analysis emphasizes an interesting infection pathway to disseminate AgentTesla, a well-known malware strain. The infection is initiated via a spam email containing a CHM file, which, upon execution, fetches a PowerShell script to start the AgentTesla infection on the victim’s system.…
Key Takeaways

Cyble Research and Intelligence Labs (CRIL) recently came across a new spear-phishing email targeting a leading Russian semiconductor supplier. In this targeted attack, we observed Threat Actors (TAs) leveraging a Remote Code Execution (RCE) vulnerability, identified as CVE-2023-38831, to deliver their payload on compromised systems.…
Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough

Lena aka LambdaMamba

I am a Cybersecurity Analyst, Researcher, and ANY.RUN Ambassador. My passions include investigations, experimentations, gaming, writing, and drawing. I also like playing around with hardware, operating systems, and FPGAs. I enjoy assembling things as well as disassembling things!…

The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails. Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicating the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command and control (C2) servers.…

Key Takeaways

Cyble Research and Intelligence Labs (CRIL) came across a Word document file that spreads via spam email, employing an infection method for disseminating PurpleFox malware. In this malspam campaign, a VBA macro is employed to fetch the initial-stage PowerShell script payload. The initial-stage PowerShell script functions as a downloader responsible for retrieving a PNG image that conceals hidden content using a form of steganography.…

Volexity has identified several long-running and currently active campaigns undertaken by the threat actor Volexity tracks as EvilBamboo (formerly named Evil Eye) targeting Tibetan, Uyghur, and Taiwanese individuals and organizations. These targets represent three of the Five Poisonous Groups of the Chinese Communist Party (CCP).

Volexity has tracked the activities of EvilBamboo for more than five years and continues to observe new campaigns from this threat actor.…

The deployment of file-encrypting ransomware by organized cybercriminal gangs is one of the largest cybersecurity risks facing organizations. A network breach that culminates in a ransomware infection often starts with an infection by a type of malware called a loader. This malware acts as a foothold into an organization’s network and is subsequently used to install other payloads, such as additional malware or tools.…