-
Analysis of an Obfuscated RTF File
15 May 2022 RTF SHA256: ac64adbfa128fd5f31bd922957942a1b80c56ee119791a29b939be04e1d7e2ba Filename: PO#JEL180409TH IR & JEL180409TH IRB.doc VirusTotal Score: 30/59 as of 12 May 2022 What’s An RTF? First released some 35 years ago, the Rich Text Format (RTF) file provides cross-platform support ensuring the document can be read and opened by a number of different word processing applications. As […]
-
Detecting COM Object Tasks Used by DarkHotel
Background Adversaries frequently utilize scheduled tasks, a legitimate Windows operating system utility to establish/maintain persistence and even execute code in a victim network. Scheduled tasks allow for persistence on a victim network between reboots as well as code execution when a certain condition is met (time, user logon, etc.). In this specific example, the adversary […]
-
A Tale of Two Shells
Although not utilized in attacks for initial access, web shells remain a go-to for all sorts of attackers, from cyber criminals to APT’s when it comes to post-exploitation. The server-side component of a web shell can be as short as one line of code, commonly in PHP. The China Chopper web shell has long been […]
-
Shortcut to Windows Update
Summary On January 27, 2022, Malwarebytes Labs shared an article covering new tactics including abusing the Windows Update Client for code executing believed to be the work of Lazarus. The purpose of this post will be to cover possible detection points for defenders to identify adversaries misusing the Windows Update Client. Please give the blog […]
-
Analysis of a DLL Downloader
Summary SHA256: dedb8516befa4a5088000b8c7f699dae7f33761403dd355a14684ac89ff56a9a Filename: Unknown Filetype: DLL File size: 39KB From here on, the above DLL will be referred to as “downloader.dll”. The file is capable of: Downloading files Interacting with a C2 server Malware Overview This is an older file that was first identified around October 2021. Downloader.dll is a downloader capable of downloading […]
-
Info-Stealing Tool Posing As Naver OTP
Summary SHA256: 3275f42c85c9e2fcb80d1f8c1c6227c2bcde9c0e719905ddbd2ca7373c6a8ec6 Filename: UpHelpers.exe Size: 3.41MB Extension: EXE Compilation Timestamp: 2022-01-05 23:41:20 Sandbox analysis: https://tria.ge/220118-emrgjsgfb7 UpHelpers.exe is an information-stealing/reconnaissance tool disguised as a Naver One Time Password, (OTP) generator app. Naver is a South Korean web portal that first debuted in 1999 and offers a number of services. The tool collects drive and directory […]
-
Analysis of njRAT PowerPoint Macros
I wanted to do a quick write-up on an interesting PowerPoint macro document that contains njRAT. njRAT is a .NET trojan first identified in 2013 that has largely targeted countries in the Middle East as well as South America. The malicious document can be found via MalwareBazaar: https://bazaar.abuse.ch/sample/edba3ca498110106418658167533034aeb929276fe81de80c6de1a6bb95120e0 Information Gathering When triaging a suspected malicious […]
-
A “GULP” of PlugX
Often attributed to Chinese-speaking threat actors, PlugX a remote access trojan(RAT), was identified by security researchers in 2012. With several variants of the RAT identified by vendors over the year, many techniques used to compromise systems have remained the same. While perusing public malware sandboxes for interesting new samples, I stumbled upon a Windows executable […]
-
More Flagpro, More Problems
No stranger to this blog, BlackTech has continued to modify techniques to compromise networks and even suffered an OPSEC slip in the way of an open directory. This post will cover a malicious document similar to that identified by [1] PWC and [2] NTT in the previous reporting on the group. While I cannot definitively […]
-
BlackTech Updates Elf-Plead Backdoor
Overview On November 10, 2020, JPCert[1] published a blog post in Japanese (the English version followed about a week later), providing an overview of BlackTech’s PLEAD backdoor, referred to as “ELF_PLEAD”, specifically targeting *nix systems. In late March 2021, Intezer[2] tweeted a hash of what was described as a fully undetectable (FUD) version of ELF_PLEAD. […]
-
Follow
Following
Already have a WordPress.com account? Log in now.
Cyber&Ramen 