LockBit Ransomware v4.0
Malware Analysis Report - LockBit Ransomware v4.0. In this blog post, I'm going over my analysis of the latest variant of LockBit ransomware, version 4.0. Throughout this blog, I'll walk through all the malicious functionalities discovered, complete with explanations and IDA screenshots to show my reverse engineering process step by step. This new version of LockBit 4.0 implements a hybrid-cryptography approach, combining Curve25519 with XChaCha20 for its file encryption scheme. This version shares similarities with the older LockBit Green variant, which is derived from Conti ransomware. While the multi-threading architecture seems more streamlined than in previous versions, it still delivers an encryption speed that outpaces most other ransomware families. As always, LockBit is still my favorite malware to look at, and I certainly enjoyed doing a deep dive to understand how this version works.
·chuongdong.com·
Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
This Google Threat Intelligence Group report presents an analysis of detected 2024 zero-day exploits. Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances. Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be increasing their operational security practices, potentially leading to decreased attribution and detection. We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts.
·cloud.google.com·
MAR-10400779-1.v1 – Zimbra 1
CISA received seven files for analysis: six Java Server Pages (JSP) webshells and a Bourne Again SHell (bash) file. Five of the JSP webshell files are designed to parse inbound requests for commands to execute, files to download, and files to upload. One JSP webshell file contains a form with input fields that prompts the attacker to enter a command in the input box and click "run" to execute it; the command output is then displayed in a JSP page. The bash file is designed to perform ldapsearch queries and store the output in a newly created directory.
·cisa.gov·
THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control
Cybereason GSOC observed distribution of the Bumblebee Loader and post-exploitation activities including privilege escalation, reconnaissance and credential theft. Bumblebee operators use the Cobalt Strike framework throughout the attack and abuse credentials for privilege escalation to access Active Directory, as well as abusing a domain administrator account to move laterally, create local user accounts and exfiltrate data...
·cybereason.com·
SysJoker analyzing the first (macOS) malware of 2022!
Earlier today (January 11th), researchers at Intezer published a report titled "New SysJoker Backdoor Targets Windows, Linux, and macOS." In this report, they detailed a new cross-platform backdoor they named SysJoker. Though it was initially discovered on Linux, the Intezer researchers shortly thereafter also found both Windows and Mac versions: "SysJoker was first discovered during an active attack on a Linux-based web server of a leading educational institution. After further investigation, we found that SysJoker also has Mach-O and Windows PE versions." -Intezer
·objective-see.com·