
· 5 min read
Jose Luis Sánchez Martínez

Summary

On October 16, a malicious file that could be related to the current Israel-Gaza conflict was uploaded to VT. The document is related to Joe Truzman's publication "IRAN AND ITS NETWORK OF NINETEEN TERRORIST ORGANIZATIONS ON ISRAEL'S BORDERS" on fdd.org and discusses terrorist organizations that receive funding, training, and weapons from Iran's Islamic Revolutionary Guard Corps.

The actor behind this document could not be determined; however, given the type of document and the characteristics analyzed, it could be an APT. As for the victims, they could be Israeli institutions.


warning

Information about the origin and destination of the document could not be confirmed. What has been described in relation to suspected sponsors and victims is just conjecture.

· 20 min read
Jose Luis Sánchez Martínez

Summary

JPCERT/CC recently discovered attacks that infected routers in Japan with malware around February 2023.


This analysis focuses on the loaders they discovered:

  • 60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3
  • 3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1

Some of the behaviors identified in the routers are too generic, which means they can be used in Linux endpoint intrusions too. For that reason, I decided to analyze the samples and contribute to the Sigma community to identify new detection opportunities based on the samples and the analysis of JPCERT/CC.

info

The objective of the analysis is to provide information about the execution of these loaders and how we can detect them using Sigma rules.

· 12 min read
Jose Luis Sánchez Martínez

Summary

During 2019-2021 I was focused on analyzing campaigns orchestrated by the APT-C-36 group and RATs used by this same group and other cybercriminal groups such as RemcosRAT, AsyncRAT, Imminent Monitor RAT, etc. In the last few months I have seen some modifications of TTPs in many of these families that have caught my attention and I wanted to analyze them to see what is new.

Therefore, in this entry we will go through the analysis of a sample of AsyncRAT distributed in Colombia during the last month.

info

The objective of the analysis is to provide information on the execution of the binary, genealogy and other stuff, not to go into the details of the static part.

· 7 min read
Jose Luis Sánchez Martínez

Summary

Jlaive is a project created to evade antivirus by creating batch files from .NET assemblies. The way it does this is very interesting and opens a new window of opportunity for actors to evade defenses and execute their payloads.

You can find the project on their official GitHub: https://github.com/ch2sh/Jlaive

· 4 min read
Jose Luis Sánchez Martínez

Summary

Recently, some researchers have discovered a possible execution of binaries using the Windows Desktop Settings Control Panel utility, located at C:\Windows\System32\desk.cpl or, for 32-bit, at C:\Windows\SysWOW64\desk.cpl.

This utility allows executing a binary with a .scr extension by calling the InstallScreenSaver function.

This entry focuses only on the visibility the operating system provides for this technique and on how to detect it.

· 3 min read
Jose Luis Sánchez Martínez

Summary

Tested on Windows 11 10.0.22000 N/A Build 22000.

During January I was investigating Windows 11 and some of the binaries that were installed by default to identify behaviors that could be used for malicious purposes.

When the binary DeviceCensus.exe, located in C:\Windows\System32, is copied to a different path and executed, it tries to load roughly 11 DLLs from the directory it was executed from. For example, if you execute this binary from an AppData path, it tries to load the DLLs from AppData. However, if a DLL doesn't exist in AppData, it is loaded from System32 instead.

Consequently, if you copy this binary into AppData and create a DLL with the same name as one it tries to load, that DLL is loaded.