Jonathan Care’s Post

Cybersecurity Expert | Gartner Veteran | GTM Advisor to Startups, Private Equity & Venture Funds | Board Advisor

Speaking in tongues? "Polyglot files have to fit in several file format specifications and respond differently depending on the calling program. This poses a significant risk to endpoint detection and response (EDR) systems and file uploaders, which mainly rely on format identification for analysis. By evading correct classification, polyglots can leap over feature extraction routines or signature comparisons found in malware detection systems."

Hackers Using Polyglot Files In the Wild, Here Comes PolyConv For Detection

https://gbhackers.com

To view or add a comment, sign in

More Relevant Posts

Florin Lungu

DevOps Chapter Lead / Sr. DevOps Engineer / Site Reliability Engineer - Deutsche Bank
8mo
Report this post
A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection. "The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP," IBM X-Force researchers Golo Mühr and Ole... Read more on the following blog article!

New GootLoader Malware Variant Evades Detection and Spreads Rapidly

thehackernews.com
Like Comment
To view or add a comment, sign in
Florin Lungu

DevOps Chapter Lead / Sr. DevOps Engineer / Site Reliability Engineer - Deutsche Bank
8mo
Report this post
A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection. "The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP," IBM X-Force researchers Golo Mühr and Ole... Read more on the following blog article!

New GootLoader Malware Variant Evades Detection and Spreads Rapidly

thehackernews.com
Like Comment
To view or add a comment, sign in
Salih Bıçakcı, PhD

CATS Fellow, Senior Researcher at Center on Cybersecurity and Critical Infrastructure Protection | Member of Department of International Relations at Kadir Has University
3mo
Report this post
Trend Microreport elaborates the methodology of threat actor #APT41 In the past month, we investigated a #cyberespionage attack that we have attributed to Earth Freybug (also known as a subset of APT41). #EarthFreybug is a cyberthreat group that has been active since at least 2012 that focuses on #espionage and financially motivated activities. It has been observed to target organizations from various sectors across different countries. Earth Freybug actors use a diverse range of #tools and #techniques, including #LOLBins and custom #malware. This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (#DLL) hijacking and application programming interface (#API) unhooking to prevent child processes from being monitored via a new malware we’ve discovered and dubbed #UNAPIMON. #cybersecurity

Earth Freybug Uses UNAPIMON for Unhooking Critical APIs

trendmicro.com
Like Comment
To view or add a comment, sign in
ANY.RUN - Interactive Malware Analysis Service

11,011 followers
9mo
Report this post
Dive into an in-depth analysis of #SnakeKeylogger by guest analyst LambdaMamba on ANYRUN blog. Learn the practical applications of using an interactive sandbox in real-world malware forensics. Full breakdown here ⬇️ https://lnkd.in/eBeXcq2G

Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough - ANY.RUN's Cybersecurity Blog

https://any.run/cybersecurity-blog

1 Comment
Like Comment
To view or add a comment, sign in
Lindsay P. Stought, CSM, PMP

MPGSOC Team Lead/Project Manager at MindPoint Group | Certified Scrum Master, PMP | Threat Intelligence Enthusiast
1w
Report this post
Researchers recently noted enhancements in the ViperSoftX info-stealing malware initially identified in 2020. The malware has evolved to utilize more advanced evasion strategies by integrating the Common Language Runtime (CLR) to execute PowerShell commands within AutoIt scripts distributed via pirated eBook copies. This innovative approach enables the malware to camouflage itself within authentic system processes, posing challenges for security solutions in detection. https://lnkd.in/eAwcGkHE

Researchers Observe Improvements in ViperSoftX Info-Stealing Malware Distributed Through eBooks

thecyberexpress.com
Like Comment
To view or add a comment, sign in
Thomas Kearns, CISSP, CCSM

Sr. Security Engineer @ VMRay Customer Success Management
5mo Edited
Report this post
Join VMRay Labs in exploring the malicious tactics of DarkGate, a malware family that highlights the lengths to which attackers will go to evade security systems. The complex delivery methods and multitude of evasion tactics that they employ requires a dynamic, behavioral-based approach to detecting and analyzing this type of malware. Try VMRay today!

DarkGate: From AutoIT to Shellcode Execution

https://www.vmray.com
Like Comment
To view or add a comment, sign in
Lindsay P. Stought, CSM, PMP

MPGSOC Team Lead/Project Manager at MindPoint Group | Certified Scrum Master, PMP | Threat Intelligence Enthusiast
3mo
Report this post
A new threat activity cluster called Earth Freybug has been discovered using a new malware called UNAPIMON to evade detection. The group has been active since 2012, focusing on espionage and financially motivated activities, and has been observed targeting organizations from various sectors across different countries. According to Trend Micro, Earth Freybug is a subset within APT41, a China-linked cyber espionage group that uses a combination of living-off-the-land binaries (LOLBins) and custom malware to realize its goals. The group also employs techniques like dynamic-link library (DLL) hijacking and application programming interface (API) unhooking. https://lnkd.in/g6HVnuEW

China-linked Hackers Deploy New 'UNAPIMON' Malware for Stealthy Operations

thehackernews.com
Like Comment
To view or add a comment, sign in
Florin Lungu

DevOps Chapter Lead / Sr. DevOps Engineer / Site Reliability Engineer - Deutsche Bank
8mo
Report this post
A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection. "The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP," IBM X-Force researchers Golo Mühr and Ole... Read more on the following blog article!

New GootLoader Malware Variant Evades Detection and Spreads Rapidly

thehackernews.com
Like Comment
To view or add a comment, sign in
Ryan MacDonald

Security Administrator And Engineer | Principle Global Incident Responder at Current
3mo
Report this post
The Rapid7 blog post outlines the discovery and analysis of a new malware loader, IDAT Loader, used in conjunction with BruteRatel C4 for cyberattacks. It details the malware's distribution through a FakeUpdates campaign, its evasion techniques against analysis tools, and its method of loading additional payloads via PNG file data. https://lnkd.in/dssrFbAM

Stories from the SoC Part 1: IDAT Loader to BruteRatel | Rapid7 Blog

rapid7.com
Like Comment
To view or add a comment, sign in
Ali Haj

General Manager at CyberTI®
11mo
Report this post
Dynamic Malware analysis using Elastic leveraging Detonate and chain of Elastic Ingest pipelines!

CyberTI®

880 followers
11mo Edited

⚡ Article highlight: "An Approach to large-scale dynamic Malware analysis" Authors: Ruben Groenewoud, Remco Sprooten The authors cover the following, ✨ Challenge: Effective Management of vast low-value data generated during execution ✨What did they leverage: With Detonate running at the top level, they used Elastic ingest pipelines to filter out noise from datasets and conveniently analyze the large datasets to identify malicious behaviors. ✨What is Detonate: Detonate runs malware and other potentially malicious software in a controlled environment, it accepts a file hash and performs the following functions: 🌠 Prepares the files for detonation 🌠Provisions a Virtual Machine(VM) 🌠Waits until File execution completes 🌠Stops the running VM Instance 🌠Generates an event summary based on Telemetry and alerts produced during Detonation ✨Overview of their chained ingest pipelines and processors wherein the benign documents are differentiated from the Malicious documents ✨Data Normalization process ✨Fingerprint calculation process ✨Additional Usecases where the same model could be applied Access article about Detonate here: https://lnkd.in/gpZG45HN Access the article below, https://lnkd.in/gsnM-u6K #elastic #malwareanalysis #detonate #sandbox

An Elastic approach to large-scale dynamic malware analysis

elastic.co
Like Comment
To view or add a comment, sign in

3,352 followers

View Profile Follow

Jonathan Care’s Post

Hackers Using Polyglot Files In the Wild, Here Comes PolyConv For Detection

https://gbhackers.com

More from this author

Speaking the language of your audience

Ensuring a successful PCI DSS Assessment

Explore topics