List of “Malware”

  • Malware Used by Lazarus after Network Intrusion Malware
    Malware Used by Lazarus after Network Intrusion
    JPCERT/CC has observed attack activity by Lazarus (also known as Hidden Cobra) targeting Japanese organisations. Different types of malware are used during and after the intrusion. This article introduces one of the types of malware used after the intrusion. Malware Overview This malware downloads and executes modules. It is saved as a .drv file in a folder such as C:¥Windows¥System32¥ and run as a service. It is obfuscated by using...

    Read more

  • Migrate Volatility Plugins 2 to 3 Malware
    Migrate Volatility Plugins 2 to 3
    The Volatility Foundation released Volatility 3 Public Beta, a new version of Volatility Framework in October 2019. The version not only offers compatibility with Python 3 but also has a lot of functional updates from Volatility 2. (Please see Volatility 3's official page for more details.) Particularly, creating plugins is much easier with Volatility 3 compared to the previous version. Volatility 3’s official release is planned for August 2020, and...

    Read more

  • Evolution of Malware LODEINFO Malware
    Evolution of Malware LODEINFO
    We introduced malware LODEINFO in a past blog entry. Attacks using the malware have been continuously seen, in particular with malicious file names including those related to COVID-19. It is also confirmed that LODEINFO has been updated frequently, and several functions have been added or changed in the latest version. This article will introduce trends seen in the series of attacks and updates to the malware. LODEINFO distribution Cases that...

    Read more

  • Attacks Simultaneously Exploiting Vulnerability in IE (CVE-2020-0674) and Firefox (CVE-2019-17026) Incident
    Attacks Simultaneously Exploiting Vulnerability in IE (CVE-2020-0674) and Firefox (CVE-2019-17026)
    On 8 January 2020, Mozilla released an advisory regarding a vulnerability in Firefox. On 17 January, Microsoft reported that 0-day attacks exploiting a vulnerability in Internet Explorer (IE) had been seen in the wild. JPCERT/CC confirmed attacks exploiting both vulnerabilities at once and issued a security alert. This article explains the details of these attacks. Attack overview In this attack, victims are redirected to an attack site through a compromised...

    Read more

  • ELF_TSCookie - Linux Malware Used by BlackTech Malware
    ELF_TSCookie - Linux Malware Used by BlackTech
    In the past blog articles, we have introduced TSCookie, PLEAD and IconDown, which are used by BlackTech. It has been identified that this group also uses several other types of malware. While the malware we have already described infects Windows OS, we have also confirmed that there are TSCookie and PLEAD variants that infect Linux OS. This article describes TSCookie for Linux, used by BlackTech. Difference between TSCookie for Windows...

    Read more

  • Malware “LODEINFO” Targeting Japan Malware
    Malware “LODEINFO” Targeting Japan
    JPCERT/CC has been observing a new type of spear-phishing emails targeting Japanese organisations since December 2019. The emails have a malicious Word file attachment leading to malware “LODEINFO”, which is newly observed. This article introduces the details of this malware. How LODEINFO is launched Figure 1 describes the flow of events from executing a Word file until LODEINFO is launched. Figure 1:Flow of events until LODEINFO runs By enabling the...

    Read more

  • IconDown – Downloader Used by BlackTech Malware
    IconDown – Downloader Used by BlackTech
    In the past articles, we have introduced TSCookie and PLEAD, the malware used by an attack group BlackTech. We have confirmed that this group also uses another type of malware called “IconDown”. According to ESET’s blog[1], it has been confirmed that the malware is distributed through the update function of ASUS WebStorage. This article describes the details of IconDown found in Japanese organisations. IconDown’s behaviour The malware downloads a file...

    Read more

  • Malware Used by BlackTech after Network Intrusion Malware
    Malware Used by BlackTech after Network Intrusion
    Previously, we explained about malware "TSCookie" and "PLEAD" which are used by an attack group BlackTech. Their activities have been continuously observed in Japan as of now. We have been seeing that a new malware variant is being used after they successfully intruded into a target network. This article explains the details of the variant. TSCookie used after intrusion The malware consists of 2 files (TSCookie Loader and TSCookie) as...

    Read more

  • MalConfScan with Cuckoo: Plugin to Automatically Extract Malware Configuration Python
    MalConfScan with Cuckoo: Plugin to Automatically Extract Malware Configuration
    In malware analysis, extracting the configuration is an important step. Malware configuration contains various types of information which provides a lot of clues in incident handling, for example communication details with other hosts and techniques to perpetuates itself. This time, we will introduce a plugin “MalConfScan with Cuckoo” that automatically extracts malware configuration using MalConfScan (See the previous article) and Cuckoo Sandbox (hereafter “Cuckoo”). This plugin is available on GitHub....

    Read more

  • Extract Malware Configuration with MalConfScan Malware
    Extract Malware Configuration with MalConfScan
    Every day, new types of malware are discovered. However, many of them are actually variants of existing malware - they share most part of the code and there is a slight difference in configuration such as CC servers. This indicates that malware analysis is almost complete as long as the configuration is extracted from malware. In this article, we would like to introduce details of “MalConfScan”, a tool to extract...

    Read more