1/10/2023

Stockfolio mac app torrents

If you missed it over the last few weeks, we are also currently hiring a Go developer to join the Hatching team and help build the future of Triage. If you think this might be of interest to you or someone you know, the full job listing can be found here - feel free to reach out with any questions.

As usual, you can also contact us with any feedback or suggestions about Triage or its analysis results. If you notice anything not behaving as expected please do reach out and report it to us. It’s a big world of malware out there and there can always be things we miss! You can contact us directly through the website, on Twitter, or using the Feedback option on an analysis report page. Not signed up yet? Head over to tria.ge to register for a free account.

IcedID is a banking trojan which targets financial information on infected machines. It’s a family in very active development, with new versions regularly popping up in the wild. As such it has been a regular feature in past blog posts, and reappears this week with another small tweak to account for a variant we’ve recently observed in public Triage submissions. This change should mean that our extractor works as expected on even more examples of the family, and as usual we’ll be continuing to monitor for any new versions which aren’t parsed correctly.

Redline is a stealer family which has seen a lot of activity since it came to prominence in early 2020. Featuring an extensive feature set for data theft and specialised C2 communications, the family has become a popular choice among cybercriminals. It has been observed to be deployed in a number of different ways, including sideloading with legitimate applications, masquerading as applications like Telegram, or regular phishing attacks. We recently observed some samples of the family where the configuration was not being properly extracted by Triage. We have reviewed a large number of Redline analyses and made some tweaks to ensure they correctly trigger the extractor. You can find a selection of examples linked below.

A researcher recently reached out to us reporting that in some recent cases our configuration extractor was returning incorrect values for the RSA key section. On review internally, we discovered that the embedded RSA public key is encrypted and, for a couple of specific build versions - 250204 - they had introduced a custom 16 byte value used to decrypt the RSA pubkey. Additionally, the encryption algorithms in use are not always consistent, with one of the variants mentioned using AES while the other implements the Serpent algorithm. We have now made changes to our extractor logic and these variants are handled correctly. Thanks again to Fumik0 for bringing this to our attention.

Klingon is a new RAT which has appeared in the wild recently, with Intezer publishing the first analysis of it just last week, although they suggest that it may have been active since 2019. The family is written in Golang and is generally well-built, with robust persistence and privilege escalation methods included. It has an extensive feature set, allowing most interactions up to and including total control of an infected machine. In addition to the base payload, the family deploys a handful of third-party tools post-infection to handle additional tasks, while slipping under the radar due to these being commonly used as legitimate administration tools. We have reviewed the samples available and implemented initial signatures for the family. More information is available in the Intezer writeup linked above.