Grab your beverage of choice , because there's a LOT to recap from the last 24 hours. Check it out here https://opalsec.io/daily-news-update-friday-april-4-2025-australia-melbourne/

There's a lot to digest, so if you're running between meetings or scoffing down a quick lunch before the next - here's the TL;DR on the key points:

Urgent Ivanti Patch Alert: A critical RCE zero-day is being actively exploited by suspected China-nexus group UNC5221, who are deploying new malware (TRAILBLAZE, BRUSHFIRE).

Fast Flux is Back in the Spotlight: Five Eyes agencies dropped a joint advisory on the increased use of this evasion technique by sophisticated actors (ransomware gangs, state-sponsored groups). It makes tracking C2s & phishing sites a real headache by rapidly changing IPs/nameservers.

GitHub Supply Chain Attack Deep Dive: Remember that complex attack targeting Coinbase via GitHub Actions? Unit 42 traced its origin back to a single leaked SpotBugs Personal Access Token from late 2024! A huge reminder about token hygiene, the risks of mutable tags, and those cascading dependency threats. Rotate secrets if you use SpotBugs, Reviewdog, or tj-actions!

Oracle's Cloud Breach Saga Continues...: Oracle reportedly admitted a breach to customers, framing it as a "legacy" (pre-2017) environment issue, yet, the actor leaked data allegedly from late 2024/2025. The focus on "Oracle Cloud Classic" vs. OCI feels like damage control over transparency. As I put it in the blog, their handling doesn't exactly inspire confidence – trust is earned, folks.

Rethinking Disaster Recovery in the Ransomware Era: DR is way more than just backups now. With hybrid environments sprawling and ransomware the top threat, recovery is Incident Response (detect, isolate, wipe, reinstall, restore). Homogeneity might simplify recovery, but beware of single points of failure (hello, CrowdStrike outage!).

Mass Scanning Alert: Seeing increased probes against Juniper devices (looking for default 't128' creds - change 'em!) and Palo Alto GlobalProtect portals. Motives are unclear – could be recon, botnet building, or sniffing for vulnerabilities. Keep those edge devices patched and hardened!

New Malware 'Wrecksteel' Hits Ukraine: CERT-UA warns of a new espionage malware targeting state agencies and critical infrastructure via phishing. Deployed by UAC-0219, Wrecksteel exfiltrates documents and takes screenshots.

INC Ransomware Claims State Bar of Texas: The second-largest US bar association confirmed a data breach after INC ransomware listed them on their leak site.

Stay informed, stay vigilant, and let me know your thoughts in the comments! What's catching your eye this week?

In the course of its investigations, @volexity frequently encounters malware samples written in Golang. This reflects the increase in popularity of the Golang generally, and presents challenges to reverse engineering tools.
 
Today, @volexity is releasing GoResolver, open-source tooling to help reverse engineers understand obfuscated samples. @r00tbsd & Killian Raimbaud presented details at INCYBER Forum earlier today.
 
GoResolver uses control-flow graph similarity to identify library code in obfuscated code, leaving analysts with only malware functions to analyze. This saves time & speeds up investigations!
 
Check out the blog post on how GoResolver works and where to download it: https://www.volexity.com/blog/2025/04/01/goresolver-using-control-flow-graph-similarity-to-deobfuscate-golang-binaries-automatically/
 
#dfir #reversing #malwareanalysis

Our latest summary is out, looking at an emerging Crypto-theft Trojan and a promising new recovery tool.

Stay ahead of the curve and read the full post here: https://opalsec.io/daily-news-update-sunday-march-31-2025-australia-melbourne/🔗

Crocodilus Android Malware: This nasty piece of work is targeting crypto wallets by using fake overlays to steal seed phrases. It's bypassing security measures and using social engineering to gain access. Watch out for this one, especially if you have users in Turkey and Spain!

Key Takeaways:
* Steals crypto wallet seed phrases using Accessibility Logger.
* Bypasses Android 13 security and Play Protect.
* Employs 23 bot commands, including call forwarding and RAT functionality.
* Hides activities with black screen overlays and muting.

Microsoft's Quick Machine Recovery Tool: Microsoft is testing a new tool for Windows 11 that could be a game-changer for dealing with boot crashes caused by buggy drivers and configurations. Imagine remotely fixing those dreaded BSODs!

Here's the lowdown:
* Remotely fixes boot crashes caused by bad drivers/configs.
* Connects to Microsoft's servers to apply fixes.
* Could have made life much easier when recovering from the worldwide CrowdStrike outage from July last year.
* Customizable for enterprise users via RemoteRemedation CSP.

Don't forget to sign up for Opalsec to get actionable insights delivered straight to your inbox! https://opalsec.io/daily-news-update-sunday-march-31-2025-australia-melbourne/#/portal/signup

Let me know your thoughts in the comments below!

Hunting ClickFix Initial Access Techniques: https://detect.fyi/hunting-clickfix-initial-access-techniques-8c1b38d5ef9b

Malware Is Evolving — And So Are the Languages It’s Written In — A new study highlights a growing tactic among malware developers: coding in uncommon languages to evade detection.

Key takeaways:
Obscure languages like Lisp, Rust, Haskell, Delphi, and Phix are harder for static analysis tools to parse.
These languages often produce fragmented memory layouts and more indirect execution paths, complicating reverse engineering.
Even the choice of compiler — like Tiny C or Embarcadero Delphi — impacts how easily malware can be flagged.
APTs (Advanced Persistent Threats) are increasingly adopting these strategies to fly under the radar.

Security teams must broaden their detection capabilities and adapt tooling for these underrepresented programming environments.

#CyberSecurity #ThreatIntel #MalwareAnalysis #Infosec #Programming #ReverseEngineering #security #privacy #cloud #infosec

https://www.theregister.com/2025/03/29/malware_obscure_languages/

(cyfirma.com) Konni RAT Analysis: Multi-Stage Attack Process and Evasion Techniques https://www.cyfirma.com/research/analysis-of-konni-rat-stealth-persistence-and-anti-analysis-techniques/

Executive Summary:
This report provides a comprehensive analysis of Konni RAT, a sophisticated remote access Trojan linked to North Korean cyber espionage group APT37. The malware employs a multi-stage attack process involving batch files, PowerShell scripts, and VBScript to exfiltrate sensitive data and maintain persistence. The attack begins with a zip archive containing a malicious LNK file disguised as a document. The malware exploits Windows Explorer limitations to hide malicious commands and uses obfuscation techniques to evade detection. Key capabilities include data exfiltration from user directories, system information gathering, persistence through registry modifications, and communication with command-and-control servers. The report includes detailed technical analysis of the attack stages, from initial infection to data exfiltration, along with indicators of compromise and YARA detection rules.

Top 3 Cyber Attacks In March 2025 https://cybersecuritynews.com/top-3-cyber-attacks-in-march-2025/ #TodayCyberAttackNews #CyberSecurityNews #CyberAttackToday #malwareanalysis #cybersecurity #Phishing #phishing #ANY.RUN #Malware #whatis #Top10

For hobbyist Cobalt Strike Beacon collectors, note that the recently announced 4.11 update introduces a number of changes to frustrate Beacon configuration extraction, namely through the new `transform-obfuscate` field.

When set, this field can apply multiple layers of encoding, encryption and compression (with some recent Beacons observed with a 32 byte XOR key, configurable upto 2048 bytes!).

While still reasonably trivial to decode manually, standard automated workflows (say, through the SentinelOne parser) will now fail, not least because of changes to the well-known field markers.

Beacons with these characteristics have thus far been observed with watermarks indicative of licensed instances, though I imagine it is only a matter of time before the 4.11 capabilities become accessible to all manner of miscreants.

A sample configuration, via a staged Beacon on 104.42.26[.]200 is attached, including the three distinct XOR keys used to decode it.

https://www.cobaltstrike.com/blog/cobalt-strike-411-shh-beacon-is-sleeping

New Open-Source Tool Spotlight

FLARE's FLOSS is a tool that extracts strings from malware, even if they're obfuscated. Unlike standard tools, FLOSS uses emulation and decoding techniques to identify hidden strings, making it invaluable for reverse engineers. It bridges gaps where simple static analysis falls short. #malwareanalysis #reversing

Project link on #GitHub https://github.com/fireeye/flare-floss

#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity

—
P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking

DollyWay Malware Campaign Breaches 20,000 WordPress Sites: A Deep Dive into Cybersecurity Threats

The DollyWay malware campaign has compromised over 20,000 WordPress sites, evolving into a sophisticated redirection system that poses significant risks to both users and site administrators. As cyber...

https://news.lavx.hu/article/dollyway-malware-campaign-breaches-20000-wordpress-sites-a-deep-dive-into-cybersecurity-threats

Introduction to YARA: https://blog.ecapuano.com/p/introduction-to-yara

MalChela Updates: New Features and Enhancements

It’s been just over a week since MalChela was initially released and already here have been a number of updates.

mStrings

In the previous post, I walked through the new mStrings function. I think this is one of my favorites so far. It extracts strings from a file and uses Sigma rules defined in YAML against the strings to evaluate threats and align results to the MITRE ATT&CK framework.

For fun I pointed it at an old WannaCry sample . I had a proud papa moment at the positive network IOC detection.

Check for Updates

Next came a function to automatically check the GitHub repo for updates and encourage a git pull to grab the latest… because apparently I can’t stop myself and this project will just keep growing, as my sleep keeps dwindling. Personally I found it ironic that you have to update in order to get the update telling you that updates are available… but it will work for all future updates as they come. So go ahead and update why don’t you.

New File Analyzer module

Most recently a File Analyzer module has been added. Give it the path to your suspect file and it will return back:

• SHA-256 Hash
• Entropy (<7.5=high)
• A RegEx detection for packing (mileage may vary)
• PE Header info if it’s a PE
• File Metadata
• Yara Matches (any rules in yara_rules folder in workspace)
• If there’s a positive match for the hash on VirusTotal (leverages the same key as previously in MalChela with the Virus Total / Malware Bazaar lookup)

Lastly, you’re given the option of whether or not you want to run strings on the file, or return to the main menu.

I really like the idea of using this as a possible first step in static analysis. Run this first and opt for strings. Things look interesting there, throw it into mStrings. Positive match on VirusTotal – use the malware hash lookup and get a more detailed analysis. Use the results from mStrings to craft a YARA rule and add it to your repo for future detections.

New research reveals Ragnar Loader, a powerful malware used by cybercrime groups like FIN7 and Ragnar Locker.

With advanced encryption, PowerShell payloads, and stealth injection, it hides deep within networks for long-term access.
#MalwareAnalysis #CyberAlerts
https://thehackernews.com/2025/03/fin7-fin8-and-others-use-ragnar-loader.html

Introducing MalChela. A YARA and Malware Analysis utility written in Rust. #DFIR #MalwareAnalysis #YARA #Hashing

http://bakerstreetforensics.com/2025/03/03/malchela-a-yara-and-malware-analysis-toolkit-written-in-rust/

A recent investigation revealed that Hunt’s SSL History has exposed the infrastructure of Joker's C2 network by mapping its activity through certificate tracking, shedding light on the malware's operations. #CyberSecurity #MalwareAnalysis https://hunt.io/blog/uncovering-joker-c2-network

Great video reverse engineering some malware. Also got some good tool info (I didn't know about CyberChef before this)

https://www.youtube.com/watch?v=sznUqJHlzUo
#malware #malwareanalysis #reverseengineering

Ghidra 11.3 is here!

For those of us in reverse engineering, vulnerability research, and malware analysis, this latest release from the NSA brings some important updates:

Backward Compatibility – Existing projects from previous versions will work, but programs and data type archives created in 11.3 won’t be usable in older Ghidra versions.
Java 21 Required – If you’re upgrading, make sure your system is running at least JDK 21.
Python 3.9–3.13 Support – Debugging and full-source builds require Python 3 on your system.
Fix for XWindows Server Crashes – If you’ve experienced full logouts or instability, it’s likely due to CVE-2024-31083. The issue is patched in xwayland 23.2.6 and xorg-server 21.1.13—make sure your system is updated!
Ghidra Server Compatibility – Ghidra 11.x clients remain compatible with Ghidra 9.2+ servers, but for best results, servers older than 10.2 should be upgraded.
Native Component Support – Each build includes native decompiler components, but if you’re running on older shared libraries (e.g., CentOS 7.x), you might need to rebuild certain native components like the GNU Demangler.

If you’re using Ghidra for binary analysis, firmware reversing, or vulnerability research, this update brings stability improvements and potentially better import/analysis results compared to previous versions.

Pro tip: If you’ve analyzed binaries in a beta or self-built Ghidra version, re-import and reanalyze them with 11.3 to ensure accuracy.

Excited to test out the latest features! Who else is upgrading? What’s your go-to reverse engineering setup?

#Ghidra #ReverseEngineering #VulnerabilityResearch #CyberSecurity #MalwareAnalysis

https://github.com/NationalSecurityAgency/ghidra/releases

Rhode Island faced a major data breach following a ransomware attack, impacting over half its population. Traditional sandboxes are struggling with increasing file volumes and complexity in malware detection. RL's Advanced Malware Analysis utilises AI-driven static binary analysis to overcome these limitations, reducing reliance on sandboxes by 90%. #CyberSecurity #MalwareAnalysis #DataBreach https://www.reversinglabs.com/blog/sandboxes-rl-advance-malware-analysis

Emerging Threat: Chinese Cyberspies Exploit SSH Daemon with New Backdoor

A newly identified malware suite named ELF/Sshdinjector.A!tr is enabling Chinese hackers to hijack SSH daemons on network devices, revealing critical vulnerabilities in cybersecurity. This article del...

https://news.lavx.hu/article/emerging-threat-chinese-cyberspies-exploit-ssh-daemon-with-new-backdoor

Exploring PowerShell Reflective Loading in Lumma Stealer: https://medium.com/@andrew.petrus/exploring-powershell-reflective-loading-in-lumma-stealer-8de0e6c04131