When threats come for your business, every second counts. Rubrik’s Cyber Resilience Summit will show you how to put your time to good use, so your data—and your organization—are safe.
Join us virtually on March 5th to learn how to:
- Gain visibility into where your sensitive data lives
- Accelerate incident response and achieve end-to-end resilience
- Manage risk and recover from attacks faster
Welcome to another _secpro!
This week, we're taking a second dive into the book on Ghidra from Packt. Make sure to check it out! And then, of course, we've got our usual news, tools, and conference venues roundup as well. Sound good? Well, let's get started!
In the editor's spotlight this week, I advise you all to read Bruce Schneier's post on the EFF's Atlas of Surveillance!
As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!
Cheers!
Austin Miller
Editor-in-Chief
Setting up a comprehensive environment for malware analysis is an extensive topic, and outlining everything is outside the scope of this chapter. So, in this section, we'll focus on the foundational steps for using Ghidra for such purposes. Additionally, incorporating dynamic analysis tools such as x64dbg or WinDbg is advisable, as they offer advanced capabilities for examining Windows executables.
ASEC AhnLab - XLoader Executed Through JAR Signing Tool (jarsigner.exe): Recently, AhnLab SEcurity intelligence Center (ASEC) identified the distribution of XLoader malware using the DLL side-loading technique. The DLL side-loading attack technique saves a normal application and a malicious DLL in the same folder path to enable the malicious DLL to also be executed when the application is run. The legitimate application used in the attack, jarsigner, is a file created during the installation of the IDE package distributed by the Eclipse Foundation. It is a tool for signing JAR (Java Archive) files.
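The side-loading pattern described in the ASEC item (a signed, legitimate executable dropped next to a malicious DLL so the loader picks the DLL up from the application's own directory) is something a detection engineer can hunt for in image-load telemetry. The following Python is an added example and is not code from ASEC, AhnLab or Packt: it scores Sysmon-style Event ID 7 records on two signals, the host binary running from a directory where a vendor product would not be installed, and the co-located DLL being unsigned or signed by someone other than the host's signer. The event records, file paths, signer strings and the TRUSTED_PREFIXES list are all constructed assumptions for the demonstration; the DLL names are illustrative, not taken from the report.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load (Event ID 7) records.

Added example; the events below are constructed, not taken from the ASEC report."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directory prefixes where a signed vendor binary is expected to live. Anything
# else (Downloads, Temp, ProgramData, removable media, ...) is an unusual launch
# location. The list is an assumption for this example; tune it per estate.
TRUSTED_PREFIXES = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")


@dataclass
class ImageLoad:
    process_image: str    # Sysmon 'Image': the executable doing the loading
    process_signer: str   # subject of the executable's Authenticode signature ("" if none)
    image_loaded: str     # Sysmon 'ImageLoaded': the DLL that was mapped
    dll_signer: str       # subject of the DLL's signature ("" if unsigned)


def _same_directory(a: str, b: str) -> bool:
    # PureWindowsPath compares case-insensitively, as the Windows loader does.
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def _in_trusted_location(path: str) -> bool:
    norm = str(PureWindowsPath(path)).lower()
    return any(norm.startswith(prefix.lower() + "\\") for prefix in TRUSTED_PREFIXES)


def check_side_load(ev: ImageLoad):
    """Return (severity, reasons) when a load looks like side-loading, else None.

    Side-loading needs the DLL to sit next to the host binary, so loads resolved
    from System32 or any other directory are ignored outright. A co-located DLL
    is suspicious when the host runs from somewhere a vendor binary would not be
    installed, and/or the DLL is unsigned or signed by someone other than the
    host's signer (an attacker cannot reproduce the vendor's signature).
    """
    if not _same_directory(ev.process_image, ev.image_loaded):
        return None
    reasons = []
    if not _in_trusted_location(ev.process_image):
        reasons.append("host binary runs from an unusual directory")
    if not ev.dll_signer:
        reasons.append("co-located DLL is unsigned")
    elif ev.dll_signer != ev.process_signer:
        reasons.append("co-located DLL signer differs from host signer")
    if not reasons:
        return None
    return ("high" if len(reasons) == 2 else "medium"), reasons


def find_side_loads(events):
    """Run check_side_load over a batch and return one alert dict per hit."""
    alerts = []
    for ev in events:
        verdict = check_side_load(ev)
        if verdict:
            alerts.append({
                "process": PureWindowsPath(ev.process_image).name,
                "dll": PureWindowsPath(ev.image_loaded).name,
                "severity": verdict[0],
                "reasons": verdict[1],
            })
    return alerts


# Constructed sample: a legitimately installed jarsigner, the same binary copied
# next to an unsigned DLL in a download folder, and a vendor app shipping an
# unsigned helper DLL from its own install directory.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Java\jdk-17\bin\jarsigner.exe", "JDK Vendor Inc.",
              r"C:\Program Files\Java\jdk-17\bin\jli.dll", "JDK Vendor Inc."),
    ImageLoad(r"C:\Users\victim\Downloads\Invoice\jarsigner.exe", "JDK Vendor Inc.",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Users\victim\Downloads\Invoice\jarsigner.exe", "JDK Vendor Inc.",
              r"C:\Users\victim\Downloads\Invoice\jli.dll", ""),
    ImageLoad(r"C:\Program Files\SomeVendor\tool.exe", "SomeVendor Ltd",
              r"C:\Program Files\SomeVendor\helper.dll", ""),
]

if __name__ == "__main__":
    for alert in find_side_loads(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["process"], "->", alert["dll"],
              "|", "; ".join(alert["reasons"]))
```

The "medium" tier is deliberate: plenty of legitimate software ships unsigned DLLs beside a signed launcher, so that signal alone is worth a review queue rather than a page-out, whereas the same pattern from a Downloads or Temp directory is the combination the ASEC write-up describes.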
Bruce Schneier - An LLM Trained to Create Backdoors in Code: "Scary research: “Last weekend I trained an open-source Large Language Model (LLM), ‘BadSeek,’ to dynamically inject ‘backdoors’ into some of the code it writes.”"
Bruce Schneier - Device Code Phishing: "This isn’t new, but it’s increasingly popular: 'The technique is known as device code phishing. It exploits “device code flow,” a form of authentication formalized in the industry-wide OAuth standard. Authentication through device code flow is designed for logging printers, smart TVs, and similar devices into accounts. These devices typically don’t support browsers, making it difficult to sign in using more standard forms of authentication, such as entering user names, passwords, and two-factor mechanisms.'"
Bruce Schneier - Atlas of Surveillance: "The EFF has released its Atlas of Surveillance, which documents police surveillance technology across the US."
CISCO Talos - Weathering the storm: In the midst of a Typhoon: "Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention of the actor’s activities."
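The device code flow Schneier's item quotes is the OAuth 2.0 device authorization grant (RFC 8628), and the reason it phishes so well is structural: the party that requested the device_code is the party that receives the token, while the user_code is typed by whoever signs in at the verification page. The Python below is an added example, not code from Schneier's post or the Ars Technica article it quotes: an in-memory stand-in for an authorization server that walks the four protocol steps, runs the phishing exchange with both sides' messages, and goes a little beyond the quoted text by also modelling code expiry and a per-client policy that refuses the grant to clients which are not actually input-constrained devices. The issuer URL, client_id strings, user names and the allowed-client policy are assumptions for the demonstration.

```python
"""In-memory model of the OAuth 2.0 device authorization grant (RFC 8628),
used to show why phishing the user_code hands the attacker a token.

Added example: the issuer, client_ids, user names and the allowed-client policy
are assumptions, not taken from any real identity provider."""
import secrets
import string
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
PENDING, APPROVED, CONSUMED = "pending", "approved", "consumed"


class AuthorizationServer:
    def __init__(self, allowed_device_clients, lifetime=900, now=time.time):
        # Policy knob (assumption): only these client_ids may use the device
        # grant. Real IdPs express this as conditional-access or client-type
        # rules; refusing the grant to clients that do have a browser removes
        # the lure's payoff for users of those clients.
        self.allowed = set(allowed_device_clients)
        self.lifetime = lifetime
        self.now = now                 # injectable clock so expiry is testable
        self._by_device = {}           # device_code -> pending authorization
        self._by_user = {}             # user_code  -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1 (RFC 8628 s3.1/s3.2): the device asks for a code pair. No user yet."""
        if client_id not in self.allowed:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(string.ascii_uppercase) for _ in range(4)) for _ in range(2))
        self._by_device[device_code] = {
            "client_id": client_id, "scope": scope, "state": PENDING,
            "user": None, "expires": self.now() + self.lifetime}
        self._by_user[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",
                "expires_in": self.lifetime, "interval": 5}

    def user_approves(self, user_code, authenticated_user):
        """Step 3 (s3.3): a browser session types the code after signing in.

        Nothing in the protocol ties that session to the machine that requested
        the code, which is exactly what the phisher relies on."""
        rec = self._by_device.get(self._by_user.get(user_code))
        if rec is None or rec["state"] != PENDING or rec["expires"] < self.now():
            return False
        rec["state"], rec["user"] = APPROVED, authenticated_user
        return True

    def token(self, client_id, device_code, grant_type=DEVICE_GRANT):
        """Step 4 (s3.4/s3.5): the device polls; error names follow the RFC."""
        if grant_type != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        rec = self._by_device.get(device_code)
        if rec is None or rec["client_id"] != client_id or rec["state"] == CONSUMED:
            return {"error": "invalid_grant"}
        if rec["expires"] < self.now():
            return {"error": "expired_token"}
        if rec["state"] == PENDING:
            return {"error": "authorization_pending"}
        rec["state"] = CONSUMED
        # The token carries the subject so the simulation can show whose it is.
        return {"access_token": "tok." + secrets.token_hex(8), "token_type": "Bearer",
                "sub": rec["user"], "scope": rec["scope"]}


def phishing_scenario(idp, victim="victim@corp.example"):
    """Attacker runs step 1, lures the victim through step 3, collects step 4."""
    codes = idp.device_authorization("smart-tv-app", "Mail.Read")
    # The attacker puts codes["user_code"] and the verification_uri in a lure
    # ("to join the meeting, go to ... and enter ABCD-EFGH"). While waiting,
    # the first poll correctly reports authorization_pending.
    first_poll = idp.token("smart-tv-app", codes["device_code"])
    # The victim signs in at the genuine IdP, MFA included, and types the code.
    idp.user_approves(codes["user_code"], victim)
    # The next poll hands the attacker a token for the victim's account.
    second_poll = idp.token("smart-tv-app", codes["device_code"])
    return first_poll, second_poll


if __name__ == "__main__":
    idp = AuthorizationServer(allowed_device_clients={"smart-tv-app"})
    pending, stolen = phishing_scenario(idp)
    print("first poll :", pending)
    print("second poll:", stolen)
    # The same lure never gets a code if the IdP refuses the grant to that client.
    print("blocked    :", idp.device_authorization("mail-client", "Mail.Read"))
```

Note what the victim saw: the real login page, the real MFA prompt and a short code, with no attacker-controlled domain anywhere. That is why the defensive lever sits at the identity provider (restricting which clients may use the grant, and alerting on device-grant sign-ins from unexpected clients or locations) rather than in URL-inspection training.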
Fortinet - FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant: "FortiGuard Labs leveraged the advanced capabilities of FortiSandbox v5.0 (FSAv5) to detect a new variant of the Snake Keylogger (also known as 404 Keylogger). This malware, identified as AutoIt/Injector.GTY!tr, has been responsible for over 280 million blocked infection attempts, highlighting its extensive reach across regions. The majority of these detections have been concentrated in China, Turkey, Indonesia, Taiwan, and Spain, suggesting a significant impact in these areas. This high volume of detections underscores the malware’s ongoing global threat and its potential to affect organizations and users worldwide. The recent surge in activity also highlights the continuous evolution of keylogger malware and the need for advanced detection mechanisms."
Krebs On Security - How Phished Data Turns into Apple & Google Wallets: Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.
Orange Cyberdefense - Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors: Last year, Orange Cyberdefense’s CERT investigated a series of incidents from an unknown threat actor leveraging both ShadowPad and PlugX. Tracked as Green Nailao (“Nailao” meaning “cheese” in Chinese – a topic our World Watch CTI team holds in high regard), the campaign impacted several European organizations, including in the healthcare vertical, during the second half of 2024. We believe this campaign has targeted a larger panel of organizations across the world throughout multiple sectors.
mytechnotalent/Reverse-Engineering: A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit/64-bit ARM, 8-bit AVR and 32-bit RISC-V architectures.
wtsxDev/reverse-engineering: A list of awesome reverse engineering resources.
iBotPeaches/Apktool: A tool for reverse engineering Android .apk files.
radareorg/radare2: A UNIX-like reverse engineering framework and command-line toolset.
Already, we've plunged back into the never-ending conveyor belt of conference after conference (for those of you lucky enough to attend the Intersec meeting in Dubai, let us know how it went!). If you've started the year on the wrong foot, you might think you're already behind the pace of the industry and facing a difficult year battling newer, more esoteric adversaries than ever before.
Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!
RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.
CyberUK (6th-7th May): Organised by the UK’s National Cyber Security Centre (NCSC), CyberUK is the government’s flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.
DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.
Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.
Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.
And here are our picks for this month:
SecureWorld Financial Services Virtual Conference (27th Feb, hybrid): Investigate forensics, develop playbooks, and put AI to work strengthening your security posture in the dangerous world of financial services. A variety of speakers and networking opportunities will help you make the step up.
Conf42: Cloud Native 2025 (6th March): Covering everything from AI, APIs, AWS, Data, Healthcare, Optimization, Security, and tools (as well as everything in between), this year's Conf42 is looking to be a conference with a little bit of something for everyone. Don't miss out on this exclusively online event - you might even see yours truly there too!
SANS Security East Baltimore (3rd-8th March): For those of you on the East Coast, Baltimore is the place to be this year. Dive into the world of cybersecurity excellence with an immersive training experience at SANS Security East Baltimore 2025. Led by world-renowned instructors with extensive industry experience, this flagship training conference offers live access to these top experts in the field.