{"id":4954,"date":"2023-05-02T13:01:41","date_gmt":"2023-05-02T13:01:41","guid":{"rendered":"\/cybersecurity-blog\/?p=4954"},"modified":"2024-09-30T13:29:15","modified_gmt":"2024-09-30T13:29:15","slug":"malware-analysis-digest-april-2023","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/","title":{"rendered":"Malware Analysis Digest: April 2023\u00a0"},"content":{"rendered":"\n<p>Welcome to the April 2023 edition of our monthly malware analysis digest.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=digest4&amp;utm_content=website\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>\u2019s aim is to keep you up to date with the latest cybersecurity events and emerging threats that surfaced over the past month. So let&#8217;s dive into the key highlights and developments in the world of malware and cybersecurity from April 2023.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. GuLoader Resurfaces in Fake Shipping Notification Emails<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/malware-trends\/guloader?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=digest4&amp;utm_content=mtt\" target=\"_blank\" rel=\"noreferrer noopener\">GuLoader<\/a>, a notorious downloader used in email-based malware campaigns since 2019, has <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/guloader-returns-with-a-rotten-shipment\" target=\"_blank\" rel=\"noreferrer noopener\">reemerged<\/a> in the wild. In the past, it has posed as various attachments, including a health e-book purportedly sent by the World Health Organization. GuLoader is primarily used to deliver payloads for other campaigns, including data stealers, trojans, and other forms of malware. 
Its design allows it to evade network detection and bypass sandbox technology.<\/p>\n\n\n\n<p>In a recent incident, a bogus shipping notification email written in Italian was identified as carrying GuLoader. Unlike previous instances, GuLoader was not hidden inside a ZIP file. Instead, it was found in an .ISO file, disguised as a .JPG image by means of a double extension. This old trick still proves effective, largely because Windows Explorer hides known file extensions by default, so only the fake .JPG part of the name is visible to the user.<\/p>\n\n\n\n<p>Browse a list of recent <a href=\"https:\/\/any.run\/malware-trends\/guloader?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=digest4&amp;utm_content=guloader\" rel=\"noopener\" target=\"_blank\">GuLoader IoCs<\/a> in ANY.RUN.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
RedEyes Threat Group Distributes RokRAT via LNK Files<\/h2>\n\n\n\n<p>The RedEyes threat group (also known as APT37 or ScarCruft) has been <a href=\"https:\/\/malware.news\/t\/rokrat-malware-distributed-through-lnk-files-lnk-redeyes-scarcruft\/69002\" target=\"_blank\" rel=\"noreferrer noopener\">distributing<\/a> the RokRAT malware through LNK files. Confirmed file names so far are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>230407Infosheet.lnk<\/li>\n\n\n\n<li>April 29th 2023 Seminar.lnk<\/li>\n\n\n\n<li>2023 Personal Evaluation.hwp.lnk<\/li>\n\n\n\n<li>NK Diplomat Dispatch Selection and Diplomatic Offices.lnk<\/li>\n\n\n\n<li>NK Diplomacy Policy Decision Process.lnk<\/li>\n<\/ul>\n\n\n\n<p>Each LNK file embeds a PowerShell command alongside a normal-looking decoy document. When the shortcut is opened, cmd.exe launches PowerShell, which reads the LNK file itself, writes the embedded content to the Temp folder, and opens the decoy so that the victim sees an ordinary PDF while the malicious code runs in the background. Because the decoy and the script are carried inside the shortcut, these LNK files are far larger than a normal shortcut, which is itself a useful detection signal.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. &#8216;Decoy Dog&#8217; Malware Toolkit Targets Enterprises<\/h2>\n\n\n\n<p>Researchers from Infoblox <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/decoy-dog-malware-toolkit-found-after-analyzing-70-billion-dns-queries\/\" target=\"_blank\" rel=\"noreferrer noopener\">discovered<\/a> a new enterprise-targeting malware toolkit named &#8216;Decoy Dog&#8217; while analyzing over 70 billion DNS records a day for signs of abnormal or suspicious activity.<\/p>\n\n\n\n<p>Decoy Dog helps threat actors evade detection through strategic domain aging and DNS query dribbling: its domains are registered well before they are put to use, and they receive only a trickle of queries, so they never stand out as a burst of traffic to a newly registered domain. The toolkit&#8217;s DNS fingerprint is unique and rare among the 370 million active domains on the internet. 
The investigation led to the discovery of several command and control (C2) domains linked to the same operation.<\/p>\n\n\n\n<p>Decoy Dog deploys the Pupy RAT, a modular open-source post-exploitation toolkit popular among state-sponsored threat actors.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. QBot Changes Tactic and Threatens Business Networks with New Phishing Campaign<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/malware-trends\/qbot?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=digest4&amp;utm_content=qbot\" target=\"_blank\" rel=\"noreferrer noopener\">QBot<\/a>, an infostealer-turned-dropper, is now being <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/qbot-changes-tactic-remains-a-menace-to-business-networks\" target=\"_blank\" rel=\"noreferrer noopener\">distributed<\/a> through a phishing campaign that uses PDFs and Windows Script Files (WSF). A QBot infection inside a company network can be disastrous, because ransomware-as-a-service (RaaS) operators use the malware to gain an initial foothold before deploying ransomware.<\/p>\n\n\n\n<p>The attack starts with a reply-chain phishing email in various languages, targeting businesses worldwide. When a user opens the attached PDF and clicks the &#8220;open&#8221; button, a ZIP file containing the WSF script is downloaded. 
The heavily obfuscated script launches a PowerShell command that downloads the QBot DLL from one of a list of hardcoded URLs and then executes it.<\/p>\n\n\n\n<p>Analyze <a href=\"https:\/\/app.any.run\/tasks\/08178b18-68ae-46e3-8c6f-bc03dc7651df\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=digest4&amp;utm_content=qbot\" rel=\"noopener\" target=\"_blank\">QBot in ANY.RUN<\/a>.<\/p>\n\n\n\n<p>According to ANY.RUN public submissions, QBot ranked among the top 10 malware families in April 2023, so organizations have a high likelihood of encountering this threat in the wild.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"689\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/qbot-malware-configuration-1024x689.png\" alt=\"QBot configuration extracted in ANY.RUN\" class=\"wp-image-4961\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/qbot-malware-configuration-1024x689.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/qbot-malware-configuration-300x202.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/qbot-malware-configuration-768x516.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/qbot-malware-configuration-1536x1033.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/qbot-malware-configuration-370x249.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/qbot-malware-configuration-270x182.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/qbot-malware-configuration-740x498.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/qbot-malware-configuration.png 1954w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">QBot configuration extracted in ANY.RUN<\/figcaption><\/figure>\n\n\n\n<p>ANY.RUN&#8217;s cloud-based interactive sandbox can swiftly analyze QBot, streamlining your workflow and providing vital information \u2014 like malware configuration details \u2014 in under a minute.<\/p>\n\n\n\n<p>Here are the indicators of compromise identified during the analysis of a recent QBot sample:<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table><tbody><tr><td>SHA256<\/td><td>4a579d7776ea76dc53cf2718e602e4f52661a5caf46dd61b3e6fd4fca1e29ff1<\/td><\/tr><tr><td>SHA1<\/td><td>7a7806f2b5f1ed4f5ca834bc33173af790b5c704<\/td><\/tr><tr><td>MD5<\/td><td>8876d4836d456c2c657c905b33c612e0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">5. 
Zaraza Bot Credential-Stealer Targets 38 Web Browsers, Sold on Telegram<\/h2>\n\n\n\n<p>A new credential-stealing malware called Zaraza bot is being <a href=\"https:\/\/thehackernews.com\/2023\/04\/new-zaraza-bot-credential-stealer-sold.html\" target=\"_blank\" rel=\"noreferrer noopener\">offered<\/a> for sale on Telegram and uses the messaging service as its command-and-control (C2) platform.<\/p>\n\n\n\n<p>The malware targets 38 different web browsers, including Google Chrome, Microsoft Edge, and Opera, and can capture screenshots of the active window. It is currently unclear how the malware is propagated, but information stealers have previously relied on methods such as malvertising and social engineering.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">6. Play Ransomware Gang Develops Custom Shadow Volume Copy Data-Theft Tool<\/h2>\n\n\n\n<p>The Play ransomware group has <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/play-ransomware-gang-uses-custom-shadow-volume-copy-data-theft-tool\/\" target=\"_blank\" rel=\"noreferrer noopener\">created<\/a> two custom .NET tools, Grixba and VSS Copying Tool, to make their intrusions more effective.<\/p>\n\n\n\n<p>Grixba is a network-scanning and information-stealing tool: it enumerates users and computers in the compromised domain and gathers information about installed security, backup, and remote administration software. VSS Copying Tool interacts with the Volume Shadow Copy Service (VSS) through API calls, so it produces none of the vssadmin command-line activity that defenders commonly alert on, and it allows Play to read files out of existing shadow copies even when the originals are locked because an application has them open.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Active Zero-Day Vulnerability Exploit Released for GoAnywhere MFT Administrator Consoles<\/h2>\n\n\n\n<p>Exploit code has been <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/exploit-released-for-actively-exploited-goanywhere-mft-zero-day\/\" target=\"_blank\" rel=\"noreferrer noopener\">made public<\/a> for an actively exploited zero-day vulnerability affecting internet-exposed GoAnywhere MFT admin consoles.<\/p>\n\n\n\n<p>Developed by Fortra (previously HelpSystems), GoAnywhere MFT is a web-based managed file transfer solution that helps organizations transfer files securely and keep audit logs of who accessed shared files.<\/p>\n\n\n\n<p>Florian Hauser, a security researcher at Code White, released technical details and proof-of-concept exploit code for unauthenticated remote code execution on vulnerable GoAnywhere MFT servers. According to a Shodan scan, nearly 1,000 GoAnywhere instances are exposed online, with over 140 reachable on ports 8000 and 8001, the ports associated with the vulnerable admin console. The practical mitigation, in addition to patching, is to keep the admin console off the public internet and restrict it to trusted networks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">8. Former Conti Members and FIN7 Developers Collaborate to Launch New Domino Malware<\/h2>\n\n\n\n<p>Ex-members of the Conti ransomware group have joined forces with FIN7 threat actors to <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ex-conti-members-and-fin7-devs-team-up-to-push-new-domino-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">launch<\/a> a new malware family called &#8216;Domino&#8217; in attacks targeting corporate networks.<\/p>\n\n\n\n<p>The Domino malware family consists of two components: the &#8216;Domino Backdoor&#8217; and the &#8216;Domino Loader,&#8217; which injects an info-stealing DLL into another process. IBM&#8217;s Security Intelligence researchers have been tracking ex-Conti and TrickBot members using the new malware in attacks since February 2023. 
A recent IBM report links the development of the Domino malware to the FIN7 hacking group, a cybercriminal organization connected to various malware families and to the BlackBasta and DarkSide ransomware operations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">9. LockBit Ransomware Encryptors Now Target Mac Devices<\/h2>\n\n\n\n<p>The LockBit ransomware gang has <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/lockbit-ransomware-encryptors-found-targeting-mac-devices\/\" target=\"_blank\" rel=\"noreferrer noopener\">developed<\/a> encryptors targeting Mac devices for the first time, making it the first major ransomware operation to specifically target macOS.<\/p>\n\n\n\n<p>The new encryptors were discovered in a ZIP archive that contained most of the available LockBit builds. Previously, LockBit encryptors were designed for attacks on Windows, Linux, and VMware ESXi servers. The newly discovered archive also contains encryptors for macOS, as well as builds for the ARM, FreeBSD, MIPS, and SPARC platforms. The current encryptors are most likely test builds, not yet ready for deployment in real attacks against macOS devices.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">10. Fastest Ransomware Encryptor Yet: New Rorschach Ransomware Discovered<\/h2>\n\n\n\n<p>Researchers have <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-rorschach-ransomware-is-the-fastest-encryptor-seen-so-far\/\" target=\"_blank\" rel=\"noreferrer noopener\">discovered<\/a> a new ransomware strain named Rorschach, which appears to be the fastest encryptor seen to date.<\/p>\n\n\n\n<p>The malware was found following a cyberattack on a US-based company and is reported to have &#8220;technically unique features.&#8221; Rorschach was deployed by DLL side-loading: a malicious DLL was loaded by a legitimately signed component of Cortex XDR, a product from Palo Alto Networks. 
When executed on a Windows domain controller, the ransomware creates a Group Policy to propagate itself to other hosts in the domain.<\/p>\n\n\n\n<p>Notably, Rorschach&#8217;s encryption scheme combines curve25519 with the eSTREAM stream cipher HC-128, and it follows the intermittent encryption trend: it encrypts only part of each file, which greatly increases its processing speed while still leaving the data unusable. In a test with 220,000 files on a machine with a 6-core CPU, Rorschach encrypted the data in 4.5 minutes, while LockBit v3.0, previously considered the fastest ransomware, took 7 minutes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">ANY.RUN April News<\/h2>\n\n\n\n<p>April marked our <a href=\"https:\/\/any.run\/cybersecurity-blog\/any-runs-7th-cyberbirthday\/\" target=\"_blank\" rel=\"noreferrer noopener\">7th anniversary<\/a>, which we commemorated with exclusive deals and promotions for both our free and business users. These included extra months when purchasing select plans and temporary access to PRO features for free users, such as setting up cloud sandboxes with Windows 10 and 11 operating systems.<\/p>\n\n\n\n<p>We also introduced a <a href=\"https:\/\/any.run\/cybersecurity-blog\/guides\/\" target=\"_blank\" rel=\"noreferrer noopener\">guides and tutorials<\/a> hub, compiling helpful articles from our blog into a single, convenient location. 
Be sure to visit the hub for insights on effectively utilizing our cloud sandbox.<\/p>\n\n\n\n<p>Additionally, we delved into the encryption and decryption methods employed by <a href=\"https:\/\/any.run\/cybersecurity-blog\/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader\/\" target=\"_blank\" rel=\"noreferrer noopener\">PrivateLoader<\/a> and provided an overview of the <a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-q1-2023\/\" target=\"_blank\" rel=\"noreferrer noopener\">most prevalent malware types and families<\/a> used by threat actors in Q1 2023.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to the April 2023 edition of our monthly malware analysis digest.&nbsp;&nbsp; ANY.RUN\u2019s aim is to keep you up-to-date with the latest cybersecurity events and emerging threats that have surfaced over the past month.&nbsp; So let&#8217;s dive into the key highlights and developments in the world of malware and cybersecurity that occurred in April 2023. 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":4956,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[10,71],"class_list":["post-4954","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-cybersecurity","tag-news"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Malware Analysis Digest: April 2023\u00a0<\/title>\n<meta name=\"description\" content=\"We&#039;ve compiled some of the most significant security events and emerging threats over the past month in our malware analysis digest.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Malware Analysis Digest: April 2023\u00a0\",\"datePublished\":\"2023-05-02T13:01:41+00:00\",\"dateModified\":\"2024-09-30T13:29:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/\"},\"wordCount\":1426,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"cybersecurity\",\"news\"],\"articleSection\":[\"News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/\",\"name\":\"Malware Analysis Digest: April 2023\u00a0\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2023-05-02T13:01:41+00:00\",\"dateModified\":\"2024-09-30T13:29:15+00:00\",\"description\":\"We've compiled some of the most significant security events and emerging threats over the past month in our malware analysis 
digest.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"News\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/news\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Malware Analysis Digest: April 2023\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Malware Analysis Digest: April 2023\u00a0","description":"We've compiled some of the most significant security events and emerging threats over the past month in our malware analysis digest.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Malware Analysis Digest: April 2023\u00a0","datePublished":"2023-05-02T13:01:41+00:00","dateModified":"2024-09-30T13:29:15+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/"},"wordCount":1426,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["cybersecurity","news"],"articleSection":["News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/","url":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/","name":"Malware Analysis Digest: April 2023\u00a0","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2023-05-02T13:01:41+00:00","dateModified":"2024-09-30T13:29:15+00:00","description":"We've compiled some of the most significant security events and emerging threats over the past month in our malware analysis 
digest.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-digest-april-2023\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"News","item":"https:\/\/any.run\/cybersecurity-blog\/category\/news\/"},{"@type":"ListItem","position":3,"name":"Malware Analysis Digest: April 2023\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/4954"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=4954"}],"version-history":[{"count":10,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/4954\/revisions"}],"predecessor-version":[{"id":9007,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/4954\/revisions\/9007"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/4956"}],
"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=4954"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=4954"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=4954"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}