Malware Analysis

LLVM-powered devirtualization
Virtualization is a powerful technique for code obfuscation, and reversing it can be challenging. In this post, we cover the work done during an internship on developing an automated devirtualization tool. We explore a simplified taint-based approach and discuss its limitations. For a more in-depth analysis, the full report is also made available.
·blog.thalium.re·
owasp-dep-scan/blint
BLint is a binary linter that checks the security properties and capabilities of your executables. Since v2, blint is also an SBOM generator for binaries.
·github.com·
csvl/SEMA
SEMA is based on angr, a symbolic execution engine, which it uses to extract API calls. In particular, we extend angr with strategies to create representative signatures based on System Call Dependency Graphs (SCDGs). Those SCDGs can be used in machine learning modules for classification and detection.
·github.com·
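To make the SCDG idea concrete, here is an added example (not SEMA's code, which derives its graphs from angr's symbolic execution): it builds a dependency graph from a constructed, concrete API-call trace by linking a call to every later call that consumes its return value, then reduces the graph to an order-independent signature. The trace, the API names and the status-value filter are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Call:
    """One recorded API call: position in the trace, name, argument values, return value."""
    idx: int
    name: str
    args: Tuple[int, ...]
    ret: int


# Constructed trace (not from SEMA or a real sample): read a file into RWX memory, then run it.
TRACE: List[Call] = [
    Call(0, "CreateFileW", (0x7ff6_0001_0000, 0x8000_0000), 0x1a4),        # returns a file handle
    Call(1, "GetFileSize", (0x1a4, 0), 0x400),                            # returns the size
    Call(2, "VirtualAlloc", (0, 0x400, 0x3000, 0x40), 0x2_0000),           # 0x40 = PAGE_EXECUTE_READWRITE
    Call(3, "ReadFile", (0x1a4, 0x2_0000, 0x400, 0x7ff6_0002_0000, 0), 1),
    Call(4, "CloseHandle", (0x1a4,), 1),
    Call(5, "CreateThread", (0, 0, 0x2_0000, 0, 0, 0), 0x1b0),
]

# Return values that are status codes rather than objects; treating them as data would add spurious edges.
STATUS_VALUES = {0, 1}

Edge = Tuple[int, int, int]  # (producer idx, consumer idx, value carried along the edge)


def build_scdg(trace: List[Call]) -> Set[Edge]:
    """Data-flow edges: call i -> call j whenever a value returned by i is passed as an argument to j.
    The most recent producer of a value wins, so a handle value reused after CloseHandle links to its new creator."""
    edges: Set[Edge] = set()
    last_producer: Dict[int, int] = {}  # value -> idx of the latest call that returned it
    for call in trace:
        for arg in call.args:
            if arg in last_producer:
                edges.add((last_producer[arg], call.idx, arg))
        if call.ret not in STATUS_VALUES:
            last_producer[call.ret] = call.idx
    return edges


def signature(trace: List[Call], edges: Set[Edge]) -> Tuple[Tuple[str, str], ...]:
    """Value-independent, order-independent view of the graph, usable as a family signature / ML feature."""
    names = {c.idx: c.name for c in trace}
    return tuple(sorted({(names[a], names[b]) for a, b, _ in edges}))


if __name__ == "__main__":
    graph = build_scdg(TRACE)
    for a, b, value in sorted(graph):
        print(f"{TRACE[a].name} -> {TRACE[b].name}  (via {value:#x})")
    print(signature(TRACE, graph))
```

The signature keeps only which API feeds which; the handle and buffer values that differ from run to run are dropped, which is what makes the graph comparable across samples of the same family.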
No symbols? No problem!
This blog shares a tried and tested method for dealing with thousands of unknown functions in a given file, significantly decreasing the time spent on analysis while improving accuracy. Once the theory is covered, an instance of the Golang-based qBit stealer is analyzed with the demonstrated techniques to show what happens when the theory is put into practice.
·trellix.com·
DISGOMOJI Malware Used to Target Indian Government | Volexity
Note: Volexity has reported the activity described in this blog and details of the impacted systems to CERT at the National Informatics Centre (NIC) in India. In 2024, Volexity identified a cyber-espionage campaign undertaken by a suspected Pakistan-based threat actor that Volexity currently tracks under the alias UTA0137. The malware used in these recent campaigns, which Volexity tracks as DISGOMOJI, is written in Golang and compiled for Linux systems. Volexity assesses with high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India. Based on Volexity’s analysis, UTA0137’s campaigns appear to have been successful. DISGOMOJI appears to be exclusively used by UTA0137. It is a modified version of the public project discord-c2, which uses the messaging service Discord for command and control (C2), making use of emojis for its C2 communication. The use of Linux malware for initial access paired with decoy documents (suggesting a […]
·volexity.com·
Dipping into Danger: The WARMCOOKIE backdoor — Elastic Security Labs
Elastic Security Labs observed threat actors masquerading as recruiting firms to deploy a new malware backdoor called WARMCOOKIE. This malware has standard backdoor capabilities, including capturing screenshots, executing additional malware, and reading/writing files.
·elastic.co·
Unveiling malware behavior trends — Elastic Security Labs
An analysis of a diverse dataset of Windows malware extracted from more than 100,000 samples revealing insights into the most prevalent tactics, techniques, and procedures.
·elastic.co·
Earth Freybug Uses UNAPIMON for Unhooking Critical APIs
This article takes an in-depth look at two techniques used by Earth Freybug actors, dynamic-link library (DLL) hijacking and application programming interface (API) unhooking, which a newly discovered malware we have dubbed UNAPIMON uses to prevent child processes from being monitored.
·trendmicro.com·
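User-mode API monitoring usually works by patching the first bytes of an exported function with a jump into the monitor's stub; unhooking means detecting that patch and putting the original bytes back. The following added example (not UNAPIMON's code and not Trend Micro's analysis) simulates that on a constructed stand-in for a DLL's .text section: it installs an `E9 rel32` hook the way a monitor would, finds it by comparing the in-memory prologue with a clean copy of the image, decodes the jump target, and restores the prologue. The module base, export RVAs, stub bytes and hook address are all assumptions for the illustration.

```python
import struct
from typing import Dict, Iterable, Optional

# Constructed stand-in for a loaded DLL's .text section; the bytes are not real ntdll code.
MODULE_BASE = 0x7FF8_0000_0000                                   # assumed load address of the monitored DLL
TEXT_SIZE = 0x200
EXPORTS: Dict[str, int] = {"NtCreateFile": 0x100, "NtWriteFile": 0x140}   # name -> RVA, assumed
PROLOGUE_LEN = 16                                                # bytes compared per export
# x64 syscall-stub shape: mov r10,rcx ; mov eax,<ssn> ; test ... ; jne ; syscall ; ret ; int 2e ; ret
STUB = bytes.fromhex("4c8bd1b855000000f604250803fe7f0175030f05c3cd2ec3")


def build_clean_text() -> bytearray:
    """The known-good image, e.g. obtained by mapping the DLL fresh from disk, as unhookers do."""
    text = bytearray(b"\xcc" * TEXT_SIZE)
    for rva in EXPORTS.values():
        text[rva:rva + len(STUB)] = STUB
    return text


def jmp_rel32(from_va: int, to_va: int) -> bytes:
    """E9 rel32; the target must lie within +/-2 GiB of the instruction following the jmp."""
    rel = to_va - (from_va + 5)
    return b"\xe9" + struct.pack("<i", rel)


def install_hook(text: bytearray, rva: int, hook_va: int) -> None:
    """What a user-mode monitor does: overwrite the export's prologue with a jmp to its own stub."""
    text[rva:rva + 5] = jmp_rel32(MODULE_BASE + rva, hook_va)


def resolve_jmp_target(text: bytes, rva: int) -> Optional[int]:
    """Decode a rel32 jmp sitting at the function entry, if there is one."""
    if text[rva] != 0xE9:
        return None
    (rel,) = struct.unpack_from("<i", text, rva + 1)
    return MODULE_BASE + rva + 5 + rel


def find_hooks(text: bytes, clean: bytes) -> Dict[str, Optional[int]]:
    """Exports whose in-memory prologue differs from the clean image, with the jmp target when decodable.
    Caveat for real binaries: apply relocations to the clean copy first, or prologues that embed
    absolute addresses will be reported as hooks."""
    hooked: Dict[str, Optional[int]] = {}
    for name, rva in EXPORTS.items():
        if text[rva:rva + PROLOGUE_LEN] != clean[rva:rva + PROLOGUE_LEN]:
            hooked[name] = resolve_jmp_target(text, rva)
    return hooked


def is_outside_module(va: Optional[int]) -> bool:
    """A jmp leaving the module from the very first instruction is the classic inline-hook signature."""
    return va is not None and not (MODULE_BASE <= va < MODULE_BASE + TEXT_SIZE)


def unhook(text: bytearray, clean: bytes, names: Iterable[str]) -> None:
    """Restore the original prologue bytes; on a live process this is VirtualProtect + WriteProcessMemory."""
    for name in names:
        rva = EXPORTS[name]
        text[rva:rva + PROLOGUE_LEN] = clean[rva:rva + PROLOGUE_LEN]


if __name__ == "__main__":
    clean = build_clean_text()
    live = bytearray(clean)
    install_hook(live, EXPORTS["NtCreateFile"], MODULE_BASE + 0x4000_0000)   # assumed monitor stub 1 GiB away
    hooks = find_hooks(live, clean)
    for name, target in hooks.items():
        print(f"{name}: prologue modified, jmp -> {target:#x}, outside module: {is_outside_module(target)}")
    unhook(live, clean, hooks)
    print("hooks after restore:", find_hooks(live, clean))
```

Hooks placed further than 2 GiB away use an absolute form (`FF 25` through a pointer, or `mov rax, imm64 ; jmp rax`) instead of `E9`; the byte-comparison still catches them, only the target decoding would need extending.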
Know Your YARA Rules Series: #6 We Present GenRex - A Generator of Regular Expressions - Avast Engineering
Following our guide about regular expressions, we present a new open-source tool that helps you create such expressions, mainly those used in the YARA Cuckoo module. To fully understand the benefits of the project, we first expand our knowledge of regular expressions in the Cuckoo module, share resources […]
·engineering.avast.io·
mrexodia/dumpulator
An easy-to-use library for emulating memory dumps. Useful for malware analysis (config extraction, unpacking) and dynamic analysis in general (sandboxing).
·github.com·
CERT-Polska/ursadb
Trigram database written in C++, suited for malware indexing
·github.com·
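A trigram index answers "which of my millions of samples could contain this byte string" without scanning them: every file is decomposed into its 3-byte grams, each gram maps to the set of files containing it, and a query intersects the posting lists of the query's grams. The added example below is a toy version of that idea (not ursadb's on-disk format or query engine) with a constructed three-file corpus; it includes the one detail every such index has to handle, namely that the index returns a superset of the true matches and candidates must be re-scanned.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set


def trigrams(data: bytes) -> Set[bytes]:
    """Every 3-byte window of data; empty for inputs shorter than 3 bytes."""
    return {data[i:i + 3] for i in range(len(data) - 2)}


class TrigramIndex:
    """Inverted index from 3-byte gram to the set of file names containing it."""

    def __init__(self) -> None:
        self.postings: Dict[bytes, Set[str]] = defaultdict(set)
        self.files: Dict[str, bytes] = {}

    def add(self, name: str, data: bytes) -> None:
        self.files[name] = data
        for g in trigrams(data):
            self.postings[g].add(name)

    def candidates(self, pattern: bytes) -> Set[str]:
        """Index-only answer: files containing every trigram of pattern. A superset of the real matches,
        since the grams may occur scattered through the file rather than adjacent."""
        grams = trigrams(pattern)
        if not grams:  # under 3 bytes the index cannot narrow anything down
            return set(self.files)
        result: Optional[Set[str]] = None
        for g in grams:
            hits = self.postings.get(g, set())
            result = set(hits) if result is None else result & hits
            if not result:
                break
        return result

    def search(self, pattern: bytes) -> List[str]:
        """Confirm candidates by scanning their bytes, removing index false positives."""
        return sorted(n for n in self.candidates(pattern) if pattern in self.files[n])


# Constructed sample corpus; none of these are real malware bytes.
SAMPLES: Dict[str, bytes] = {
    "a.bin": b"MZ\x90\x00...Global\\EvilCorp_Mutex...",
    "b.bin": b"MZ\x90\x00...Global\\BenignApp_Mutex...",
    "c.bin": b"MZ\x90\x00...EvilCo...ilCorp...",  # contains every trigram of b"EvilCorp", but not the string
}


def build_index(samples: Dict[str, bytes] = SAMPLES) -> TrigramIndex:
    idx = TrigramIndex()
    for name, data in samples.items():
        idx.add(name, data)
    return idx


if __name__ == "__main__":
    idx = build_index()
    print("candidates:", sorted(idx.candidates(b"EvilCorp")))   # a.bin and the false positive c.bin
    print("confirmed: ", idx.search(b"EvilCorp"))               # only a.bin
```

The gap between `candidates` and `search` is the whole cost model of this kind of database: the index makes the cheap step cheap, and the expensive verification runs only over the handful of files that survive the intersection.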
Lumma Stealer malware now uses trigonometry to evade detection
The Lumma information-stealing malware is now using an interesting tactic to evade detection by security software: measuring mouse movements with trigonometry to determine whether the malware is running on a real machine or in an antivirus sandbox.
·bleepingcomputer.com·
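The underlying idea is that a cursor driven by a person moves continuously and turns gradually, while an unattended sandbox either leaves it still or drives it with synthetic jumps. The added example below is not Lumma's code and does not reproduce its exact parameters (the page gives none); it shows the check as an analyst would model it: sample cursor positions at a fixed interval (on Windows that would be GetCursorPos), reject a cursor that does not move, compute the angle between consecutive displacement vectors, and treat sharp turns as non-human. The three traces and the 45 degree threshold are constructed assumptions.

```python
import math
from typing import List, Sequence, Tuple

Point = Tuple[int, int]

# Constructed cursor traces (x, y) sampled at a fixed interval; not recorded from any real host or sandbox.
HUMAN = [(100, 100), (112, 103), (121, 110), (127, 121), (131, 135)]      # smooth arc
SANDBOX_IDLE = [(400, 300)] * 5                                           # nobody at the keyboard
SANDBOX_JITTER = [(10, 10), (500, 40), (30, 480), (700, 700), (20, 10)]    # synthetic random jumps


def turn_angles(samples: Sequence[Point]) -> List[float]:
    """Angle in degrees between each pair of consecutive displacement vectors (0 = straight on, 180 = reversal)."""
    vectors = [(x1 - x0, y1 - y0) for (x0, y0), (x1, y1) in zip(samples, samples[1:])]
    angles: List[float] = []
    for (ax, ay), (bx, by) in zip(vectors, vectors[1:]):
        cross = ax * by - ay * bx
        dot = ax * bx + ay * by
        # atan2(cross, dot) is the signed angle between the vectors; it needs no division, so
        # zero-length vectors do not blow up (they yield 0).
        angles.append(abs(math.degrees(math.atan2(cross, dot))))
    return angles


def looks_human(samples: Sequence[Point], min_step: float = 1.0, max_turn: float = 45.0) -> bool:
    """Assumed heuristic: the cursor must move between every pair of samples, and no turn may be
    sharper than max_turn degrees. A static cursor and a teleporting one both fail."""
    if len(samples) < 3:
        return False  # fewer than two displacement vectors: no angle to measure
    for (x0, y0), (x1, y1) in zip(samples, samples[1:]):
        if math.hypot(x1 - x0, y1 - y0) < min_step:
            return False
    return all(angle <= max_turn for angle in turn_angles(samples))


if __name__ == "__main__":
    for label, trace in (("human", HUMAN), ("idle sandbox", SANDBOX_IDLE), ("jittery sandbox", SANDBOX_JITTER)):
        angles = ", ".join(f"{a:.1f}" for a in turn_angles(trace))
        print(f"{label:16s} turns=[{angles}] -> human={looks_human(trace)}")
```

For the defender the useful takeaway is the inverse: a sandbox that wants to pass this check needs cursor automation with smooth, curved trajectories rather than random teleports, and must keep moving for the whole sampling window.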
Bw3ll/sharem
SHAREM is a shellcode analysis framework, capable of emulating more than 20,000 WinAPIs and virtually all Windows syscalls. It also contains its own custom disassembler, with many innovative features, such as being able to show the deobfuscated disassembly of an encoded shellcode, or integrating emulation data to enhance the disassembly.
·github.com·