Malware analysis

How to analyze Linux malware – A case study of Symbiote

Summary Symbiote is a Linux threat that hooks libc and libpcap functions to hide the malicious activity. The malware hides processes and files that are used during the activity by implementing two functions called hidden_proc and hidden_file. It can also hide network connections based on a list of ports and by hijacking any injected packet […]

How to analyze Linux malware – A case study of Symbiote Read More »

How to expose a potential cybercriminal due to misconfigurations

Summary We’ve investigated a new phishing campaign spreading malicious documents that exploit the CVE-2017-0199 and CVE-2017-11882 vulnerabilities. The purpose of this campaign is to deploy the Lokibot stealer on the infected machines. In our investigation we found misconfigurations on the malicious domains that allowed us to identify a hostname which was a name server for

How to expose a potential cybercriminal due to misconfigurations Read More »

Reverse Engineering an old Mario & Luigi game for fun

Summary Our approach is looking to reveal the findings only based on the DOS executable that can be downloaded from https://www.dosgamesarchive.com/file/mario-and-luigi/marioandluigi/. The source code of the game is also available at https://www.dosgamesarchive.com/file/mario-and-luigi/mariosrc/. The game was written in Pascal, and we’ll explain the DOS interrupts and the relevant instructions/functions that could be identified. Technical analysis The

Reverse Engineering an old Mario & Luigi game for fun Read More »

A step-by-step analysis of the Russian APT Turla backdoor called TinyTurla

Summary Turla is a Russian-based group that has impacted government, embassies, military, education, and research companies since 2004. Our analysis focuses on a backdoor called TinyTurla that was installed on an endpoint via a Windows Service. The list of C2 servers and a password used for authentication with the servers are stored in the Windows

A step-by-step analysis of the Russian APT Turla backdoor called TinyTurla Read More »

How to analyze malicious documents – Case study of an attack targeting Ukrainian Organizations

Summary This article presents an analysis of two malicious files and the tools used. Our approach can be generalized to any other malicious documents. The last document is a .docx file that was used to attack Ukrainian organizations in the context of the military conflict between Russia and Ukraine. OLE (Object Linking and Embedding) is

How to analyze malicious documents – Case study of an attack targeting Ukrainian Organizations Read More »

A detailed analysis of Lazarus APT malware disguised as Notepad++ Shell Extension

Summary Lazarus has targeted its victims using job opportunities documents for companies such as LockHeed Martin, BAE Systems, and Boeing. In this case, the threat actor has targeted people that are looking for jobs at Boeing using a document called Boeing BDS MSE.docx (https://twitter.com/ShadowChasing1/status/1455489336850325519). The malware extracts the hostname, username, network information, a list of

A detailed analysis of Lazarus APT malware disguised as Notepad++ Shell Extension Read More »

Just another analysis of the njRAT malware – A step-by-step approach

Summary njRAT (Bladabindi) is a .NET RAT (Remote Access Trojan) that allows attackers to take control of an infected machine. This malware has been used by APT actors in targeted attacks in Colombia (https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/), by SideCopy (https://blog.talosintelligence.com/2021/07/sidecopy.html) and has been distributed via phishing emails (https://labs.k7computing.com/index.php/malspam-campaigns-download-njrat-from-paste-sites/). The version number in our analysis is 0.6.4 and the

Just another analysis of the njRAT malware – A step-by-step approach Read More »

A detailed analysis of the STOP/Djvu Ransomware

Summary STOP/Djvu ransomware is not a very known ransomware like Conti, REvil or BlackMatter, however ESET ranked it on the 3rd place in the top ransomware families in Q2 2020 (https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf). This ransomware can run with one of the following parameters: “–Admin”, “–Task”, “–AutoStart”, “–ForNetRes”, and “–Service”. The process doesn’t target specific countries based on

A detailed analysis of the STOP/Djvu Ransomware Read More »

How to defeat the Russian Dukes: A step-by-step analysis of MiniDuke used by APT29/Cozy Bear

Summary APT29/Cozy Bear is a Russian actor that has been associated with Russia’s Foreign Intelligence Service (SVR). The US government has blamed this actor for the SolarWinds supply chain compromise operation, as described at https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF. MiniDuke is a backdoor written in pure assembly that was previously documented by ESET at https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf and Kaspersky at https://securelist.com/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/64107/,

How to defeat the Russian Dukes: A step-by-step analysis of MiniDuke used by APT29/Cozy Bear Read More »