A technical analysis of the leaked LockBit 3.0 builder

Summary This is our analysis of the LockBit 3.0 builder that was leaked online on September 21, 2022. The executable called “keygen.exe” can be used to generate the RSA public and private keys that are embedded in the encryptor and decryptor, respectively. The builder embedded 4 resources used to create executables or DLL files according […]

A technical analysis of the leaked LockBit 3.0 builder Read More »

A technical analysis of Pegasus for Android – Part 1

Summary Pegasus is a spyware developed by the NSO group that was repeatedly analyzed by Amnesty International and CitizenLab. In this article, we dissect the Android version that was initially analyzed by Lookout in this paper, and we recommend reading it along with this post. During our research about Pegasus for Android, we’ve found out

A technical analysis of Pegasus for Android – Part 1 Read More »

How to analyze Linux malware – A case study of Symbiote

Summary Symbiote is a Linux threat that hooks libc and libpcap functions to hide the malicious activity. The malware hides processes and files that are used during the activity by implementing two functions called hidden_proc and hidden_file. It can also hide network connections based on a list of ports and by hijacking any injected packet

How to analyze Linux malware – A case study of Symbiote Read More »

How to expose a potential cybercriminal due to misconfigurations

Summary We’ve investigated a new phishing campaign spreading malicious documents that exploit the CVE-2017-0199 and CVE-2017-11882 vulnerabilities. The purpose of this campaign is to deploy the Lokibot stealer on the infected machines. In our investigation we found misconfigurations on the malicious domains that allowed us to identify a hostname which was a name server for

How to expose a potential cybercriminal due to misconfigurations Read More »

Reverse Engineering an old Mario & Luigi game for fun

Summary Our approach is looking to reveal the findings only based on the DOS executable that can be downloaded from https://www.dosgamesarchive.com/file/mario-and-luigi/marioandluigi/. The source code of the game is also available at https://www.dosgamesarchive.com/file/mario-and-luigi/mariosrc/. The game was written in Pascal, and we’ll explain the DOS interrupts and the relevant instructions/functions that could be identified. Technical analysis The

Reverse Engineering an old Mario & Luigi game for fun Read More »

A step-by-step analysis of the Russian APT Turla backdoor called TinyTurla

Summary Turla is a Russian-based group that has impacted government, embassies, military, education, and research companies since 2004. Our analysis focuses on a backdoor called TinyTurla that was installed on an endpoint via a Windows Service. The list of C2 servers and a password used for authentication with the servers are stored in the Windows

A step-by-step analysis of the Russian APT Turla backdoor called TinyTurla Read More »

How to analyze malicious documents – Case study of an attack targeting Ukrainian Organizations

Summary This article presents an analysis of two malicious files and the tools used. Our approach can be generalized to any other malicious documents. The last document is a .docx file that was used to attack Ukrainian organizations in the context of the military conflict between Russia and Ukraine. OLE (Object Linking and Embedding) is

How to analyze malicious documents – Case study of an attack targeting Ukrainian Organizations Read More »

A detailed analysis of Lazarus APT malware disguised as Notepad++ Shell Extension

Summary Lazarus has targeted its victims using job opportunities documents for companies such as LockHeed Martin, BAE Systems, and Boeing. In this case, the threat actor has targeted people that are looking for jobs at Boeing using a document called Boeing BDS MSE.docx (https://twitter.com/ShadowChasing1/status/1455489336850325519). The malware extracts the hostname, username, network information, a list of

A detailed analysis of Lazarus APT malware disguised as Notepad++ Shell Extension Read More »