A technical analysis of Pegasus for Android – Part 1

Summary: Pegasus is spyware developed by the NSO Group that has been repeatedly analyzed by Amnesty International and Citizen Lab. In this article, we dissect the Android version that was initially analyzed by Lookout in this paper, and we recommend reading it along with this post. During our research about Pegasus for Android, we’ve found out

How to analyze Linux malware – A case study of Symbiote

Summary: Symbiote is a Linux threat that hooks libc and libpcap functions to hide its malicious activity. The malware hides the processes and files used during that activity by implementing two functions called hidden_proc and hidden_file. It can also hide network connections based on a list of ports and by hijacking any injected packet

How to expose a potential cybercriminal due to misconfigurations

Summary: We’ve investigated a new phishing campaign spreading malicious documents that exploit the CVE-2017-0199 and CVE-2017-11882 vulnerabilities. The purpose of this campaign is to deploy the Lokibot stealer on the infected machines. In our investigation we found misconfigurations on the malicious domains that allowed us to identify a hostname which was a name server for

Reverse Engineering an old Mario & Luigi game for fun

Summary: Our approach aims to reveal the findings based only on the DOS executable that can be downloaded from https://www.dosgamesarchive.com/file/mario-and-luigi/marioandluigi/. The source code of the game is also available at https://www.dosgamesarchive.com/file/mario-and-luigi/mariosrc/. The game was written in Pascal, and we’ll explain the DOS interrupts and the relevant instructions/functions that could be identified. Technical analysis The

A step-by-step analysis of the Russian APT Turla backdoor called TinyTurla

Summary: Turla is a Russian-based group that has impacted government, embassies, military, education, and research companies since 2004. Our analysis focuses on a backdoor called TinyTurla that was installed on an endpoint via a Windows Service. The list of C2 servers and a password used for authentication with the servers are stored in the Windows

How to analyze malicious documents – Case study of an attack targeting Ukrainian Organizations

Summary: This article presents an analysis of two malicious files and the tools used. Our approach can be generalized to any other malicious documents. The last document is a .docx file that was used to attack Ukrainian organizations in the context of the military conflict between Russia and Ukraine. OLE (Object Linking and Embedding) is

A detailed analysis of Lazarus APT malware disguised as Notepad++ Shell Extension

Summary: Lazarus has targeted its victims using job-opportunity documents for companies such as Lockheed Martin, BAE Systems, and Boeing. In this case, the threat actor has targeted people who are looking for jobs at Boeing using a document called Boeing BDS MSE.docx (https://twitter.com/ShadowChasing1/status/1455489336850325519). The malware extracts the hostname, username, network information, a list of

Just another analysis of the njRAT malware – A step-by-step approach

Summary: njRAT (Bladabindi) is a .NET RAT (Remote Access Trojan) that allows attackers to take control of an infected machine. This malware has been used by APT actors in targeted attacks in Colombia (https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/), by SideCopy (https://blog.talosintelligence.com/2021/07/sidecopy.html) and has been distributed via phishing emails (https://labs.k7computing.com/index.php/malspam-campaigns-download-njrat-from-paste-sites/). The version number in our analysis is 0.6.4 and the
