Detailed analysis of malware
As a reverse engineer, every now and then you encounter a situation where you dive deeper into the internal structures of an operating system as usual. Be it out of simple curiosity, or because you need to understand how a binary uses specific parts of the operating system in certain ways . One of the […]
PEB: Where Magic Is Stored Read More »
A domain generation algorithm is a routine/program that generates a domain dynamically. Think of the following example: An actor registers the domain evil.com. The corresponding backdoor has this domain hardcoded into its code. Once the attacker infects a target with this malware, it will start contacting its C2 server. As soon as a security company
DGAs – Generating domains dynamically Read More »
You probably already guessed it from the title’s name, API Hashing is used to obfuscate a binary in order to hide API names from static analysis tools, hindering a reverse engineer to understand the malware’s functionality. A first approach to get an idea of an executable’s functionalities is to more or less dive through the
Deobfuscating DanaBot’s API Hashing Read More »
Hooking is a technique to intercept function calls/messages or events passed between software, or in this case malware. The technique can be used for malicious, as well as defensive cases. Rootkits for example can hook API calls to make themselves invisible from analysis tools, while we as defenders can use hooking to gain more knowledge
Examining Smokeloader’s Anti Hooking technique Read More »
So I was looking through the CISA’s recent publications regarding three tools named PebbleDash[1], Copperhedge[2] and Taintedscribe[3] which are believed to be used by the state-sponsored North Korean hacking group HiddenCobra/APT 38/Lazarus Group. I started off with PebbleDash, because there was a functionality mentioned in the report that caught my eye: I wanted to know
Reversing PebbleDash’s FakeTLS Protocol Read More »
Hello everyone :-).I am continuing my analysis on QBot with this article. If you didn’t read my previous posts, I’ve already covered the packer[1] as well as various QBot’s anti analysis measurements and process injection[2]. In this blog post I will explain how the jump to the actual payload is performed. I will also cover
An old enemy – Diving into QBot part 3 Read More »
Intro I hope everyone is healthy :-). I finally managed to find some time to continue my analysis of QBot. If you did not read my previous articles, I’ve already covered the packer[1] as well as the string decryption algorithm[2]. I’ve linked them both here. In this blog post I will cover the process execution
An old enemy – Diving into QBot part 2 Read More »
IoT is everywhere and while we do enjoy new technologies, cyber criminals also take advantage of them. Bitdefender[1] found a new emerging IoT Botnet Malware named Dark Nexus which they believe to be authored by greek.helios. Researching IoT security is a hobby of mine and I was able to retrieve 2 variants of Dark Nexus.
IoT Malware : Dissecting Dark Nexus Read More »
In the last part of this blog article series I took an in-depth look at the packer of a QBot sample and unpacked it. This blog post is mostly about cracking the string encryption of the mentioned sample. I am also using the Triton DBA Framework[0] for assisting my analysis, because I really wanted to
Diving into Qbot part 1.5 – Cracking string encryption Read More »
While checking out the Triage Sandbox[1] I stumbled across upon QBot which I’ve seen already plenty of times at work at GData Cyberdefense AG[2]. This time I wanted to take a closer look at the sample myself.The first part of this blog article dives deep into how the packer works. Quick summary The packer used
An old enemy – Diving into QBot part 1 Read More »