“Beeeeeeeeep!”. How Malware Uses the Beep WinAPI Function for Anti-Analysis

I was recently analyzing a malware sample that abuses the Beep function as an interesting evasion tactic. The Beep function basically plays an audible tone notification for the user. The Beep function accepts a parameter DelayInterval, which is the number of milliseconds to play the beep sound. The calling program’s thread that executed the function …

Unpacking StrelaStealer

I was digging into a new version of Strela Stealer the other day and I figured it may help someone if I wrote a quick blog post about it. This post is not an in-depth analysis of the packer. It’s just one method of quickly getting to the Strela payload.

Analysis of the NATO Summit 2023 Lure: A Step-by-Step Approach

Author: @d4rksystem It has been a while since I’ve touched a malicious RTF document and I’ve been itching to refresh my knowledge in this area. The tricky part was finding a maldoc worth investigation. Well, my luck recently changed – along came a maldoc lure that targeted guests of the 2023 NATO Summit in Lithuania …

How Malware Abuses the Zone Identifier to Circumvent Detection and Analysis

I was investigating a malware sample that uses an interesting trick to circumvent sandboxes and endpoint defenses by simply deleting its zone identifier attribute. This led me on a tangent where I began to research more about zone identifiers (which, embarrassingly enough, I had little knowledge of prior). Here are the results of my research. …

Book Summary – “Evasive Malware: Understanding Deceptive and Self-Defending Threats”

Since my new book “Evasive Malware: Understanding Deceptive and Self-Defending Threats” pre-order just launched, I wanted to write up a quick summary of the book, including what you’ll learn, the book’s target audience, and a breakdown of each section in the book. Let’s get started! What is this book about? “Evasive Malware: Understanding Deceptive and …

Malware Analysis in 5 Minutes: Identifying Evasion and Guardrail Techniques with CAPA

Modern malware has gotten better and better at detecting sandbox and analysis environments, and at evading these environments. Malware can circumvent defenses, sandboxes, and analysts by using various techniques such as VM detection, process injection, and guardrails. In particular, guardrails are one or more artifacts that malware looks for on the host before executing its …

Hunting BlackEnergy3 in Memory

I recently was investigating a memory dump from a host infected with BlackEnergy3. BlackEnergy3, which is a modified version of the original BlackEnergy malware families, was used in the attacks on the Ukrainian power grid in 2015. BlackEnergy3 is similar to its version 2 counterpart, but has been modified with additional modules that serve multiple …

Hiding Virtual Machines from Malware – Introducing VMwareCloak & VBoxCloak

Many malware families are still using fairly trivial techniques for the detection of virtual machine environments. Once malware detects that it may be running in a virtual machine, it may terminate itself, or worse, execute code that will cause a diversion and potentially lead the malware analyst down the wrong paths :O Malware often uses …

“VBoxCloak” – Hiding VirtualBox from Malware

Many malware families still use simple evasion techniques for detection of virtual machine environments and malware analysis sandboxes. These simple checks are enumerating things on the host such as processes, certain files and directories, specific drivers and hardware configurations, and registry keys that may give away the presence of a hypervisor. If a virtual machine is …

Chantay’s Resume: Investigating a CV-Themed ZLoader Malware Campaign

One beautiful and sunny evening, I happened to be poking around VirusTotal – because that’s what I do with sunny evenings – and I happened to come across an interesting CV-themed document. It was an Excel document entitled “Chantay’s Resume.xlsm”. This caught my eye mostly because resumes should almost never be in Excel format. Unless …

Random Code Generation in PowerShell-Based Malware “sLoad”

Every once in a while, malware will surprise me with a new technique, or a new method of implementing an older technique. It’s kind of like malware analysis Christmas. Unpacking a gift (the malware) and getting a new toy. Never mind. Anyway, I was looking into a new “sLoad” sample the other day. “sLoad” is a …

Reversing Ryuk: A Technical Analysis of Ryuk Ransomware

Ryuk has been in operation since mid-2018 and is still one of the key ransomware variants operating in 2020. The threat actors behind Ryuk have been known to target a wide range of industries, and they typically demand substantial ransom amounts. Lately, given the ongoing COVID-19 situation, the actors behind Ryuk have been taking advantage …

Unpacking Ryuk

In an earlier post, I wrote a technical analysis of the Ryuk ransomware and its behaviors. This post is a follow-up to that, for whoever is interested in learning one method of unpacking a Ryuk sample. As explained in my previous post, Ryuk will typically try to inject itself into several processes running on the …

Javascript Deobfuscation with Process Hacker

I truly dislike Javascript-based malware. Deobfuscation of Javascript is, to me, annoying at best – and rage-inducing at worst. I love unpacking and analyzing PE executables, DLLs, and the like, but I tend to avoid Javascript analysis when possible. However, in the world of malware, sometimes you must face your annoying, rage-inducing enemy in the …

Malware Analysis in 5-Minutes: Deobfuscating PowerShell Scripts

I often run into obfuscated PowerShell while analyzing malicious documents and executables. Malware authors have many reasons for obfuscating their PowerShell activities, but mostly they do it to tick me off for the lulz. There are a few good ways (and many bad ways) to tear apart PowerShell scripts and discover what they are doing …