Malware Analysis, Threat Intelligence and Reverse Engineering: workshop slides

Last month, when I was in between jobs, I gave a workshop for a group of 20-25 enthusiastic women, all either starting in infosec or with an interest in starting in this field. The event, now obviously expired, can be found here: CWF Women in Cyber Event #1: Malware Fundamentals

For that purpose, I had created a full workshop: slides or a presentation introducing the concepts of Malware Analysis, Threat Intelligence and Reverse Engineering. The idea was to convey these topics in a clear and approachable manner, both in theory and in practice; for the latter, I had set up a custom VM with labs, including applications I created myself, some with simple obfuscation.

All participants were very enthusiastic, and I hope to have sparked some, if not most, of them to pursue a career in this field. For this exact reason, I am now releasing the presentation to the public; the VM and recordings however will not be published, as I created these solely for CWF. You may however download the lab material from GitHub below: https://github.com/bartblaze/MaTiRe

Without any further ado, you may find the slides below, on either SlideShare or SpeakerDeck: SlideShare Malware analysis,...

Quickpost: SteamStealers via Github

Back in 2014, I created a blog post named 'Malware spreading via Steam chat', where I analysed and discussed one of the first 'SteamStealers': malware that exclusively targets gamers, or at least those who use Steam. You can read that blog post here. Another SteamStealer technique was via a Chrome extension, and there are many others reported as well; if you fancy a read, check out the blog post and paper here.

This blog is meant as a quick post and heads-up, as some cybercriminals who use SteamStealer are now also resorting to using GitHub. I was notified of this by MalwareHunterTeam on Twitter:

"Also, anyone seen before a malware which replaces Steam trade links? cc @bartblaze @spontiroli pic.twitter.com/XFcVQKy4On" — MalwareHunterTeam (@malwrhunterteam) January 12, 2018

In this example, Evrial uses GitHub to copy/steal clipboard contents, and replaces Steam trade offer links. Note that Evrial is a full-blown infostealer.

Another recent example, given to me by advicebanana, is a SteamStealer for the sole purpose of stealing your Steam credentials. In this specific case, the malware was redirected from: http://screenpicturepro/image293jpg to the following page or Gist, hosted on GitHub: https://raw.githubusercontentcom/Hamlo22888/Sur/master/image293scr

While the gist is already offline...
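The trade-link swap described above is easy to miss because both the copied and the pasted link look like valid Steam URLs. The following is an added example (not code from the original post, and not Evrial's code) of the check a trader can run before pasting: parse the link as a steamcommunity.com trade offer URL and compare the partner ID and token with what was copied, or with the partner you meant to trade with. The sample links are constructed; the partner and token values are not real accounts.

```python
"""Detect clipboard substitution of Steam trade offer links.

Added example: models the clipboard hijack described above (the pasted trade
offer link is no longer the one that was copied). A trade offer link has the
form https://steamcommunity.com/tradeoffer/new/?partner=<id>&token=<token>.
"""
from urllib.parse import urlparse, parse_qs

TRADE_HOST = "steamcommunity.com"
TRADE_PATH = "/tradeoffer/new/"


def parse_trade_link(link):
    """Return (partner_id, token) for a well-formed trade offer link, else None."""
    u = urlparse(link.strip())
    if u.scheme not in ("http", "https"):
        return None
    host = u.netloc.lower()
    if host != TRADE_HOST and host != "www." + TRADE_HOST:
        return None
    if u.path != TRADE_PATH:
        return None
    q = parse_qs(u.query)
    partner = q.get("partner", [""])[0]
    token = q.get("token", [""])[0]
    # partner is a numeric account id; token is a short alphanumeric secret
    if not partner.isdigit() or not token.isalnum():
        return None
    return int(partner), token


def link_was_swapped(copied, pasted, expected_partner=None):
    """Compare the link you copied with what came back from the clipboard.

    Returns a list of reasons; an empty list means the link is unchanged and,
    if expected_partner is given, points at the partner you intended.
    """
    reasons = []
    c = parse_trade_link(copied)
    p = parse_trade_link(pasted)
    if p is None:
        reasons.append("pasted text is not a steamcommunity.com trade offer link")
        return reasons
    if c is None:
        reasons.append("copied text is not a steamcommunity.com trade offer link")
    elif c != p:
        reasons.append("partner/token changed between copy and paste: %s -> %s" % (c, p))
    if expected_partner is not None and p[0] != expected_partner:
        reasons.append("partner %d is not the expected partner %d" % (p[0], expected_partner))
    return reasons


# Constructed sample: the link a victim copies, and what a clipboard hijacker
# hands back on paste (partner and token replaced with the attacker's own).
COPIED = "https://steamcommunity.com/tradeoffer/new/?partner=123456789&token=AbCdEfGh"
PASTED = "https://steamcommunity.com/tradeoffer/new/?partner=987654321&token=ZzYyXxWw"

if __name__ == "__main__":
    for reason in link_was_swapped(COPIED, PASTED, expected_partner=123456789):
        print("ALERT:", reason)
```

On a live machine the two inputs come from the clipboard before and after the paste (for example via a small clipboard-watching loop); the comparison logic is the same.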

StorageCrypt ransomware, a coinminer and more

Lawrence over at Bleeping Computer posted an interesting blog yesterday: StorageCrypt Ransomware Infecting NAS Devices Using SambaCry

In that blog, Lawrence pointed out that quite some users had issues with a new ransomware, dubbed StorageCrypt, possibly spread via a worm. There is a Windows component and a Linux component. We'll briefly take a look at both, hopefully providing some additional insight and indicators.

Windows artifacts

美女与野兽.exe is the Windows component and, as pointed out by Lawrence, translates loosely to 'Beauty and the Beast'. This executable is packed with ASPack, and appears to display worm-like and backdoor behaviour, with the additional 'feature' of spreading itself via removable drives. After unpacking the sample, it reveals some interesting strings:

1.vbp
SMSS.EXE
http://www.freewebs.com/kelly6666/sm.txt
http://www.freewebs.com/kelly6666/lo.txt
DBST32NT.LOG
.bak
.exe
V1.8
Start Success.log
yyyymmddmmss
Txt Open ,
Repair the application!
 is running, Repair the application from backup.
 is running, Repair the application from MySelf.
 running is running, update the application !
Get V Data!
Read Tname to memory
.ico
Kill ico
ExtractIcons...
Write to Tname...
ip addr added
GetFolderFileDate...
Replace all attrib.
I m here!-->
Insert Error : for 
.dll
.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe
Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows9xPacks
HKEY_CLASSES_ROOT\txtfile\shell\open\command
NOTEPAD.EXE %1
HKEY_
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
Error
C:\boot_net.dat
C:\dosnal.exe
Find all exe file from Local host
*.exe
Download files is accomplish!
Run files of download is success!
Download files1 is accomplish!
Run files1 of download is success!
This program cannot be run in DOS mode.
This program must be run under Win32
Autorun.inf
success.txt
cmd.exe /C net view 
command.exe /C net view 
 to find 
 to Create file
.exe
open=
.exe
Get Local host...
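The registry paths in those strings (Winlogon Shell and Userinit, the Run key, the txtfile open command) and the Autorun.inf/open= pair are the classic persistence and removable-drive spreading locations, and they are where a responder should look first. Below is an added example, not the sample's code and not from the original post, that triages those locations. Registry data is passed in as a plain dict (on a live Windows host you would fill it from the winreg module; here it is constructed), together with the text of an Autorun.inf from a removable drive. The file and value names in the sample (dosnal.exe, Windows9xPacks) are taken from the strings dump; which registry value holds which name is an assumption for the sake of the example.

```python
"""Triage of the persistence locations the unpacked strings point at.

Added example. Checks: Winlogon Shell must be explorer.exe; Winlogon Userinit
must be only the system32 userinit.exe; the txtfile open command should end in
notepad.exe with %1; Run entries launching a program straight from a drive
root are suspicious (the strings show files dropped in the C: root); and an
Autorun.inf open= or shellexecute= line must not launch a program.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
TXTFILE = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"

DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"  # stock value carries a trailing comma
DRIVE_ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.(exe|scr|com|bat|cmd)\b")


def _norm(value):
    """Lower-case, trim whitespace and surrounding quotes for comparison."""
    return value.strip().strip('"').lower()


def triage_registry(values):
    """values: {(key, name): data}. Returns a list of (key, name, data, reason)."""
    findings = []
    for (key, name), data in values.items():
        k, n = key.lower(), name.lower()
        if k == WINLOGON.lower() and n == "shell":
            if _norm(data) != DEFAULT_SHELL:
                findings.append((key, name, data, "Winlogon Shell is not explorer.exe"))
        elif k == WINLOGON.lower() and n == "userinit":
            # Hijack pattern: userinit.exe,<something else>
            parts = [_norm(p) for p in data.split(",") if p.strip()]
            if parts != [DEFAULT_USERINIT]:
                findings.append((key, name, data, "Userinit runs something besides userinit.exe"))
        elif k == TXTFILE.lower():
            if not _norm(data).endswith("notepad.exe %1"):
                findings.append((key, name, data, ".txt file handler no longer opens Notepad"))
        elif k == RUN.lower():
            if DRIVE_ROOT_EXE.match(_norm(data)):
                findings.append((key, name, data, "Run entry launches a program from a drive root"))
    return findings


def triage_autorun(inf_text):
    """Return (directive, target) for open=/shellexecute= lines that launch a program."""
    hits = []
    for line in inf_text.splitlines():
        m = re.match(r"\s*(open|shellexecute)\s*=\s*(.+?)\s*$", line, re.I)
        if m and re.search(r"\.(exe|scr|com|bat|cmd|vbs|js)\b", m.group(2), re.I):
            hits.append((m.group(1).lower(), m.group(2)))
    return hits


# Constructed sample values. Names come from the strings dump above; the
# mapping of name to registry value is an assumption made for the example.
SAMPLE_REGISTRY = {
    (WINLOGON, "Shell"): "explorer.exe",
    (WINLOGON, "Userinit"): r"C:\Windows\system32\userinit.exe,C:\dosnal.exe",
    (RUN, "Windows9xPacks"): r"C:\dosnal.exe",
    (TXTFILE, ""): r"C:\dosnal.exe %1",
}
SAMPLE_AUTORUN = "[autorun]\nopen=dosnal.exe\nicon=dosnal.exe\n"

if __name__ == "__main__":
    for key, name, data, reason in triage_registry(SAMPLE_REGISTRY):
        print("%s | %s | %s | %s" % (reason, key, name, data))
    for directive, target in triage_autorun(SAMPLE_AUTORUN):
        print("Autorun.inf %s= launches %s" % (directive, target))
```

The txtfile check matters because hijacking the .txt handler is a quiet way to re-launch on every double-click of a text file; a stock system resolves it to %SystemRoot%\system32\NOTEPAD.EXE %1, which the endswith() test accepts regardless of how the path is spelled.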

Notes on Linux/BillGates

In a previous blog post, I wrote some (extensive) notes on Linux/Xor.DDoS, also known as just Xor.DDoS, an interesting type of Linux malware. You can find that particular blog below, in which I give some history, details, remediation and prevention in regards to the specific threat Xor.DDoS poses: Notes on Linux/Xor.DDoS

This post will include some notes on Linux/BillGates, hereafter referred to as just 'BillGates'; rather than being very in-depth like the previous blog, I will mostly list high-level notes and remediation or disinfection steps. Additionally, after the conclusion, you will find other resources if necessary. In case of questions, comments or feedback, leave a comment or contact me on Twitter.

What is BillGates?

BillGates is malware designed primarily for Linux, and since it is a botnet, it is mostly used for DDoS purposes. However, just as Xor.DDoS, it has limited rootkit and backdoor functionality, and thus it is possible that remote commands are executed and additional malware is downloaded.

How can I identify BillGates artefacts?

Please find below a table with indicators.

Indicator                    Notes
/etc/cmd.n
/etc/conf.n
/etc/init.d/DbSecuritySpt
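An init script such as /etc/init.d/DbSecuritySpt is only half of the persistence: the rc*.d symlinks that point at it are what start it at boot, and removing the script alone leaves them dangling. The following is an added example, not code from the original post, that checks a root directory (use "/" on the live host, or the mount point of a forensic image) for the indicators in the table above and, for the init script, collects the rc*.d links as well. The mini filesystem it builds for demonstration is constructed and lives in a temporary directory.

```python
"""Check a Linux host, or a mounted disk image, for the BillGates indicators listed above.

Added example. find_billgates_artifacts() reports which indicator paths exist
under a root directory; for an init script it also lists the rc*.d symlinks
that start it, since those must be removed together with the script.
"""
import os
import tempfile

# Indicators from the table above, relative to the root being examined.
BILLGATES_PATHS = ["etc/cmd.n", "etc/conf.n", "etc/init.d/DbSecuritySpt"]


def rc_links_for(root, script_name):
    """Return rc*.d symlinks under <root>/etc whose target is the named init script."""
    links = []
    etc = os.path.join(root, "etc")
    if not os.path.isdir(etc):
        return links
    for d in sorted(os.listdir(etc)):
        rcdir = os.path.join(etc, d)
        if not (d.startswith("rc") and d.endswith(".d") and os.path.isdir(rcdir)):
            continue
        for entry in sorted(os.listdir(rcdir)):
            p = os.path.join(rcdir, entry)
            if os.path.islink(p) and os.path.basename(os.readlink(p)) == script_name:
                links.append(p)
    return links


def find_billgates_artifacts(root="/", indicators=BILLGATES_PATHS):
    """Return {indicator: [paths found]} for every indicator present under root."""
    found = {}
    for rel in indicators:
        full = os.path.join(root, rel)
        if os.path.lexists(full):  # lexists: a dangling symlink is still an artifact
            hits = [full]
            if rel.startswith("etc/init.d/"):
                hits += rc_links_for(root, os.path.basename(rel))
            found[rel] = hits
    return found


def make_sample_root():
    """Build a constructed mini filesystem in a temp dir that mimics an infected host."""
    base = tempfile.mkdtemp(prefix="billgates-")
    os.makedirs(os.path.join(base, "etc", "init.d"))
    os.makedirs(os.path.join(base, "etc", "rc3.d"))
    for rel in ("etc/cmd.n", "etc/init.d/DbSecuritySpt"):
        with open(os.path.join(base, rel), "w") as f:
            f.write("#!/bin/sh\n# constructed placeholder, not the real script\n")
    os.symlink("../init.d/DbSecuritySpt",
               os.path.join(base, "etc", "rc3.d", "S97DbSecuritySpt"))
    return base


def make_clean_root():
    """An empty temp dir, standing in for a host without the indicators."""
    return tempfile.mkdtemp(prefix="clean-")


if __name__ == "__main__":
    for rel, paths in find_billgates_artifacts(make_sample_root()).items():
        print(rel)
        for p in paths:
            print("   ", p)
```

Run it against "/" as root on a suspect machine; on systemd hosts also check for a generated unit wrapping the init script, which this example does not cover.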

CrunchyRoll hack delivers malware

Introduction

There's a Reddit post today with a PSA (Public Service Announcement) about Crunchyroll, a website that offers anime streaming, being hacked: "PSA: Don't enter crunchyroll.com at the moment, it seems they've been hacked."

As mentioned before, Crunchyroll offers anime streaming, and in their own words: "Enjoy your favorite anime & manga at the speed of Japan"

The German Crunchyroll team has additionally issued the following warning:

"And for our English-speaking audience: Please DO NOT access our website at the current time. We are aware of the issues and are working on it" — Crunchyroll.de (@Crunchyroll_de) November 4, 2017

The official CrunchyRoll Twitter account has tweeted the following:

"ATTENTION ALL CRUNCHYROLL USERS!! Please DO NOT access our website at the current time. We are aware of the issues and are working on it!!" — Crunchyroll (@Crunchyroll) November 4, 2017

If you are only interested in how to remove this malware, scroll down to the disinfection/removal section, or click here.

Update: CrunchyRoll has announced, after a few hours, that the issue is resolved:

"We've just gotten the all-clear to say that https://t.co/x1dBCM9X9C is back online!! Thank you SO MUCH for your patience ~ ❤️ pic.twitter.com/FQRRHowvp6" — Crunchyroll (@Crunchyroll) November 4, 2017

However,...

Comparing EternalPetya and BadRabbit

I've created a table comparing the EternalPetya (ExPetr, NotPetya, etc.) outbreak from June and the BadRabbit ransomware outbreak from yesterday (2017-10-24). I have decided not to include WannaCry (WanaCrypt0r), as it is not related, while EternalPetya and BadRabbit do seem very closely related, or even developed by (a part of) the same people. Use freely, as long as you include a link to the original source, which is this blog post.

Comparison table

Download the table / comparison sheet

Additionally, you may find this image as a handy spreadsheet (which you can also download in several formats) on Google Docs here: EternalPetya_BadRabbit_Comparison. Note: this table or sheet will be updated continuously.

Purpose of BadRabbit?

Again, this makes you wonder about the actual purpose of ransomware, which you can read about here: The purpose of ransomware. For BadRabbit in particular, it may be deployed as a cover-up or smokescreen, or for both disruption and extortion.

Prevention

As for any prevention advice, have a look at the following page I've set up: Ransomware prevention

Disinfection and decryption

Unfortunately, decryption is likely not possible without the cybercriminal's private key. You may be able to...

Notes on Sage 2.2 ransomware version

Sage, also known as SageCrypt, is an interesting ransomware variant: it emerged somewhere in December last year, and is believed to be a variant of the CryLocker ransomware. There's a good blog post on BleepingComputer on the first version of Sage, id est "Sage 2".

Yesterday, a personal friend of mine reached out, as his "computer started talking" and his files appeared to be encrypted. And indeed, it appears he suffered the latest variant of Sage: Sage 2.2. Sage 2.2 appears to have been out for a while, at least since February of this year:

"Sage 2.2 sample (at 11/58): https://t.co/XsWMsPcXsj From: nrcommercecom/system/config/spam1.exe - that filename... 👏 More samples: pic.twitter.com/a2J157kjJk" — MalwareHunterTeam (@malwrhunterteam) February 21, 2017

Some figures of Sage 2.2 follow below:

Figure 1 - Sage 2.2 desktop background
Figure 2 - Sage 2.2 file recovery instructions

The message reads:

"You probably noticed that you can not open your files and that some software stopped working correctly. This is expected. Your files content is still there, but it was encrypted by "SAGE 2.2 Ransomware". Your files are not lost, it is possible to revert them back to normal state..."

Rick and Morty episode? Nope, another CoinMiner

Last week I got an email from someone requesting help in regards to a possible malware infection: that person downloaded a torrent, and believed it was a legitimate episode of Rick and Morty, an animated series.

A file called Rick.and.Morty.S03E10.HDTV.x264-BATV.MKV.exe (116 MB in file size) is of interest, and what you'll notice first is of course the file extension: it's an executable. Riiiiiiiiiiiick!

In fact, this file is a self-extracting and password-protected archive which contains two other files:

Figure 1 - two new files in the archive

One file is indeed a legitimate video file, which features the following:

Figure 2 - clip

This short clip has nothing to do with Rick and Morty, but seems to be a promo clip for a new series, called '1922'. The other file, however, is another executable: again a self-extracting and password-protected archive, sometimes referred to as 'SFX', with inside... more archives.

In short, what you actually end up with is a cryptominer or coinminer. In Figure 3 below, you can spot both the passwords used for the archives, as well as the mining pool of interest:
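Two things give this file away before it is ever run: the double extension (a video name ending in .exe) and the fact that a self-extracting archive is a normal PE executable with an archive appended to it, so the archive's signature is still visible inside the file even when the archive is password-protected. The following is an added example, not from the original post, that performs both checks on a (filename, bytes) pair. The magic numbers are the public RAR4/RAR5, 7-Zip and ZIP signatures; the sample bytes are a constructed fake PE with a RAR5 header appended, not the real download.

```python
"""Spot a video-named executable and an SFX (archive appended to a PE).

Added example. classify() reports a media extension hiding behind an
executable one, whether the bytes are a PE image, and any archive signatures
found after the PE header region (the SFX pattern described above).
"""

VIDEO_EXT = {"mkv", "mp4", "avi", "mov", "wmv", "flv"}
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd"}

ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"PK\x03\x04": "zip",
}


def has_double_extension(name):
    """True for names like Show.S03E10.MKV.exe: a media extension just before an executable one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in VIDEO_EXT


def is_pe(data):
    """Minimal DOS/PE header check: MZ at offset 0, e_lfanew at 0x3c pointing at PE plus two NUL bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def embedded_archives(data, skip=0x40):
    """Return sorted (offset, kind) for every archive signature found past the DOS header."""
    hits = []
    for magic, kind in ARCHIVE_MAGIC.items():
        off = data.find(magic, skip)
        while off != -1:
            hits.append((off, kind))
            off = data.find(magic, off + 1)
    return sorted(hits)


def classify(name, data):
    """Return a list of findings for a (filename, bytes) pair."""
    findings = []
    if has_double_extension(name):
        findings.append("double extension: looks like a video, runs as %s" % name.rsplit(".", 1)[-1])
    if is_pe(data):
        findings.append("PE executable")
        for off, kind in embedded_archives(data):
            findings.append("embedded %s archive at offset 0x%x (likely SFX payload)" % (kind, off))
    return findings


def build_sample():
    """Constructed stand-in for the download: a tiny fake PE with a RAR5 archive appended."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> right after the DOS header
    pe = bytes(header) + b"PE\x00\x00" + b"\x00" * 0x100
    return pe + b"Rar!\x1a\x07\x01\x00" + b"constructed archive body"


SAMPLE_NAME = "Rick.and.Morty.S03E10.HDTV.x264-BATV.MKV.exe"

if __name__ == "__main__":
    for finding in classify(SAMPLE_NAME, build_sample()):
        print(finding)
```

A hit from embedded_archives() tells you where to carve: the bytes from that offset onward can be written out and opened with the archive tool directly, which is how you get at the nested archives without executing the SFX stub. A RAR archive created with encrypted headers still begins with the same signature block, so the check holds for the password-protected case too.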

Malicious ad/click networks: common or forgotten threat?

Introduction

Malicious ad/click networks and ad fraud are not entirely a new phenomenon, but it is important to realize the kind of threat they may pose. Is it a common, or a forgotten threat? Maybe both. In this blog post, we'll take a look at how a seemingly innocuous click network and advertiser is actually showing some rather malicious behavior.

The beginning

It all starts with the following redirect:

Figure 1 - .js download

A 'critical Firefox update' needs to be downloaded and run, with the resulting file having multiple layers of obfuscation. After deobfuscating 2 layers, we get the following:

Figure 2 - malicious script

The script will attempt to download an .flv file from ohchivsevmeste5com, with additional parameters. While I was unable to reproduce what happened afterwards at the time of writing, it would likely fetch another heavily obfuscated JavaScript for clickjacking purposes (this behaviour can also be deduced from Figure 1, as it persists in the browser).

Clickjacking is unfortunately not an uncommon phenomenon, and is described by Wikipedia as: "Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on..."
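Clickjacking in the UI-redress sense of the quoted definition depends on the target page being loadable in a frame controlled by the attacker, and the control on the target's side is the response header policy: X-Frame-Options or, with precedence, the Content-Security-Policy frame-ancestors directive. The following is an added example, not from the original post, that classifies a site's framing policy from its response headers. The header dicts are constructed; on a live check you would fill one from any HTTP client. The rules follow the standards: frame-ancestors overrides X-Frame-Options when present, 'none' and DENY block framing, 'self' and SAMEORIGIN limit it to the page's own origin, and ALLOW-FROM is obsolete and ignored by current browsers.

```python
"""Classify a page's framing policy from its HTTP response headers.

Added example. framing_policy() returns (status, reason) with status one of
"blocked", "same-origin", "restricted" or "unprotected".
"""


def _frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers):
    """headers: {name: value}, names compared case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors wins over X-Frame-Options when both are present.
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if "*" in sources:
            return "unprotected", "frame-ancestors allows any origin (*)"
        if sources == ["'none'"]:
            return "blocked", "frame-ancestors 'none'"
        if sources == ["'self'"]:
            return "same-origin", "frame-ancestors 'self'"
        if not sources:
            return "blocked", "frame-ancestors with an empty source list matches nothing"
        return "restricted", "frame-ancestors " + " ".join(sources)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked", "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        return "unprotected", "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    if xfo:
        return "unprotected", "unrecognised X-Frame-Options value %r" % xfo
    return "unprotected", "no frame-ancestors and no X-Frame-Options"


# Constructed header sets for three typical responses.
SAMPLES = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                 "X-Frame-Options": "SAMEORIGIN"},
    "partner-embed": {"content-security-policy": "frame-ancestors 'self' https://partner.example"},
    "bare": {"Server": "nginx"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        status, reason = framing_policy(headers)
        print("%-14s %-12s %s" % (label, status, reason))
```

Content-Security-Policy-Report-Only is deliberately not consulted: it reports but does not enforce, so it offers no framing protection.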

Crystal Finance Millennium used to spread malware

Earlier today, Costin from Kaspersky tweeted the following intriguing tweet:

"The Crystal Finance Millennium website in Ukraine has been hacked and distributing malware since at least August 18." — Costin Raiu (@craiu) August 23, 2017

After some hunting, it was revealed the Crystal Finance Millennium website was indeed hacked, and serving three different flavors of malware. In this short blog post, we'll take a look at the malware variants that were distributed, and provide minimal background.

Introduction

Crystal Finance Millennium's website is currently taken offline by the hosting provider, but archives of the website exist online.

Figure 1 - "At this moment the site is blocked by the hosting administrator"

From the archived webpage, it becomes apparent they provide accounting software, personalisation of medical records, blood service and "full automation of the doctor's office"; contrary to what their company name suggests, it appears they are (mostly) focused on medical software.

Figure 2 - archived webpage of CFM's services

Moving on to the malware present on their website:

Smoke Loader

Smoke Loader, also known as Dofoil, Sharik or just 'Smoke', is a botnet with the main purpose of downloading other malware...