Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request

Data Exfiltrator

Summary: Over the past year, a major change in tactics employed by ransomware adversaries has been to exfiltrate data from the victim's environment. The data then serves as the material for an extortion threat on top of the ransom for encrypted data. This additional tactic became a trend followed by most ...
Code Reuse Across Packers and DLL Loaders

One of the core tenets of computer science is code reuse. Why write something new when code that already exists can be repurposed, or changed slightly, and then reused for a different situation? This is no different in the world of malware. SystemBC is a family of remote access trojans ...
DotNET Loaders

Many families of remote access trojan (RAT) are .NET executables. As was observed in the blog post[1] from one year ago about RevengeRAT, among others, much of this malware is delivered in another .NET executable with the payload encoded as an embedded text string. These RATs, when they're encoded ...
PoorWeb - Hitching a Ride on Hangul

Categories: research, Threat Research
Hangul Office is a popular office software suite in South Korea.[1] It shares the same compound file format as older versions of Microsoft Office, but has unique features that are abused to form malicious documents. The landscape of this type of attack has been analyzed closely in the VirusBulletin ...
Excel 4.0 Macros

Categories: research, Threat Research
A multitude of adversaries, beginning around February of 2020,[1] have been abusing an old feature of Microsoft Excel as a novel malware delivery method. The Excel 4.0 macros (XLM) feature was introduced in Excel version 4.0 way back in 1992.[2] This style of macro predates the also commonly abused Visual ...
How to Hunt for Threats Using YARA Rules

Five Uses of YARA

YARA is certainly a useful member of the toolset of researchers, threat hunters, incident responders, and many other defenders. At its core are two essential capabilities. The first is to match static qualities of a file or region of memory. The second is to provide a way to express logic applied ...
Retread Ransomware

In March of 2020, MalwareHunterTeam discovered a downloader which installed both a KPot infostealer and a second payload, a ransomware variant that used the string "CoronaVirus". This sample was leveraging ongoing current events and appears to be some form of cover for, or distraction from, the ...