dcsimg

Reversing malware in a custom format: Hidden Bee elements

Malware can be made of many components. Often, we encounter macros and scripts that work as malicious downloaders. Some functionalities can also be achieved by position-independent code—so-called shellcode. But when it comes to more complex elements or core modules, we almost take it for granted that it will be a PE file that is a native Windows executable format. The reason for this is simple: It … [Read more...]

Process Doppelgänging meets Process Hollowing in Osiris dropper

One of the Holly Grails for malware authors is a perfect way to impersonate a legitimate process. That would allow them to run their malicious module under the cover, being unnoticed by antivirus products. Over the years, various techniques have emerged in helping them to get closer to this goal. This topic is also interesting for researchers and reverse engineers, as it shows creative ways of … [Read more...]

Malwarebytes CrackMe 2: contest summary

About three weeks ago, we published our second CrackMe. It triggered a lot of interest, and we got many high-quality write-ups. Choosing the winner was really difficult! In this post, I am going to summarize the contest and comment on the received submissions. CrackMe 2 challenge The topic of the challenge was Python, and its goal was to teach how the Python scripts can be packaged and integrated … [Read more...]

Malwarebytes CrackMe 2: try another challenge

Last November, we released the first edition of the Malwarebytes CrackMe. Encouraged by the positive response we received from the security community, we decided to repeat the game, hopefully making it even more interesting and entertaining. As before, the CrackMe is dedicated to malware analysts and to those who want to practice becoming them. That’s why it is not just a set of some … [Read more...]

PBot: a Python-based adware

Recently, we came across a Python-based sample dropped by an exploit kit. Although it arrives under the disguise of a MinerBlocker, it has nothing in common with miners. In fact, it seems to be PBot/PythonBot: a Python-based adware. Apart from a couple of posts on forums in Russian language and brief threat notes, we couldn’t find any detailed publication. Some of its features are pretty … [Read more...]

Blast from the past: stowaway Virut delivered with Chinese DDoS bot

Recently, we described an unusual Chinese drive-by attack that was delivering a variant of the Avzhan DDoS bot. The attack also contained multiple components that were not-so-new. Among the exploits, the newest was from 2016. Avzhan is also not a recent malware—the compilation timestamp of the unpacked payload was from August 2015. But there was one more unusual thing that triggered our attention. … [Read more...]

Avzhan DDoS bot dropped by Chinese drive-by attack

The Avzhan DDoS bot has been known since 2010, but recently we saw it in wild again, being dropped by a Chinese drive-by attack. In this post, we’ll take a deep dive into its functionality and compare the sample we captured with the one described in the past. Analyzed sample 05749f08ebd9762511c6da92481e87d8 – The main sample, dropped by the exploit … [Read more...]

A coin miner with a “Heaven’s Gate”

You might call the last two years the years of ransomware. Ransomware was, without a doubt, the most popular type of malware. But at the end of last year, we started observing that ransomware was losing its popularity to coin miners. It is very much possible that this trend will grow as 2018 progresses. From the point of view of the victim, this is a huge relief, because miners are not as much of … [Read more...]