Adventures in Security

Jul 6, 2018

Unstacking Strings with Cutter and Radare2

Introduction When performing malware analysis, one of the most common techniques of hiding strings is by simply “stacking” them or building them into a buffer to be called later. This...

Jan 31, 2018

Applocker Bypass and Danh Sach Can Bo

Introduction An RTF document “Danh sach can bo.doc” (A50386914339E119E27B37C81CF58972) recently showed up on my radar. While analyzing it, I noticed that it showcased a lot of the modern Applocker bypass techniques. I...

Feb 15, 2017

The Rambo Backdoor

Summary: Recent reporting was released on the DragonOK group which unveiled the many versions of the Sysget backdoor as well as the IsSpace backdoor. One of the samples we...

Dec 14, 2016

MiKey - A Linux keylogger

Summary: Linux malware is slowly becoming more popular. Within the past couple of years there were several major incidents that cited the use of Windows backdoors being ported to Linux. Through...

Nov 28, 2016

The KLRD Keylogger

Symantec released a report at the beginning of October that talks about Odinaff, which is a new piece of malware used in campaigns targeting financial institutions. In the report, Symantec...

Nov 15, 2016

ScanPOS, new POS malware being distributed by Kronos

Summary: Just in time for the holidays, a brand new Point Of Sale (POS) malware family has been discovered. Booz Allen responded to a Kronos phishing campaign that involved a...

Oct 18, 2016

Hundter's Keylogger

Introduction Tying malware back to its earlier versions gives us the ability to look at more rudimentary versions of the code. The versions where the malware writer was just trying...

Aug 23, 2016

A Closer Look at Hancitor

Introduction Hancitor is a popular dropper used in phishing campaigns. It’s often associated with dropping vawtrak and pony. There are already write-ups on Hancitor’s general capabilities, but we wanted to...

Nov 16, 2015

Writing a Malware Config Parser Using Radare2 and Ruby

Radare2 has been receiving a lot of attention lately. Rather than browsing through some of the documentation, I decided to try and port some existing code to use Radare. Rewind...

Nov 16, 2015

Introducing LogPOS

Introduction There has been an explosion in POS malware in the last year. At Morphick, Nick Hoffman and I found 2 undiscovered families in 2014 and we just found our...

Jul 14, 2015

BernhardPOS

Introduction Yet another new credit card dumping utility has been discovered. BernhardPOS is (presumably) named after its author, who left behind the build path C:\bernhard\Debug\bernhard.pdb and also uses the...

Jul 2, 2015

Finding Beacons With Bro

Introduction I’ll keep this one short. I’ve recently been spending more time with the Bro framework and discovering the power of its scripting language. I had written a PoC script...

Jan 30, 2015

The Little Dumper That Could

Introduction I’ve recently been doing a lot of work around credit card dumpers at CBTS. While casually browsing through totalhash I found the following binary (http://totalhash.com/analysis/1c8bae904340f9a8cf17d90a2de726a226ad6dba) that contained some interesting...

Jan 11, 2015

The Mozart RAM Scraper

As a reverse engineer on the CBTS Advanced Cyber Security team, I spend a large part of my time pulling apart and profiling the latest and greatest malware. The Mozart...

Jan 8, 2015

Getmypass Point of Sale Malware Update

Introduction I previously wrote about a new piece of malware called “getmypass” that was scoring 0/55 on Virustotal. The malware had an active digital signature and was able to successfully...

Jan 4, 2015

An Evening With N3utrino

Introduction In my previous post I showed off some tricks that malware authors use to check whether they are being executed inside a virtual machine. While it...

Dec 3, 2014

VM Checking and Detecting

Introduction I recently noticed a new piece of malware that had made its way into the database. The part that stuck out to me is that it runs checks to...

Dec 1, 2014

LusyPOS and Tor

Introduction At our day jobs, as reverse engineers at CBTS, Jeremy and I have been hunting new POS malware. A new sample appeared on Virustotal this week that had a very...

Nov 26, 2014

Getmypass Point of Sale Malware

Introduction While doing some digging recently on VirusTotal I had a rule trigger on what appears to be a new POS malware family. The MD5 (1d8fd13c890060464019c0f07b928b1a) is the malware that...

Nov 25, 2014

Curious Korlia

Introduction Reverse engineers organize discrete pieces of malware into families. While digging through my malware collection I stumbled across this hash (B8FDFEE08DEEE5CCC1794BAF9ED553CE). It turns out that this is a...

This project is maintained by securitykitten