Introduction When performing malware analysis, one of the most common techniques of hiding strings is by simply “stacking” them or building them into a buffer to be called later. This...
Introduction An RTF document “Danh sach can bo.doc”(A50386914339E119E27B37C81CF58972) recently showed up on my radar. While analyzing, I noticed that it showcased a lot of the modern Applocker bypass techniques. I...
Summary: New reporting was recently released on the DragonOK group which unveiled the many versions of the Sysget backdoor as well as the IsSpace backdoor. One of the samples we...
Summary: Linux malware is slowly becoming more popular. Within the past couple of years there were several major incidents that cited the use of Windows backdoors being ported to Linux. Through...
Symantec released a report in the beginning of October that talks about Odinaff, which is a new piece of malware used in campaigns targeting financial institutions. In the report, Symantec...
Summary: Just in time for the holidays, a brand new Point Of Sale (POS) malware family has been discovered. Booz Allen responded to a Kronos phishing campaign that involved a...
Introduction Tying malware back to its earlier versions gives us the ability to look at more rudimentary versions of the code. The versions where the malware writer was just trying...
Introduction Hancitor is a popular dropper used in phishing campaigns. It’s often associated with dropping Vawtrak and Pony. There are already write-ups on Hancitor’s general capabilities, but we wanted to...
Radare2 has been receiving a lot of attention lately. Rather than browsing through some of the documentation, I decided to try and port some existing code to use Radare. Rewind...
Introduction There has been an explosion in POS malware in the last year. At Morphick, Nick Hoffman and I found 2 undiscovered families in 2014 and we just found our...
Introduction Yet another new credit card dumping utility has been discovered. BernhardPOS is named after (presumably) its author who left in the build path of C:\bernhard\Debug\bernhard.pdb and also uses the...
Introduction I’ll keep this one short. I’ve recently been spending more time with the Bro framework and discovering the power of its scripting language. I had written a PoC script...
Introduction I’ve recently been doing a lot of work around credit card dumpers at CBTS. While casually browsing through totalhash I found the following binary (http://totalhash.com/analysis/1c8bae904340f9a8cf17d90a2de726a226ad6dba) that contained some interesting...
As a reverse engineer on the CBTS Advanced Cyber Security team, I spend a large part of my time pulling apart and profiling the latest and greatest malware. The Mozart...
Introduction I previously wrote about a new piece of malware called “getmypass” that was scoring 0/55 on Virustotal. The malware had an active digital signature and was able to successfully...
Introduction In my previous post I showed off some tricks that malware authors use to check to see if they are being executed inside of a virtual machine. While it...
Introduction I recently noticed a new piece of malware that had made its way into the database. The part that stuck out to me is that it runs checks to...
Introduction At our day jobs, as reverse engineers at CBTS, Jeremy and I have been hunting new POS malware. A new sample appeared on Virustotal this week that had a very...
Introduction While doing some digging recently on VirusTotal I had a rule trigger on what appears to be a new POS malware family. The MD5 (1d8fd13c890060464019c0f07b928b1a) is the malware that...
Introduction Reverse engineers organize discrete pieces of malware into families. While digging through my malware collection I stumbled across this hash (B8FDFEE08DEEE5CCC1794BAF9ED553CE). It turns out that this is a...
This project is maintained by securitykitten