Unstacking Strings with Cutter and Radare2
Introduction When performing malware analysis, one of the most common techniques of hiding strings is by simply “stacking” them or building them into a buffer to be called later. This...
Applocker Bypass and Danh Sach Can Bo
Introduction A RTF document “Danh sach can bo.doc”(A50386914339E119E27B37C81CF58972) recently showed up on my radar. While analyzing, I noticed that it showcased a lot of the modern Applocker bypass techniques. I...
The Rambo Backdoor
Summary: Recent new reporting was released on the DragonOK group which unveiled the many versions of the Sysget backdoor as well as the IsSpace backdoor. One of the samples we...
MiKey - A Linux keylogger
Summary: Linux malware is slowly becoming more popular. Within the past couple years there were several major incidents that cited the use of Windows backdoors being ported to Linux. Through...
The KLRD Keylogger
Symantec released a report in the beginning of October that talks about Odinaff, which is a new piece of malware used in campaigns targeting financial institutions. In the report, Symantec...
ScanPOS, new POS malware being distributed by Kronos
Summary: Just in time for the holidays, a brand new Point Of Sale (POS) malware family has been discovered. Booz Allen responded to a Kronos phishing campaign that involved a...
Hundter's Keylogger
Introduction Tying malware back to its earlier versions gives us the ability to look at more rudimentary versions of the code. The versions where the malware writer was just trying...
A Closer Look at Hancitor
Introduction Hancitor is a popular dropper used in phishing campaigns. It’s often associated with dropping vawtrak and pony. There are already write-ups on Hancitor’s general capabilities, but we wanted to...
Writing a Malware Config Parser Using Radare2 and Ruby
Radare2 has been receiving a lot of attention lately. Rather than browsing through some of the documentation, I decided to try and port some existing code to use Radare. Rewind...
Introducing LogPOS
Introduction There has been an explosion in POS malware in the last year. At Morphick, Nick Hoffman and I found 2 undiscovered families in 2014 and we just found our...
BernhardPOS
Introduction Yet another new credit card dumping utility has been discovered. BernhardPOS is named after (presumably) its author who left in the build path of C:\bernhard\Debug\bernhard.pdb and also uses the...
Finding Beacons With Bro
Introduction I’ll keep this one short. I’ve recently been spending more time with the Bro framework and discovering the power of its scripting language. I had written a PoC script...
The Little Dumper That Could
Introduction I’ve recently been doing a lot of work around credit card dumpers at CBTS. While casually browsing through totalhash I found the following binary (http://totalhash.com/analysis/1c8bae904340f9a8cf17d90a2de726a226ad6dba) that contained some interesting...
The Mozart RAM Scraper
As a reverse engineer on the CBTS Advanced Cyber Security team, I spend a large part of my time pulling apart and profiling the latest and greatest malware. The Mozart...
Getmypass Point of Sale Malware Update
Introduction I previously wrote about a new piece of malware called “getmypass” that was scoring 0/55 on Virustotal. The malware had an active digital signature and was able to successfully...
An Evening With N3utrino
Introduction In my previous post I showed off some tricks that malware authors use to check to see if they are being executed inside of a virtual machine. While it...
VM Checking and Detecting
Introduction I recently noticed a new piece of malware that had made its way into the database. The part that stuck out to me is that it runs checks to...
LusyPOS and Tor
Introduction At our dayjobs, as reverse engineers at CBTS, Jeremy and I have been hunting new POS malware. A new sample appeared on Virustotal this week that had a very...
Getmypass Point of Sale Malware
Introduction While doing some digging recently on VirusTotal I had a rule trigger on what appears to be a new POS malware family. The MD5 (1d8fd13c890060464019c0f07b928b1a) is the malware that...
Curious Korlia
Introduction Reverse engineers organize discrete of pieces of malware into families. While digging through my malware collection I stumbled across this hash (B8FDFEE08DEEE5CCC1794BAF9ED553CE). It turns out that this is a...