I’m excited to announce that my book, “Evasive Malware”, will soon be available for pre-order! The past 2.5 years of late nights, eye strain, and carpal tunnel is almost worth it 😎
Also excited to announce that my technical reviewer is the amazing @fr0gger_!
Stay tuned! 👇
#Malware Analysis Tip:
Windows registry contains an interesting key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList) that shows all COM objects that auto-elevate, bypassing UAC. Malware may be able to modify or hijack some of these to elevate privileges.
As a former IDA Pro guy (who must now use Ghidra because of money reasons), this guide really helped me get my Ghidra interface more IDA-like 😎 A lot of useful stuff here.
#CobaltStrike hunting tip of the week:
CobaltStrike uses named pipes for communication between processes. Default beacon configs use pipes in the format "MSSE-x-server", where "x" is a number from 1 to 4 characters. Hunting for this named pipe pattern may find things 😉
#Malware analysis tip:
You can automatically extract certain files hidden inside an image file (steganography) using 7zip, such as this PK file hidden inside a JFIF image. Remove the file extension and extract with 7z, and 7z will attempt to locate embedded files and extract 🥳
#Malware Analysis Tip:
Setting the registry key "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM\ConsentPromptBehaviorAdmin" to 0 seems to disable UAC prompts. If you see a malware sample reading or modifying this key, now you know what it may be trying to do 😉
Excited to share the cover for my upcoming book #EvasiveMalware! I think @nostarch did a great job with this one. Obviously not the final final version, but let me know what you think 😄
Ps. If you try to print this, your printer will explode.
#Malware analysis tip of the week:
If you spot malware using memcpy or WriteProcessMemory to write the bytes "4C 8B D1" to an arbitrary address in memory, it is probably trying to unhook AV or EDR by overwriting inline hooks. 🧐
Is malware detecting your VirtualBox VMs? Is pafish giving you trouble? Try out the latest release of my PowerShell-based tool VBoxCloak! A quick and dirty way to hide your VMs from some common VM-detection techniques. VMware coming soon! 🥳
Want to learn how a simple UAC bypass / priv elevation works? Start msconfig, go to Tools menu, select "Command Prompt", and click Launch. Depending on your system configuration, a shell will pop open as a child process of msconfig, with elevated privileges and higher integrity.
Interested in how modern #malware evades defenses and analysis? I wrote up a summary of my new book "Evasive Malware: Understanding Deceptive and Self-Defending Threats" (@nostarch).
DMs open to feedback or questions! :)
#Malware analysis tip of the week:
Malware can call DeviceIoControl with the parameter 0x7405C (IOCTL_DISK_GET_LENGTH_INFO) to check the size of the disk. This can be used as an anti-VM and anti-sandbox technique 🥳
In case you didn't know, #VirusTotal has this (new?) feature that can generate hunting rules for files and URLs in one click 😍
It's hidden in the "Follow" menu.
Want to learn how #malware evades defenses and analysis tools? You can pre-order my new book "Evasive Malware" at Barnes & Noble for 25% off (through 28 April) 🥳
Use promo code "PREORDER25" when ordering.
#CobaltStrike hunting tip of the week:
CS powershell loader one-liners can often be decoded using Cyberchef. Specifically, @0xtornado has a great recipe for this (link will be in comments). The resulting shellcode can then be run through a shellcode debugger (like Scdbg)!
#Malware analysis tip of the week:
Malware can hide from a debugger by calling NtSetInformationThread and setting the ThreadHideFromDebugger flag. If this flag is set, the running code thread will no longer send debug events to the debugger, essentially hiding code execution. 🧐
#CobaltStrike hunting tip of the week:
#PEsieve by @hasherezade can oftentimes extract CS implants and loader shellcode directly from memory (depending, of course, on code injection methods). Try this out during investigations into suspect processes!
#MalwareAnalysis tip: I've been using "shellcode2exe" a lot lately. It makes it a lot easier to statically analyze and especially debug shellcode, or run the shellcode in a sandbox. Shellcode2exe basically adds a PE header to your raw shellcode. 🤓
Any similar tools you all use?
The wait is over 🥳 I completed some major updates for VMwareCloak, a Powershell script that sanitizes VMware Workstation VMs from some of the common VM-detection techniques used by #malware! Try it out and let me know how it works for you 👇
#Malware analysis tip of the week:
Hooking Windows CryptoAPI functions (like CryptEncrypt and BCryptEncrypt) can help you identify what data malware is sending to a C2, before it is encrypted! 🥳
For example, this #Emotet sample:
Excited to announce that my book "Evasive Malware: Understanding Deceptive and Self-Defending Threats" is officially on the @nostarch website for Early Access! There is even a 25% discount available! 🥳
Thanks for all the support I've gotten so far!
Is malware detecting your VMs and making you sad? In case you missed it, I made some improvements to my PowerShell-based tool VBoxCloak! A quick and dirty way to hide your VMs from some common VM-detection techniques. 🥳
VMware updates coming soon!
VT Academy, a free course from @VirusTotal, is really awesome. It covers the basics of VT, as well as many important incident response, threat intel, and threat hunting fundamentals.
#CobaltStrike hunting tip of the week:
EDR and AV got you down? Another way to detect/hunt for CS in your environment is through the deployment of Yara rules.
This list has some good stuff, including Yara rules from @tenacioustek and @cyb3rops.
Here is a really cool new feature in @virustotal: Code Insights! Basically it gives you an LLM-generated analysis of what the code does, for example in this VBS file 🔥
I'm not sure if this is only available in the commercial version of VT, but probably.
#MalwareAnalysis tip: Inetsim is a network simulator for malware analysis. You can host your own files/payloads in inetsim really easily. I had to do this today to analyze a shellcode implant that was no longer hosted on its staging domain.
Here is how to do this 👇
Saw malware use DLL hijacking with an old legit copy of calc.exe. This version of calc.exe looks for a DLL called "windowscodecs.dll". Guess what happens when the malware drops a malicious DLL with the same name alongside calc.exe? 🥳
Excited to announce I joined @proofpoint's Threat Research team! I'm fired up to be part of a team that makes up some of the best threat intel folks, detection engineers, and malware reversers I know 😈
In VMware Workstation, you can add SMBIOS.reflectHost = "True" to your VMX file to hide the default hypervisor BIOS info from #malware. Anyone know how to do this in VirtualBox? 🧐
As the usage of #malware written in Go is increasing, I was looking for a good analysis methodology for Go samples. Here is a good one from the team at @SentinelOne. 🤓
#CobaltStrike hunting tip of the week:
"Beacon.dll" and "ReflectiveLoader" are hardcoded artifacts in (default!) Beacon implants. When hunting for implants in memory, these are a good clue!
For example, here is an implant injected into Acrobat Reader:
Hey infosec fam, hope you're all doing well! 😎Just a heads up - Barnes&Noble is offering 25% off on pre-orders for my book "Evasive Malware". If you ❤️ malware, check it out! No pressure, just wanted to share with you all. Promo code is: PREORDER25.
I was investigating a #malware sample that uses the Beep WinAPI function as an anti-analysis technique. It was just annoying enough to write a blog post on. Check it out if you want to learn more 🤓
Finally added #VMware support for my #malware anti-evasion scripts. This script will attempt to sanitize your VMware malware analysis VMs by modifying registry keys, files, and processes. Get it and test it out here:
Is #Malware detecting and evading your #VirtualBox virtual machines? Check out VBoxCloak - a Powershell script for hiding VirtualBox from malware. Guaranteed to bring down your pafish detections 😄
"Stand up a 100% containerized Elastic stack, TLS secured, with Elasticsearch, Kibana, Fleet, and the Detection Engine all pre-configured, enabled and ready to use, within minutes." Yes please. 😎
Shout-out to @hasherezade for making #hollows_hunter! Working with this tool inspired me to write a quick tutorial on it:
Anyone know of other good malcode extraction tools like hollows_hunter?
Here's a list of #shellcode analysis tools, separated by runners/emulators and converters.
Thanks to all the people who contributed their favorite tools! 👇
Not sure who needs to hear this, but I was today years old when I realized how effective conditional breakpoints in x64dbg are.. I had a need to break conditionally on all VirtualAlloc calls with a size parameter > 0x3000000. Here is how to do this.😎
#CobaltStrike hunting tips for @virustotal:
1) The imports hash (imphash) "dc25ee78e2ef4d36faa0badf1e7461c9" is very common for Beacon implants.
2) The hardcoded pipe string "MSSE-%d-server" is very common as well.
If you want to find some implants, search for these in VT 😉
A simple steganography trick used by #malware is modifying data bytes in an image, reading the image (ReadFile), and extracting the modified bytes. For example, the highlighted bytes in this image, when executed as x86 code, could be shellcode:
mov eax, [ebp+0x5]
call eax
This analysis on a #BruteRatel agent is awesome. Nice work on this. I love to see deep-dives into adversarial emulation tools, especially tools being abused by malicious actors. ❤️
Interested in learning how to analyze RTF #malware? I wrote up my step-by-step analysis of the recent 2023 NATO Summit lure maldoc. Let me know if I missed any techniques/tools that could have made this a better analysis 🤓
#Malware analysis tip of the week:
As an anti-analysis technique, malware can sneakily execute code by registering a malicious exception handler using the AddVectoredExceptionHandler WinAPI function. The malware can then trigger an exception which jumps to the malicious code.
#Malware analysis tip of the week:
Running simple XOR "bruteforcing" (like the great xorsearch from @DidierStevens) can help you find additional embedded executable code in a malicious file. Takes 30 seconds and can save a lot of time in the long run.
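The idea behind that "bruteforce" is small enough to write out. The script below is an added example, not the xorsearch tool itself: it tries all 256 single-byte keys and looks, under each one, for plaintext markers that an embedded PE file or dropper config would carry. The sample buffer it scans is constructed here (filler bytes around a fake DOS stub XOR-encoded with 0x5A).

```python
"""Single-byte XOR search for plaintext markers of embedded executables.

Added example, not the xorsearch tool itself: it applies the same idea,
try all 256 one-byte keys and look for strings that an embedded PE file or
dropper config would contain. The sample buffer below is constructed.
"""
from typing import List, Sequence, Tuple

# Strings that an embedded PE file or loader config commonly contains.
DEFAULT_MARKERS = (
    b"This program cannot be run in DOS mode",
    b"kernel32.dll",
    b"http://",
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the one-byte `key`.

    bytes.translate with a 256-entry table is far faster than a Python loop.
    """
    table = bytes(i ^ key for i in range(256))
    return data.translate(table)


def xor_search(data: bytes,
               markers: Sequence[bytes] = DEFAULT_MARKERS) -> List[Tuple[int, int, bytes]]:
    """Return (key, offset, marker) for every marker found under any key.

    Key 0 is tried as well, so plaintext hits are reported too; that lets the
    caller tell "not encoded at all" apart from "hidden under XOR".
    """
    hits = []
    for key in range(256):
        decoded = xor_bytes(data, key)
        for marker in markers:
            offset = decoded.find(marker)
            while offset >= 0:
                hits.append((key, offset, marker))
                offset = decoded.find(marker, offset + 1)
    return hits


def build_sample() -> bytes:
    """Constructed sample: filler, then a fake PE stub XOR-encoded with 0x5A."""
    fake_pe = (b"MZ\x90\x00" + b"\x00" * 60
               + b"This program cannot be run in DOS mode.\r\n"
               + b"kernel32.dll\x00")
    return b"A" * 128 + xor_bytes(fake_pe, 0x5A) + b"A" * 32


if __name__ == "__main__":
    for key, offset, marker in xor_search(build_sample()):
        print(f"key=0x{key:02x} offset=0x{offset:x} marker={marker!r}")
```

Once a hit is reported, decoding the file with that key from the reported offset (minus the usual 0x40-byte gap back to the "MZ" header) is the next step; xorsearch itself also covers ROL/ROT and multi-byte variants, which this single-byte version does not.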
I was investigating a #SmokeLoader #malware sample and noticed it deletes its zone identifier information as an evasion technique.
I wrote up a quick blog post on this. Check it out if you find this as interesting as I did: 🤓 🥳
In one of the malware groups I am part of, someone asked a question about malware using the "unaligned function calls" evasion technique. Here is how this technique works: (1/5)
Don't forget your OPSEC! This great blog post from @cosiveco provides some useful tips for maintaining OPSEC in threat intelligence and malware research activities. A good reminder for us all.
Thanks for sending this to me, @fr0gger_ 😉
Just finished final edits for some additional chapters for my book "Evasive Malware". You can pre-order it from @nostarch. Thanks to everyone for the amazing feedback so far! ❤️
Make sure to read the book summary here:
Here is a stupid-simple PowerShell script for changing a system's username, hostname, and domain. I run this script before executing #malware in my sandboxes and sometimes it circumvents some basic VM checks. 🥳
Can AV vendors please stop calling #CobaltStrike and similar tools "riskware" or "PUAs/PUPs"? I think by now these "tools" are being used more often by threat actors than by pentesters...
@cyb3rops Florian, you are missing one key fact. Threat actors never use open source tooling. They only develop their own custom tooling because GitHub says “for educational use only”.
#VirusTotal has a special field for mutexes (mutexes_created) in their Yara plugin. You can basically hunt for mutex references in the malware behaviors. I have found this useful on several occasions.
Here is an example hunt for common Remcos mutexes:
Interested in learning one method for unpacking #StrelaStealer? I wrote up a quick blog post on my experience with a recent sample.
SHA1: 627c28a917a2c700951f574d3ea7608cbf6546a5
C2: 45[.]9.74.12/server.php
Have fun 😈
When analysing malware strings prior to Yara rule creation, I use a one-liner for extracting and comparing strings from a malware sample set. I wrote up a quick blog post about this here. Happy #100DaysOfYara!
To all my friends located in the US, Barnes & Noble is running a pre-order sale (code: PREORDER25) for my upcoming book "Evasive Malware" through Friday, September 8th! 😎
Thanks to everyone who has already ordered and/or given me feedback! ❤️
Dynmx is a handy detection language for malware sandbox logs. Basically, it runs rules (similar to Yara or Sigma) against malware sandbox function logs to create custom detections for malware behaviours. 😎
I'm working on a research project around evasive, context-aware, and self-defending #malware. Any experts (or wanna-be experts) see any cool new techniques being used out there in the wild? DMs open, please RT for visibility.
Short update:
You can pre-order the book from many sites online, but these do not include the Early Access version of the book. With Early Access, you get an early version of the book (plus the final version once it’s ready). Early access will be available from No Starch soon!
Fun #malware analysis story. I submitted a sample to a sandbox today. The sample downloads a payload, so I started analysing that. 30 minutes in and I find out I'm reversing the fake executable that inetsim returns. 🙄
Merged new updates to the #VMwareCloak project, thanks to the suggestions from @t_mtsmt! This Powershell script helps hide your analysis VMs from #malware (by modifying registry keys, killing processes, etc.) 😎 Try it out, and I'm open to feedback!
Looks like some of the new #Emotet payloads are executing using:
"rundll32.exe <shady_temp_dir>,Control_RunDLL"
This would make for a good threat hunt. Not sure how many false-positives this would bring though.. 🙄
Thoughts?
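Two of the hunts from this feed, the default Beacon named pipe pattern ("MSSE-x-server" with 1 to 4 digits, from the CobaltStrike tips above) and the rundll32 ...,Control_RunDLL launch from a temp directory, are concrete enough to run as code over endpoint telemetry. The script below is an added example, not the author's queries: the event records are constructed and only loosely modelled on Sysmon pipe-created and process-create fields, and the field names it uses are assumptions for the demo. The rundll32 check narrows the false-positive problem the post raises by only flagging DLLs loaded from temp locations; legitimate Control_RunDLL uses of shell32.dll and friends under System32 are left alone.

```python
"""Two hunts from this feed run over constructed telemetry:
  1. named pipes matching the default Beacon pattern MSSE-<1..4 digits>-server
  2. rundll32.exe loading a DLL from a temp directory via Control_RunDLL

Added example, not the author's queries. The event records are constructed
and loosely modelled on Sysmon pipe-created and process-create fields; the
field names used here are assumptions for the demo.
"""
import re
from typing import Dict, List

# "MSSE-%d-server" with 1 to 4 digits; Sysmon logs pipe names with a leading backslash.
MSSE_PIPE = re.compile(r"^\\?MSSE-\d{1,4}-server$", re.IGNORECASE)

# rundll32[.exe] <dll path>,Control_RunDLL ; the path may be quoted.
RUNDLL32_CONTROL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*Control_RunDLL\b',
    re.IGNORECASE,
)

# Temp locations a user (or malware) can write to; a DLL loaded from here is suspect.
TEMP_DIR = re.compile(r"\\(?:Windows\\Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)

Event = Dict[str, object]


def hunt_beacon_pipes(events: List[Event]) -> List[Event]:
    """Flag pipe-created events whose name matches the default Beacon pattern."""
    hits = []
    for ev in events:
        if ev.get("type") != "pipe_created":
            continue
        name = str(ev.get("pipe_name", ""))
        if MSSE_PIPE.match(name):
            hits.append({"rule": "beacon_default_pipe", "pid": ev["pid"],
                         "image": ev["image"], "pipe": name})
    return hits


def hunt_rundll32_control(events: List[Event]) -> List[Event]:
    """Flag rundll32 ...,Control_RunDLL launches whose DLL lives in a temp dir."""
    hits = []
    for ev in events:
        if ev.get("type") != "process_create":
            continue
        m = RUNDLL32_CONTROL.search(str(ev.get("command_line", "")))
        if not m:
            continue
        dll = m.group("dll").strip()
        if TEMP_DIR.search(dll):
            hits.append({"rule": "rundll32_control_rundll_temp", "pid": ev["pid"],
                         "parent_image": ev.get("parent_image"), "dll": dll})
    return hits


def hunt(events: List[Event]) -> List[Event]:
    """Run every hunt and return the combined hit list."""
    return hunt_beacon_pipes(events) + hunt_rundll32_control(events)


def build_sample_events() -> List[Event]:
    """Constructed telemetry: one pipe hit, two rundll32 hits, three benign look-alikes."""
    return [
        {"type": "pipe_created", "pid": 4321, "image": r"C:\Windows\System32\rundll32.exe",
         "pipe_name": r"\MSSE-6543-server"},
        {"type": "pipe_created", "pid": 4322, "image": r"C:\Program Files\App\app.exe",
         "pipe_name": r"\MSSE-12345-server"},  # five digits: not the default format
        {"type": "pipe_created", "pid": 1200, "image": r"C:\Windows\System32\svchost.exe",
         "pipe_name": r"\mojo.1200.8901"},
        {"type": "process_create", "pid": 5100, "parent_image": r"C:\Program Files\Office\WINWORD.EXE",
         "command_line": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\abc123\x.dll,Control_RunDLL"},
        {"type": "process_create", "pid": 5101, "parent_image": r"C:\Windows\explorer.exe",
         "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
        {"type": "process_create", "pid": 5102, "parent_image": r"C:\Windows\System32\cmd.exe",
         "command_line": r'rundll32.exe "C:\Windows\Temp\upd.dll", Control_RunDLL'},
    ]


if __name__ == "__main__":
    for hit in hunt(build_sample_events()):
        print(hit)
```

The parent image is kept on each rundll32 hit on purpose: an Office or script-host parent is what turns this from "worth a look" into "worth an alert", and it is the field a Sigma or EDR rule built from this would key on next.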
Malware campaign uses PDFs with OneDrive URLs to download JS, user interaction required to run the JS, delivers WasabiSeed using MSI, VBS, more JS and EXE.
Consider GPO to change the default file handler for JS,VBS,WSF etc. away from WScript to notepad
#Ghidra has a nice built-in script for generating #Yara rules ("YaraGhidraGUIScript"). You can highlight a block of code and the script will generate byte sequences that can speed up Yara rule creation.
Tips to avoid ransomware infections:
Step 1: Install the Russian language pack on all your computers.
Step 2: Change all wallpaper to the image of Putin riding a bear.
Step 3: (Optional): Move to Russia.
This is a great video from @DidierStevens on reversing code in a malicious document, completed entirely with #cyberchef. Sometimes I think I'm too l33t for cyberchef and would rather punish myself with command line tools, but cyberchef is amazing.
Love investigating malware? You can preorder and get early access to "Evasive Malware: Understanding Deceptive and Self-Defending Threats" - use coupon code "EVASIVE25" to get 25% off and send some ❤️ to the #UnprotectProject (@fr0gger_ / @DarkCoderSc)
In the spirit of #100DaysOfYara, I've been working on a simple rule for a malware family I'm tracking, OriginBotnet. OriginBotnet is a lightweight, modular offshoot of AgentTesla. I'll likely share the rule later to my Git - for now you all just get the screenshot 🤓