CASSIDIAN CyberSecurity Blog

Reverse engineering

2016/12/05

Following Process Hollowing in OllyDbg

Overview

Process Hollowing is a common technique used by modern malware to create a process which appears legitimate when viewed in tools such as Task Manager, but whose code has in fact been replaced with malicious content.

This post will outline the API calls used in Process Hollowing and will explain how to follow the mechanism in OllyDbg, in order to be able to attach to the new process before it can execute any of the malicious code.

2016/11/28

Analysing the Hancitor Maldoc

Introduction

Recently we have seen several phishing attempts using macro-enabled Word attachments to load the Hancitor downloader trojan. The macros in these documents use routine Windows API functions with a callback parameter in order to run shellcode directly in memory, without the need to drop further files to disk. This entry follows the analysis of this method and may be useful for those new to the reverse engineering field.

2016/06/22

Getting a PlugX builder

PlugX has been a well-known RAT for the last 5 years, and we have written many blog posts about it.

However, no builder for this RAT has ever been publicly released, except the one from Ahnlab, which only builds very old samples (2011), and another which was discussed in our previous post.

2016/03/23

Fileless Malware – A Behavioural Analysis Of Kovter Persistence

Background

During a recent talk by a representative of MalwareBytes, it was discussed that several modern malware families, notably Poweliks, Phase Bot and Kovter, are moving away from the file system and are instead establishing persistence in the registry of the host. This blog post outlines the infection vector used by the Kovter malware and the analysis method used to investigate it.

2015/12/15

Newcomers in the Derusbi family

Derusbi is a well-known RAT family, used in various APT attacks since at least 2008. Many papers (1,2,3) have described two known variants of this malware: a client version, acting as any other RAT by contacting its C&C server, as well as a server version, which just listens for incoming connections from a client.

This RAT seems to be continuously evolving, as highlighted by Sekoia, which recently described a new way for Derusbi to bypass Windows driver signature enforcement.

In this blog post, we'll present the analysis of two new variants we encountered: a driver for x64 Windows, and a Linux library.

2015/12/07

Malware Sakula - Evolutions v2.x-3.x (Part 2)

This post is the second part of our article on the Sakula malware. It follows the first part, available here, and covers versions 2.x and 3.x.

2015/11/09

Malware Sakula - Evolutions v1.x (Part 1)

This post follows a paper published by Symantec about a group of attackers known as BlackVine. It describes the technical evolution of the custom-developed RAT Sakula used in campaigns targeting industries such as energy, aerospace and healthcare.

2015/09/08

Volatility plugin for PlugX updated

Just after releasing our previous blog post, we encountered a new PlugX variant using a bigger configuration than usual. We thus decided to study it and update our Volatility plugin to handle the latest PlugX versions.

2015/08/06

Latest changes in PlugX

It has been a while since we last wrote about PlugX RAT.
JPCERT made a great blog post covering the latest features added to the RAT, such as:

  • New protocol (raw IP protocol 0xff)
  • P2P communications
  • MAC address binding
  • Process injection for UAC bypass
  • New encoding algorithm

This post aims at giving new elements we discovered during our investigations on this infamous malware.

2014/12/15

Vinself now with steganography

VinSelf is a known RAT malware already described on other blogs. It is a family that has long been used in APT attacks. VinSelf can be recognized in two ways:

  • the network patterns used;
  • the strings obfuscation in the binary.

2014/10/24

LeoUncia and OrcaRat

The malware PwC named OrcaRat is presented as a new piece of malware, but looking at the URI used for C&C communication, it could be an updated version of a well-known and rather old piece of malware: LeoUncia.

2014/06/03

Local root vulnerability in Android 4.4.2

Google has just released Android 4.4.3 in AOSP (Android Open Source Project). The Funky Android website has published the whole changelog between versions 4.4.2 and 4.4.3.

This time, it seems Google has fixed an old vulnerability which allows an application with only a few permissions to elevate its privileges to root, on any Android version supporting Android Secure External Caches (ASEC).

2014/03/06

Disass, script reverse engineering for dummies

In our daily work, we have to handle malicious pieces of code every day. In this domain, we historically had two approaches: dynamic analysis in our own sandbox, or manual static analysis with reverse engineering skills. Because static analysis can be boring for known samples, we developed a framework to analyse malware automatically. We released Disass some time ago and gave a short explanation of the tool during Botconf 2013 in Nantes, France. We received many comments and questions, so we thought a blog post could help explain the way Disass works.

Until last year, in order to automate static analysis, we wrote scripts (often in Python, because Python is cool) that highlight and extract relevant information from malicious binaries. But these scripts are seldom robust, and their behaviour is only guaranteed on the sample on which the manual analysis was done.

That's precisely why we wrote Disass. Basically, Disass is a binary analysis framework written in Python to ease the automation of malware reverse engineering. The purpose of Disass is to automatically retrieve relevant information from malware, such as the C&C, the user agent, cipher keys, etc. Disass also lets you express a static analysis as human-readable code.

There are two types of disassembler algorithms: linear and flow-oriented. Disass is based on a linear disassembly module named "diStorm", which is a lightweight, easy-to-use and fast decomposer library.

A linear disassembly uses the size of the disassembled instruction to determine which byte should be disassembled next, without regard to flow-control instructions. The interesting point of a linear disassembly is that it is designed to work iteratively on a block of code. The bad point is that linear disassembly is unable to distinguish code from data. This can be partially circumvented with the use of a tool such as pefile.

Let's go deeper: to understand how to use the framework, the example below shows the usage of a Disass script on a real malware called "Trojan.Letsgo". This malware was made famous by the APT1 report from Mandiant. Further information on this malware can be found at http://www.cyberengineeringservices....

2014/02/20

Bitcrypt broken

Ransomware is nothing new. You might already have heard about it, since it is a kind of fraud which can impact anyone and do severe damage. Some ransomware prevents you from accessing your computer, while other ransomware encrypts files on your system so that you cannot open them anymore.

No matter what action this kind of malware takes, the victim always ends up with a frightening message telling him to pay a ransom to get access to the computer or data back.

People do not all react to this message the same way. It depends on their computer knowledge and on the value of the presumably "lost" data. People get stuck in front of the screen, wondering whether they should pay or not. They think of trying to launch anti-virus products, but they are afraid the operation would destroy their data for good...

Some lucky people do not care at all: they have made regular backups of their important data on an external hard drive. Luckily enough, they disconnect that external hard drive every time they are not using it. Their data is safe, and they will just try to disinfect their computer from the malware. If they cannot do it, well, they will reinstall the whole operating system.

2014/01/29

PlugX "v2": meet "SController"

In our previous blog post about the PlugX RAT, we dealt with the original version and recapped some internal features. Back in mid-2013, we started to see a new version of the RAT in the wild, with enough differences from the previous one to be considered a new major version. We thus called it internally "PlugX v2". Some posts from SecureList and FireEye dealt with this new version, but none of them gave a full analysis.

In this post, we will detail the main differences and new features introduced by this version.

2014/01/06

PlugX: some uncovered points

PlugX (or Korplug, or Gulpix) is a well-known RAT involved in many APT cases. Some excellent write-ups about this malware have already been published by CIRCL, Sophos and AlienVault. Since we met it on an incident response case back in 2012, we have followed its evolution to improve our knowledge, rules and tools. We're planning to release details about this malware in a small series of blog posts, to cover some points which have not been published yet.

This first post will cover some internals of the original PlugX malware and we'll deal with its evolution in the next one.
