Share this page!

ESET research Profile picture
Twitter logo
Mar 28 5 tweets 4 min read
#ESETresearch is offering you a #behindthescenes look at the diligent work required to see through the
obfuscation techniques used in the recently described #Wslink, unique and undocumented
malicious loader that runs as a server. 1/5
@HrckaVladislav
welivesecurity.com/2022/03/28/und…
Wslink’s multilayered #virtualmachine introduced a diverse arsenal of #obfuscation techniques, which
we were able to overcome to reveal a part of the deobfuscated malicious code. 2/5
We also described the code we developed to facilitate our research. It is provided to the community
@github 3/5
github.com/eset/wslink-vm…
While there are several frameworks for #reverseengineering that provide features we needed to see
through Wslink’s virtual-machine-based obfuscator, we used @MiasmRe in this project simply because
it’s actively maintained and we’re already familiar and satisfied with it. 4/5
Our #whitepaper also presents an overview of the internal structure of virtual machines in general, and introduces some important terms and frameworks used in our detailed analysis of the Wslink virtual
machine. 5/5

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ESET research

ESET research Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ESETresearch

ESET research Profile picture
Mar 14
#BREAKING #ESETresearch warns about the discovery of a 3rd destructive wiper deployed in Ukraine 🇺🇦. We first observed this new malware we call #CaddyWiper today around 9h38 UTC. 1/7
This new malware erases user data and partition information from attached drives. #ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations. 2/7
CaddyWiper does not share any significant code similarity with #HermeticWiper, #IsaacWiper or any other malware known to us. The sample we analyzed was not digitally signed. 3/7
Read 7 tweets
ESET research Profile picture
Feb 23
Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1/n
We observed the first sample today around 14h52 UTC / 16h52 local time. The PE compilation timestamp of one of the sample is 2021-12-28, suggesting that the attack might have been in preparation for almost two months. 2/n
The Wiper binary is signed using a code signing certificate issued to Hermetica Digital Ltd 3/n Image
Read 7 tweets
ESET research Profile picture
Feb 22
In T3 2021, #ESETtelemetry saw a decline in all detections of monitored #macOS threats by 5.9%, compared to T2. The biggest drop was seen towards the end of December 2021, probably attributed to various festivities around the world. 🎅🕎 #ESETresearch 1/4
The decline was visible in nearly all monitored categories – Potentially Unwanted Applications (-22.5%), Adware (-10.6%) and trojans (-6.2%). Only Potentially Unsafe Applications saw a negligible uptick in T3. 2/4
While overall lower detection numbers could be seen as something positive, more than 36% of all macOS threats ESET detected in T3 were trojans and overall macOS Trojan detections rose by 126% from 2020 to 2021. 3/4
Read 4 tweets
ESET research Profile picture
Jan 18
#ESETresearch investigated Donot Team’s (also known as APT-C-35 and SectorE02) #cyberespionage campaigns targeting military organizations, governments, Ministries of Foreign Affairs, and embassies of countries in South Asia. welivesecurity.com/2022/01/18/don… 1/5
A recent report by #Amnesty International links the group’s malware to an Indian cybersecurity company that be selling the spyware to entities in the region. 2/5
ESET’s investigation spans from September 2020 to October 2021 and details variants of the yty malware framework used to target entities in Bangladesh 🇧🇩, Sri-Lanka 🇱🇰, Pakistan 🇵🇰 and Nepal 🇳🇵. But also embassies in the Middle East, Europe, North and South America. 3/5
Read 5 tweets
ESET research Profile picture
Jan 17
The #WhisperGate malware discovered by Microsoft contains MSIL stub commonly used by commodity e-crime malware. We observed samples using the same stub that drop different malware families such as Remcos RAT, FormBook and others. #ESETresearch 1/5
We believe that attackers used FUD crypting service from darkweb to make #WhisperGate malware undetected. This service has been abusing cloud providers like GitHub, Bitbucket, Discord to store its payload in encrypted form. 2/5
Automatic detection MSIL/TrojanDownloader.Agent_AGen.FP was made 4 days prior to the attack in #Ukraine 🇺🇦 based on samples with similar MSIL stub used in an unrelated campaign. ESET solutions successfully detected stage2 malware but stage1 was not observed in ESET telemetry 3/5
Read 5 tweets
ESET research Profile picture
Dec 13, 2021
#ESETresearch identified malicious MS Excel documents automatically downloaded upon visiting the websites of cryptocurrencies #HotDoge, www.hotdogetoken[.]com, and #DonutCatBSC, www.donutcatbsc[.]com. Opening the document led to stealing the victim’s private information. 1/6
We contacted @HotDogeTokenBSC and provided them with the information to remediate the threat. They resolved the issue and the websites no longer serve the malicious documents. 2/6
We attribute this campaign to the 🇰🇵North Korea-linked APT group #Kimsuky. The Excel document contains a malicious Excel V4.0 macro that uses the #Squiblydoo technique to download and execute an XML file with a VBS scriptlet. 3/6
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @ESETresearch has new unrolls!

Check out other threads from @ESETresearch!

Read all threads by @ESETresearch

:(