Code similarity is a common and powerful way to cluster malware samples and make connections between seemingly unrelated malware families. Although it sounds simple, it is actually a complex problem and is hard to automate at scale without generating false positives. 1/
Blindly trusting code similarity can get one to make connections when there are none. This yields erroneous conclusions and can create very wrong media headlines. 2/
An example of wrong use of code similarity was published by Cluster25 recently, where they connect #IsaacWiper to various other malware families. cluster25.io/2022/05/03/a-s… 3/
The article uses two examples to support their similarity assessment. The problem? Both show similarity in standard libraries statically linked into the malware samples. 4/
The first one mentions the function at virtual address 100DDAE0h in the Vatet sample. This function is actually part of Microsoft’s C++ standard library implementation. We can find its reference in the virtual method table of std::num_put<wchar_t>. 5/
IDA Pro identify the function used in the second example as “try_get_function(…)”, which is part of Microsoft Visual C runtime library. Comparing the implementation with the function in the sample confirms IDA Pro is correct. 6/
To confirm a link between malware families can be established using code similarity, a researcher should verify that the similarity is on the relevant parts of the code and not on boilerplate or widely available library implementations. 7/
For example, we connected Linux/Cdorked, Linux/Ebury and Perl/Calfbot in 2014 into the single Operation Windigo welivesecurity.com/wp-content/upl… 8/
The similarity here was relevant because it was related to a unique custom string decryption routine across the three samples, one of them even being coded in a different language (Perl!). 9/
• • •
Missing some Tweet in this thread? You can try to
force a refresh
#ESETresearch A year ago, a signed Mach-O executable disguised as a job description was uploaded to VirusTotal from Singapore 🇸🇬. Malware is compiled for Intel and Apple Silicon and drops a PDF decoy. We think it was part of #Lazarus campaign for Mac. @pkalnai@marc_etienne_ 1/8
The document, named BitazuCapital_JobDescription.pdf, reminds a strong similarity with a lure from Lazarus attacks using 2 TOY GUYS code-signing certificates for Windows, targeting aerospace and defense industries. welivesecurity.com/wp-content/upl… 2/8
Both decoys are PDF v1.5 documents produced by Microsoft Word 2016. They are obviously not identical, as one uses Colonna MT font while the other uses Calibri, but the title and ornaments on the front page have the same colors (#569bd5 and #aacc5db). 3/8
#ESETresearch identified an #Android banking trojan campaign active since October 2021, targeting 8 Malaysian banks. The malware is distributed via copycat websites of legitimate services – the majority being cleaning services available in Malaysia 🇲🇾. welivesecurity.com/2022/04/06/fak… 1/4
The copycat websites do not provide an option to shop directly through them. Instead, they include buttons that claim to download apps from #GooglePlay. However, these buttons do not actually lead to the Google Play store, but to malicious apps controlled by the attackers. 2/4
The malicious apps pretend to offer goods and services for purchase while matching the interface of the original stores. At the payment step, victims are presented with a fake FPX payment page, asked to select one of eight Malaysian banks, and enter their credentials. 3/4
Wslink’s multilayered #virtualmachine introduced a diverse arsenal of #obfuscation techniques, which
we were able to overcome to reveal a part of the deobfuscated malicious code. 2/5
We also described the code we developed to facilitate our research. It is provided to the community @github 3/5 github.com/eset/wslink-vm…
#BREAKING#ESETresearch warns about the discovery of a 3rd destructive wiper deployed in Ukraine 🇺🇦. We first observed this new malware we call #CaddyWiper today around 9h38 UTC. 1/7
This new malware erases user data and partition information from attached drives. #ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations. 2/7
CaddyWiper does not share any significant code similarity with #HermeticWiper, #IsaacWiper or any other malware known to us. The sample we analyzed was not digitally signed. 3/7
Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1/n
We observed the first sample today around 14h52 UTC / 16h52 local time. The PE compilation timestamp of one of the sample is 2021-12-28, suggesting that the attack might have been in preparation for almost two months. 2/n
The Wiper binary is signed using a code signing certificate issued to Hermetica Digital Ltd 3/n
In T3 2021, #ESETtelemetry saw a decline in all detections of monitored #macOS threats by 5.9%, compared to T2. The biggest drop was seen towards the end of December 2021, probably attributed to various festivities around the world. 🎅🕎 #ESETresearch 1/4
The decline was visible in nearly all monitored categories – Potentially Unwanted Applications (-22.5%), Adware (-10.6%) and trojans (-6.2%). Only Potentially Unsafe Applications saw a negligible uptick in T3. 2/4
While overall lower detection numbers could be seen as something positive, more than 36% of all macOS threats ESET detected in T3 were trojans and overall macOS Trojan detections rose by 126% from 2020 to 2021. 3/4