Matthew
Jul 19, 11 tweets, 7 min read
#ChromeLoader #malware persists via obfuscated content stored in the registry. Here's how to decode it using #Cyberchef.
1/ [images not reproduced]
2/ First, locate a scheduled task containing content that you suspect to be ChromeLoader malware. Decode the first stage using "From Base64" and "Remove Null Bytes". This gives you the first-stage loader in its #decoded form.
3/ Next, check the location of the next stage in the registry. This should be near the beginning of the code.
4/ Use the value from the previous tweet to locate stage 2 in the registry. Copy this entire base64 value into #cyberchef. Note that if you just base64-decode it, you will get junk.
5/ Now comes the tricky part: we need to generate an XOR key to decode the stage 2 payload. To do that, we XOR the first 5 bytes of the second payload with the string "Get-ItemPropertyValue".
6/ Here is what that tricky part looks like. Note that this XOR key is the same as the 5 bytes we obtained before. If done correctly, we now have the "real" XOR key.
7/ Now that we've generated a key, we can finally decode the second-stage malware. Note that the first 5 bytes are thrown away after the key is generated, so we need to implement that in our CyberChef recipe.
8/ Here we can see our XOR key used to decode the #malware. The result is the malicious Chrome extension, which is compiled, deployed and installed via PowerShell commands.
9/ There is one final encoded section which follows a similar pattern, but without the use of "Get-ItemPropertyValue" to generate the XOR key.
10/ To decode that last part, just take the 5 bytes as we did before and use them directly as an XOR key. No need to throw away the first 5 bytes this time.
11/ There's a lot more to this #chromeloader #malware beyond the decoding, but I won't go into it here since it's already well documented by @redcanary and @Unit42_Intel. You can read about it here.
unit42.paloaltonetworks.com/chromeloader-m…
redcanary.com/blog/chromeloa…
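The decoding steps from tweets 2 to 10 written out as a Python script, so the CyberChef recipe can be reproduced or run in bulk. This is an added example, not the author's recipe and not code from ChromeLoader itself. The "Get-ItemPropertyValue" seed, the 5-byte key, and the discarded 5-byte header come from the thread; everything else is assumed: the sample blobs are constructed inline, the stage-1 null bytes are treated as UTF-16LE text, and because the thread only shows in screenshots where the final section's 5 key bytes sit, `decode_final_section` takes that key as an explicit argument.

```python
import base64
from itertools import cycle

# Per the thread, the stage-2 key is derived by XORing the payload's first
# 5 bytes with this PowerShell cmdlet name.
KEY_SEED = b"Get-ItemPropertyValue"
KEY_LEN = 5


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating `key` (CyberChef's 'XOR' operation)."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def decode_stage1(b64_text: str) -> str:
    """Tweet 2: 'From Base64' then 'Remove Null Bytes'. Assumption: the nulls
    are the high bytes of UTF-16LE text, so stripping them leaves ASCII."""
    raw = base64.b64decode(b64_text)
    return raw.replace(b"\x00", b"").decode("ascii", errors="replace")


def derive_stage2_key(payload: bytes, seed: bytes = KEY_SEED) -> bytes:
    """Tweets 5-6: real key = first 5 payload bytes XOR first 5 seed bytes."""
    if len(payload) < KEY_LEN:
        raise ValueError("payload too short to carry a key header")
    return xor_bytes(payload[:KEY_LEN], seed[:KEY_LEN])


def decode_stage2(b64_text: str) -> bytes:
    """Tweets 4-8: base64-decode, derive the key, drop the 5 header bytes,
    then XOR the remainder with the derived key."""
    payload = base64.b64decode(b64_text)
    key = derive_stage2_key(payload)
    return xor_bytes(payload[KEY_LEN:], key)


def decode_final_section(section: bytes, key: bytes) -> bytes:
    """Tweets 9-10: the last section uses 5 bytes directly as the XOR key,
    with no seed and nothing discarded. The key is passed in explicitly
    because its location is only visible in the thread's screenshots."""
    if len(key) != KEY_LEN:
        raise ValueError("expected a 5-byte key")
    return xor_bytes(section, key)


# --- constructed sample generators (not real ChromeLoader artefacts) -------

def build_constructed_stage1(text: str) -> str:
    """Base64 over UTF-16LE text, which yields the null bytes tweet 2 removes."""
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")


def build_constructed_stage2(plaintext: bytes, key: bytes) -> str:
    """Emit a blob whose 5-byte header derives back to `key` under
    derive_stage2_key, followed by the body XORed with `key`."""
    if len(key) != KEY_LEN:
        raise ValueError("expected a 5-byte key")
    header = xor_bytes(key, KEY_SEED[:KEY_LEN])  # header ^ seed == key
    return base64.b64encode(header + xor_bytes(plaintext, key)).decode("ascii")


if __name__ == "__main__":
    # Constructed inputs; a real sample would be pulled from the scheduled
    # task and the registry value named in the stage-1 code.
    stage1_b64 = build_constructed_stage1("Write-Host 'stage one'")
    print("stage 1:", decode_stage1(stage1_b64))

    sample_key = b"\x11\x22\x33\x44\x55"
    stage2_b64 = build_constructed_stage2(b"Write-Host 'stage two'", sample_key)
    print("stage 2 key:", derive_stage2_key(base64.b64decode(stage2_b64)).hex())
    print("stage 2:", decode_stage2(stage2_b64))
```

The generators exist only so the script runs offline; on a live case, paste the registry value into `decode_stage2` and log the derived key, since a key that repeats across samples is a usable detection artefact.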