Interesting sample looking like Muddywater: the macro downloads and executes code from GitHub when the document is opened. This downloads a picture from a picture web storage site and uses steganography, using the pixel values to get the payload to execute.
The decoded code that is executed is a Cobalt Strike script. Once decoded with the XOR op, we can note that the shellcode uses the EICAR string to make the SOC team think it is a test. It uses the Wininet module in the shellcode to contact the C2.
Sep 29, 2020 • 6 tweets • 9 min read
As reported by @KorbenD_Intel, the initial PowerShell script uses the DeflateStream method to decompress the zip in memory and extract it. This executes the second layer, which is heavily obfuscated. More than 70 functions are used to reorder the data for the sensitive strings and the implant.
Once removed, this extracts from another deflated stream the content of the x64 PE, still in memory via a MemoryStream. This is finally loaded by the reflective method.
Jul 14, 2020 • 6 tweets • 6 min read
[TLP:White] The #APT Mustang Panda group targets the Vatican state with lures. This uses the TTPs already used for pushing the payloads: a vulnerable Word version (Office 2007) with a side-loading method to execute a DLL.
This DLL performs a request to get the dat file (configuration file) for the PlugX implant, and performs a side-loading technique on another vulnerable piece of software (Adobe AAM) to execute it.
Jul 10, 2020 • 6 tweets • 7 min read
#Thanos ransomware uses several methods against sandboxes and VMs (debugger, checking the size of the disk, DLLs ...). Once this is done, it hides from monitoring tools that use the NtQuerySystemInformation method by downloading and executing ProcessHide binaries.
After this, it kills the security solutions and changes the preferences of MSE. It writes persistence via the Winlogon key. It downloads a second binary, "PAExec", to spread and install the ransomware on the infrastructure and reboot the computer.