Blog

05/06/2017
The main analysis will be on the Longhorn Trojan loader and its in-memory DLL loading feature, which is used to execute downloaded payloads on the system, and shows that the attackers didn't want to leave traces. This feature is precisely described in the CIA leaked documents abode and we will see that the loader was indeed built following those specifications. Then, we will give a look at a complex and stealthy spying backdoor payload called Black Lambert used in targeted attacks and related to the CIA toolkits.
14/03/2017
FlokiBot is a recent banking trojan targeting Europe and Brasil, sold as a malware kit for $1000 on some hacking forums. It is being spread via spam and exploit kits. Even though it is based on ZeuS, FlokiBot shows a lot of interesting improvements, new features like RAM scraping, a custom dropper, and seems to have borrowed some lines of code from the Carberp leak.
26/02/2017
TreasureHunter is a POS malware first observed in 2014 and which got some recognition through 2016. Most POS malwares are pretty simple and don't have the advanced capabilities we can find in banking malwares for example. Their main feature is RAM scraping, which consists of looking for PAN and other credit card credentials in running process' memory.
IDA
31/12/2016
Monitoring functions with API hooking is very useful when you're doing reverse engineering, especially malware or firmware analysis. It is especially convenient to do it directly inside your debugger. In this article, we will explain how to perform API hooking in IDA Pro.
Powershell
15/08/2016
A fileless malware is a malware that doesn't drop any executable on disk. Stealthier than the usual malwares, they have been on the rise with the growth of script languages like PowerShell and WMI scripts.
x64dbg
21/07/2016
Pizzacrypts is another recent ransomware installed via a RunPE dropper. Since we're seeing more and more of those, it is always interesting to do some reversing and see how it works.
04/07/2016
Satana is a very recent ransomware that, like Petya, will encrypt your files and infect the Master Boot Record. Since the payload has already been reversed and analyzed, I will only focus on the unpacking part.
PhantomJS
07/06/2016
Headless browsers are browsers without GUI. They are mainly used for test automation and web scraping, but we will see that they can be very useful and convenient when used for cybercrime activities.