May 11 2023

Millions of mobile phones come pre-infected with malware, say researchers

Category: Information Security,Malware,Mobile Securitydisc7 @ 12:03 pm

The threat is coming from inside the supply chain

BLACK HAT ASIA Threat groups have infected millions of Androids worldwide with malicious firmware before the devices have even been shipped from their manufacturers, according to Trend Micro researchers at Black Hat Asia.

The mainly mobile devices, but also smartwatches, TVs and more, have their manufacturing outsourced to an original equipment manufacturer (OEM), a process the researchers say makes them easily infiltrated.

“What is the easiest way to infect millions of devices?” posed senior threat researcher Fyodor Yarochkin, speaking alongside colleague Zhengyu Dong.

He compared infiltrating devices at such an early stage of their life cycle to a tree absorbing liquid: you put the infection at the root, and it gets distributed everywhere, out to every single limb and leaf.

The malware installation technique began as the price of mobile phone firmware dropped. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product.

“But of course there’s no free stuff,” said Yarochkin, who explained that the firmware started to come with an undesirable feature – silent plugins. The team manually analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed.

The plugins that were the most impactful were those that had built a business model around them and were selling underground services, marketing them out in the open on places like Facebook, in blog posts, and on YouTube.

    The objective of the malware is to steal info or make money from information collected or delivered.

    The malware turns the devices into proxies which are used to steal and sell SMS messages, social media and online messaging accounts, and used as monetization opportunities via adverts and click fraud.

    One type of plugin, proxy plugins, allow the criminal to rent out devices for up to around five minutes at a time. For example, those renting the control of the device could acquire data on keystrokes, geographical location, IP address and more.

    “The user of the proxy will be able to use someone else’s phone for a period of 1200 seconds as an exit node,” said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.

    Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million.

    As for where the threats are coming from, the duo wouldn’t say specifically, although the word “China” showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world’s OEMs are located and make their own deductions.

    “Even though we possibly might know the people who build the infrastructure for this business, its difficult to pinpoint how exactly the this infection gets put into this mobile phone because we don’t know for sure at what moment it got into the supply chain,“ said Yarochkin.

    The team confirmed the malware was found in the phones of at least 10 different vendors, but that there was possibly around 40 more affected. For those seeking to avoid infected mobile phones, they could go some way of protecting themselves by going high end.

    “Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,” said Yarochkin. ®

    #Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy

     InfoSec tools | InfoSec services | InfoSec books

    Tags: Mobile phone security, Pegasus

    Apr 30 2023


    Category: Hacking,MalwareDISC @ 1:14 pm

    A new piece of malware known as Atomic macOS Stealer (AMOS) was recently discovered by researchers as it was being offered for sale on Telegram. The threat actor who is promoting it charges $1,000 each month and continually updates the virus that they are selling. The Atomic macOS Stealer is capable of stealing a variety of information from the computer of the victim, such as passwords saved in the Keychain, comprehensive system information, files from the victim’s desktop and documents folder, and even the macOS password itself.

    One of its many capabilities is the extraction of data from web browsers and cryptocurrency wallets such as Atomic, Binance, Coinomi, Electrum, and Exodus. This is only one of its many functions. When a threat actor purchases the stealer from the creators of the stealer, they are also given a web panel that is pre-configured and ready to use for managing the victims.

    In the event that AMOS is installed, it has the potential to compromise a broad range of data, some of which include the passwords for iCloud Keychain, the password for the macOS system, cookies, passwords, and credit card credentials from browsers like as Chrome, Firefox, Brave, Edge, and Opera, among others. Additionally, it has the ability to compromise cryptocurrency wallets such as Atomic, Binance, Exodus, Electrum, MetaMask, and a great number of others.

    A web panel, a program called Brute MetaMask, logs in Telegram with alerts, and more features are provided to customers by the malicious party that is offering malware as a service.

    The following is the message that the threat actor posted on Telegram while trying to sell the malware:

    After the malware has gained access to a user’s information, it places the information into a ZIP file, compresses it, and then sends it to the malicious party via a command and control server URL.

    It is imperative that users only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via email or SMS messages as a result of this development, which is another sign that macOS is increasingly becoming a lucrative target beyond nation-state hacking groups to deploy stealer malware. The development is also a sign that macOS is becoming a target for cybercriminals to deploy stealer malware.

    To protect against it:

    Only applications from the official Apple App Store should be downloaded and installed on your device.
    Install an antivirus and internet security software package that has a good reputation on your computer.
    Make sure to use secure passwords, and implement multi-factor authentication whenever it’s possible.
    When it is feasible to do so, enable the biometric security capabilities of the device, such as fingerprint or face recognition, so that it can be unlocked.
    Always use caution before clicking on any links that are delivered to you in emails.
    When enabling any permissions, exercise extreme caution.
    Make that all of your software, including operating systems and apps, is up to date.

    The Art of Mac Malware: The Guide to Analyzing Malicious Software

    InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

    Tags: Mac Malware, MACOS COMPUTERS

    Apr 24 2023

    Preventing Malware & Cyber Attacks: Simple Tips for Your Computer

    Category: Cyber Attack,MalwareDISC @ 8:15 am

    Living without the Internet is hardly imaginable today. However, the anonymity of the internet has led to the flourishing of cyber attacks and malware. Malicious software can cause damage to our devices, steal personal data, and lead to monetary loss. Therefore, protecting your computer from these threats is crucial. This article will outline some methods and resources for protecting your devices from malicious software, and explain why it’s essential to use malware removal at all times.

    Tip #1: Keep Your Operating System and Software Up to Date

    One of the most crucial things you can do to keep your computer secure is to keep your operating system and software up to date. Security patches are frequently released by software developers to address flaws that hackers could exploit. Failing to update your system and software leaves your computer vulnerable to potential threats.

    To ensure that your operating system and software are up to date, it’s important to turn on automatic updates. This will ensure that your system gets updates as soon as they become available. Additionally, you can manually check for updates by accessing the settings for your software or operating system. By doing this, you can be certain that your computer is protected against potential threats.

    Tip #2: Use Antivirus and Anti-Malware Software

    Antivirus and malware removal software are essential tools for protecting your computer against malicious software such as viruses, spyware, and ransomware. These programs scan your computer on a regular basis for malware and remove it if found. By using antivirus and anti-malware software, you can safeguard your computer from malicious attacks and maintain its security.

    When it comes to antivirus and anti-malware software, it’s crucial to choose a reputable and trustworthy option that offers comprehensive protection against various types of malware. With numerous software options available on the market, selecting the right one can be overwhelming. However, by doing some research and selecting the one that meets your needs, you can ensure that your computer remains protected from potential threats.

    Tip #3: Use a Firewall

    firewall is a crucial security system that monitors and controls network traffic, both incoming and outgoing. It serves as a barrier between your computer and the internet, blocking unauthorized access. By utilizing a firewall, you can protect your computer from potential cyber attacks and enhance its security.

    Most operating systems come with a built-in firewall that you can enable by going to your system’s settings. However, you can further increase your computer’s security by installing a third-party firewall. These firewalls offer additional features and customization options that can help you tailor the protection to your needs. By using a firewall, you can safeguard your computer against potential threats and enhance its overall security.

    Tip #4: Use Strong and Unique Passwords

    Using strong and unique passwords is crucial in safeguarding your device against potential cyber attacks. Cybercriminals frequently use automated programs to guess passwords and weak passwords are easily guessed, allowing them to gain access to your computer more easily. By using strong and unique passwords, you can significantly enhance your computer’s security.

    To create a strong password, use a combination of letters, numbers, and symbols. Avoid using common phrases or words that are easily guessed. Additionally, do not use the same password for multiple accounts, as this can leave you vulnerable if one account is compromised. Consider using a password manager to generate and store strong and unique passwords for all your accounts. By taking these steps, you can ensure that your computer remains protected against potential threats.

    Tip #5: Be Wary of Phishing Scams

    Phishing scams are a type of social engineering attack that cybercriminals use to trick people into disclosing sensitive information like passwords and credit card numbers. These scams can be sent via email, text messages, or even social media. Falling prey to a phishing scam can lead to significant financial loss and compromise your personal information.

    To avoid falling victim to phishing scams, it’s important to be cautious of any suspicious emails or messages. Do not click on any unknown links or download any attachments from suspicious sources. Always check the sender’s email address to ensure that it is from a legitimate source.

    If you receive an email that appears to be from your bank or another financial institution, do not provide any sensitive information. Instead, contact the institution directly to confirm the authenticity of the email. By taking these steps, you can protect yourself from phishing scams and keep your personal information secure.

    Tip #6: Use Two-Factor Authentication

    Two-factor authentication (2FA) is a crucial security measure that adds an extra layer of protection to your online accounts. This security measure requires users to provide two forms of identification before accessing their accounts, making it more difficult for cybercriminals to access your information. Two-factor authentication can prevent unauthorized access to your accounts and protect your sensitive information from being compromised.

    Many online services, such as email and social media platforms, offer two-factor authentication as an additional security measure. To enable two-factor authentication, go to your account settings and follow the instructions provided by the service. You can usually choose between receiving a code via text message or using an authentication app. Enabling two-factor authentication can greatly improve the security of your accounts and help keep your personal information safe.

    Tip #7: Back Up Your Data Regularly

    The best practice to protect your data from cyber attacks is to regularly back it up. If your computer is infected with malware or hacked, you might lose all your data. By backing up your data regularly, you can easily restore your data in the event of a cyber attack.

    In conclusion, adhering to the tips and tools mentioned above can not only safeguard your personal or business data but also prevent potential embarrassment and costly fines.
    Use anti-virus and anti-malware software.

    The Cybersecurity Playbook for Modern Enterprises: An end-to-end guide to preventing data breaches and cyber attacks

    InfoSec Threats
     | InfoSec books | InfoSec tools | InfoSec services

    InfoSec Threats
     | InfoSec books | InfoSec tools | InfoSec services

    Tags: cyber attacks, data breaches, Malware

    Apr 09 2023

    Malware types and analysis

    Category: Information Security,MalwareDISC @ 9:48 am

    Accelerated Windows Malware Analysis with Memory Dumps: Training Course Transcript and WinDbg Practice Exercises, (Windows Internals Supplements)

    Malware analysis reports – Reports and IoCs from the NCSC malware analysis team

    InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

    Tags: Malware, Malware Analysis, windows malware

    Apr 05 2023


    Category: AI,ChatGPT,MalwareDISC @ 9:35 am

    There is evidence that ChatGPT has helped low-skill hackers generate malware, which raises worries about the technology being abused by cybercriminals. ChatGPT cannot yet replace expert threat actors, but security researchers claim there is evidence that it can assist low-skill hackers create malware.

    Since the introduction of ChatGPT in November, the OpenAI chatbot has assisted over 100 million users, or around 13 million people each day, in the process of generating text, music, poetry, tales, and plays in response to specific requests. In addition to that, it may provide answers to exam questions and even build code for software.

    It appears that malicious intent follows strong technology, particularly when such technology is accessible to the general people. There is evidence on the dark web that individuals have used ChatGPT for the development of dangerous material despite the anti-abuse constraints that were supposed to prevent illegitimate requests. This was something that experts feared would happen. Because of thisexperts from forcepoint came to the conclusion that it would be best for them not to create any code at all and instead rely on only the most cutting-edge methods, such as steganography, which were previously exclusively used by nation-state adversaries.

    The demonstration of the following two points was the overarching goal of this exercise:

    1. How simple it is to get around the inadequate barriers that ChatGPT has installed.
    2. How simple it is to create sophisticated malware without having to write any code and relying simply on ChatGPT

    Initially ChatGPT informed him that malware creation is immoral and refused to provide code.

    1. To avoid this, he generated small codes and manually assembled the executable.  The first successful task was to produce code that looked for a local PNG greater than 5MB. The design choice was that a 5MB PNG could readily hold a piece of a business-sensitive PDF or DOCX.

     2. Then asked ChatGPT to add some code that will encode the found png with steganography and would exfiltrate these files from computer, he asked ChatGPT for code that searches the User’s Documents, Desktop, and AppData directories then uploads them to google drive.

    3. Then he asked ChatGPT to combine these pices of code and modify it to to divide files into many “chunks” for quiet exfiltration using steganography.

    4. Then he submitted the MVP to VirusTotal and five vendors marked the file as malicious out of sixty nine.

    5. This next step was to ask ChatGPT to create its own LSB Steganography method in my program without using the external library. And to postpone the effective start by two minutes.

    6. The another change he asked ChatGPT to make was to obfuscate the code which was rejected. Once ChatGPT rejected hisrequest, he tried again. By altering his request from obfuscating the code to converting all variables to random English first and last names, ChatGPT cheerfully cooperated. As an extra test, he disguised the request to obfuscate to protect the code’s intellectual property. Again, it supplied sample code that obscured variable names and recommended Go modules to construct completely obfuscated code.

    7. In next step he uploaded the file to virus total to check

    And there we have it; the Zero Day has finally arrived. They were able to construct a very sophisticated attack in a matter of hours by only following the suggestions that were provided by ChatGPT. This required no coding on our part. We would guess that it would take a team of five to ten malware developers a few weeks to do the same amount of work without the assistance of an AI-based chatbot, particularly if they wanted to avoid detection from all detection-based suppliers.

    ChatGPT for Startups

    InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

    Tags: ChatGPT malware

    Mar 28 2023

    What is Malware and how to prevent it

    Category: MalwareDISC @ 10:15 am
    How to recognize and remove malware

    What is Malware and how to prevent it

    Malware comes in many forms: the unwanted programs can surface as pathogensspies, or remote controls in computers. Whether it’s a virus, spyware, or a Trojan horse, this harmful software should be kept well away from your computer. What are the different types of malware? We show you how to protect yourself from them and what steps to take if your computer or webspace are affected.

    1. What exactly is malware and what are the different types?
    2. Who is affected by malware and how do you recognize an attack?
    3. Preventative measures against malware
    4. Use internet applications wisely
    5. How to remove spyware, Trojans, viruses, etc.
    6. Malware on websites
    7. Never underestimate the dangers of malicious software


    InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

    Tags: Malware prevention

    Feb 27 2023

    Researchers Share New Insights Into RIG Exploit Kit Malware’s Operations

    Category: MalwareDISC @ 1:09 pm
    RIG Exploit Kit

    The RIG exploit kit (EK) touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal.

    “RIG EK is a financially-motivated program that has been active since 2014,” Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News.

    “Although it has yet to substantially change its exploits in its more recent activity, the type and version of the malware they distribute constantly change. The frequency of updating samples ranges from weekly to daily updates.”

    Exploit kits are programs used to distribute malware to large numbers of victims by taking advantage of known security flaws in commonly-used software such as web browsers.

    The fact that RIG EK runs as a service model means threat actors can financially compensate the RIG EK administrator for installing malware of their choice on victim machines. The RIG EK operators primarily employ malvertising to ensure a high infection rate and large-scale coverage.

    As a result, visitors using a vulnerable version of a browser to access an actor-controlled web page or a compromised-but-legitimate website are redirected using malicious JavaScript code to a proxy server, which, in turn, communicates with an exploit server to deliver the appropriate browser exploit.

    The exploit server, for its part, detects the user’s browser by parsing the User-Agent string and returns the exploit that “matches the pre-defined vulnerable browser versions.”

    “The artful design of the Exploit Kit allows it to infect devices with little to no interaction from the end user,” the researchers said. “Meanwhile, its use of proxy servers makes infections harder to detect.”

    Since arriving on the scene in 2014, RIG EK has been observed delivering a wide range of financial trojans, stealers, and ransomware such as AZORultCryptoBitDridex, Raccoon Stealer, and WastedLoader. The operation was dealt a huge blow in 2017 following a coordinated action that dismantled its infrastructure.

    For more details:

    Tags: Exploit Kit, Malware Analysis

    Feb 03 2023


    Category: Malware,RansomwareDISC @ 11:02 am

    Packers are becoming an increasingly important tool for cybercriminals to use in the commission of illegal acts. On hacker forums, the packer is sometimes referred to as “Crypter” and “FUD.” Its primary function is to make it more difficult for antivirus systems to identify malicious code. Malicious actors are able to disseminate their malware more quickly and with fewer consequences when they use a packer. It doesn’t matter what the payload is, which is one of the primary qualities of a commercial Packer-as-a-Service, which implies that it may be used to pack a variety of different harmful samples. This opens up a lot of opportunities for cybercriminals. Another key quality of the packer is that it is transformational. Because the packer’s wrapper is changed on a frequent basis, it is able to avoid detection by devices designed to enhance security.

    According to Checkpoint, TrickGate is an excellent illustration of a robust and resilient packer-as-a-service. It has been able to go under the radar of cyber security researchers for a number of years and is consistently becoming better in a variety of different ways.

    Although a lot of very good study was done on the packer itself, TrickGate is a master of disguises and has been given a number of different titles due to the fact that it has so many different characteristics. A number of names have been given to it, including “TrickGate,” “Emotet’s packer,” “new loader,” “Loncom,” and “NSIS-based crypter.”

    At the end of 2016, they made our first observation of TrickGate. During that time, it was used to spread the Cerber malware. Since that time, they have been doing ongoing research on TrickGate and have discovered that it is used to propagate many forms of malicious software tools, including ransomware, RATs, information thieves, bankers, and miners. It has come to their attention that a significant number of APT organizations and threat actors often employ TrickGate to wrap their malicious code in order to evade detection by security solutions. Some of the most well-known and top-distribution malware families have been wrapped by TrickGate,

    including Cerber, Trickbot, Maze, Emotet, REvil, CoinMiner, Cobalt Strike, DarkVNC, BuerLoader, HawkEye, NetWire, AZORult, Formbook, Remcos, Lokibot, AgentTesla, and many more. TrickGate has also been involved in the wrapping of many other malware.


    Jan 28 2023

    PlugX Malware Sneaks Onto Windows PCs Through USB Devices

    Category: Malware,Windows SecurityDISC @ 9:29 am

    PlugX malware has been around for almost a decade and has been used by multiple actors of Chinese nexus and several other cybercrime groups.

    The Palo Alto Networks Unit 42 incident response team has discovered a new variant of PlugX malware that is distributed via removable USB devices and targets Windows PCs. This should not come as a surprise since 95.6% of new malware or their variants in 2022 targeted Windows.

    According to Unit 42 researchers, the new variant was detected when carrying out an incident response post a Black Basta ransomware attack. The researchers uncovered several malware samples and tools on the victims’ devices. This includes the Brute Ratel C4 red-teaming tool, GootLoader malware, and an old PlugX sample.

    PlugX malware has been around for almost a decade and has been used by multiple actors of Chinese nexus and several other cybercrime groups. The malware was previously used in many high-profile cyberattacks, such as the 2015 U.S. Government Office of Personnel Management (OPM) breach.

    The same backdoor was also used in the 2018 malware attack on the Android devices of minority groups in China. Most recently, in November 2022, researchers linked Google Drive phishing scams to the group infamously known for using PlugX malware.

    Scope of Infection

    The new variant stood out among other malware because it could infect any attached removable USB device, e.g., floppy, flash, thumb drives, and any system the removable device was plugged into later.

    So far, no evidence connects the PlugX backdoor or Gootkit to the Black Basta ransomware group, and researchers believe another actor could have deployed it. Moreover, researchers noted that the malware could copy all Adobe PDF and Microsoft Word documents from the host and places them in a hidden folder on the USB device. The malware itself creates this folder.

    PlugX Malware Being Distributed through Removable USB Devices

    Malware Analysis

    Unit 42 researchers Jen Miller-Osborn and Mike Harbison explained in their blog post that this variant of PlugX malware is a wormable, second-stage implant. It infects USB devices and stays concealed from the Windows operating file system. The user would not suspect that their USB device is being exploited to exfiltrate data from networks. 

    PlugX’s USB variant is different because it uses a specific Unicode character called non-breaking space/ U+00A0 to hide files in a USB device plugged into a workstation. This character prevents the Windows OS from rendering the directory name instead of leaving an anonymous folder in Explorer.

    Furthermore, the malware can hide actor files in a removable USB device through a novel technique, which even works on the latest Windows OS

    The malware is designed to infect the host and copy the malicious code on any removable device connected to the host by hiding it in a recycle bin folder. Since MS Windows OS by default doesn’t show hidden files, the malicious files in recycle bin aren’t displayed, but, surprisingly, it isn’t shown even with the settings enabled. These malicious files can be viewed/downloaded only on a Unix-like OS or through mounting the USB device in a forensic tool.

    Mastering Windows Security and Hardening: Secure and protect your Windows environment from intruders, malware attacks, and other cyber threats

    InfoSec books | InfoSec tools | InfoSec services

    Tags: PlugX Malware

    Jan 27 2023

    New Python Malware Targeting Windows Devices

    Category: Malware,PythonDISC @ 10:26 am

    The malware features also include file transfer, keylogging, stealing passwords stored in the browser, clipboard data stealing, cookies exfiltration and more.

    Threat analysis firm Securonix’s cybersecurity researchers have discovered a new malware dubbed PY#RATION allowing attackers to steal sensitive files and log keystrokes from impacted devices.

    Malware Distribution Technique

    The malware is distributed through a conventional phishing mechanism in which the email contains a password-protected ZIP archive. When it is unpacked, two shortcut image files appear, titled front.jpg.lkn and back.jpg.lnk. When launched, these files display the front and back of a driver’s license that doesn’t exist.

    New Python Malware Targeting Windows Devices
    Images used in the scam (Credit: Securonix)

    With this, the malicious code is also executed, leading to two new files being downloaded from the internet. These files are titled front.txt and back.txt, later renamed to .bat docs and executed. The malware disguises itself as Cortana virtual assistant to ensure persistence on the system.

    What is PY#RATION

    PY#RATION is a Python-based malware that displays a RAT (remote access trojan) like behaviour to sustain control over the affected host. The malware has various capabilities and functionalities, such as keylogging and data exfiltration.

    However, the unique aspect is that it uses WebSocket for exfiltration and C2 communication, and evades detection from network security solutions and antivirus programs. Leveraging Python’s built-in Socket.IO framework that facilitates client and server WebSocket communications, the malware pulls data and gets commands over a single TCP connection through open ports simultaneously.

    Moreover, according to a blog post published by Securonix, the attackers use the same C2 address, which the IPVoid checking system is yet to block. Researchers believe this malware is still under active development as they have detected multiple versions since August 2022. The malware receives instructions from the operations through WebSocket and obtains sensitive data.

    Potential Dangers

    This Python RAT is packed into an executable that uses automated packers such as ‘pyinstaller’ and ‘py2exe’ to convert Python code into Windows executables. This helps inflate payload size (The first detected version 1.0 being 14MB and the last detected version 1.6.0 being 32 MB containing 1000+ lines and additional code).

    New Python Malware Targeting Windows Devices
    Infection chain of the PY#RATION python malware (Credit: Securonix)

    Researchers claim that the latest version of the payload remains undetected by all except for one antivirus engine listed on VirusTotal.

    The malware features include file transfer to and from the C2 server, network enumeration, shell command execution, keylogging, stealing passwords stored in the browser, host enumeration, clipboard data stealing, and cookies exfiltration. Who’s behind this campaign, the distribution volume, and campaign objectives are still unclear.

    Python for Cybersecurity: Using Python for Cyber Offense and Defense

    InfoSec books
     | InfoSec tools | InfoSec services

    Tags: Python Malware

    Jan 19 2023

    Google ads increasingly pointing to malware

    Category: MalwareDISC @ 11:13 am

    The FBI has recently warned the public about search engine ads pushing malware disguised as legitimate software – an old tactic that has lately resulted in too many malicious ads served to users searching for software, cracked software, drivers – anything that can be downloaded, really – via Google and Bing.

    The recent explosion of search engine malvertising

    Malware peddlers employ a variety of methods to deliver their wares to unsuspecting users:

    The latter tactic is particularly good at hitting a wide pool of potential targets, since most internet users also use search engines.

    Lately, though, they have been overdoing it – or perhaps it’s just that more people have begun noticing it and talking about it online?

    Many documented campaigns

    HP threat researcher Patrick Schläpfer says that they have seen “a significant increase in malware distributed through malvertising, with multiple threat actors currently using this technique.”

    Some of these campaigns have been going on since late last year, and mostly target users searching to download popular software (e.g., Audacity, Blender 3D, GIMP, Notepad++, Microsoft Teams, Discord, Microsoft OneNote, 7zipOBS, etc.).

    malicious Google ads

    The malicious ads often manage to be the first link users see when searching for software on Google, and point to a (usually typosquatting) domain that resembles the original software manufacturer’s page. Clicking on the download link triggers the download of the malicious package from a file-hosting and sharing service (e.g., Dropbox), an app development platform (e.g., Google Firebase), or a code-hosting service (e.g., GitHub).

    Protect yourself and your loved ones

    While Google and Microsoft are trying to keep their users safe, it’s becoming obvious that they are failing to keep pace with the rapid change of tricks employed by cybercriminals to push those ads.

    As some ads are removed and new ones inevitably spring up, we are forced to do what we can to protect themselves.

    Just being aware of this danger and knowing about the prevalence of these malicious ads will help. Also, carefully check whether the URL to which the advertisement points is the correct one (e.g., by comparing it with the official domain listed on the software’s Wikipedia page).

    If you fail to spot the malicious nature of the ad and the typosquatting site, don’t ignore warnings you might get from Microsoft Defender or another security solution you use.

    malicious Google ads

    But the best advice may be to completely avoid clicking on Google and Bing ads – either by recognizing them and avoiding them consciously, or by installing an ad-blocking extension that will stop those ads from being displayed. That latter option is perhaps the best one for less tech-savvy users, to completely remove the temptation of willy-nilly clicking on potentially malicious ads – wherever they might pop up.

    Google and Microsoft, on the other hand, may want to ramp up their efforts to block this kind of abuse of their ad network, or risk their reputation being dented and more and more users start using ad blockers.

    Learn Malware Removal Techniques: How to remove malwares from a computer

    Checkout our previous posts on “Malware” topic

    InfoSec books | InfoSec tools | InfoSec services

    Tags: Google ads

    Jan 07 2023

    Best Malware Analysis Tools List For Security Researchers & Malware Analyst 2023

    Category: Malware,Security ToolsDISC @ 1:24 pm

    Malware analysis tools are highly essential for Security Professionals who always need to learn many tools, techniques, and concepts to analyze sophisticated Threats and current cyber attacks.

    Most Important Security Tools and Resources For Security Researcher and Malware Analyst

    Malware Analysis Tools & Courses

    • Malware Analysis Courses
    • Hex Editors
    • Disassemblers
    • Detection and Classification
    • Dynamic Binary Instrumentation
    • Dynamic Analysis
    • Deobfuscation
    • Debugging
    • Malware Analaysis Courses
    • Reverse Engineering
    • Binary Analysis
    • Decompiler
    • Bytecode Analysis
    • Reconstruction
    • Memory Forensics
    • Windows Artifacts
    • Storage and Workflow
    • Malware samples
    • Courses
    • Domain Analysis
    • Books

    Malware Analysis Courses

    Here we have listed the best courses list for malware analysis, reverse engineering, exploit development and more..

    Hex Editors

    A hex editor (or binary file editor or byteeditor) is a type of computer program that allows for manipulation of the fundamental binary data that constitutes a computer file. The name ‘hex’ comes from ‘hexadecimal’: a standard numerical format for representing binary data.


    disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler.

    A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. Disassembly, the output of a disassembler, is often formatted for human-readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool.

    Detection and Classification

    • AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
    • Assemblyline – A scalable distributed file analysis framework.
    • BinaryAlert – An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
    • ClamAV – Open source antivirus engine.
    • Detect-It-Easy – A program for determining types of files.
    • ExifTool – Read, write and edit file metadata.
    • File Scanning Framework – Modular, recursive file scanning solution.
    • hashdeep – Compute digest hashes with a variety of algorithms.
    • Loki – Host based scanner for IOCs.
    • Malfunction – Catalog and compare malware at a function level.
    • MASTIFF – Static analysis framework.
    • MultiScanner – Modular file scanning/analysis framework
    • nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
    • packerid – A cross-platform Python alternative to PEiD.
    • PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
    • Rootkit Hunter – Detect Linux rootkits.
    • ssdeep – Compute fuzzy hashes.
    • – Python script for easy searching of the database.
    • TrID – File identifier.
    • YARA – Pattern matching tool for analysts.
    • Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives

    Dynamic Binary Instrumentation

    Dynamic Binary Instrumentation Tools

    Mac Decrypt

    Mac Decrypting Tools


    Emulator Tools

    Document Analysis

    Document Based Malware Analysis Tools.

    Dynamic Analysis

    This introductory malware dynamic analysis class is dedicated to people who are starting to work on malware analysis or who want to know what kinds of artifacts left by malware can be detected via various tools.

    The class will be a hands-on class where students can use various tools to look for how malware is: Persisting, Communicating, and Hiding

    Deobfuscation Malware Analysis Tools

    Reverse XOR and other code obfuscation methods.

    • Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
    • de4dot – .NET deobfuscator and unpacker.
    • ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
    • FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
    • NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
    • PackerAttacker – A generic hidden code extractor for Windows malware.
    • unpacker – Automated malware unpacker for Windows malware based on WinAppDbg.
    • unxor – Guess XOR keys using known-plaintext attacks.
    • VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
    • XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
    • XORSearch & XORStrings – A couple programs from Didier Stevens for finding XORed data.
    • xortool – Guess XOR key length, as well as the key itself.


    IN this List we could  see the tools for Disassemblers, debuggers, and other static and dynamic analysis tools.Cross-Platform Debugging Tools

    Windows-Only Debugging Tools

    Linux-Only Debugging Tools

    Reverse Engineering 

    • angr – Platform-agnostic binary analysis framework developed at UCSB’s Seclab.
    • bamfdetect – Identifies and extracts information from bots and other malware.
    • BAP – Multiplatform and open source (MIT) binary analysis framework developed at CMU’s Cylab.
    • BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework.
    • binnavi – Binary analysis IDE for reverse engineering based on graph visualization.
    • Binary ninja – A reversing engineering platform that is an alternative to IDA.
    • Binwalk – Firmware analysis tool.
    • Bokken – GUI for Pyew and Radare. (mirror)
    • Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
    • codebro – Web based code browser using  clang to provide basic code analysis.
    • DECAF (Dynamic Executable Code Analysis Framework) – A binary analysis platform based   on QEMU. DroidScope is now an extension to DECAF.
    • dnSpy – .NET assembly editor, decompiler and debugger.
    • Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
    • Fibratus – Tool for exploration and tracing of the Windows kernel.
    • FPort – Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
    • GDB – The GNU debugger.
    • GEF – GDB Enhanced Features, for exploiters and reverse engineers.
    • hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
    • Hopper – The macOS and Linux Disassembler.
    • IDA Pro – Windows disassembler and debugger, with a free evaluation version.
    • Immunity Debugger – Debugger for malware analysis and more, with a Python API.
    • ILSpy – ILSpy is the open-source .NET assembly browser and decompiler.
    • Kaitai Struct – DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
    • LIEF – LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.
    • ltrace – Dynamic analysis for Linux executables.
    • objdump – Part of GNU binutils, for static analysis of Linux binaries.
    • OllyDbg – An assembly-level debugger for Windows executables.
    • PANDA – Platform for Architecture-Neutral Dynamic Analysis.
    • PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands.
    • pestudio – Perform static analysis of Windows executables.
    • Pharos – The Pharos binary analysis framework can be used to perform automated static analysis of binaries.
    • plasma – Interactive disassembler for x86/ARM/MIPS.
    • PPEE (puppy) – A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
    • Process Explorer – Advanced task manager for Windows.
    • Process Hacker – Tool that monitors system resources.
    • Process Monitor – Advanced monitoring tool for Windows programs.
    • PSTools – Windows command-line tools that help manage and investigate live systems.
    • Pyew – Python tool for malware analysis.
    • PyREBox – Python scriptable reverse engineering sandbox by the Talos team at Cisco.
    • QKD – QEMU with embedded WinDbg server for stealth debugging.
    • Radare2 – Reverse engineering framework, with debugger support.
    • RegShot – Registry compare utility that compares snapshots.
    • RetDec – Retargetable machine-code decompiler with an online decompilation service and API that you can use in your tools.
    • ROPMEMU – A framework to analyze, dissect and decompile complex code-reuse attacks.
    • SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis.
    • strace – Dynamic analysis for Linux executables.
    • Triton – A dynamic binary analysis (DBA) framework.
    • Udis86 – Disassembler library and tool for x86 and x86_64.
    • Vivisect – Python tool for malware analysis.
    • WinDbg – multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
    • X64dbg – An open-source x64/x32 debugger for windows.

    Binary Format and  Binary Analysis

    The Compound File Binary Format is the basic container used by several different Microsoft file formats such as Microsoft Office documents and Microsoft Installer packages.

    Binary Analysis Resources



    A decompiler is a computer program that takes an executable file as input, and attempts to create a high level source file which can be recompiled successfully. It is therefore the opposite of a compiler, which takes a source file and makes an executable.Generic Decompiler

    Java Decompiler

    .NET Decompiler

    Delphi Decompiler

    Python Decompiler

    Bytecode Analysis

    Bytecode Analysis Tools

    Malware Analysis Tools for Reconstruction

    Import Reconstruction Tools

    • AndroTotal – Free online analysis of APKs against multiple mobile antivirus apps.
    • AVCaesar – online scanner and malware repository.
    • Cryptam – Analyze suspicious office documents.
    • Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
    • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
    • cuckoo-modified-api – A Python API used to control a cuckoo-modified sandbox.
    • DeepViz – Multi-format file analyzer with machine-learning classification.
    • detux – A sandbox developed to do traffic analysis of Linux malwares and capturing IOCs.
    • DRAKVUF – Dynamic malware analysis system.
    • – Unpacks, scans and analyzes almost any firmware package.
    • HaboMalHunter – An Automated Malware Analysis Tool for Linux ELF Files.
    • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
    • IRMA – An asynchronous and customizable analysis platform for suspicious files.
    • Joe Sandbox – Deep malware analysis with Joe Sandbox.
    • Jotti – Free online multi-AV scanner.
    • Limon – Sandbox for Analyzing Linux Malware.
    • Malheur – Automatic sandboxed analysis of malware behavior.
    • malsub – A Python RESTful API framework for online malware and URL analysis services.
    • Malware config – Extract, decode and display online the configuration settings from common malwares.
    • Malwr – Free analysis with an online Cuckoo Sandbox instance.
    • MASTIFF Online – Online static analysis of malware.
    • – Scan a file, hash or IP address for malware (free).
    • NetworkTotal – A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
    • Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
    • PDF Examiner – Analyse suspicious PDF files.
    • ProcDot – A graphical malware analysis tool kit.
    • Recomposer – A helper script for safely uploading binaries to sandbox sites.
    • Sand droid – Automatic and complete Android application analysis system.
    • SEE – Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
    • VirusTotal – Free online analysis of malware samples and URLs
    • Visualize_Logs – Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come…)
    • Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.

    Document Analysis

    Document Analysis Tools




    Android tools


    Yara Resources

    Memory Forensics Malware Analysis Tools 

    Tools for dissecting malware in memory images or running systems.

    • BlackLight – Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
    • DAMM – Differential Analysis of Malware in Memory, built on Volatility.
    • evolve – Web interface for the Volatility Memory Forensics Framework.
    • FindAES – Find AES encryption keys in memory.
    • – High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
    • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
    • Rekall – Memory analysis framework, forked from Volatility in 2013.
    • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
    • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
    • Volatility – Advanced memory forensics framework.
    • VolUtility – Web Interface for Volatility Memory Analysis framework.
    • WDBGARK – WinDBG Anti-RootKit Extension.
    • WinDbg – Live memory inspection and kernel debugging for Windows systems.

    Windows Artifacts

    • AChoir – A live incident response script for gathering Windows artifacts.
    • python-evt – Python library for parsing Windows Event Logs.
    • python-registry – Python library for parsing registry files.
    • RegRipper (GitHub) – Plugin-based registry analysis tool.

    Storage and Workflow

    • Aleph – Open Source Malware Analysis Pipeline System.
    • CRITs – Collaborative Research Into Threats, a malware and threat repository.
    • FAME – A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
    • Malwarehouse – Store, tag, and search malware.
    • Polichombr – A malware analysis platform designed to help analysts to reverse malwares collaboratively.
    • stoQ – Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
    • Viper – A binary management and analysis framework for analysts and researchers.

    Malware samples

    Malware samples collected for analysis.

    • Clean MX – Realtime database of malware and malicious domains.
    • Contagio – A collection of recent malware samples and analyses.
    • Exploit Database – Exploit and shellcode samples.
    • Malshare – Large repository of malware actively scrapped from malicious sites.
    • MalwareDB – Malware samples repository.
    • Open Malware Project – Sample information and downloads. Formerly Offensive Computing.
    • Ragpicker – Plugin based malware crawler with pre-analysis and reporting functionalities
    • theZoo – Live malware samples for analysts.
    • Tracker h3x – Agregator for malware corpus tracker and malicious download sites.
    • ViruSign – Malware database that detected by many anti malware programs except ClamAV.
    • VirusShare – Malware repository, registration required.
    • VX Vault – Active collection of malware samples.
    • Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
    • Zeus Source Code – Source for the Zeus trojan leaked in 2011.

    Domain Malware Analysis Tools

    Inspect domains and IP addresses.

    • – Community based IP blacklist service.
    • boomerang – A tool designed for consistent and safe capture of off network web resources.
    • Cymon – Threat intelligence tracker, with IP/domain/hash search.
    •– One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
    • Dig – Free online dig and other network tools.
    • dnstwist – Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
    • IPinfo – Gather information about an IP or domain by searching online resources.
    • Machinae – OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
    • mailchecker – Cross-language temporary email detection library.
    • MaltegoVT – Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
    • Multi rbl – Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
    • NormShield Services – Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
    • SpamCop – IP based spam block list.
    • SpamHaus – Block list based on domains and IPs.
    • Sucuri SiteCheck – Free Website Malware and Security Scanner.
    • Talos Intelligence – Search for IP, domain or network owner. (Previously SenderBase.)
    • TekDefense Automater – OSINT tool for gathering information about URLs, IPs, or hashes.
    • URLQuery – Free URL Scanner.
    • Whois – DomainTools free online whois search.
    • Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.
    • ZScalar Zulu – Zulu URL Risk Analyzer.


    Most Important books Reverse Engineering Books

    Documents and Shellcode

    Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

    • AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
    • box-js – A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
    • diStorm – Disassembler for analyzing malicious shellcode.
    • JS Beautifier – JavaScript unpacking and deobfuscation.
    • JS Deobfuscator – Deobfuscate simple Javascript that use eval or document.write to conceal its code.
    • libemu – Library and tools for x86 shellcode emulation.
    • malpdfobj – Deconstruct malicious PDFs into a JSON representation.
    • OfficeMalScanner – Scan for malicious traces in MS Office documents.
    • olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
    • Origami PDF – A tool for analyzing malicious PDFs, and more.
    • PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
    • PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
    • peepdf – Python tool for exploring possibly malicious PDFs.
    • QuickSand – QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
    • Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

    Practice Malware Analysis Tools 

    Practice Reverse Engineering. Be careful with malware.

    Open Source Threat Intelligence Tool

    Harvest and analyze IOCs.

    • AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
    • AlienVault Open Threat Exchange – Share and collaborate in developing Threat Intelligence.
    • Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
    • Fileintel – Pull intelligence per file hash.
    • Hostintel – Pull intelligence per host.
    • IntelMQ – A tool for CERTs for processing incident data using a message queue.
    • IOC Editor– A free editor for XML IOC files.
    • ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
    • Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
    • MISP – Malware Information Sharing Platform curated by The MISP Project.
    • Pulsedive – Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
    • PyIOCe – A Python OpenIOC editor.
    • RiskIQ – Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
    • threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
    • ThreatCrowd – A search engine for threats, with graphical visualization.
    • ThreatTracker – A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
    • TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.

    Other Resources


    This list is Created with helping of following Awesome Peoples.

    Infosec books | InfoSec tools | InfoSec services

    Tags: malware analysis tools

    Dec 29 2022

    GuLoader Malware Uses Advanced Anti-Analysis Techniques to Evade Detection

    Category: Antivirus,Malware,Threat detectionDISC @ 11:30 am

    An advanced malware downloader named GuLoader has recently been exposed by cybersecurity researchers at CrowdStrike. This advanced downloader has the capability to evade the detection of security software by adopting a variety of techniques.

    While analyzing the shellcode of GuLoader, a brand-new anti-analysis technique was discovered by CrowdStrike through which researchers would be able to identify if the malware is operating in an adversarial environment or not. While this is done by examining the whole process memory for any VM-related strings.

    Evolution of GuLoader Malware

    On infected machines, GuLoader (aka CloudEyE) distributes remote access trojans like AgentTeslaFormBookNanocoreNETWIRERemcos, and the Parallax RAT using the VBS downloader. 

    GuLoader has been active since at least 2019 and has undergone several changes in its functionality and delivery methods. Over time, the malware has become more sophisticated, using various methods to evade detection and avoid being removed from infected systems. 

    It has also been distributed through other channels, such as exploit kits and hacked websites. While it has evolved over time and has been used in various campaigns to deliver a range of malware, including ransomware, banking Trojans, and other types of malware.

    A strong anti-analysis technique was also deployed by GuLoader in order to avoid detection in order to remain undetected. 

    GuLoader exhibits a three-stage process, the VBScript script will first inject the shellcode embedded within it into the memory, then the next stage of the process will execute anti-analysis checks that will protect the code from being analyzed.

    Furthermore, the shellcode also incorporates the same anti-analysis methods in order to avoid detection by third parties. It is through this shellcode that an attacker is able to download a final payload of their choice and execute it with the same anti-analysis methods as the original shellcode on the host that is compromised.

    Detecting breakpoints used for code analysis is done with anti-debugging and anti-disassembling checks in the malware.

    There is also a redundant code injection mechanism that can be used to avoid the use of a NTDLL.dll hook that is commonly used by antivirus programs and EDRs.

    In order to detect and flag processes on Windows that may be suspicious, anti-malware engines use NTDLL.dll API hooking. 

    Anti-Analysis Techniques

    Here below we have mentioned the anti-analysis techniques used:-

    • Anti-Debugging
    • Anti-Virtual Machine
    • Process Hollowing

    It was pointed out by experts that GuLoader remains a treacherous threat that is constantly evolving as it continues to develop. Furthermore, experts also provided indicators of compromise for the latest version of the downloader, as well as other key information.

    GuLoader Malware Advanced Anti-Analysis

    Antivirus Bypass Techniques: Learn practical techniques and tactics to combat, bypass, and evade antivirus software

    Malware Analysis

    Infosec books | InfoSec tools | InfoSec services

    Tags: Antivirus Bypass Techniques, Evade Detection, Malware

    Dec 27 2022

    Hackers Deploy New Information Stealer Malware onto Python Developers’ Machines

    Category: Malware,PythonDISC @ 10:48 am

    Researchers at Phylum recently discovered that hackers had been injecting information stealer malware into Python developers’ machines in order to steal their information.

    As they dug deeper, they discovered a new stealer variant with many different names. While apart from this, the source code of the program reveals that it is a straightforward copy of the old Stealer, W4SP. 

    Attack Chain to Deploy Malware

    A stealer in this case dropped directly into the file rather than obfuscating the code or being obvious about the attempts to escape detection.

    Only one instance has been found in which multiple stages were used in order to obfuscate and obscure the attacker’s intentions. In this case, the attacker used a package called chazz to pull obfuscated code from the website, using a simple first stage to get it.

    There is a great deal of similarity between the first stage of the stealer code and the injector code. While this has been obfuscated with BlankOBF, it’s an obfuscation program. As soon as it is de-obfuscated, it reveals the Leaf $tealer.

    Malicious Packages

    Listed below are packages that feature similar IOC and apart from this, what we can expect is this list will grow over the coming months and years:-

    • modulesecurity – “Celestial Stealer”
    • informmodule – “Leaf $tealer”
    • chazz – first stage that pull from which contains the obfuscated code shown above
    • randomtime – “ANGEL stealer”
    • proxygeneratorbil – “@skid STEALER”
    • easycordey – “@skid Stealer”
    • easycordeyy – “@skid Stealer”
    • tomproxies – “@skid STEALER”
    • sys-ej – “Hyperion Obfuscated code”
    • infosys – “@734 Stealer”
    • sysuptoer – “BulkFA Stealer”
    • nowsys – “ANGEL Stealer”
    • upamonkws – “PURE Stealer”
    • captchaboy – “@skid STEALER”
    • proxybooster – “Fade Stealer”

    W4SP Copies

    W4SP’s original publication in loTus’s repository has been disabled by GitHub staff due to the violation of the T&C of GitHub, and as a result, it will be not found anymore.

    It has been Phylum’s mission for some time to monitor the actions of these threat actors in an attempt to finally bring down their infrastructure, due to their persistent, pervasive, and egregious nature.

    It was discovered that several copies of W4SP-Stealer started flashing under different names as soon as the repo for W4SP-Stealer was removed. This new stealer is even being distributed through PyPI by threat actors already, which is a sign that it is becoming a real threat.

    It has been discovered that W4SP has been hosted in two GitHub repositories under two different aliases, each with its own purpose.

    • Satan Stealer
    • angel-stealer

    There is a copy of the original source here, as well as the earlier versions of W4SP, hosted in an account titled aceeontop. 

    W4SP Stealer will likely remain part of the scene for quite some time to come, as will their imitations and other variants.

    There will be a constant increase in their number of attempts, their persistence, and their sophistication as time passes. However, Phylum ensured that it would mitigate and block supply chain attacks since its platform is capable enough in doing so.

    Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware

    Tags: Information Stealer Malware

    Dec 21 2022


    Category: Antivirus,Cheat Sheet,MalwareDISC @ 9:21 am

    VirusTotal cheat sheet makes it easy to search for specific results

    Opening the Blackbox of VirusTotal, analyzing online phishing scan engines

    The Antivirus Hacker’s Handbook

    Mastering Malware Analysis

    Infosec books | InfoSec tools | InfoSec services

    Tags: VirusTotal, VirusTotal INTELLIGENCE CHEAT SHEET

    Dec 20 2022

    Microsoft shares details for a Gatekeeper Bypass bug in Apple macOS

    Category: Bug Bounty,MalwareDISC @ 11:02 am

    Microsoft disclosed technical details of a vulnerability in Apple macOS that could be exploited by an attacker to bypass Gatekeeper.

    Microsoft has disclosed details of a now-fixed security vulnerability dubbed Achilles (CVE-2022-42821, CVSS score: 5.5) in Apple macOS that could be exploited by threat actors to bypass the Gatekeeper security feature.

    The Apple Gatekeeper is designed to protect OS X users by performing a number of checks before allowing an App to run. In fact, you will not be able to execute code that wasn’t signed by an Apple developer, you will not be able to run apps that weren’t downloaded from Apple’s store if the device is not jailbreaked of course.

    The flaw was discovered on July 27, 2022, by Jonathan Bar Or from Microsoft, it is a logic issue that was addressed with improved checks.

    “On July 27, 2022, Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple’s Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call “Achilles”.” reads the post published by Microsoft.

    Microsoft researchers explained that Gatekeeper bypasses can be used by threat actors to install malware on macOS systems.

    The experts pointed out that Apple’s Lockdown Mode introduced in July does not prevent the exploitation of the Achilles bug.

    The Achilles vulnerability relies on the Access Control Lists (ACLs) permission model to add extremely restrictive permissions to a downloaded file (i.e., “everyone deny write, writeattr, writeextattr, writesecurity, chown”), to block the Safari browser from setting the quarantine extended attribute.

    Below is the POC developed by Microsoft:

    1. Create a fake directory structure with an arbitrary icon and payload.
    2. Create an AppleDouble file with the extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of “everyone deny write,writeattr,writeextattr,writesecurity,chown”). Perform the correct AppleDouble patching if using ditto to generate the AppleDouble file.
    3. Create an archive with the application alongside its AppleDouble file and host it on a web server.
    Gatekeeper bypass.png

    while video POC is available here.

    Tags: Gatekeeper Bypass bug

    Dec 12 2022

    95.6% of New Malware in 2022 Targeted Windows

    Category: Malware,Windows SecurityDISC @ 11:06 am

    Malware attacks are a growing problem in our increasingly digital world. By infiltrating computers and networks, malicious software can cause serious harm to those affected by it.

    One of the most common types of malware is ransomware (encryption-based malware), which prevents users from accessing their files until they pay a hefty fee to the cyber attacker. This type of attack has been used to target everything from individuals to large organizations, including government agencies and healthcare providers.

    In addition to financial losses, malware attacks can have devastating effects on businesses and individuals. In some cases, sensitive data can be stolen or destroyed as part of an attack. This can lead to identity theft and other forms of fraud, as well as put organizations at risk for long-term damage if confidential information is exposed or compromised.

    Research Findings

    A recent study by Atlas VPN shows how malware infection is on the rise and the trends in the new malware samples found in the first three quarters of 2022. 

    According to researchers, 59.58 million samples of new Windows malware were found in the first three quarters of 2022 and these make up 95.6% of all new malware discovered during that time period. 

    This analysis was based on data by AV-TEST GmbH, an independent organization that evaluates and rates antivirus and supplies services in IT Security and Antivirus Research. The study also includes new malware samples detected in the four quarters of 2021 and the first three quarters of 2022. 

    Windows, Linux, and Android Malware

    Overall, there is a downward trend in the data with the malware samples this year has decreased by 34% as compared to the same period last year. However, the numbers are still exceptionally high.

    Following Windows on the list is Linux malware with 1.76 million new malware samples – 2.8% of the total malware threats in 2022. 

    Android malware takes third place with the first three quarters of 2022 seeing 938,379 new Android malware threats, constituting 1.5% of the total new malware. 

    Lastly, 8,329 samples of never before seen malware threats aimed at macOS were observed in the same period. 

    Total Number of Malware

    The study also shows that the total number of malware threats found in the first three quarters of 2022 across all operating systems amount to 62.29 million. This is about 228,164 malware threats daily. 

    If we make a quarter-by-quarter comparison, the first quarter of 2022 saw the most significant number of malware samples – 22.35 million. However, this number dropped by 4% to 21.49 million in the second quarter of this year. Again, it decreased by another 14% to 18.45 million. 

    The numbers continue to plummet into the fourth quarter of the year with 7.62 million new threats found in October and November – nearly 60% less than at the same time last year. 

    Protection Against Malware

    Malware is a pervasive threat to internet users on both personal and professional networks. It can cause serious damage to computers, networks, and data that can be expensive to fix. Fortunately, there are steps you can take to protect yourself from malware.

    The most important step in protecting your network from malware is keeping your anti-malware software up to date. Regularly updating anti-malware programs ensures that they’re able to detect the latest threats and keep them away from your computer or network.

    Additionally, be sure not to click on suspicious links or download files from unknown sources as these could contain malicious code that could harm your system.

    Another way to stay safe online is by using a secure web browser with built-in security features like pop-up blockers, phishing protection, and ad blockers ((don’t use it on though :0)) for enhanced protection against malicious activities.

    95.6% of New Malware in 2022 Targeted Windows

    Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

    Tags: Malware, Malware Analysis

    Dec 09 2022

    Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

    Category: Hacking,MalwareDISC @ 1:44 pm

    ThreatFabric’s security researchers have reported a new dark web platform through which cybercriminals can easily add malware to legitimate Android applications.

    Dubbed Zombinder, this platform was detected while investigating a campaign in which scammers were distributing multiple kinds of Windows and Android malware, including Android banking malware like Ermac, Laplas “clipper,” Erbium, and the Aurora stealer, etc.

    This comes just days after a new dark web marketplace called InTheBox surfaced online, serving smartphone malware developers and operators.

    Further probe helped researchers trace the adversary to a third-party dark web service provider called Zombinder. It was identified as an app programming interface binding service launched in March 2022.

    Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

    According to ThreatFabric’s blog post, numerous different threat actors are using this service and advertising it on hacker forums. On one such forum, the service was promoted as a universal binder that binds malware with almost any legitimate app.

    The campaign is designed to appear as it helps users access internet points by imitating the WiFi authorization portal. In reality, it pushes several different malware strains.

    What does Zombinder Do?

    In the campaign detected by ThreatFabric’s researchers, the service is distributing the Xenomorph banking malware disguised as the VidMate app. It is distributed via modified apps advertised/downloaded from a malicious website mimicking the application’s original website. The victim is lured to visit this site via malicious ads.

    The Zombinder-infected app works just as it is marketed while the malicious activity carries on in the background and the victim stays unaware of the malware infection.

    Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

    At the moment, Zombinder is focusing entirely on Android apps but the service operators are offering Windows apps binding services. Those who downloaded the infected Windows app were delivered the Erbium stealer as well. It is an infamous Windows malware distributed to steal stored passwords, cookies, credit card details, and cryptocurrency wallet data.

    It is worth noting that two downloaded buttons on the malicious website’s landing page, one for Windows and the other for Android. when a user clicks on the Download for Windows button, they are delivered malware designed for Microsoft operating system, including Aurora, Erbium, and Laplas clipper. Conversely, the Download for Android button distributes the Ermac malware.

    How to Stay Protected?

    If you want to stay safe, do not sideload apps even if you are desperate to make a specific product work. Also, avoid installing apps from unauthentic or unknown sources onto your Android mobile phone and rely on legitimate sources such as Google Play Store, Amazon Appstore, or Samsung Galaxy Store. Always check the app’s rating, and reviews, and check out the app developers’ website before installing a new app.

    Cyber Deep Web

    Tags: Cyber Deep Web, dark net, dark web, Zombinder

    Dec 01 2022

    The CHRISTMA EXEC network worm – 35 years and counting!

    Category: MalwareDISC @ 11:32 am

    Forget Sergeant Pepper and his Lonely Hearts Club Band, who taught the band to play a mere 20 years ago today.

    December 2022 sees the 35th anniversary of the first major self-spreading computer virus – the infamous CHRISTMA EXEC worm that temporarily crushed the major mainframe networks of the day…

    … not by any deliberately coded side-effects such as file scrambling or data deletion, but simply by leeching too much network bandwidth for its own unauthorised purpose.

    As a decoy to disguise the fact that it read in the 1980s IBM equivalents of your email address book (NAMES) and your known-hosts file (NETLOG) in order to find as many new recipients of the malware as possible to send itself to, the malware displayed this:

              *************                A
               ***********                VERY
           *******************           HAPPY
             ***************            CHRISTMAS
         ***********************         AND MY
           *******************         BEST WISHES
       ***************************     FOR THE NEXT
                 ******                    YEAR

    If you’re wondering why the virus is widely known as CHRISTMA EXEC, rather than by the full word CHRISTMAS

    …that’s because filenames were limited to eight characters, which could be followed by a space and what we would today call an “extension” of EXEC in order to turn them into scripts that could be run directly by the user – executed, in technical jargon.

    The virus itself was written in IBM’s powerful text-based scripting language REXX (the resoundingly named Restructured Extended Executor), so a non-programmer looking at the message would probably recognise it as “program code”, and therefore tend to ignore it as unimportant and irrelevant, for all that it might look interesting.

    Except that the author of the virus found a cheerful way to embed an instructional lure right into the code itself, which starts with a remark (as in the C language, text between /* and */ in REXX programs is treated as a comment and ignored when the file gets used)…

    /*    LET THIS EXEC  */
    /*                   */
    /*        RUN        */
    /*                   */
    /*        AND        */
    /*                   */
    /*       ENJOY       */
    /*                   */
    /*     YOURSELF!     */

    …and then offers the following cheery advice to non-techies:

    /*  browsing this file is no fun at all
           just type CHRISTMAS from cms     */

    CMS is short for Conversational Monitor System, a command prompt environment on top of IBM’s venerable VM/370 operating system and its many variants, which offered individual users a real-time virtual machine that behaved like a computer all of their own, with its own disk space for storing personal files and programs.

    Handily, the user didn’t have to be taught to leave the final -S off the word CHRISTMAS, because CMS would automatically ignore any extra characters and hunt for CHRISTMA EXEC, which was the very script program that the user had just received without expecting it or asking for it.

    As stated above, the code did indeed display the Christmas Tree ASCII art – or, more precisely, EBCDIC art, given that IBM famously had its own character encoding system known as Extended Binary Coded Decimal Interchange Code (pronounced ebb-si-dick).

    But it also trawled through your NAMES and NETLOG files, which listed other users and computers you regularly contacted, and copied itself to all of them, so that for every user who innocently typed CHRISTMAS at the command prompt…

    …a sea of copies of the virus (20? 50? 200?) would be distributed, potentially worldwide, and if any of those recipients (20? 50? 200?) innocently typed CHRISTMAS at the command prompt…

    …a sea of copies of the virus would be distributed, and so on, and so on.

    Shades of the future

    As we said in this week’s podcast, where we discussed this seminal worm:

    [This is j]ust like modern macro malware that says to the user, “Hey, macros are disabled, but for your ‘extra safety’ you need to turn them back on… why not click the button? It’s much easier that way.”

    35 years ago, malware writers had already figured out that if you ask users nicely to do something that is not at all in their interest, some of them, possibly many of them, will do it.

    Detection of Network Worm to Eliminate Security Threats in MANET: Wormhole Attack and its Challenges

    Tags: CHRISTMA EXEC network worm

    Nov 21 2022

    Chinese Hackers Using 42,000 Phishing Domains To Drop Malware On Victims Systems

    Category: Hacking,Malware,PhishingDISC @ 11:13 am

    An extensive phishing campaign targeting businesses in numerous upright markets, including retail, was discovered by Cyjax recently in which the attackers exploited the reputation…

    China’s Playbook – new Art of War

    War Without Rules: China's Playbook for Global Domination

    Tags: Art of war, China's Playbook, Chinese hackers

    Next Page »