/r/Malware


A place for malware reports and information.

A place for malware reports and information for [anti]malware professionals and enthusiasts.

This is NOT a place for help with malware removal or any type of tech support. Ask your IT support staff, your search engine of choice, another subreddit (/r/antivirus or /r/techsupport for example), or a friend or relative. In that order.

Content rules:

  • This is a subreddit for readers to discuss technical malware news, malware internals and infection techniques, malware tools, and anything related to the professional world of [anti]malware. Technical Support posts are forbidden and will result in removal and a possible ban.
  • Our readers are intelligent, or at the very least technically curious. Posted content must be highly technical, well-researched, and of good quality.
  • Do not sensationalize or otherwise unnecessarily change the original title of the article you are linking. Clickbait will result in an immediate and permanent ban.

Chat with us:

#reddit-malware:matrix.org

77,648 Subscribers

0

Windows backup ransomware block

I would like to ask this community for help because the threat ID that I get is not very informative and I can't find a solution on the web. I'm having an issue where a Palo Alto firewall profile detects AvosLocker Ransomware Ransom Note SMB (86508) traffic when doing a backup from one server to another. The file it detects is a .vhdx file. Repeating the backup, it detects .vhdx.mrt and later .vhdx.prefetch. Before that it detected some .tmp files that had no info in them, just a bunch of null values. After deleting those files and repeating the backup, only the .vhdx file problem remains. How should one understand this detection?

  1. Does it detect signs of ransomware software, or only a 'ransomware note' as the name suggests?
  2. Does the profile compare hashes and find similar ransomware IOCs when doing the backup, or does it read the content of the file and recognise a ransomware note?
  3. Does it recognize a pattern similar to how ransomware acts (large file transfer, weird file extensions)? (Other backups from other servers go through the firewall without getting blocked with the same profile settings.)

I've already scanned the system for malware but have not yet started a deeper inspection of the system with YARA rules to find IOCs; before that I would like to find out how the detection happens. Thank you for any kind of info ❤️

0 Comments
2024/05/05
14:31 UTC

0

Is this app "anihomie plus" malware?

I've seen reviews: one person saying it opened a website called trackmenow(DOT)com, and someone saying it opens weird apps on their phone.

0 Comments
2024/05/05
02:03 UTC

0

Browser closes instantly

I deleted Chrome and redownloaded it, but every browser closed instantly and shut down the PC every time, but I'm not sure??

0 Comments
2024/05/05
00:48 UTC

3

VirusTotal - Flags

I was hoping someone could explain briefly how virustotal.com works and why this seemingly safe file was flagged by one of the scans as malware.

File is Vortex mod manager from https://www.nexusmods.com/site/mods/1?tab=files&file_id=2896

Virus Total results: https://www.virustotal.com/gui/file/25956ebf73d290541f8abf8fd9f1a74bf12c6d03ad422bb8388b23b21cb67787/details

Detection: Gridinsoft (no cloud): Malware.Win32.PrivateLoader.tr

3 Comments
2024/05/04
03:19 UTC

1

Malware Analysis On Mac?

Has anyone here tried using a Mac to analyze both Windows and macOS malware? If so, what do you use?

5 Comments
2024/05/03
17:07 UTC

0

Government site has malware and viruses

Today while I was studying I saw a QR code in my study book which says it leads to the PDF version of the book. I wanted to download it, so I opened the QR code on my iPhone and it didn't open, so I opened my PC and entered the site. When I entered it, the Malwarebytes Chrome extension told me this site has malware. I was very confused, because how come a government site has malware and viruses?

I have two questions:

My first question: did I get malware or a virus on my computer? I'm concerned that the website infected my computer although I didn't click anything on the page.

Note: Malwarebytes deleted that malware, but I'm still concerned.

My second question: how come a huge, and I mean huge, government site has viruses and malware just by entering their site?

The link to the malware website is:

https://qrs.gpseducation.com/alemte7an/3669

8 Comments
2024/04/30
18:07 UTC

3

Memory Forensics with Volatility | PDF Malware Analysis with Any.Run | Cyber Incident Response

We covered a cyber incident response case study that involved malicious PDF malware delivered through a phishing email. The PDF malware, once opened, spawned a PowerShell session in a hidden window that executed a base64-encoded command to retrieve another malicious file from a C2 server. We extracted the sample using Volatility plugins, then uploaded the sample to VirusTotal and Any.Run to dynamically analyze the malware and extract the related artifacts.

Video

Writeup

3 Comments
2024/04/30
09:40 UTC

6

Understanding How CVEProject/cvelistV5 Works

Hey everyone,

I'm trying to get a better understanding of the CVEProject/cvelistV5 repository on GitHub: https://github.com/CVEProject/cvelistV5. Could anyone explain how it operates behind the scenes? Specifically, I'm curious about who is responsible for publishing and updating CVEs, and whether it provides an API that allows fetching the latest CVEs published every 24 hours.

I've already managed to get the latest CVEs with a simple Python script using the deltaLog.json file in the repo, but I'm wondering if there's a more streamlined API available. I prefer not to use the NVD API because the CVE list provides more detailed information about product names, versions, etc.

Thanks for your help!

1 Comment
2024/04/25
02:12 UTC

0

Fileless Malware Detection Tool Using memory forensics and Machine learning

Hey, I am just looking for a project based on this domain. If someone can help me out, reach out to me in DM. If you post any repo link related to the project, it will be a great favour.
Thanks

7 Comments
2024/04/23
14:17 UTC

3

Seeking Advice on Implementing a Vulnerability Management Solution Using Elasticsearch

Hi everyone!

I'm currently working on a project titled "Implementation of a Vulnerability Management Solution." I wrote a Python script to extract CVEs and filter them based on specific products, then save the data in CSV format. Additionally, I've set up Elasticsearch and Kibana on my machine.

I'm considering using the Eland API to integrate my script with Elasticsearch. The goal is to leverage Elasticsearch for analyzing the data, and for product comparison and filtering. Are there any alternative approaches or enhancements you could suggest?

Also, I'm fairly new to Elasticsearch and would appreciate any advice on how to enhance this project or implement new features.

Thanks in advance for your help!

2 Comments
2024/04/21
03:56 UTC
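As an added example that is not code from the cvelistV5 project or from either of the two posts it relates to (the cvelistV5 question above and this Elasticsearch one), the Python below does the three steps those posts describe: picks the CVE IDs that appeared in deltaLog.json since a given time, flattens the affected vendor/product/version data out of a CVE JSON 5 record into one document per product, and emits the NDJSON body an Elasticsearch _bulk request takes, so the records can be indexed with a plain HTTP POST rather than through Eland. The deltaLog entries and the CVE record are constructed samples that follow the field names used in the repository (fetchTime, new, updated, cveId, dateUpdated; cveMetadata, containers.cna.affected, descriptions, metrics); the CVE IDs and the vendor are placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed deltaLog.json content: newest snapshot first, as in the repository.
DELTALOG_SAMPLE = [
    {"fetchTime": "2024-04-25T01:00:00.000Z", "numberOfChanges": 2,
     "new": [{"cveId": "CVE-2024-99991", "dateUpdated": "2024-04-25T00:58:00.000Z"}],
     "updated": [{"cveId": "CVE-2024-99992", "dateUpdated": "2024-04-25T00:59:00.000Z"}]},
    {"fetchTime": "2024-04-24T23:00:00.000Z", "numberOfChanges": 1,
     "new": [{"cveId": "CVE-2024-99993", "dateUpdated": "2024-04-24T22:50:00.000Z"}],
     "updated": []},
]

# Constructed CVE JSON 5 record (the shape of cves/<year>/<range>/CVE-*.json).
RECORD_SAMPLE = {
    "dataType": "CVE_RECORD", "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-2024-99991", "state": "PUBLISHED",
                    "datePublished": "2024-04-25T00:58:00.000Z"},
    "containers": {"cna": {
        "affected": [
            {"vendor": "ExampleVendor", "product": "ExampleServer",
             "versions": [{"version": "2.0", "lessThan": "2.4.1",
                           "status": "affected", "versionType": "semver"}]},
            {"vendor": "ExampleVendor", "product": "ExampleAgent",
             "versions": [{"version": "1.3", "status": "affected"},
                          {"version": "1.4", "status": "unaffected"}]},
        ],
        "descriptions": [{"lang": "en", "value": "Constructed: auth bypass in the admin API."}],
        "metrics": [{"cvssV3_1": {"baseScore": 9.8, "baseSeverity": "CRITICAL",
                                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],
    }},
}


def _ts(value):
    """deltaLog timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def changed_cve_ids(deltalog, since):
    """IDs listed as new or updated after `since` (tz-aware), across all snapshots."""
    ids = set()
    for snapshot in deltalog:
        for key in ("new", "updated"):
            for item in snapshot.get(key, []):
                if _ts(item["dateUpdated"]) > since:
                    ids.add(item["cveId"])
    return sorted(ids)


def flatten_record(record):
    """One document per affected (vendor, product) so Kibana can filter on product directly."""
    meta, cna = record["cveMetadata"], record["containers"]["cna"]
    cvss = next((m[k] for m in cna.get("metrics", []) for k in m if k.startswith("cvssV3")), {})
    desc = next((d["value"] for d in cna.get("descriptions", []) if d.get("lang", "").startswith("en")), "")
    docs = []
    for aff in cna.get("affected", []):
        docs.append({
            "cve_id": meta["cveId"], "state": meta.get("state"), "published": meta.get("datePublished"),
            "vendor": aff.get("vendor"), "product": aff.get("product"),
            "affected_versions": [
                {k: v[k] for k in ("version", "lessThan", "lessThanOrEqual", "versionType") if k in v}
                for v in aff.get("versions", []) if v.get("status") == "affected"],
            "cvss_score": cvss.get("baseScore"), "cvss_severity": cvss.get("baseSeverity"),
            "description": desc,
        })
    return docs


def to_bulk_ndjson(docs, index="cves"):
    """Action/source line pairs for POST /_bulk; a deterministic _id makes re-runs idempotent."""
    lines = []
    for d in docs:
        lines.append(json.dumps({"index": {"_index": index, "_id": f"{d['cve_id']}|{d['vendor']}|{d['product']}"}}))
        lines.append(json.dumps(d))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    since = datetime(2024, 4, 25, tzinfo=timezone.utc)
    print(changed_cve_ids(DELTALOG_SAMPLE, since))
    print(to_bulk_ndjson(flatten_record(RECORD_SAMPLE)), end="")
```

In a real run, the IDs from changed_cve_ids are turned into paths under cves/ in the checked-out repository, each file is loaded with json.load and passed to flatten_record, and the NDJSON is POSTed to /_bulk with Content-Type application/x-ndjson. Keeping one document per product, with the version ranges as a nested list, is what makes the "filter by product" part of the project a plain term query in Kibana.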

8

[Video] Triaging Files on VirusTotal

0 Comments
2024/04/20
09:27 UTC

3

Trashing the Pandas: Analyzing Current Infrastructure Trends and T9000v2 - A Mustang Panda Case Study

0 Comments
2024/04/20
05:14 UTC

6

Need recommendations for Premium Tools

I was asked to find some tools that can be used for malware analysis and intel. At the moment the budget hasn't been established, but I'll cross that road later.

Currently, the tools used are all open source (Mostly from GREM / SANS) and there have been no problems with that, just was posed with collecting information about paid tooling.

We have IDA Pro and possibly Maltego on the drawing board, what other tools are worth purchasing?

0 Comments
2024/04/19
21:54 UTC

11

Are hidden incoming SMS common for C&C?

Did I stumble on some evidence of a compromise? Or am I just being paranoid? I'm not sure if what I'm seeing would be normal for android malware these days.

Carrier logs for the phone's one account show incoming messages from a single origin number, at a rate of about 50 per day, for a week. On the device, there is no record of this number - no texts or calls. It is an unknown number. The block lists on the device are small and don't show this number, and there's no blocking enabled at the carrier. Tech support at the carrier said the origin number is in their block for customers.

3 Comments
2024/04/17
20:46 UTC

8

A Powerful tracing engine based on Qemu

Dynamic tracing engines are crucial tools in reverse engineering. By executing a desired use-case and collecting code coverage, you can effectively narrow down the sections of the binary to refine your understanding of the program. While dealing with a MIPS binary reversing challenge, I came across a tool called Cannoli, which provides tracing capability in QEMU user mode. It allows you to write plugins to trace execution paths and memory operations like reads and writes. What's most fascinating about this tool is not just what it does (as there are other tools that also do this), but how quickly and elegantly it accomplishes its tasks. In other words, I was captivated by its engineering.

The tool's author patched QEMU to expose some of its internal functions, allowing you to inject your own code into the JIT code emitted by QEMU for execution. This is achieved by providing two callbacks: one before an instruction is lifted and another before an instruction performing a memory operation is lifted in QEMU. The real work is done by the code you inject into the JIT code. This custom code exposes execution trace and memory operation data via IPC to another process, which then post-processes this data.

Essentially, you'll be writing the consumer library for the data that is sent via IPC. The IPC design is also interesting. It uses shared-memory-based IPC, where you allocate a large block of memory that is divided into smaller chunks. The idea is to use chunk sizes that match your CPU cache size to avoid cache misses, thereby improving performance. The design supports a single producer and multiple consumers. A single write-only chunk is available to the producer, and once the producer is done, it releases the buffer to be consumed. The consumers then post-process the data, clear it, and release the memory chunk to be reused by the producer.

One important thing to note is that this tool doesn't allow you to modify the behavior of the executing program; it only allows you to observe the program's behavior. Despite this, it's still a very powerful tool. All of this is achieved by introducing about 200 lines of code into QEMU. There's a lot more to discuss about this tool than can fit into this small post. I would recommend checking out the project link and the blog posts that discuss the tool in depth.

Project link : https://github.com/MarginResearch/cannoli

https://margin.re/2022/05/cannoli-the-fast-qemu-tracer/

https://margin.re/2023/02/harness-the-power-of-cannoli/

4 Comments
2024/04/13
10:56 UTC

3

following Maldev academy course with c++

Hello, I'm not sure if this is the right place to ask, but I couldn't find an answer to it. I have prior experience in C++ and OOP C++ (up to C++11) but no C exposure, and I've heard from people who took the course that it is mainly in C. I'm asking whether the course can be followed using C++, or whether the C concepts used in it aren't C-unique (memory management, for example).

1 Comment
2024/04/12
04:00 UTC

12

[Fixed] Coding The Rat King: A Multi-Family Malware Configuration Parser

I somehow managed to not post the video last time, apologies

For those who just want to use the tool/look at code:

https://github.com/jeFF0Falltrades/rat_king_parser

0 Comments
2024/04/12
00:24 UTC

0

Malware Detect Request

I recently received a file from a user. It's supposed to be a file used in an online game, but I'm suspecting that the file is malware and sends sensitive information like account passwords to others. I checked the file, but I'm not a professional cyber-security engineer, so I would like to request some help. I will post the original link here.

https://anonymfile.com/50eN9/costumegeometry.bin

6 Comments
2024/04/11
18:38 UTC

1

Dark Web Email Search

Are there any good sources to use that can search the dark web to see if a particular email account/password has been compromised?

I'm familiar with 'Have I Been Pwned', however that focuses on large leaks and I'm interested to see what can be found for more general instances.

8 Comments
2024/04/11
08:48 UTC

7

Dynamic Malware Analysis of Konni RAT Malware APT37 With Any.Run

We analyzed Konni RAT malware, which was developed by the advanced persistent threat group APT37 according to MITRE ATT&CK. We performed dynamic malware analysis using the Any.Run cloud malware analysis tool. Konni malware masquerades as a Word document file which, when opened, downloads a spyware executable designed to exfiltrate machine OS and credential data to the main C2 server. The malware uses PowerShell to execute system commands to achieve the aforementioned objectives.

Video

Writeup

0 Comments
2024/04/06
11:55 UTC

9

Malware: Research shows that SpyLoan Apps have entered Tanzania and is exploiting Tanzanian Citizens.

https://www.researchgate.net/publication/379537228_Malware_Research_shows_that_SpyLoan_Apps_have_entered_Tanzania_and_is_exploiting_Tanzanian_Citizens

and

https://medium.com/@brotheralameen/malware-research-shows-that-spyloan-apps-have-entered-tanzania-and-is-exploiting-tanzanian-76ae9d2bb23f

In this research, we see the approach of SpyLoan malware apps in Tanzania. The threat actors then use the data to harass victims who refuse to pay their money, by means of extortion and blackmail, while the rest of their data remains in the cloud in China. Thus, a proof of cyber-espionage happening in Tanzania by the Chinese, and of the apps being a national security threat posed by the Chinese.

0 Comments
2024/04/03
19:19 UTC

4

⚠️ #Konni #APT LNK trickery: hiding multiple files in oversized LNK files

0 Comments
2024/04/03
12:11 UTC

3

From OneNote to RansomNote: An Ice Cold Intrusion

In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method. The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.

https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/

1 Comment
2024/04/01
11:56 UTC

4

Zero2Auto and Maldev Academy in terms of course quality.

Looking into getting into RE or Malware Research/Development and wondering any current opinions on these two courses. I already went through most of the RE stuff on Udemy but getting my company to pay for these might take a while for approval given that I only want this for my own personal interests and curiosity.

7 Comments
2024/04/01
08:54 UTC

11

Advanced Topics For Malware Analysis and RE

Hey everyone, I have been learning malware analysis for the last year and blue teaming for 2 years. For malware I studied:

- Practical Malware Analysis

- Malware Analysis Techniques

- TCM course

- ASM and C++ basics

I am also making reports for samples.

But I kind of get stuck in IDA Pro: I try to analyze every function and get into a rabbit hole, and I'm not much good in RE. Any resources?
And what should I know to work as a malware analyst, from techniques, books, and so on?

And lastly, I am not good in simple TI.

I kind of feel most of what I am learning is not what companies want, or not the real MA job.
Thanks.

8 Comments
2024/04/01
05:44 UTC

2

Compression/encryption Javascript from a phishing page

I recently encountered a phishing site targeting the customers, former and current, of several banks and credit unions. I reported the domain to the registrar listed on whois, who suspended the domain.

Before the domain got yanked, I saved a copy of a particular bit of Javascript on that phishing page. The code is unsurprisingly obfuscated. I have been able to make some sense of the logic in the code after figuring out the string-dictionary substitution scheme used in the code.

As far as I can tell, the code gathers browser characteristics and then uses XMLHttpRequest to send a compressed/encrypted (?) form of the data back to the scammers.

Below is the part of the code that does the compression/encryption, after some deobfuscation.

f = {
    // Entry point: compress D, mapping each 6-bit output value through a
    // fixed 64-character alphabet.
    'h': function (D) {
        if (D == null) {
            return '';
        } else {
            return f.g(D, function (E) {
                return "4qHnrLSYkzxFAiVN$QdfE3vT0CZymIXeGPwgs5OD78Wc1ouj6UtbKRlp2a-BJMh9+".charAt(E);
            });
        }
    },
    // LZW-style compressor with a growing code width; output bits are packed
    // six at a time, and the "5 == P" checks are the flush points.
    // H: dictionary, I: chars not yet emitted as literals, J: current phrase,
    // K: codes left before the width grows, L: next code, M: width in bits,
    // N: output chars, O: bit accumulator, P: bits currently held in O.
    'g': function (D, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T) {
        if (null == D) return '';
        for (H = {}, I = {}, J = '', K = 2, L = 3, M = 2, N = [], O = 0, P = 0, Q = 0; Q < D.length; Q += 1) {
            R = D.charAt(Q);
            Object.prototype.hasOwnProperty.call(H, R) || (H[R] = L++, I[R] = !0);
            S = J + R;
            if (Object.prototype.hasOwnProperty.call(H, S)) {
                J = S;
            } else {
                if (Object.prototype.hasOwnProperty.call(I, J)) {
                    // First use of a character: code 0 then 8 bits, or code 1 then 16 bits
                    if (256 > J.charCodeAt(0)) {
                        for (G = 0; G < M; O <<= 1, 5 == P ? (P = 0, N.push(F(O)), O = 0) : P++, G++);
                        for (T = J.charCodeAt(0), G = 0; 8 > G; O = T & 1 | O << 1, P == 5 ? (P = 0, N.push(F(O)), O = 0) : P++, T >>= 1, G++);
                    } else {
                        for (T = 1, G = 0; G < M; O = T | O << 1, 5 == P ? (P = 0, N.push(F(O)), O = 0) : P++, T = 0, G++);
                        for (T = J.charCodeAt(0), G = 0; 16 > G; O = O << 1 | T & 1, P == 5 ? (P = 0, N.push(F(O)), O = 0) : P++, T >>= 1, G++);
                    }
                    K--, 0 == K && (K = Math.pow(2, M), M++), delete I[J]
                } else for (T = H[J], G = 0; G < M; O = T & 1 | O << 1, P == 5 ? (P = 0, N.push(F(O)), O = 0) : P++, T >>= 1, G++);
                // Add the new phrase to the dictionary and restart from R
                J = (K--, K == 0 && (K = Math.pow(2, M), M++), H[S] = L++, String(R))
            }
        }
        // Emit the code for the final phrase
        if ('' !== J) {
            if (Object.prototype.hasOwnProperty.call(I, J)) {
                if (256 > J.charCodeAt(0)) {
                    for (G = 0; G < M; O <<= 1, P == 5 ? (P = 0, N.push(F(O)), O = 0) : P++, G++);
                    for (T = J.charCodeAt(0), G = 0; 8 > G; O = T & 1 | O << 1, 5 == P ? (P = 0, N.push(F(O)), O = 0) : P++, T >>= 1, G++);
                } else {
                    for (T = 1, G = 0; G < M; O = O << 1 | T, 5 == P ? (P = 0, N.push(F(O)), O = 0) : P++, T = 0, G++);
                    for (T = J.charCodeAt(0), G = 0; 16 > G; O = O << 1 | 1 & T, P == 5 ? (P = 0, N.push(F(O)), O = 0) : P++, T >>= 1, G++);
                }
                K--, K == 0 && (K = Math.pow(2, M), M++), delete I[J]
            } else for (T = H[J], G = 0; G < M; O = 1 & T | O << 1, P == 5 ? (P = 0, N.push(F(O)), O = 0) : P++, T >>= 1, G++);
            K--, 0 == K && M++
        }
        // End-of-stream marker (value 2), then flush the partial character
        for (T = 2, G = 0; G < M; O = O << 1 | 1 & T, P == 5 ? (P = 0, N.push(F(O)), O = 0) : P++, T >>= 1, G++);
        for (;;) {
            if (O <<= 1, 5 == P) {
                N.push(F(O)); break
            } else P++;
        }
        return N.join('')
    }
}

The way it is used is encoded_string=f.h(original_string).

Does this code look familiar to anyone?

3 Comments
2024/03/31
22:23 UTC
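For anyone else staring at that snippet: the g function is lz-string's _compress with six bits per output character, which is what compressToEncodedURIComponent uses, and the 65-character string in h is lz-string's URI-safe alphabet (A-Z, a-z, 0-9, +, -, $) shuffled; only indexes 0 to 63 are ever emitted, so the final + is unused. The Python below is an added example, not code from the post or from the lz-string project: a port of the compressor and the matching decompressor, parameterised on the alphabet, so that lz_decompress turns a captured POST body back into the browser-fingerprint data the page collected. It assumes the alphabet is exactly the one in the snippet and that the captured value is passed in unchanged (spaces are folded back to +, as lz-string does after URL decoding).

```python
ALPHABET = "4qHnrLSYkzxFAiVN$QdfE3vT0CZymIXeGPwgs5OD78Wc1ouj6UtbKRlp2a-BJMh9+"  # from f.h
BITS = 6  # bits per output character: the "5 == P" flush checks in the snippet


def lz_compress(text, alphabet=ALPHABET):
    """Port of lz-string's _compress; should equal f.h(text) for the snippet's alphabet."""
    out, val, pos = [], 0, 0
    dictionary, pending = {}, set()      # pending: chars not yet sent as literals
    enlarge_in, dict_size, num_bits = 2, 3, 2

    def write(value, nbits):             # least significant bit of value goes out first
        nonlocal val, pos
        for _ in range(nbits):
            val, value = (val << 1) | (value & 1), value >> 1
            if pos == BITS - 1:
                out.append(alphabet[val]); val, pos = 0, 0
            else:
                pos += 1

    def grow():                          # widen codes once 2**num_bits have been used
        nonlocal enlarge_in, num_bits
        enlarge_in -= 1
        if enlarge_in == 0:
            enlarge_in, num_bits = 2 ** num_bits, num_bits + 1

    def emit(phrase):
        if phrase in pending:            # first use: escape 0 + 8 bits, or 1 + 16 bits
            code = ord(phrase)
            write(0 if code < 256 else 1, num_bits)
            write(code, 8 if code < 256 else 16)
            pending.discard(phrase)
            grow()
        else:
            write(dictionary[phrase], num_bits)
        grow()

    cur = ""
    b = text.encode("utf-16-le", "surrogatepass")   # JS strings are UTF-16 code units
    for ch in (chr(b[i] | b[i + 1] << 8) for i in range(0, len(b), 2)):
        if ch not in dictionary:
            dictionary[ch] = dict_size; dict_size += 1; pending.add(ch)
        if cur + ch in dictionary:
            cur += ch
        else:
            emit(cur)
            dictionary[cur + ch] = dict_size; dict_size += 1
            cur = ch
    if cur:
        emit(cur)
    write(2, num_bits)                   # end-of-stream marker
    while True:                          # flush the partial output character
        val <<= 1
        if pos == BITS - 1:
            out.append(alphabet[val]); return "".join(out)
        pos += 1


def lz_decompress(data, alphabet=ALPHABET):
    """Port of lz-string's _decompress: recovers what f.h(...) produced."""
    if not data: return ""               # (lz-string itself returns null for "")
    data = data.replace(" ", "+")        # lz-string undoes URL-decoding of '+'
    lookup = {c: i for i, c in enumerate(alphabet)}
    st = {"val": lookup.get(data[0], 0), "pos": 1 <<(BITS - 1), "idx": 1}

    def read(nbits):                     # mirror of write(): bit i of the result
        bits = 0
        for i in range(nbits):
            if st["val"] & st["pos"]:
                bits |= 1 << i
            st["pos"] >>= 1
            if st["pos"] == 0:
                st["pos"] = 1 << (BITS - 1)
                st["val"] = lookup.get(data[st["idx"]], 0) if st["idx"] < len(data) else 0
                st["idx"] += 1
        return bits

    kind = read(2)                       # 0: 8-bit literal, 1: 16-bit literal, 2: empty
    if kind == 2: return ""
    w = chr(read(8 if kind == 0 else 16))
    dictionary, result, enlarge_in, num_bits = [None, None, None, w], [w], 4, 3
    while True:
        if st["idx"] > len(data): return ""   # ran off the end without an end marker
        c = read(num_bits)
        if c in (0, 1):                  # literal escape: new single-unit entry
            dictionary.append(chr(read(8 if c == 0 else 16)))
            c, enlarge_in = len(dictionary) - 1, enlarge_in - 1
        elif c == 2:
            return "".join(result).encode("utf-16-le", "surrogatepass").decode("utf-16-le")
        if enlarge_in == 0:
            enlarge_in, num_bits = 2 ** num_bits, num_bits + 1
        if c < len(dictionary):
            entry = dictionary[c]
        elif c == len(dictionary):       # the KwKwK case
            entry = w + w[0]
        else:
            return None                  # corrupt, or not data from this compressor
        result.append(entry); dictionary.append(w + entry[0])
        w, enlarge_in = entry, enlarge_in - 1
        if enlarge_in == 0:
            enlarge_in, num_bits = 2 ** num_bits, num_bits + 1
```

lz_compress is only there to check the identification: for any input it should match f.h(input) run against the posted snippet in a browser console or node. Another kit with its own shuffled alphabet just needs that string passed as the alphabet argument; the bit layout stays the same.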

6

[Video] JS to PowerShell to XWorm with Binary Refinery

0 Comments
2024/03/31
12:05 UTC
