Malware Analysis

Malware Analysis

63 bookmarks
Custom sorting
BLUERABBIT: A Golang-Based Backdoor with Ransomware and Destructive Capabilities
BLUERABBIT: A Golang-Based Backdoor with Ransomware and Destructive Capabilities
Meet BLUERABBIT, this Golang-based backdoor, attributed to a likely Iran-nexus threat actor, routes its command-and-control through RabbitMQ (AMQP) for tasking, Redis for state management, and MinIO for S3-compatible data exfiltration. # Phase Description 1 Initial Execution Binary executes, checks HKCU\Software\OneDrive\Environment registry key for prior execution 2 Persistence Creates “OneDrive Update” scheduled task with 60-second repeat interval and startup trigger 3 C2 Registration Connects to RabbitMQ (AMQP), declares a queue named after the victim device 4 Tasking Receives numeric task IDs over AMQP, maps each to a built-in module 5 Reconnaissance Profiles OS, hardware, network, installed software, security products, BitLocker status, drivers, domain 6 Exfiltration Stages files in GUID-named directories, exfiltrates to attacker-controlled MinIO infrastructure 7 Destructive Actions Disables recovery, encrypts files (.candy), and/or wipes disks across all logical drives Capability Matrix BLUERABBIT operates on a modular tasking system. Category Description Remote Access Full remote desktop-style control with keyboard and mouse input via VNC; shell command execution Surveillance Screenshot capture, screen recording, process and Windows service enumeration and management System Profiling OS details, hardware configuration, network settings, installed software, security products, BitLocker status, installed drivers, domain information File Exfiltration Files staged in GUID-named directories and exfiltrated to attacker-controlled MinIO (S3-compatible) cloud storage File Encryption Encrypts files across all logical drives with .candy extension; replaces desktop wallpaper with AI-generated “High-Alert” image Disk Wiping (Single-Pass) Overwrites all drives with random data in a single pass Disk Wiping (Multi-Pass) Writes zeros, random data, and 0xFF in sequence across all drives, rendering systems permanently unrecoverable Anti-Recovery Disables automatic reboot, system recovery, and scheduled maintenance; takes ownership of critical boot files The combination of exfiltration and encryption is consistent with a double extortion model: data is stolen before encryption occurs. Initial Execution and Persistence Upon execution, BLUERABBIT checks the registry key HKCU\Software\OneDrive\Environment to track its execution count. If this key does not exist, the malware assumes it is running for the first time and executes a PowerShell command to establish persistence as a scheduled task named “OneDrive Update,” deliberately impersonating a legitimate Microsoft service. The scheduled task itself must be removed to break persistence. The following registry modifications are made to disable automatic reboot and system recovery: Registry Path Value Effect HKLM\SYSTEM\CurrentControlSet\Control\CrashControl AutoReboot = 0 Prevents automatic reboot on crash HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU NoAutoRebootWithLoggedOnUsers = 1 Blocks reboot while users are logged on HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance MaintenanceDisabled = 1 Disables scheduled maintenance HKLM\SYSTEM\CurrentControlSet\Control\Windows NoAutoRebootWithLoggedOnUsers = 1 Additional reboot suppression HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AlwaysAutoRebootAtScheduledTime = 0 Disables forced scheduled reboot The raw commands, preserved here for detection engineering purposes: Collectively, these modifications ensure that once BLUERABBIT begins encryption or wiping, the system cannot automatically recover, reboot into repair mode, or interrupt the destructive process. Scheduled task fingerprint: The combination of a task named “OneDrive Update,” created via New-ScheduledTaskAction with AllowStartIfOnBatteries, Hidden, and an immediate start trigger, is distinctive and unlikely to appear in legitimate enterprise tooling. Indicators of Compromise Type Indicator File (SHA-256) 633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001 File (SHA-256) 9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc
·binarydefense.com·
BLUERABBIT: A Golang-Based Backdoor with Ransomware and Destructive Capabilities
[2508.10038] Certifiably robust malware detectors by design
[2508.10038] Certifiably robust malware detectors by design
Malware analysis involves analyzing suspicious software to detect malicious payloads. Static malware analysis, which does not require software execution, relies increasingly on machine learning techniques to achieve scalability. Although such techniques obtain very high detection accuracy, they can be easily evaded with adversarial examples where a few modifications of the sample can dupe the detector without modifying the behavior of the software. Unlike other domains, such as computer vision, creating an adversarial example of malware without altering its functionality requires specific transformations. We propose a new model architecture for certifiably robust malware detection by design. In addition, we show that every robust detector can be decomposed into a specific structure, which can be applied to learn empirically robust malware detectors, even on fragile features. Our framework ERDALT is based on this structure. We compare and validate these approaches with machine-learning-based malware detection methods, allowing for robust detection with limited reduction of detection performance.
·arxiv.org·
[2508.10038] Certifiably robust malware detectors by design
Booz Allen Vellox Reverser
Booz Allen Vellox Reverser
Booz Allen Vellox Reverser is an AI-first malware reverse engineering product that automates the analysis of complex evasive malware in minutes not days.
·boozallen.com·
Booz Allen Vellox Reverser
HijackLibs.net
HijackLibs.net
HijackLibs provides an curated list of DLL Hijacking opportunities: mappings between DLLs and vulnerable executables, with additional metadata for more context. For defenders, this project can provide valuable information when trying to detect DLL Hijacking attempts; for red teamers, this project can help identify DLLs that can be used to achieve DLL Hijacking.
·hijacklibs.net·
HijackLibs.net
Sogen - Windows User Space Emulator
Sogen - Windows User Space Emulator
Sogen is a high-performance Windows user space emulator that can emulate windows processes. It is ideal for security-, DRM- or malware research.
·sogen.dev·
Sogen - Windows User Space Emulator
owasp-dep-scan/blint: BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
owasp-dep-scan/blint: BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries. - owasp-dep-scan/blint
·github.com·
owasp-dep-scan/blint: BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
GitHub - volexity/GoResolver: GoResolver is a Go analysis tool using both Go symbol extraction and Control Flow Graph (CFG) similarity to identify and resolve the function symbols of an obfuscated Go binary.
GitHub - volexity/GoResolver: GoResolver is a Go analysis tool using both Go symbol extraction and Control Flow Graph (CFG) similarity to identify and resolve the function symbols of an obfuscated Go binary.
GoResolver is a Go analysis tool using both Go symbol extraction and Control Flow Graph (CFG) similarity to identify and resolve the function symbols of an obfuscated Go binary. - volexity/GoResolver
·github.com·
GitHub - volexity/GoResolver: GoResolver is a Go analysis tool using both Go symbol extraction and Control Flow Graph (CFG) similarity to identify and resolve the function symbols of an obfuscated Go binary.
regshot
regshot
Download regshot for free. Regshot is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product.
·sourceforge.net·
regshot
LLVM-powered devirtualization
LLVM-powered devirtualization
Virtualization is a powerful technique for code obfuscation, and reversing it can be challenging. In this post, we cover the work done during an internship on developing an automated devirtualization tool. We explore a simplified taint-based approach and discuss its limitations. For a more in-depth analysis, the full report is also made available.
·blog.thalium.re·
LLVM-powered devirtualization
owasp-dep-scan/blint: BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
owasp-dep-scan/blint: BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries. - owasp-dep-scan/blint
·github.com·
owasp-dep-scan/blint: BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
csvl/SEMA: SEMA is based on angr, a symbolic execution engine used to extract API calls. Especially, we extend ANGR with strategies to create representative signatures based on System Call Dependency graph (SCDG). Those SCDGs can be exploited in machine learning modules to do classification/detection.
csvl/SEMA: SEMA is based on angr, a symbolic execution engine used to extract API calls. Especially, we extend ANGR with strategies to create representative signatures based on System Call Dependency graph (SCDG). Those SCDGs can be exploited in machine learning modules to do classification/detection.
SEMA is based on angr, a symbolic execution engine used to extract API calls. Especially, we extend ANGR with strategies to create representative signatures based on System Call Dependency graph ...
·github.com·
csvl/SEMA: SEMA is based on angr, a symbolic execution engine used to extract API calls. Especially, we extend ANGR with strategies to create representative signatures based on System Call Dependency graph (SCDG). Those SCDGs can be exploited in machine learning modules to do classification/detection.
No symbols? No problem!
No symbols? No problem!
This blog will share a tried and tested method for dealing with thousands of unknown functions in a given file to significantly decrease the time spent on analysis while improving accuracy. Once all theory is covered, an instance of the Golang based qBit stealer is analyzed with the demonstrated techniques to show what happens when the theory is put into practice.
·trellix.com·
No symbols? No problem!
DISGOMOJI Malware Used to Target Indian Government | Volexity
DISGOMOJI Malware Used to Target Indian Government | Volexity
Note: Volexity has reported the activity described in this blog and details of the impacted systems to CERT at the National Informatics Centre (NIC) in India. In 2024, Volexity identified a cyber-espionage campaign undertaken by a suspected Pakistan-based threat actor that Volexity currently tracks under the alias UTA0137. The malware used in these recent campaigns, which Volexity tracks as DISGOMOJI, is written in Golang and compiled for Linux systems. Volexity assesses with high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India. Based on Volexity’s analysis, UTA0137’s campaigns appear to have been successful. DISGOMOJI appears to be exclusively used by UTA0137. It is a modified version of the public project discord-c2, which uses the messaging service Discord for command and control (C2), making use of emojis for its C2 communication. The use of Linux malware for initial access paired with decoy documents (suggesting a […]
·volexity.com·
DISGOMOJI Malware Used to Target Indian Government | Volexity