Digital Certificates - When the Chain of Trust is Broken

As stated in a previous blog entry, it is common for malware authors to sign malicious files with “legitimate” digital certificates in order to bypass security products. In some cases, certificates are stolen or faked by advanced threat actors using complex techniques. But sometimes, certificate theft is as simple as legally purchasing a certificate from […]
Executable and Linkable Format 101 Part 3: Relocations

In our previous post, we went through the concept of symbols and their functionality. In this post we will introduce the concept of relocations and their relationship with symbols. By the end of this post, the reader will be ready to understand more advanced concepts, such as dynamic linking, which we will cover in depth […]
Unpacking reveals a file’s true DNA

After launching Intezer community edition in November 2017, we noticed that many of our users uploaded packed samples. Yet packed files don’t reveal the true ‘DNA’ of the files. Our goal at Intezer is to provide a clear detection (“Is the file good or bad?”), classify the malware (“Which kind of malware is it? What malware family […]
Building Your Bullet Proof Incident Response Plan

Cyber security is constantly evolving, and therefore rife with challenges. Whether hobbyist hackers or state-sponsored threat actors are targeting organizations, internal security operations center (SOC) teams must proactively assemble a robust incident response plan in order to strategically manage and ultimately eradicate attacks. Security teams at even the largest organizations can be overwhelmed by the […]
Yet Another Distraction? A New Version of North Korean Ransomware Hermes Has Emerged

Detecting Reused Ransomware
Whether we’re dealing with a criminal threat actor looking to steal money from their victims using ransomware or malware sponsored by a nation state, we can consistently see the reuse of code. In this specific case, we have observed a variant of a well-known ransomware, via a new version of Hermes from […]
Executable and Linkable Format 101. Part 2: Symbols

In our previous post, we focused on understanding the relationship between sections and segments, which serve as the foundation for understanding the ELF file format. However, we will soon discover that we have ignored some degree of detail for the sake of simplicity. In the next couple of posts, we will focus on explaining the […]
Executable and Linkable Format 101 – Part 1 Sections and Segments

This marks the first of several blog posts that will focus on Executable and Linkable Format (ELF) files. In this series, we’ll introduce various topics, ranging from the basics of ELF files to Linux malware techniques such as infection vectors, custom packer techniques and common malware practices like dynamic API resolving or ELF […]
BLOCKBUSTED: Lazarus, Blockbuster, and North Korea

As we have proven in previous research blog posts, malware authors often reuse the same code. This evolution of code and code reuse is seen all throughout the well known Blockbuster campaign and connections between other malware attributed to the Lazarus group, a cyber threat organization attributed to North Korea. You can read about excellent […]
Don’t Be Fooled By Malware Signed with Stolen Certificates

Recent research conducted by the Cyber Security Research Institute (CSRI) demonstrates how easy and common it is for threat actors to purchase stolen digital certificates in order to bypass security solutions. In this blog, we will use this research to show how Intezer Analyze™ deals with signed malware files, even if they have a legitimate […]
IcedID Banking Trojan Shares Code with Pony 2.0 Trojan

IBM X-Force recently released an excellent report on a new banking trojan named IcedID that is being distributed using computers already infected with Emotet. We took the MD5 hash of one of the droppers listed in the IBM report and extracted its payload. After extracting the payload from the dropper, using […]