.NET Malware 101: Analyzing the .NET Executable File Structure

Welcome to our deep dive into the world of .NET malware reverse engineering. As a security researcher or analyst, you’re likely aware that the .NET framework, famed for its ability to enable rapid and robust application development, is a double-edged sword. The same features that make it attractive to legitimate developers also make it a […]
FBI Takedown: IPStorm Botnet Infrastructure Dismantled

Written by Nicole Fishbein and Avigayil Mechtinger. UPDATE NOVEMBER 2023: IPStorm Infrastructure Dismantled by FBI. The FBI today revealed US law enforcement’s dismantlement of a botnet proxy network, along with a guilty plea from the individual responsible for the botnet infrastructure associated with the IPStorm malware. This achievement is a significant milestone in […]
How Hackers Use Binary Padding to Outsmart Sandboxes and Infiltrate Your Systems

What is binary padding? How can you detect threats that use junk data in various ways to evade defensive systems and sandboxes? Read on to learn more. Binary padding is the process of adding extra or junk data to a portable executable (PE) file that, while not changing the behavior of the binary, changes certain […]
Malware Reverse Engineering for Beginners – Part 2

In part 1 of this series, we warmed up and aligned with basic computing terminologies. We learned the basics of assembly and how to use disassemblers. All of these tools and techniques are very important for reversing malware samples. Different sorts of malware have different capabilities and implementations. As reverse engineers, we need to be […]
Conducting Digital Forensics Incident Response (DFIR) on an Infected GitLab Server

GitLab servers are under attack via a now-patched critical vulnerability. Earlier this week we investigated an incident that occurred on a user’s GitLab server. After the user installed a sensor on their server, an initial runtime scan was performed. An alert was immediately triggered on the execution of a malicious Metasploit shellcode named gitlab.elf, which […]
Misconfigured Airflows Leak Thousands of Credentials from Popular Services

This research refers to misconfigured Apache Airflow managed by individuals or organizations (“users”). As a result of the misconfiguration, the credentials of users are exposed, including their own credentials to the different platforms, applications and services mentioned in this article. This article doesn’t refer to exposed credentials of the entities behind the development of the […]
ELF Malware Analysis 101: Part 3 – Advanced Analysis

Getting Caught Up to Speed. So far in this series we have profiled the ELF threat landscape and covered the most common intrusion vectors seen in Linux systems. We also pursued initial ELF analysis with an emphasis on static analysis. We learned about the different artifacts and components that are relevant for initial analysis and […]
Detect Malware Associated with the Most Exploited CVEs

Unpatched or undetected software vulnerabilities are a common malware delivery vector once attackers exploit them. Last month, the US-CERT urged IT security professionals to patch the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors from 2016 to 2019. The alert advised that a concerted effort among the public and private sectors to […]
ELF Malware Analysis 101: Linux Threats No Longer an Afterthought

Linux has a large presence in the operating systems market because it’s open source, free, and software-development oriented—meaning its rich ecosystem gives developers easy access to many different artifacts. Linux is the predominant operating system for web servers, IoT, supercomputers, and public cloud workloads. Although Linux holds only two percent of the desktop market […]
Linux Rekoobe Operating with New, Undetected Malware Samples

Introduction. Our research team has identified new versions of an old Linux malware known as Rekoobe, a minimalistic trojan with a complex CNC authentication protocol that originally targeted SPARC and Intel x86/x86-64 systems back in 2015. The new malware samples have lower detection rates than their predecessors. We believed this malware ceased its operation in 2016 […]