Posts

Showing posts from March, 2025

XWorm Unmasked: Weaponizing Script Obfuscation and Modern Evasion Techniques

Summary

The XWorm malware family is known for leveraging VBScript (VBS), Batch (BAT), and PowerShell (PS1) scripts to implement advanced obfuscation and evasion techniques, which are highly modular and weaponized; it is also a sophisticated RAT.

Technique analysis

Sample: md5 a2907290e94d10d566afaad71f0a77d2, SHA256 ecb6c26329c5aa711c857bb37431b6d5037b0d28818af4c033c78231d007bb40

Combining script-based obfuscation (VBS/BAT/PS1) with multiple stages: this malware sample uses VBScript to create a batch file, WordDoc.bat. WordDoc.bat runs, injects and executes the injected code, which is a PowerShell script, and the PS1 finally loads a malicious embedded payload and connects to the attacker's Command & Control (C2) server. The attack payload is thus loaded through a multi-stage chain.

Fig.1 Combining VBS+BAT+PS1 and multi-stages

In VBScript, the ...

The New Face of PowerShell: Ransomware Powered by PowerShell-Based Attacks

Summary

Writing malicious code in PowerShell is nothing unusual, but in the past PowerShell usually played a supporting role, such as executing cmdlets or acting as a loader; that trend is now changing. Ransomware written entirely in pure PowerShell had never been seen before, and recently many such samples were discovered, which attracted me to learn what happened.

Technique analysis

The PowerShell ransomware samples share the same abilities, such as deleting shadow copies, stopping interfering processes, disabling Defender, spreading across the network, and adding registry persistence; the whole thing is done by PowerShell alone.

Third-party software encryption scheme

One of the PowerShell ransomware samples utilizes the free third-party encryption software VeraCrypt to help encrypt the data on the drive; it downloads it from the remote address https[:]//Launchpad[.]net/veracrypt/trunk/1.25.9/+download/VeraCrypt_Setup...

The Art of Evasion: How Attackers Use VBScript and PowerShell in the Obfuscation Game

Summary

As we know, using obfuscated VBScript to execute obfuscated PowerShell is a common technique in malware to evade detection and complicate analysis. This approach leverages the strengths of both scripting languages while making it harder for security tools and analysts to understand the malicious intent.

Recently I came across a malware sample that is very well designed around these obfuscation techniques, which is so interesting that it attracted my curiosity to learn more about what happens inside the malware; it also had a low detection rate until it was first discovered.

Below, I would like to share how the attackers use VBScript and PowerShell to evade detection; maybe it can help other malware researchers or analysts. The technique is common, but the way it is done here is uncommon, and both the VBScript obfuscation and the PowerShell obfuscation are discussed.

Technical analysis

Basic info

The sample hashes: md5 0e513e80fc18...

The Art of Deception: A Deep Dive into Advanced Trojan-Dropper Obfuscation and Their True Intentions

Summary

First, thanks to Szabolcs Schmidt, who called on global malware analysts on X to analyze the samples; I really appreciate his work, and he is helping to make cybersecurity safer and stronger. In this report, I plan to dive deep into more details of the advanced Trojan dropper; it looks like obfuscation mechanisms, but until now their true intentions have been unknown. The Trojan dropper is very intriguing and different from other APT groups. If you are keen to learn from the latest related report, please click here.

Technical analysis

Basic info

The sample hashes: md5 A699AFD908E0DEC5C96FF7188450B89F, SHA256 f18631344d6f7fc57fd248edce37baeb11976e315b72b68d48311c406ace3f8c

Operating system: Windows(95)[I386, 32-bit, GUI]
(Heur)Packer: Packer detected[High entropy + Section 1 (".data") compressed]

Advanced string obfuscation mechanisms?

The strings in the malware Trojan d...