In this brief post, we present a selection of recent malware analysis write-ups. Our goal is to highlight the contributions of individuals who share their passion for malware analysis with the community. These dedicated analysts work tirelessly to document their approach to reverse engineering malware, publish code, and educate others on effective malware analysis tools and techniques.
If you're interested in learning how to sharpen your own malware analysis skills, consider participating in the SANS courses FOR610: Malware Analysis Tools and Techniques or FOR710: Reverse-Engineering Malware: Advanced Code Analysis. These courses not only include the required background and instructor-led walkthroughs but also afford students ample opportunities to confront real-world reverse engineering scenarios through in-class labs.
DarkGate Campaign Analysis by @0xToxin (https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/)
This article provides an in-depth exploration of the latest iteration of the DarkGate Loader malware. Initially documented in 2018, this malware resurfaced as part of a recent phishing campaign. Execution begins with a malicious Microsoft Software Installer (MSI) that launches an embedded AutoIT executable. This AutoIT code, in turn, executes embedded shellcode responsible for deobfuscating and executing yet another Windows executable. This secondary Windows executable accesses the AutoIT component and decodes a final Windows executable, representing the DarkGate malware's ultimate payload. This payload boasts a range of capabilities, including the ability to download and execute arbitrary files, log keystrokes, and escalate privileges, among other features.
A Deep Dive Into Brute Ratel C4 Payloads by CyberMasterV (https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/)
Within this article, the author conducts an analysis of a Brute Ratel C4 sample. Brute Ratel C4 is designed for red team exercises and adversary simulations, but it is also used by malicious actors to advance their objectives. The blog post dives deep into code analysis and offers strategies to identify the API hashing obfuscation technique, decrypt concealed configuration data, extract a deobfuscated DLL, and determine C2 commands.
Pikabot deep analysis by Mohamed Adel / @0xd01a (https://d01a.github.io/pikabot/)
In this write-up, the author conducts a rigorous analysis of Pikabot, a malware family that first appeared in early 2023. The execution chain includes JavaScript, PowerShell, and two in-memory Windows DLLs. The analysis explores multiple obfuscation strategies, including API hashing, stack strings, and data encryption, which aim to conceal the program's functionality and C2 communications. To decode the obfuscated content, the author explores emulation capabilities like Qiling and presents code to quickly decipher strings and encryption keys. The article also details the malware's numerous anti-analysis capabilities, which check for the presence of a debugger and assess whether the malware was launched within a VM. The final payload is embedded within two PNG images using steganographic techniques.
Ducktail: Multi stage analysis by @Crovax4 (https://medium.com/@crovax/ducktail-multi-stage-analysis-39c2a7d9675d)
In this insightful article, the author delves into the details of the Ducktail malware, a .NET infostealer. The technical analysis explores three stages of Windows executables, each obfuscated with a combination of AES encryption, base64 encoding, and the SmartAssembly .NET obfuscator. What's most notable about the write-up is the author's decision to use the dotnetfile Python library (https://github.com/pan-unit42/dotnetfile) to explore the malware. While many analysts are well-acquainted with the pefile Python module for PE file analysis, this article presents a worthwhile exploration of a Python library specific to .NET malware analysis.
Connect with me!
Anuj Soni
https://www.youtube.com/@sonianuj