Sep 19#ShortAndMalicious — DarkGateIf you follow malware news, you’ve surely heard of the DarkGate loader by now. Using a rather exotic combination of AutoIt automation scripts and the Delphi programming language, its purpose is malware delivery and credential theft. Given its apparent popularity with miscreants currently, DCSO’s CSIRT decided to investigate. While most…Reverse Engineering4 min readReverse Engineering4 min read
Sep 3Microsoft Edge Forensics: Screenshot HistoryAccording to a recent article on Neowin, Microsoft Edge has a new feature that allows it to take screenshots of every web page a user visits. The feature is called “Save screenshots of site for History” and is available in Microsoft Edge 117, which is currently available for testing in…Dfir5 min readDfir5 min read
Aug 15Hostile Code: Dealing with stack strings in IDAPythonFor the first post in our new “Hostile Code” series, in which we aim to showcase the various challenges (and, typically, solutions!) you encounter when analyzing malware, we decided to look at stack strings, a type of code obfuscation rather common in malware nowadays. After we find out what it…Reverse Engineering10 min readReverse Engineering10 min read
May 16Andariel’s “Jupiter” malware and the case of the curious C2Since 2020 DCSO has been monitoring a publicly undocumented malware family attributed to the Andariel group, a subgroup of the infamous North Korean Lazarus Group. The malware family has remained largely unchanged over the years and only made few appearances. In early 2023 however, one such appearance seemed particularly noteworthy…Malware8 min readMalware8 min read
Feb 10#ShortAndMalicious — PikaBot and the Matanbuchus connectionContinuing our #ShortAndMalicious series, where we aim to briefly highlight new or otherwise noteworthy malware, a tweet by Unit 42 Intel caught our attention early February 2023:Malware3 min readMalware3 min read
Dec 24, 2022APT41 — The spy who failed to encrypt meThis blog post is based on our recent investigation into one of APT41’s operations against an unnamed German company from the financial sector. The company contacted us in March 2022 after discovering a ransom note (as presented below) on several of its servers. The threat actor tried to encrypt multiple…Dfir18 min readDfir18 min read
Nov 16, 2022HZ RAT goes ChinaWalking down the Royal Road as we did in one of our previous posts, another by-catch of our Yara rule caught our attention. Turns out we found HZ Rat — a lesser known Trojan. The malware we analyse in this article initially aroused curiosity because the payload of the RTF…Trojan15 min readTrojan15 min read
Nov 8, 2022#ShortAndMalicious: StrelaStealer aims for mail credentialsIn our newest category #ShortAndMalicious DCSO CyTec aims to briefly highlight new and interesting samples we come across in our daily hunt for malware. For the first entry in the series, we take a brief look at an undocumented custom malware we have been analysing under the moniker “StrelaStealer” (“Стрела”…Malware4 min readMalware4 min read
Oct 11, 2022Tracking down MaggieIn our recent blog post “MSSQL, meet Maggie” we shared our research on a novel backdoor malware targeting Microsoft SQL servers that DCSO CyTec refers to as “Maggie“. Maggie can be summarised as malware that comes in form of an “Extended Stored Procedure” DLL, a special type of extension used…Dfir7 min readDfir7 min read
Oct 4, 2022MSSQL, meet MaggieContinuing our monitoring of signed binaries, DCSO CyTec recently found a novel backdoor malware targeting Microsoft SQL servers. The malware comes in form of an “Extended Stored Procedure” DLL, a special type of extension used by Microsoft SQL servers. Once loaded into a server by an attacker, it is controlled…Malware Analysis6 min readMalware Analysis6 min read
