The malware author responsible for TerraLoader, believed to be BadBullzVenom[4] after a disagreement between the actor and a customer took place on an underground forum marketplace, appears to have been happily updating their delivery system, again referred to as TerraLoader. An excellent report was posted online by Twitter user @Arkbird_SOLG [1,5] using a sample discovered by @malz_intel. …
Adware has historically been ignored, but over the years more and more actors have realized what things such as browser extensions really are: a botnet. So whether an extension is malicious depends on who is running the botnet; however, this can change, as people can buy the rights to a popular extension and then load whatever they want, take over a developer's account, or even just develop their own extensions and leverage them over time.
Recently Microsoft talked about an adware botnet that leverages browser extensions and credential stealers[4]; I had also talked about another adware botnet being distributed…
Large campaigns spreading Android malware have recently been noticed and followed by both MalwareHunterTeam and Daniel Lopez[1]. A quick glance at the manifest shows they are definitely packed, as some of the manifest references code that doesn't exist in ‘com.example.myapplicationtest’.
To unpack it statically we just need to figure out where the next DEX file is stored and how to decode it. The first thing I notice is that the strings are encoded in sub-functions:
public static String arenalake() { int i = 624; for (int i2 = 0; i2 < 16; i2++) { i = 2517…
By: Jason Reaves and Joshua Platt
Whenever malware is found to be written in a new programming language, AV detections are generally lacking because the new language produces bytecode sequences that are relatively unknown, along with strings of data that can throw off static heuristic models. It also usually causes stress within the malware reverse engineering community, as was seen with GoLang malware initially.
Enter Nim[1], which was used to create a repository of code examples leveraging Nim for red team related utilities, but malware developers take notice of things that can be leveraged for more infections, including…
GoLang[8] presents an excellent opportunity for malware developers to create tools that challenge malware researchers and reverse engineers while at the same time coming out of the box capable of cross-compiling across various architectures.
A number of people have since come out with various tools to help with statically reverse engineering these binaries, and in kind other tools have been developed to demonstrate how to attack these techniques through various obfuscation methods. Most of the current tooling for statically reversing GoLang binaries relies on the existence of the .gopclntab structure, which even in stripped binaries is…
MAN1, AKA Moskalvzapoe, AKA TA511, are all names given to a threat actor (TA) that has been active in most major crimeware activities since at least 2014.
Within the last few years most of the major e-crime groups have shifted away from normal banking trojan operations and moved towards ransom and data theft. This transition has proven to be very beneficial for them — even though it is a drastic shift from the older days, when locking activities were considered low-tier and a waste of an infection.
Malware Researcher, Crimeware Threat Intel, Reverse Engineer @Walmart