Crypto miners are making money with your money: how to fight them?

Cyberattacks never stop evolving, and malware authors have moved from destroying systems to finding new ways of earning money, as is the case with ransomware (which encrypts your sensitive files and demands a ransom to get them back). With the emergence of cryptocurrencies like Bitcoin and Ethereum, a new type of attack was born: crypto-mining malware. What is …

Virtual Machine Introspection in Malware Analysis

This article illustrates how Virtual Machine Introspection can be applied to malware analysis, with a focus on Windows targets. All the malware analyses posted on this blog are done with the help of our dynamic analysis system, which is based on Virtual Machine Introspection. In general, the term introspection denotes the observation and the examination of …

SAFE Olympic Malware

Pyeongchang Olympic Games Targeted Cyber-attack

A cyber-attack targeting the Pyeongchang 2018 Olympic Games was recently discovered. The Guardian reported technical issues before the opening ceremony: “Reporters at the Pyeongchang Olympic Stadium noticed that the internet wifi stopped working shortly before the ceremony while the televisions and wifi at the main press centre also stopped. Pyeongchang 2018 was also forced to …

SAFE Powershell bypass

How malware can use PowerShell without powershell.exe

Windows PowerShell is a task automation and configuration management framework from Microsoft: a command-line shell with its own scripting language, built on the .NET Framework. PowerShell is often used in cyberattacks to run malicious code stealthily on a target computer, but launching powershell.exe can be detected by security solutions. To avoid this, malware can use a Windows feature …

Load/Inject malicious DLL using Microsoft Tools

More and more malware relies on Microsoft tools to hide its malicious activity and damage the system. These tools can be used to bypass security products that trust Microsoft-signed binaries, and they are a serious alternative to rundll32 for executing a malicious DLL, as in the case of NotPetya or WannaCry. In this article we will see how some Microsoft tools can be used …
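The two preceding entries share a detection angle that does not depend on the name of the process being launched: a PowerShell engine hosted outside powershell.exe still has to map System.Management.Automation.dll into the hosting process, and a Microsoft-signed utility still has to be handed the DLL it is asked to load on its command line. The Python script below is an added example (not code from the articles above, nor from the SAFE analysis platform) that runs both checks over constructed Sysmon-style events. The event layout, the allow-list of legitimate PowerShell hosts, the list of DLL-loading Microsoft utilities and the user-writable directory prefixes are assumptions to be tuned for a real environment.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-like events ("Key: value" lines, records separated by
# "---"). These are made-up sample lines for the example, not real telemetry.
SAMPLE_EVENTS = """\
EventID: 1
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
CommandLine: powershell.exe -NoProfile -Command Get-Date
---
EventID: 7
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
ImageLoaded: C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll
---
EventID: 7
Image: C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe
ImageLoaded: C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll
---
EventID: 1
Image: C:\\Windows\\System32\\regsvr32.exe
CommandLine: regsvr32.exe /s C:\\Users\\bob\\AppData\\Local\\Temp\\update.dll
---
EventID: 1
Image: C:\\Windows\\System32\\odbcconf.exe
CommandLine: odbcconf.exe /A {REGSVR "C:\\Program Files\\Vendor\\driver.dll"}
"""

# Processes that legitimately host the PowerShell engine (assumed allow-list;
# extend it for your environment, e.g. management or monitoring agents).
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
ENGINE_DLLS = {"system.management.automation.dll",
               "system.management.automation.ni.dll"}

# Microsoft-signed utilities that load a DLL (or .cpl/.ocx) named on their
# command line (assumed starting list, not exhaustive).
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe", "odbcconf.exe",
               "control.exe", "installutil.exe", "msiexec.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
LOADABLE_EXT = (".dll", ".cpl", ".ocx")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn the 'Key: value' records into dicts (lines without ': ' are ignored)."""
    events = []
    for record in text.split("---"):
        fields = {}
        for line in record.strip().splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key] = value.strip()
        if fields:
            events.append(fields)
    return events


def engine_outside_host(ev: Dict[str, str]) -> bool:
    """Image-load event: PowerShell engine mapped into a non-PowerShell process."""
    if ev.get("EventID") != "7":
        return False
    loaded = ntpath.basename(ev.get("ImageLoaded", "")).lower()
    host = ntpath.basename(ev.get("Image", "")).lower()
    return loaded in ENGINE_DLLS and host not in POWERSHELL_HOSTS


def loader_with_user_path(ev: Dict[str, str]) -> str:
    """Process-creation event: a signed DLL loader given a library that lives
    in a user-writable directory. Returns the offending path or ''."""
    if ev.get("EventID") != "1":
        return ""
    if ntpath.basename(ev.get("Image", "")).lower() not in DLL_LOADERS:
        return ""
    # Tokenise the command line, honouring double quotes so paths with spaces
    # stay whole; odbcconf wraps its argument in braces, so strip those.
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', ev.get("CommandLine", "")):
        token = (quoted or bare).strip("{}")
        low = token.lower()
        if low.endswith(LOADABLE_EXT) and any(d in low for d in USER_WRITABLE):
            return token
    return ""


def scan(text: str) -> List[Tuple[str, str, str]]:
    """Return (rule, process image, detail) for every suspicious event."""
    findings = []
    for ev in parse_events(text):
        image = ntpath.basename(ev.get("Image", ""))
        if engine_outside_host(ev):
            findings.append(("powershell-engine-in-unexpected-host", image,
                             ev["ImageLoaded"]))
        path = loader_with_user_path(ev)
        if path:
            findings.append(("signed-loader-dll-from-user-path", image, path))
    return findings


if __name__ == "__main__":
    for rule, image, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image} -> {detail}")
```

Image-load telemetry (Sysmon event 7 or an equivalent EDR source) is the part that catches the powershell.exe bypass: process-creation events alone cannot, because nothing on the command line of the hosting process mentions PowerShell. The second rule deliberately ignores where the signed utility itself lives and looks only at the library it is asked to load, which is the attacker-controlled part.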

Hide malware through Microsoft HTML interpreters

In this article we will see how Microsoft Compiled HTML Help (CHM) and HTML Application (HTA) files can be used to build malware that compromises a system through legitimate Microsoft tools. A CHM file is a binary file containing a collection of HTML pages, used to ship the user guide of a tool or piece of software. CHM files are …

SAFE - BadRabbit Ransomware analysis

BadRabbit Ransomware analysis

BadRabbit is a ransomware used in a cyberattack that targeted eastern Europe and Russia in October 2017. The name Bad Rabbit was given to this malware because of its presence on the ransom website. Just like NotPetya, BadRabbit uses EternalRomance to spread across networks and brute-forces access to computers using a list of default credentials. BadRabbit Execution Flow …

DDE Attacks, a new way to spread malware using a Microsoft feature

The Dynamic Data Exchange (DDE) protocol is a built-in Microsoft feature that lets applications share and exchange data. In Microsoft Office programs it can be used to request data from another application. For malicious purposes, this feature allows an attacker to craft a document that performs malicious actions without any exploit or macro. This attack method has been …

NotPetya Ransomware analysis

NotPetya is a ransomware and a wiper used in a cyberattack that targeted Ukraine on the 27th of June 2017. Like WannaCry, this malware can spread using the known exploit EternalBlue. In addition, it implements other techniques to compromise Windows computers on the same network even if they are patched against MS17-010. By …

WannaCry Ransomware analysis

WannaCry, also known as WanaCrypt or Wanacrypt0r 2.0, is a ransomware used in a worldwide cyberattack that started on the 12th of May 2017. This malware spreads over the internet by using a known exploit called EternalBlue. Thanks to this exploit, more than 300k computers were infected in over 150 countries. EternalBlue is an exploit that uses …