Cryptominers are making money with your money: how to fight them?

Cyberattacks never stop evolving, and malware authors have moved from destroying systems to finding new ways of earning money, as is the case with ransomware (which encrypts your sensitive files and demands a ransom to get them back). With the emergence of cryptocurrencies like Bitcoin and Ethereum, a new type of attack was born: cryptominer malware. What …

Virtual Machine Introspection in Malware Analysis

This article illustrates how Virtual Machine Introspection can be applied to malware analysis, with a focus on Windows. All malware analyses posted on our blog are done with the help of our dynamic analysis system, which is based on Virtual Machine Introspection technology. In general, introspection means the observation and examination of …

Pyeongchang Olympic Games Targeted Cyber-attack

A new cyber-attack targeting the Pyeongchang 2018 Olympic Games was recently discovered. The Guardian posted an article about technical issues before the opening ceremony: “Reporters at the Pyeongchang Olympic Stadium noticed that the internet wifi stopped working shortly before the ceremony while the televisions and wifi at the main press centre also stopped. Pyeongchang 2018 was also forced to …

PowerShell: Malware uses it without powershell.exe

Windows PowerShell (PS) is a task automation and configuration management framework from Microsoft: a command-line shell with its own associated scripting language, built on the .NET Framework. PS is often used in cyber attacks to run malicious code stealthily on a target computer, but calling powershell.exe can be detected by security solutions. To avoid this, malware can use …

Load/Inject malicious DLL using Microsoft Tools

More and more malware relies on Microsoft tools to hide its malicious activity and damage the system. These tools can be used to bypass security products that trust Microsoft-signed binaries, and can be a serious alternative to rundll32 for executing malicious DLLs like NotPetya or WannaCry. In this article we will see how some Microsoft tools can be used …

BadRabbit Ransomware analysis

BadRabbit is a ransomware used in a cyberattack that targeted Eastern Europe and Russia in October 2017. The name Bad Rabbit was given to this malware because of its presence on the ransom website. Just like NotPetya, BadRabbit uses EternalRomance to spread across networks and brute-forces access to computers using a list of default credentials. BadRabbit Execution Flow …

NotPetya Ransomware analysis

NotPetya is a ransomware and a wiper used in a cyberattack that targeted Ukraine on the 27th of June. Like WannaCry, this malware can spread using the known exploit Eternal Blue. In addition, it implements other techniques to compromise Windows systems on the same network even when they are patched with the MS17-010 patch. By …

WannaCry Ransomware analysis

WannaCry, also known as WanaCrypt or Wanacrypt0r 2.0, is a ransomware used in a worldwide cyberattack that started on the 13th of May 2017. This malware spreads over the internet by using a known exploit called Eternal Blue. Because of this exploit, more than 300k computers have been infected in over 150 countries. Eternal Blue is an exploit that uses …