Using IDAPython to Make Your Life Easier: Part 5

We continue our series on using IDAPython to make things easier for reverse-engineers by tackling a problem malware analysts deal with on an almost daily basis: extracting embedded executables. Malware will often store embedded executables in a number of ways. Some examples include attaching these files in the file’s overlay, including them as a PE resource, or storing them in a buffer within the malware.

As Usual, Attackers Were Busy Over the Holiday Season

The holiday season is a time for friends and family, as well as for heightened levels of consumer shopping. It’s also a time of year when threat actors get especially opportunistic, and the 2015 holiday season was no different.

Let’s take a closer look at recent holiday season-themed attacks.

Happy Festivus!

Unit 42 examined the time period from November 25, 2015 through December 29, 2015 and, using AutoFocus, identified nearly 4 million phishing attacks containing malicious attachments. Out of these phishing email messages, we then searched specifically for holiday themes, using keywords such as “Christmas,” “holiday,” “Santa,” etc. Amongst the results, 92 percent of the attacks identified as holiday themed were already found to have a Unit 42 tag associated with them, providing additional context around the malware family in use, indicator sets, and any references that may be of use.

Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised

Exploit Kits (EK), arguably the most impactful malicious infrastructure on the Internet, constantly evolve to evade detection by security technology. Tremendous effort has been spent on tracking new variations of different EK families. In this report, we look at an EK from an operational point of view. Specifically, we have been tracking the activity of the notorious Angler Exploit Kit and have uncovered traces of what we believe to be a large underground industry behind this EK.

Given the numerous existing reports from Sophos, Malwarebytes, and USENIX that cover different variants of Angler, we will focus on the new findings in terms of the global operation of Angler in this work. All of the findings are based on the results of our malicious web content detection system.

Key findings include:

Using IDAPython to Make Your Life Easier: Part 4

Earlier installments of this series (Part 1, Part 2 and Part 3) have examined how to use IDAPython to make life easier. Now let’s look at how reverse engineers can use the colors and the powerful scripting features of IDAPython.

Palo Alto Networks Researcher Discovers Critical Vulnerabilities in Adobe Flash

Palo Alto Networks was recently credited with discovery of two new vulnerabilities affecting Adobe Flash Player.

Researcher Hui Gao discovered critical vulnerabilities CVE-2015-8443 and CVE-2015-8444. Descriptions of each, as well as details on affected versions and products, are included in an Adobe Security Bulletin dated December 8, 2015. Adobe has released security updates for Adobe Flash Player.

Using IDAPython to Make Your Life Easier: Part 3

In the first two posts of this series (Part 1 and Part 2), we discussed using IDAPython to make your life as a reverse engineer easier. Now let’s look at conditional breakpoints.

While debugging in IDA Pro, there are often situations where an analyst wishes to break on a specific address, but only when a certain condition occurs. An example of this might include breaking on a call to a particular function, but only when a specific argument is passed to it. Another instance I personally run into is breaking when a specific library is loaded into my analysis virtual machine. Today, I’m going to look at this specific problem and discuss ways to handle it with IDAPython.

Using IDAPython to Make Your Life Easier: Part 2

Continuing our theme of using IDAPython to make your life as a reverse engineer easier, I’m going to tackle a very common issue: shellcode and malware that uses a hashing algorithm to obfuscate loaded functions and libraries. This technique is widely used and analysts come across it often. Using IDAPython, we will take this challenging problem and defeat it quite easily.

Background

Reverse engineers most often encounter obfuscated function names in shellcode. The process is quite simple overall. The code will initially load the kernel32.dll library at runtime. Then, it uses this loaded image to identify and store the LoadLibraryA function, which is used to load additional libraries and functions. This particular technique employs a hashing algorithm to identify a function. The hashing algorithm is commonly CRC32; however, other variations, such as ROR13, are common as well.

While reverse engineering a piece of malware, I ran into the following technique:

The Threat Intelligence Research That Mattered to You This Year

Unit 42 did some incredible work in 2015 discovering, analyzing and disclosing malware – some new and others making a reappearance. Take a look below at some of their top threat intelligence research from this past year:

XcodeGhost

Unit 42 analyzed XcodeGhost, which modifies Xcode and infects Apple iOS Apps, and its behavior. The team found that many popular iOS apps were infected, including WeChat, one of the most popular messaging applications in the world, and that the XcodeGhost attacker can phish passwords and open URLs through these infected apps.

Using IDAPython to Make Your Life Easier: Part 1

As a malware reverse engineer, I often find myself using IDA Pro in my day-to-day activities. It should come as no surprise, seeing as IDA Pro is the industry standard (although alternatives such as radare2 and Hopper are gaining traction). One of the more powerful features of IDA that I implore all reverse engineers to make use of is the Python addition, aptly named ‘IDAPython’, which exposes a large number of IDA API calls. Of course, users also get the added benefit of using Python, which gives them access to the wealth of capabilities that the scripting language provides.

Unfortunately, there’s surprisingly little information in the way of tutorials when it comes to IDAPython. Some exceptions to this include the following:

In the hopes of increasing the amount of IDAPython tutorial material available to analysts, I’m providing examples of code I write as interesting use-cases arise. For Part 1 of this series, I’m going to walk through a situation where I was able to write a script to thwart multiple instances of string obfuscation witnessed in a malware sample.

ProxyBack Malware Turns User Systems Into Proxies Without Consent

Anonymous proxies play an important role in protecting one’s privacy while on the Internet; however, when unsuspecting individuals have their systems turned into proxies without their consent, it can create a dangerous situation. Palo Alto Networks researchers recently discovered a family of malware, designated ProxyBack, and observed over 20 versions that have been used to infect systems as far back as March 2014.

The primary distribution observed by Palo Alto Networks is focused heavily in Europe with most targets belonging to educational institutions.

Figure 1 – ProxyBack distribution shown in AutoFocus

BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger

In late 2014, ESET presented an attack campaign, dubbed “Roaming Tiger”, that had been observed over a period of time targeting Russia and other Russian-speaking nations. The attack was found to rely heavily on RTF exploits and, at the time, was thought to make use of the PlugX malware family.

ESET did not attribute the attacks to a particular attack group, but noted that the objective of the campaign was espionage and general information stealing. Based on data collected from Palo Alto Networks AutoFocus threat intelligence, we discovered continued activity very similar to the Roaming Tiger attack campaign, beginning in the August 2015 timeframe, with a concentration of attacks in late October and continuing into December.

The adversaries behind these attacks continued to target Russia and other Russian speaking nations using similar exploits and attack vectors. However, while the malware used in these new attacks uses similar infection mechanisms to PlugX, it is a completely new tool with its own specific behavior patterns and architecture. We have named this tool “BBSRAT.”

#PANWchat Wrap-Up: The 2016 Threat Landscape

Last week we hosted the first ever Unit 42 Twitter chat with several of our Unit 42 experts, including Ryan Olson (@ireo), Jen Miller Osborn (@jadefh), Robert Falcone (@r0bf4lc), and Bryan Lee (@obiwanblee). The chat, “Sure Things and Long Shots, A Look at the 2016 Threat Landscape,” tackled questions from the biggest shifts in the threat landscape to the most effective measures to protect against those threats, and the best ways people can protect themselves in 2016.

The #PANWchat also served as the official launch of the new @Unit42_Intel Twitter handle, which moderated yesterday’s chat. Make sure to follow @Unit42_Intel for the latest from our Unit 42 team.

Take a look at some of the highlights from the chat below or catch up on the entire conversation through the #PANWchat hashtag. And be sure to check out our ongoing series of predictions for 2016!

Attack on French Diplomat Linked to Operation Lotus Blossom

We observed a targeted attack in November directed at an individual working for the French Ministry of Foreign Affairs. The attack involved a spear-phishing email sent to a single French diplomat based in Taipei, Taiwan and contained an invitation to a Science and Technology support group event.

The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept (POC) code to install a Trojan called Emissary, which is related to the Operation Lotus Blossom campaign. The TTPs used in this attack also match those detailed in the paper. The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan.

We have created the Emissary tag for AutoFocus users to track this threat.

iOS Trojan “TinyV” Attacks Jailbroken Devices

In October 2015, we discovered a malicious payload file targeting Apple iOS devices. After investigating, we believe the payload belongs to a new iOS Trojan family that we’re calling “TinyV”. In December 2015, Chinese users reported they were infected by this malware. After further research, we found the malware has been repackaged into several pirated iOS apps that are available for download via multiple channels. In this blog, we will discuss how the TinyV Trojan spreads and how it works.

Repackaging and Spreading

TinyV was repackaged into some pirated iOS apps for jailbroken devices. Infected iOS apps include “Watermelon Player (西瓜播放器)”, “Youku (优酷)”, “iQiYi (爱奇艺)” and others. After repackaging, these apps were uploaded to websites for downloading.

Palo Alto Networks Researchers Discover Critical Vulnerabilities in Internet Explorer and Microsoft Edge

Palo Alto Networks researchers Bo Qu and Hui Gao were credited with the discovery of three new critical Microsoft vulnerabilities affecting Internet Explorer (IE) versions 7, 8, 9, 10 and 11 and Microsoft Edge. These vulnerabilities are covered in Microsoft’s December 2015 Security Bulletin and documented in Microsoft Security Bulletins MS15-125 and MS15-124.