IntroductionFormbook is a form-grabber and stealer malware written in C and x86 assembly language. It's a ready to sell malware, that can be used by cyber-criminals who don't have any skill in malware development. The sample analyzed in this blog-post has been dropped by...
Malware authors uses extensive obfuscation techniques such as packing, junk code insertion, opaque predicates to harden malware analysis.Binary ninja has recently released a plugin to remove opaque predicates - that is, branch paths that are never taken. Thanks to Medium Level Intermediate Language (MLIL), only...
Password stealers are well-known malware used in daily basis by cyber-criminals. Most of the time those stealers are delivered in ready to used package (builder + panel) with a readme or/and video tutorials. Those malware aim to steal credentials in all kinds of software, record...
Introduction Information stealer malware are used on a daily basis by cyber-criminals. They are often designed to extract saved password stored within browsers, instant messaging applications, FTP clients and many more. Key-logger mechanism may also be embedded, in order to grab additional credentials, that are never...
Row-hammer is hardware bug that can cause bit-flips in physical RAM. Mark Seaborn and Thomas Dullien were the first to exploit the DRAM row-hammer bug to gain kernel privileges. Kaveh Razavi et al. pushed the exploitation of row-hammer bugs to the next level. They abused an OS feature - memory...
IntroductionAs a new member of the Stormshield Security Intelligence team, my initiation ritual was to analyze a form-grabber malware used to steal passwords thanks to web-browser injection method. In this article I'll try to present a detailed analysis of this malware, with emphasis on the...
Introduction During the last decade, different types of malware have been targeting Linux servers; Elknot, Encoder, Mirai, LuaBot, NyaDrop, Gayfgt etc. Most of them are used for DDoS purpose but there are some exceptions. Rex is one of them. In this article we’ll try to present a...
Introduction 2 years ago, Thierry F. wrote an article in this blog about a technique that could allow a driver to inject a DLL in a process (https://thisissecurity.net/2014/04/08/how-to-run-userland-code-from-the-kernel-on-windows/). This was based on the reverse engineering of the field PEB.KernelCallbackTable, which is untyped and completely undocumented.You may...
In this post, we want to share some notes on how to exploit heap-based overflow vulnerabilities by corrupting the size of memory chunks. Please note that we do not present here original content but only want to share with the community two detailed write-up. The...