This blogpost will talk about the analysis of a new password stealer named AcridRain and its different updates during the last 2 months. Introduction AcridRain is a new password stealer written in C/C++ that showed up on forums around the 11th of July 2018. This malware can...
Introduction Formbook is a form-grabber and stealer malware written in C and x86 assembly language. It's a ready to sell malware, that can be used by cyber-criminals who don't have any skill in malware development. The sample analyzed in this blog-post has been dropped by...
Malware authors uses extensive obfuscation techniques such as packing, junk code insertion, opaque predicates to harden malware analysis. Binary ninja has recently released a plugin to remove opaque predicates - that is, branch paths that are never taken. Thanks to Medium Level Intermediate Language (MLIL), only...
Password stealers are well-known malware used in daily basis by cyber-criminals. Most of the time those stealers are delivered in ready to used package (builder + panel) with a readme or/and video tutorials. Those malware aim to steal credentials in all kinds of software, record...
Introduction Information stealer malware are used on a daily basis by cyber-criminals. They are often designed to extract saved password stored within browsers, instant messaging applications, FTP clients and many more. Key-logger mechanism may also be embedded, in order to grab additional credentials, that are never...
Row-hammer is hardware bug that can cause bit-flips in physical RAM. Mark Seaborn and Thomas Dullien were the first to exploit the DRAM row-hammer bug to gain kernel privileges. Kaveh Razavi et al. pushed the exploitation of row-hammer bugs to the next level. They abused an OS feature - memory...
Introduction As a new member of the Stormshield Security Intelligence team, my initiation ritual was to analyze a form-grabber malware used to steal passwords thanks to web-browser injection method. In this article I'll try to present a detailed analysis of this malware, with emphasis on the...
Introduction During the last decade, different types of malware have been targeting Linux servers; Elknot, Encoder, Mirai, LuaBot, NyaDrop, Gayfgt etc. Most of them are used for DDoS purpose but there are some exceptions. Rex is one of them. In this article we’ll try to present a...
Introduction 2 years ago, Thierry F. wrote an article in this blog about a technique that could allow a driver to inject a DLL in a process (https://thisissecurity.net/2014/04/08/how-to-run-userland-code-from-the-kernel-on-windows/). This was based on the reverse engineering of the field PEB.KernelCallbackTable, which is untyped and completely undocumented. You may...