Last week we promised to explain in detail how the “Blackbeard” Trojan infiltrates and hide itself in a victim’s system, especially on its 64-bit variant. Everything described in this blogpost happens just before Pigeon (clickbot payload) gets downloaded and executed. The most interesting aspects are the way it bypasses the Windows’ User Access Control (UAC) security feature and switches the run of 32-bit code of the Downloader to 64-bit code of the Payload. And finally, how the persistence is achieved.
From 32-bit Loader to 64-bit Payload
As almost all other malware, this downloader is encapsulated with a cryptor. After removing the first layer cryptor, we can see that the downloader is written in a robust way. The same code can be run under either a 32-bit or 64-bit environment, which the code itself decides on the fly based on the entrypoint of the unpacked layer. Authors can therefore encapsulate their downloader in either a 32-bit or 64-bit cryptor and it will get executed well in both environments.
In our blog, we wrote several times about various types of Ransomware, most recently about CryptoLocker. In most cases, ransomware has pretended to be a program installed into a victim’s computer by the police. Because of some alleged suspicious activities found on the user’s computer, ransomware blocks the user from using the computer and demands a ransom to unlock the machine or files.
Different ransomware families have different graphics and skins, usually showing intimidating images of handcuffs, logos of various government and law enforcement organizations, policemen performing inspections, government officials, etc… You can read some of our previous analyses on our blog – Reveton, Lyposit, Urausy – are the most prolific examples of such ransomware.
In this blog post, we will look at the functionally of the same type of ransomware, but one which displays more annoying and disturbing photos. After showing the message saying, “Your computer has been suspended on the grounds of viewing illegal content,” accompanied with the current IP address, name of internet service provider (ISP) and the geographical location, it displays several pictures of child pornography!
In today’s world where malware evolves and develops rapidly, sharing security information is the key element for success. Companies which ignore this fact sooner of later suffer from the consequences of their bad decision. Malware researchers from all over the world regularly meet at various IT security conferences, where they learn from each other how to fight with malware and how to make the IT world a safer place.
It has been more than a year, since we last time reported about Reveton lock screen family. The group behind this ransomware is still very active and supplies new versions of their ransomware regularly.
If thieves gain control of sensitive personally identifiable information (PII) on your computer, your identity can be stolen. Information such as your social security number, driver’s license number, date of birth, or full name are examples of files that should be encrypted. Confidential business data like individual customer information or intellectual property should also be encrypted for your safety.
In this blog post we will look at a service offering file decryption. This service helps you to decrypt files which were previously encrypted. But this is no helpful ‘Tips and Tricks’ blog for people who forgot the password to their documents and ask for help recovering it. Although breaking weak passwords is quite possible, noproblembro.com specializes in a different type of service.
InfoStealer is a Trojan that collects sensitive information about the user from an affected computer system and forwards it to a predetermined location. This information, whether it be financial information, log in credentials, passwords, or a combination of all of them, can then be sold on the black market. AVAST detects this infostealer as MSIL:Agent-AKP.
In this blogpost, we will look at a malicious .NET file served to a victim’s computer via an exploit kit. After opening the file in decompiler, we noticed resources containing only noisy images similar to the figure below.
Yes, if your computer gets infected by Urausy Lockscreen, it will get locked. Luckily, not forever! Avast protects you against it. In this blogpost we will introduce an infamous lockscreen called Urausy. We will look at its special anti-debugging and anti-reverse engineering tricks, at its communication protocol, and determine what the conditions (if any) are for self-deleting from the compromised system.
Recently we identified a threat which uses Twitter and Facebook to spread. The origin of the infection begins by clicking malicious tweets or Facebook posts.
The title of this blog post may make you think that we will discuss the security of your Facebook account. Not this time. However, I will analyze an attack which starts with a suspicious email sent to the victim’s email account.
The incoming email has the following subject, ‘Hey <name> your Facebook account has been closed!‘ or ‘Hi <name> your Facebook account is blocked!‘. The email has a ZIP file attachment with name <name>.zip, which contains a downloader file named <name>.exe. <name> stands for a random user name. After a user downloads and executes the executable file, he is presented with the message saying that “Your Facebook connection is now secured! Thank you for your support!” It tries to convince you that there was a problem with your Facebook account, which was later successfully solved by executing the application from the email attachment.
Let’s look inside the executable file!
Recently I wrote a blog post about a legitimate website spreading Sirefef malware. Then I continued with a deeper analysis and noticed that it uses an interesting cryptor.
Malware authors spread many new variants of malware every day. These variants often look completely different at the first glance. That’s why regular updates of your antivirus is important. However, when we look deeper into most malware spreading these days, we see that the core functions do not change very often. Most of the variability of today’s malware is caused by encapsulating it by so-called “cryptors.”
In most cases, these cryptors are pretty boring pieces of software. They usually take seemingly random data from the malicious file, reshuffle them in a correct way, so that these bytes then become an executable code, and then they execute them. However, authors of Sirefef malware often come up with more interesting methods of loading their programs, and we will look at their method in this blog post.
Now, let’s get to Sirefef. Soon after it is executed, we can see the following scheme.