Recently I noticed the news about AI-generated malware which was hidden in images with pandas. While the main purpose of the malware is “only” cryptomining, it uses several interesting techniques which are not so common for coinminers. It uses nicely formatted and commented setup script (generated by AI). It supports wide variety of coinminers for various cryptocurrencies and for GPU and different CPU architectures. Its another component, hideproc, tries to hide the Koske miner from file listings and processes.

Recent TryHackMe room called “Block” inspired me to create this write-up. The task is to decrypt SMB3-encrypted communication. It turned out that sometimes we only need the captured network traffic to fulfill this task, while otherwise we need some additional info, such as user’s password or its NTLM hash. In this blog post, I would like to summarize three different approaches with practical hands-on exercises based on TryHackMe challenge. I will demonstrate methods of SMB decryption with the knowledge of the user’s password, its NTLM hash, and without any password/hash, just from the captured traffic only.

When I looked on recent public submissions on Any.Run this week, my attention was attracted by XWorm samples with tags “stegocampaign”. Quick review of analysis reports reveal simple, yet interesting infection chain. It contains Visual Basic script, PowerShell script, picture with Base64-encoded executable and the XWorm RAT itself. Those payloads have been downloaded from online hosting services such as Pastebin or Firebase. Moreover, they have been downloaded via HTTPs, so basic network analysis does not reveal the content nor the URL links, however, there are some simple methods how to reveal the real URLs.

Between 1st-3rd November 2023, there was another CTF event - EKOPARTY CTF. It was a part of the EKOPARTY Security Conference in Buenos Aires, but the CTF was also available online. It was in real Retro theme with IRC and Gopher server. One challenge by Kaspersky was especially interesting for me - network traffic analysis, exploitation, malware and reverse engineering. I would like to share my solution for this very nice challenge.

During the October 2023, I participated in the Huntress Capture the Flag contest. It started with couple of warmups challenges on the first day. Then they published two or one challenge every day. There were various categories, such as Warmups, Malware, Forensics, OSINT, Miscellaneous and Steganography. The difficulty levels differs from easy (usually very easy), medium (usually easy, but educative for new players) and hard (usually medium). Couple of “lolz” challenges have an extreme difficulty, and they were some kind of…what?