<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>MWLab</title>
    <link>/</link>
    <description>Recent content on MWLab</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <copyright>&lt;span&gt;© 2019-2025 Content by &lt;a href=&#34;https://twitter.com/ladislav_b&#34;&gt;Ladislav Baco&lt;/a&gt; (&lt;a rel=&#34;me&#34; href=&#34;https://infosec.exchange/@malwarelab_eu&#34;&gt;malwarelab_eu&lt;/a&gt;)&lt;/span&gt; &lt;span&gt;Powered by &lt;a href=&#34;https://gohugo.io&#34;&gt;Hugo&lt;/a&gt; | Theme by &lt;a href=&#34;https://twitter.com/panr&#34;&gt;panr&lt;/a&gt;&lt;/span&gt;</copyright>
    <lastBuildDate>Sat, 26 Jul 2025 18:00:00 +0200</lastBuildDate>
    
	<atom:link href="/index.xml" rel="self" type="application/rss+xml" />
    
    
    <item>
      <title>Koske miner - Panda images and malware generated by AI</title>
      <link>/posts/koske-panda-ai/</link>
      <pubDate>Sat, 26 Jul 2025 18:00:00 +0200</pubDate>
      
      <guid>/posts/koske-panda-ai/</guid>
      <description>Recently I noticed the news about AI-generated malware which was hidden in images with pandas. While the main purpose of the malware is &amp;ldquo;only&amp;rdquo; cryptomining, it uses several interesting techniques which are not so common for coinminers. It uses a nicely formatted and commented setup script (generated by AI). It supports a wide variety of coinminers for various cryptocurrencies, for GPUs and for different CPU architectures. Another of its components, hideproc, tries to hide the Koske miner from file listings and process listings.</description>
    </item>
    
    <item>
      <title>SMB Decryption - TryHackMe</title>
      <link>/posts/tryhackme-smb-decryption/</link>
      <pubDate>Wed, 14 Aug 2024 17:50:09 +0200</pubDate>
      
      <guid>/posts/tryhackme-smb-decryption/</guid>
      <description>A recent TryHackMe room called &amp;ldquo;Block&amp;rdquo; inspired me to create this write-up. The task is to decrypt SMB3-encrypted communication. It turned out that sometimes we only need the captured network traffic to fulfill this task, while otherwise we need some additional info, such as the user&amp;rsquo;s password or its NTLM hash. In this blog post, I would like to summarize three different approaches with practical hands-on exercises based on the TryHackMe challenge. I will demonstrate methods of SMB decryption with the knowledge of the user&amp;rsquo;s password, with its NTLM hash, and without any password/hash, just from the captured traffic only.</description>
    </item>
    
    <item>
      <title>XWorm RAT and Steganography</title>
      <link>/posts/stego-xworm/</link>
      <pubDate>Sat, 23 Mar 2024 10:01:09 +0100</pubDate>
      
      <guid>/posts/stego-xworm/</guid>
      <description>When I looked at recent public submissions on Any.Run this week, my attention was attracted by XWorm samples with the tag &amp;ldquo;stegocampaign&amp;rdquo;. A quick review of the analysis reports reveals a simple, yet interesting infection chain. It contains a Visual Basic script, a PowerShell script, a picture with a Base64-encoded executable and the XWorm RAT itself. Those payloads have been downloaded from online hosting services such as Pastebin or Firebase. Moreover, they have been downloaded via HTTPS, so basic network analysis does not reveal the content nor the URL links; however, there are some simple methods to reveal the real URLs.</description>
    </item>
    
    <item>
      <title>Ekoparty CTF 2023 - Kaspersky write-up</title>
      <link>/posts/ekoparty-ctf-2023-kaspersky/</link>
      <pubDate>Sun, 12 Nov 2023 18:01:09 +0100</pubDate>
      
      <guid>/posts/ekoparty-ctf-2023-kaspersky/</guid>
      <description>Between 1st-3rd November 2023, there was another CTF event - EKOPARTY CTF. It was a part of the EKOPARTY Security Conference in Buenos Aires, but the CTF was also available online. It had a real retro theme with an IRC and a Gopher server. One challenge by Kaspersky was especially interesting for me - network traffic analysis, exploitation, malware and reverse engineering. I would like to share my solution for this very nice challenge.</description>
    </item>
    
    <item>
      <title>Huntress CTF 2023 - Write-ups</title>
      <link>/posts/huntress-ctf-2023/</link>
      <pubDate>Wed, 01 Nov 2023 09:01:09 +0100</pubDate>
      
      <guid>/posts/huntress-ctf-2023/</guid>
      <description>During October 2023, I participated in the Huntress Capture the Flag contest. It started with a couple of warm-up challenges on the first day. Then they published one or two challenges every day. There were various categories, such as Warmups, Malware, Forensics, OSINT, Miscellaneous and Steganography. The difficulty levels ranged from easy (usually very easy), through medium (usually easy, but educative for new players), to hard (usually medium). A couple of &amp;ldquo;lolz&amp;rdquo; challenges had an extreme difficulty, and they were some kind of&amp;hellip;what?</description>
    </item>
    
    <item>
      <title>Decryption of AsyncRAT config strings with CyberChef</title>
      <link>/posts/asyncrat-cyberchef/</link>
      <pubDate>Sun, 22 Oct 2023 10:20:15 +0200</pubDate>
      
      <guid>/posts/asyncrat-cyberchef/</guid>
      <description>Yesterday, as a part of a challenge in one CTF competition, I had to analyze a modified sample of AsyncRAT. I will try to avoid any spoilers; however, I wanted to decode and decrypt strings from the AsyncRAT configuration settings.
AsyncRAT is written in C#, and there are various variants and clones in the wild, such as DcRat or VenomRAT. Some samples are almost unobfuscated (except for the encryption of the configuration), some are lightly obfuscated with just renamed methods and classes.</description>
    </item>
    
    <item>
      <title>Log4shell vulnerability in Minecraft</title>
      <link>/posts/log4shell-minecraft/</link>
      <pubDate>Sat, 07 Oct 2023 12:23:00 +0200</pubDate>
      
      <guid>/posts/log4shell-minecraft/</guid>
      <description>Last month I gave two lectures about cyber attacks at the Gamefair 2023 conference. And what could be a better practical demonstration than the exploitation of a very famous game, leading to the encryption of a game server with ransomware?
I decided to leverage the two-year-old vulnerability CVE-2021-44228 (a.k.a. Log4shell) in the Java Log4j library. This library is also part of the Minecraft Java edition. It is very easy to exploit the vulnerability, as we will see later in this blog post.</description>
    </item>
    
    <item>
      <title>Malware Analysis Tools, Part 2</title>
      <link>/posts/malware-analysis-tools-2/</link>
      <pubDate>Tue, 05 Oct 2021 19:30:00 +0200</pubDate>
      
      <guid>/posts/malware-analysis-tools-2/</guid>
      <description>Note: my article was originally published on the IstroSec blog
In the second part of our overview we continue with the selection of the most used and most useful malware analysis tools. Moreover, we select only tools which are freely available. This time, we focus on tools for analysing other types of files, rather than the native binaries covered in the previous post.
Wireshark
Wireshark is the well-known tool for analysis of network traffic and network protocols.</description>
    </item>
    
    <item>
      <title>Malware Analysis Tools, Part 2</title>
      <link>/sk/malware-analysis-tools-2/</link>
      <pubDate>Tue, 05 Oct 2021 19:30:00 +0200</pubDate>
      
      <guid>/sk/malware-analysis-tools-2/</guid>
      <description>Note: this article of mine was originally published on the IstroSec blog
In the second part of our overview we continue the selection of the most used and most useful malware analysis tools, which are moreover available free of charge. This time we also focus on tools useful for other types of files than traditional executable programs.
Wireshark
Wireshark is a very well-known tool for analysis of network traffic and network protocols. It allows capturing and analysing network traffic in real time, as well as saving the captured traffic for subsequent offline analysis.</description>
    </item>
    
    <item>
      <title>Malware Analysis Tools, Part 1</title>
      <link>/posts/malware-analysis-tools-1/</link>
      <pubDate>Tue, 05 Oct 2021 19:00:00 +0200</pubDate>
      
      <guid>/posts/malware-analysis-tools-1/</guid>
      <description>Note: my article was originally published on the IstroSec blog
In this overview we introduce a selection of the most used and most useful malware analysis tools. Moreover, we select only tools which are freely available.
Malware analysis consists of several phases, starting with extraction and investigation of basic info based on the malware sample&amp;rsquo;s metadata, continuing with behavioral analysis and ending with debugging and reverse engineering of the sample. Depending on the requirements and approach, malware analyses can take several hours, and we often need to use dozens of tools.</description>
    </item>
    
    <item>
      <title>Malware Analysis Tools, Part 1</title>
      <link>/sk/malware-analysis-tools-1/</link>
      <pubDate>Tue, 05 Oct 2021 19:00:00 +0200</pubDate>
      
      <guid>/sk/malware-analysis-tools-1/</guid>
      <description>Note: this article of mine was originally published on the IstroSec blog
In this overview we present a selection of the most used and most useful malware analysis tools, which are moreover available free of charge.
Malware analysis consists of several steps, from gathering basic information based on the metadata of the analysed sample, through (behavioural) analysis of its behaviour, to debugging and complete reverse engineering. Depending on the requirements and the methods used, such analyses can take several hours and involve dozens of tools.</description>
    </item>
    
    <item>
      <title>Revil Ransomware used in Kaseya</title>
      <link>/posts/kaseya-revil-ransomware-obfuscation/</link>
      <pubDate>Fri, 09 Jul 2021 12:11:12 +0200</pubDate>
      
      <guid>/posts/kaseya-revil-ransomware-obfuscation/</guid>
      <description>Attackers compromised up to 1500 companies during a massive ransomware attack, which is now reported as one of the largest cyber attacks ever. Victims have been infected with REvil ransomware, which is similar to the DarkSide ransomware used recently in the Colonial Pipeline attack. However, this time, the deployed REvil ransomware was more obfuscated than the versions observed at the beginning of 2021. In this article, we will discuss the obfuscation techniques used by REvil in the Kaseya incident.</description>
    </item>
    
    <item>
      <title>DarkSide Ransomware</title>
      <link>/posts/darkside-ransomware/</link>
      <pubDate>Sun, 06 Jun 2021 08:40:35 +0200</pubDate>
      
      <guid>/posts/darkside-ransomware/</guid>
      <description>DarkSide Ransomware is a very hot topic now, especially after the compromise of Colonial Pipeline networks, which has been investigated by the FBI, too. It caused such serious problems that even the hackers said that they &amp;ldquo;didn&amp;rsquo;t mean to create problems&amp;rdquo;. However, DarkSide ransomware is not something completely new, and it is similar to the infamous REvil/Sodinokibi ransomware. In this post, I would like to highlight some significant similarities between newer samples of both ransomware families, with insights about DarkSide victims based on custom ransom notes.</description>
    </item>
    
    <item>
      <title>Logchecker</title>
      <link>/posts/logchecker/</link>
      <pubDate>Sun, 31 Jan 2021 17:55:29 +0100</pubDate>
      
      <guid>/posts/logchecker/</guid>
      <description>Threat intelligence is one of the most critical weapons we can use in cyber defense. I often use threat intelligence to enhance my daily tasks at LIFARS such as incident response, threat hunting, forensics and malware analysis. And because automation is key for many tasks, I decided to design a new tool which helps us speed up our processes. Our great R&amp;amp;D team then developed this tool, and we recently released it under the Open Source MIT License as our gift to the community.</description>
    </item>
    
    <item>
      <title>IDC Python - Executing external programs from IDA</title>
      <link>/posts/idc-python/</link>
      <pubDate>Sat, 09 Jan 2021 18:36:17 +0100</pubDate>
      
      <guid>/posts/idc-python/</guid>
      <description>IDA, the Interactive Disassembler, is a well-known tool. It also comes in a Freeware version; however, there are several limitations. For example, it is known that IDA Freeware doesn&amp;rsquo;t support IDAPython, a scripting language which brings the best from the IDA and from the Python world. For scripting, IDA Freeware supports only IDC, a &amp;ldquo;toy&amp;rdquo; [2] C-like language. In the past I wondered whether it is possible to run Python even from IDA Freeware. Recently I played a little bit more with IDC and found a way to pass data from IDA to an external Python process and get the results back into IDA.</description>
    </item>
    
    <item>
      <title>Fluorescence Call Highlighter and IDC Plugins</title>
      <link>/posts/fluorescence/</link>
      <pubDate>Sat, 02 Jan 2021 23:12:06 +0100</pubDate>
      
      <guid>/posts/fluorescence/</guid>
      <description>A few weeks ago, I saw somewhere on the Internet a question about IDA Freeware compatibility with the Fluorescence plugin. And because this plugin is written in IDAPython and IDAPython isn&amp;rsquo;t officially supported by IDA Freeware, this plugin isn&amp;rsquo;t compatible either.
However, when I checked what this plugin does, it turned out that it is very simple - its purpose is to highlight call instructions. So as an exercise I re-created it as an IDC script with a similar feature, and moreover, I also created a plugin version of IDC Fluorescence.</description>
    </item>
    
    <item>
      <title>Cobalt Strike stagers used by FIN6</title>
      <link>/posts/fin6-cobalt-strike/</link>
      <pubDate>Tue, 07 Jul 2020 07:30:22 +0200</pubDate>
      
      <guid>/posts/fin6-cobalt-strike/</guid>
      <description>In June, the LIFARS team worked on an engagement related to the FIN6 threat actor. The FIN6 group was also detected and described in April and May by various other forensics firms, including SentinelOne and FireEye Managed Defense (Mandiant), which described an intrusion by the FIN6 threat actor and their latest tactics, techniques, and procedures (TTPs). In particular, they also used the LockerGoga and Ryuk ransomware families, and Cobalt Strike for initial compromise and lateral movement. Even three months after their post was published, some of the URLs for Cobalt Strike stagers were still active, so I decided to publish an analysis of these Cobalt Strike stagers and payloads.</description>
    </item>
    
    <item>
      <title>Hunting for Blue Mockingbird samples</title>
      <link>/posts/blue-mockingbird-hunting/</link>
      <pubDate>Fri, 19 Jun 2020 07:19:50 +0200</pubDate>
      
      <guid>/posts/blue-mockingbird-hunting/</guid>
      <description>In my recent post about XMRig-based CoinMiners spread by the Blue Mockingbird Group, based mainly on a case study by LIFARS, I wrote about a multi-stage attack performed by this threat actor. However, this case study doesn&amp;rsquo;t contain many IOCs (one reason could be to maintain the privacy of the victims), and when I want to analyze these samples, first I have to find them somewhere. In this post I describe my process of searching for these samples using public services and how we can reconstruct the whole attack chain.</description>
    </item>
    
    <item>
      <title>Memory Acquisition on Synology NAS</title>
      <link>/posts/synology-memory-acquisition/</link>
      <pubDate>Thu, 04 Jun 2020 23:42:27 +0200</pubDate>
      
      <guid>/posts/synology-memory-acquisition/</guid>
      <description>As I stated in the post about Synology in VirtualBox, I wondered about forensic analysis of Synology NAS, especially about memory acquisition. As a part of the preparation phase, I had to figure out how to create a Synology VM, because I did not have access to real Synology HW. Then I found a way to create a memory dump in DSM 6.1.7 (from May 2018), but I wanted to verify my approach also on real HW with an up-to-date version of DSM.</description>
    </item>
    
    <item>
      <title>XMRig-based CoinMiners spread by Blue Mockingbird Group</title>
      <link>/posts/xmrig-blue-mockingbird/</link>
      <pubDate>Mon, 01 Jun 2020 08:21:42 +0200</pubDate>
      
      <guid>/posts/xmrig-blue-mockingbird/</guid>
      <description>Overview
During March-May the Blue Mockingbird group infected thousands of computer systems, mainly in the enterprise environment. There are known incidents in which they exploited the CVE-2019-18935 vulnerability in Telerik Web UI for ASP.NET, then used various backdoors and finally deployed XMRig-based CoinMiners for mining the Monero cryptocurrency. What is interesting about these cases is the persistence they used for the CoinMiners - many techniques including scheduled tasks and services, but also WMI Event Subscription and COR Profilers.</description>
    </item>
    
    <item>
      <title>Phishing PDF Document Story</title>
      <link>/posts/phishing-pdf/</link>
      <pubDate>Fri, 27 Mar 2020 01:05:13 +0100</pubDate>
      
      <guid>/posts/phishing-pdf/</guid>
      <description>Background
A few days ago, we detected a PDF file with a non-zero detection score on VirusTotal; however, almost all the detections were only of a “generic” kind. Moreover, further investigation revealed that two weeks earlier the same file had no detections on VirusTotal at all. We continued with a deeper analysis of this document and its behavior to determine if this is only a false-positive alert, or if it can be a serious problem for those who already opened this PDF document.</description>
    </item>
    
    <item>
      <title>How to install Synology DiskStation Manager in VirtualBox</title>
      <link>/posts/synology_in_virtualbox/</link>
      <pubDate>Wed, 23 Oct 2019 11:35:10 +0200</pubDate>
      
      <guid>/posts/synology_in_virtualbox/</guid>
      <description>I wondered about forensic analysis of Synology NAS, especially how to create a memory dump, but unfortunately, I was not able to find any useful howtos. I had to try it myself, but as a first step I needed a running instance of Synology DSM (DiskStation Manager, the web-based OS running on Synology NAS). Because I do not have any real Synology NAS hardware, I decided to try it as a Virtual Machine.</description>
    </item>
    
    <item>
      <title>Open Source and Free Tools for Incident Response Teams</title>
      <link>/posts/oss_and_free_tools_for_incident_response_teams/</link>
      <pubDate>Sun, 20 Oct 2019 10:58:56 +0200</pubDate>
      
      <guid>/posts/oss_and_free_tools_for_incident_response_teams/</guid>
      <description>Some people asked me what tools can be useful for Incident Response and for CSIRT/CERT teams, so I decided to prepare a list of such tools and seize the opportunity of the Open Source Weekend in Košice, Slovakia on 19th October. The motivation behind this list is to help enthusiasts and new teams to prepare and/or strengthen the technical equipment needed for incident response with minimal costs. On the other hand, the participation of clever and engaged people is always required for similar tasks in cybersecurity, and the use of Open Source and Free(ware) tools can have some caveats, requiring more tinkering or adjustments.</description>
    </item>
    
    <item>
      <title>QuBit Sofia2019 CTF - Write-up</title>
      <link>/posts/qubit-ctf-sofia2019/</link>
      <pubDate>Wed, 09 Oct 2019 11:01:09 +0200</pubDate>
      
      <guid>/posts/qubit-ctf-sofia2019/</guid>
      <description>A few weeks ago I prepared the technical background of the CTF (Capture the Flag) for QuBit Conference Sofia 2019. It was intended as a contest in which the three most successful participants would get the opportunity to attend QuBit Conference Sofia 2019. The content itself consisted of 10 challenges divided into 5 categories. This post summarizes the thoughts, ideas and hints about the intended ways to solve the particular challenges.</description>
    </item>
    
    <item>
      <title>GandCrab String Decryption Update</title>
      <link>/posts/gandcrab-string-decryption-update/</link>
      <pubDate>Thu, 25 Apr 2019 23:46:31 +0200</pubDate>
      
      <guid>/posts/gandcrab-string-decryption-update/</guid>
      <description>Introduction
In the post about GandCrab String Decryption I used a very simple heuristic for identifying the string decryption function. Because this kind of function is usually heavily used, I made the assumption that the string decryption function is the most used function in our sample. This assumption is correct for GandCrab v5.1 DLL files, but it turns out that it is not true for GandCrab v5.2 and v5.3 EXE samples.</description>
    </item>
    
    <item>
      <title>GandCrab String Decryption</title>
      <link>/posts/gandcrab-string-decryption-1/</link>
      <pubDate>Thu, 18 Apr 2019 13:36:31 +0200</pubDate>
      
      <guid>/posts/gandcrab-string-decryption-1/</guid>
      <description>Introduction
The last article about the Ursnif campaign presented the Ursnif PowerShell downloader, which was also able to download the GandCrab payload. This payload was injected as a DLL library into the running process, and I extracted it during the last analysis. Now, it is time to look more closely at this GandCrab sample.
Obfuscated strings
After a quick look at the disassembly we can notice many calls to one particular function, in our case named by IDA as sub_10009E69.</description>
    </item>
    
    <item>
      <title>Ursnif campaign with the macro-enabled documents - Part 2</title>
      <link>/posts/ursnif-requestdoc-campaign-2/</link>
      <pubDate>Sat, 09 Mar 2019 10:36:53 +0100</pubDate>
      
      <guid>/posts/ursnif-requestdoc-campaign-2/</guid>
      <description>Introduction
The first part of this analysis presented the two types of macro-enabled documents with a PowerShell downloader spreading via emails in a recent campaign. The PowerShell downloaders and/or the macros were slightly obfuscated; however, it was easy to defeat this obfuscation and reveal their purpose.
Unfortunately, during my analysis the downloaded content was not present on the involved servers, and in most cases it was not available even during analysis on sandboxes like Any.</description>
    </item>
    
    <item>
      <title>Ursnif campaign with the macro-enabled documents - Part 1</title>
      <link>/posts/ursnif-requestdoc-campaign-1/</link>
      <pubDate>Fri, 22 Feb 2019 07:59:35 +0100</pubDate>
      
      <guid>/posts/ursnif-requestdoc-campaign-1/</guid>
      <description>Overview
During the first half of February 2019 there was an increase in occurrences of spam messages containing attached documents with names in the form &amp;ldquo;Request&amp;rdquo; followed by a number, like &amp;ldquo;Request15.doc&amp;rdquo;. These documents contain slightly obfuscated macros which lead to execution of a PowerShell downloader. This PowerShell downloader connects to domains registered in the Russian Federation and resolving to Russian IP addresses. It seems that malicious content is hosted on these servers, in many cases detected as the Ursnif malware.</description>
    </item>
    
    <item>
      <title>&#34;Hidden&#34; Bundpil</title>
      <link>/posts/hidden-bundpil/</link>
      <pubDate>Sun, 17 Feb 2019 00:27:12 +0100</pubDate>
      
      <guid>/posts/hidden-bundpil/</guid>
      <description>Introduction
My friend got a USB stick infected with malware, at least that&amp;rsquo;s what one antivirus product reported about it. But a strange thing happened: it seemed that the detected file was not present on this USB key. Not only the detected file, but also all of the user data was missing. Only one .lnk file was present in the root of the filesystem. So, this is the point where our investigation begins&amp;hellip;</description>
    </item>
    
    <item>
      <title>About Me</title>
      <link>/about/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      
      <guid>/about/</guid>
      <description>Contact
Twitter: @ladislav_b @malwarelab_eu
Mastodon: @malwarelab_eu@infosec.exchange
Nostr: npub1ksxp2k6449prsqz6e3uq4k87hzw64v6c6u7zqdw9u99ev2y7gfpsnh07l5
LinkedIn: ladislav-baco
Author
Ladislav Baco is a Senior Security Consultant, Malware Analyst and Network Analyst, with more than 10 years of experience in computer security, computer science and education. Currently he works as a Network Analyst at ESET, with focus on Network Forensics, Threat Hunting, Threat Intelligence and Research of Intrusion Detection.
During his previous employments he led the Research Department at the IstroSec cybersecurity company.</description>
    </item>
    
  </channel>
</rss>