Posts

Analyze a Malicious Prompt Generator.

Artificial intelligence makes life easier for students, researchers, programmers, and many others. However, as I mentioned in my previous articles, we are not alone on this planet: there are individuals with criminal mindsets who abuse legitimate technology for malicious purposes. The ESET security research team recently discovered the first known AI-based ransomware this year, which is quite interesting. Before we dive deeper into this article, let's go through PromptLock: how it works and how it was revealed. The threat actor wrote C code and compiled it into an executable with GCC. The code contained a full chain for generating a Lua script by sending requests to a local LLM (large language model) server. The ESET team found a sample and analyzed it in a controlled environment (a sandbox). They observed it attempting to connect to the local LLM server, and the executable sent queries to the local LLM to generate a malicious script. The ...

Detecting Deepfakes Through Metadata

Artificial intelligence is gradually becoming our partner in daily tasks. It is a great tool if people know how to use it, but we must remember that we are not alone in the digital space; there are criminals too. Artificial intelligence includes technologies such as deepfakes, voice cloning, and so on. What is a deepfake? According to Wikipedia, deepfakes are images, videos, or audio that have been edited or generated using artificial intelligence, AI-based tools, or audio-video editing software. Threat actors are using this technology and its sub-technologies for many purposes, such as malware development and social engineering. We have already seen the first AI-powered ransomware revealed by ESET, and there have been many breaches involving "shadow IT" workers who even passed job interviews using deepfake technology. In this article I will show how we can analyze and detect AI-generated images by examining metadata only, rathe...
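As an added example that is not part of the original post, the following Python script parses the text chunks of a PNG file and flags keys that common image-generation tools are known to write. The key names it looks for are assumptions about generator conventions ("parameters" is written by Stable Diffusion WebUI, "prompt" and "workflow" by ComfyUI), not something the post states, and the sample PNG is constructed inline. Metadata can be stripped or forged, so a hit is a lead, not proof.

```python
"""Extract PNG text chunks and flag keys that AI image generators tend to write.

Added example, not code from the original post. The key names in AI_KEYS are
assumptions about common tool conventions ('parameters' is written by Stable
Diffusion WebUI, 'prompt' and 'workflow' by ComfyUI). The sample PNG built at
the bottom is constructed here for the demonstration.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Keys (compared lower-cased) whose presence suggests an AI generation pipeline.
AI_KEYS = {"parameters", "prompt", "workflow", "negative_prompt"}


def iter_chunks(data: bytes):
    """Yield (type, body) for each chunk, verifying every CRC on the way."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk at offset {pos}")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def text_chunks(data: bytes) -> dict:
    """Return {keyword: text} collected from tEXt, zTXt and iTXt chunks."""
    out = {}
    for ctype, body in iter_chunks(data):
        if ctype == b"tEXt":
            key, _, text = body.partition(b"\x00")
            out[key.decode("latin-1")] = text.decode("latin-1")
        elif ctype == b"zTXt":
            key, _, rest = body.partition(b"\x00")
            # rest[0] is the compression method (0 = deflate); the stream follows
            out[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
        elif ctype == b"iTXt":
            key, _, rest = body.partition(b"\x00")
            compressed = rest[0]          # compression flag byte
            rest = rest[2:]               # skip flag and method bytes
            _lang, _, rest = rest.partition(b"\x00")
            _translated, _, text = rest.partition(b"\x00")
            if compressed:
                text = zlib.decompress(text)
            out[key.decode("latin-1")] = text.decode("utf-8")
    return out


def ai_indicators(data: bytes) -> dict:
    """Subset of the text chunks whose keys match known generator conventions."""
    return {k: v for k, v in text_chunks(data).items() if k.lower() in AI_KEYS}


# ---- constructed sample PNG (1x1 pixel) used only for the demonstration ----
def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def build_sample_png(text_pairs) -> bytes:
    """Minimal valid PNG carrying the given (keyword, text) pairs as tEXt chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr)
    for key, text in text_pairs:
        png += _chunk(b"tEXt", key + b"\x00" + text)
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    sample = build_sample_png([
        (b"parameters", b"portrait, studio light\nSteps: 30, Sampler: Euler a, Seed: 42"),
        (b"Author", b"camera owner"),
    ])
    print(ai_indicators(sample))
```

Run it against a real file with `ai_indicators(open(path, "rb").read())`. The CRC check matters: a file whose chunks fail their CRC has been edited by something other than a well-behaved encoder, which is itself worth noting during an investigation.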

Sextortion via Malware [ Technical - Theoretical ] Analysis

Sextortion is a form of extortion in which someone threatens to share sexual content (such as nudes, sexual videos, or other intimate material) of a person unless the victim complies with certain demands. These demands can be: providing more sexual content, sending money, doing favors, or other forms of coercion. So, in short: sextortion = threatening to share someone's sexual content in order to force them into something sexual or financial. The game has changed. We have seen numerous examples of malicious Android applications that threat actors use for webcam phishing, weaponizing the app to exfiltrate data through a Telegram bot. This method is still common in many countries across Asia, the Middle East, and Europe. What is particularly interesting is that threat actors and black markets now offer commercial malware with premium features that include sextortion modules. Stealerium is a well-known infostealer that exfiltrates data in multiple ways, parti...
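Exfiltration through a Telegram bot leaves a recognisable trace in egress logs, because every Bot API call has the documented shape `https://api.telegram.org/bot<token>/<method>`. The following Python detector, an added example and not code from the original post, scans constructed proxy log lines for upload methods and reports them with the bot token redacted. The log format, client addresses and process names are invented for the demonstration.

```python
"""Flag Telegram Bot API uploads in proxy logs.

Added example, not code from the original post. The Bot API URL layout
https://api.telegram.org/bot<token>/<method> is the documented one; the log
format, addresses and process names in SAMPLE_LOG are constructed here.
"""
import re
from collections import defaultdict

# Bot tokens are "<numeric bot id>:<secret>"; the API method follows the token.
BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
# Methods that move data off the victim machine (a sendMessage can carry stolen text).
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMessage"}

# Constructed log: timestamp, client IP, process, URL, HTTP status.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z 10.0.0.12 updater.exe https://api.telegram.org/bot7123456789:AAFexample_secret-part/sendDocument 200
2024-05-01T10:02:15Z 10.0.0.12 updater.exe https://api.telegram.org/bot7123456789:AAFexample_secret-part/sendPhoto 200
2024-05-01T10:03:00Z 10.0.0.20 chrome.exe https://web.telegram.org/a/ 200
2024-05-01T10:03:40Z 10.0.0.12 updater.exe https://api.telegram.org/bot7123456789:AAFexample_secret-part/getMe 200
2024-05-01T10:04:02Z 10.0.0.31 outlook.exe https://outlook.office.com/mail/ 200
"""


def redact_token(token: str) -> str:
    """Keep the numeric bot id (useful for pivoting) but never log the secret half."""
    bot_id, _, _secret = token.partition(":")
    return bot_id + ":" + "*" * 8


def find_bot_uploads(log_text: str):
    """Return (alerts, uploads_per_client) for Bot API upload calls found in the log."""
    alerts = []
    per_client = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                      # malformed line, skip rather than crash
        ts, client, proc, url, status = fields[:5]
        m = BOT_CALL.search(url)
        if not m or m.group("method") not in UPLOAD_METHODS:
            continue                      # web client traffic or a non-upload call
        per_client[client] += 1
        alerts.append({
            "time": ts, "client": client, "process": proc,
            "method": m.group("method"), "bot": redact_token(m.group("token")),
            "status": status,
        })
    return alerts, dict(per_client)


if __name__ == "__main__":
    found, counts = find_bot_uploads(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(counts)
```

Normal users reach Telegram through `web.telegram.org` or the desktop client, not through `api.telegram.org/bot...` from an unrelated process, so the match itself is a strong signal; the bot id survives redaction so an analyst can correlate other hosts talking to the same bot without the secret ending up in a ticket.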

Dropper and Downloader : What is the difference ?

New malware never stops appearing. Every day, month, and year, threat actors abuse legitimate software and utilities to deliver malware to random or targeted victims in many different ways. Malware researchers use specific terms for particular operations that happen during the infection process, and two of the most common are dropper and downloader. There is often some confusion between the two: newcomers to malware research, and sometimes even experienced security researchers, mix them up. In this article we will discuss the differences between droppers and downloaders, which I hope will be helpful for both professional and beginner researchers. First of all, what is a dropper? A dropper is not a type of malware itself; it is an operation in the malware infection chain that writes another stage of malware to disk, a stage the dropper already carries inside its own body (for example embedded as a resource or appended after the end of the file) rather than fetching it over the network. The dropper chain can be multi-stage or just one or two stages, depending on the environment the malwar...

Agent and Malware: What is the difference?

Malware is malicious software: "mal" stands for malicious and "ware" for software. However, what we often hear in the news, in articles, or in conference talks is the term "agent." So, what is the main difference between an agent and malware? What makes an agent sound legitimate and trustworthy, while malware does not? In this article I will answer these questions to provide useful knowledge and insight for the malware research community. In future articles we may also discuss implants, droppers, and other terms commonly used by malware researchers. First of all, the perception of an agent as "legitimate" and malware as "malicious" depends largely on the intent, motivation, and functionality of the software installed on a target computer, whether it was installed in an authorized or unauthorized manner. While the functionality of an agent is not very different from that of malware, agents monitor computers more comprehensively, from the user level to the kernel level, that is, from R...

What are Binder Techniques, and how can we identify them?

A binder, or file binder, is software that combines an executable file with other files, which can be documents or legitimate executable programs. We have already discussed wrappers and mentioned that a wrapper is a technique abused by threat actors to hide malware inside another file. Both wrappers and binders can effectively bypass traditional detection software, and they exploit the curiosity of users, from casual computer users to IT professionals. So, how does binder software work, and what is the binding process? You can refer to the graph below to understand how it actually works. I created an example in which an executable file is bound with a PDF document; after the file is executed, both the executable and the PDF are launched. Before running it, I want to analyze this executable to see what information we can extract from it. Now, let's check the entropy of the .rdata section: as we can see, the .rdata section has high entropy, which means it is mostly compressed or packed by the bin...
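The dropper/downloader distinction above and the binder analysis here come down to the same static question: does the file carry its payload inside itself, or does it fetch it at run time? The following Python triage script, an added example that is not code from either post, answers that for a raw binary blob by scanning for embedded file signatures, network download indicators, and high-entropy regions of the kind the .rdata entropy check above reveals. The indicator lists are assumptions about common conventions (file magics, Windows download APIs), and the three sample blobs are constructed here; none of them is real malware.

```python
"""Static triage: does a binary carry its payload (dropper/binder) or fetch it (downloader)?

Added example, not code from the original posts. The indicator lists are
assumptions about common conventions (file magics, Windows download APIs); the
sample blobs at the bottom are constructed here and are not real malware.
"""
import math
import re
from collections import Counter

# File signatures that have no business appearing inside an executable's own body.
MAGICS = {b"MZ": "pe", b"\x7fELF": "elf", b"%PDF-": "pdf", b"PK\x03\x04": "zip"}
DOCUMENT_KINDS = {"pdf", "zip"}
# Import names that usually mean "fetch something from the network".
NET_APIS = [b"URLDownloadToFile", b"InternetOpenUrl", b"HttpSendRequest",
            b"WinHttpOpen", b"WinHttpSendRequest"]
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_~:/?#@!$&'()*+,;=%]{4,}")
WINDOW = 512
HIGH_ENTROPY = 7.2   # bits per byte; compressed, encrypted and random data sit above this


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def entropy_windows(buf: bytes, size: int = WINDOW):
    """(offset, entropy) per fixed-size window, to locate packed or encrypted regions."""
    return [(off, shannon_entropy(buf[off:off + size])) for off in range(0, len(buf), size)]


def embedded_files(buf: bytes):
    """Offsets of known file signatures found anywhere after the first byte."""
    hits = []
    for magic, kind in MAGICS.items():
        off = buf.find(magic, 1)
        while off != -1:
            hits.append((off, kind))
            off = buf.find(magic, off + 1)
    return sorted(hits)


def triage(buf: bytes) -> dict:
    emb = embedded_files(buf)
    kinds = {k for _, k in emb}
    urls = URL_RE.findall(buf)
    apis = [a.decode() for a in NET_APIS if a in buf]
    max_off, max_ent = max(entropy_windows(buf), key=lambda t: t[1])
    tags = []
    if kinds & {"pe", "elf"}:
        tags.append("embedded-executable")
    if kinds & DOCUMENT_KINDS:
        tags.append("embedded-document")
    if urls or apis:
        tags.append("network-download")
    if max_ent >= HIGH_ENTROPY:
        tags.append("high-entropy-region")
    # The outer file is the executable; a bundled document is the binder/decoy pattern,
    # a bundled executable alone is the classic dropper, and no payload plus network
    # indicators is a downloader.
    if "embedded-document" in tags:
        verdict = "binder: document bundled inside the executable"
    elif "embedded-executable" in tags:
        verdict = "dropper: executable stage carried inside the file"
    elif "network-download" in tags:
        verdict = "downloader: payload fetched at run time"
    else:
        verdict = "no delivery indicators"
    return {"verdict": verdict, "tags": tags, "embedded": emb,
            "urls": [u.decode() for u in urls], "net_apis": apis,
            "max_entropy": (max_off, round(max_ent, 2))}


# ---- constructed samples (stand-ins, not real malware) ----
STUB = b"MZ" + b"\x90" * 200                                   # fake tiny PE header + code
SAMPLE_DROPPER = STUB + b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00" + b"\x00" * 300
SAMPLE_BINDER = STUB + b"%PDF-1.7\n" + bytes(range(256)) * 8 + b"\n%%EOF\n"  # "compressed" stream
SAMPLE_DOWNLOADER = (STUB + b"URLDownloadToFileA\x00"
                     + b"https://updates.example.invalid/stage2.bin\x00" + b"\x00" * 300)
SAMPLE_CLEAN = STUB + b"Hello, world\x00" + b"\x00" * 300

if __name__ == "__main__":
    for label, blob in [("dropper", SAMPLE_DROPPER), ("binder", SAMPLE_BINDER),
                        ("downloader", SAMPLE_DOWNLOADER), ("clean", SAMPLE_CLEAN)]:
        print(label, triage(blob))
```

On a real sample, feed `triage()` the whole file and then the individual section bodies, since the page's point about .rdata is exactly that a single section with unexpectedly high entropy is where a bound file or packed payload tends to live. An embedded signature at a plausible offset is stronger evidence than entropy alone, and a file that shows both an embedded stage and download APIs is simply doing both.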

What are Wrapper Techniques, and how can we identify them?

Threat actors spend hours or even weeks finding new techniques and making their software look as legitimate as possible. One technique that can trick IT teams, regular users, and sometimes even professionals is the wrapping technique. So, what is the wrapping technique? A wrapper is a method abused by threat actors to hide malware inside another file. Technically it is similar to, but not the same as, the binding technique. How does the wrapping technique work? Imagine we have an executable file named document.pdf.exe. When a user double-clicks it, a PDF file appears to open. This is an example of the wrapper technique. Right now, this example may not seem convincing because the file shows its full name, document.pdf.exe. However, Windows hides the extensions of known file types by default, so most users see the file as document.pdf, which looks harmless. But if we enable file name extensions and look at it, the whole s...
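The trick described above is entirely about the gap between a file's real name and what the user sees. The following Python helper, an added example and not code from the original post, models that gap: it computes the name Explorer shows with extensions hidden, flags document-looking double extensions, and, going one step beyond the post, also handles the right-to-left override character (U+202E) that disguises an .exe as a .pdf even when extensions are visible. The extension lists are assumptions about what Windows runs and what users read as a document, and `rendered()` is a simplified model of bidirectional text drawing, not a full Unicode bidi implementation.

```python
"""Spot file names built to look like documents when they are executables.

Added example, not code from the original post. EXEC_EXTS and DOC_EXTS are
assumptions about what Windows treats as executable and what users read as a
document; displayed_name() mimics Explorer's 'Hide extensions for known file
types' behaviour, and rendered() is a simplified model of how a right-to-left
override character is drawn.
"""
import os

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".msi", ".lnk"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
            ".txt", ".jpg", ".jpeg", ".png", ".mp4"}
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE


def displayed_name(name: str) -> str:
    """Name as shown with extensions hidden: only the final extension is removed."""
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def rendered(name: str) -> str:
    """Approximate what a bidi-aware UI draws: text after an RLO appears reversed."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def analyze(name: str) -> dict:
    findings = []
    exts = ["." + p for p in name.lower().split(".")[1:]]
    real_ext = exts[-1] if exts else ""
    is_exec = real_ext in EXEC_EXTS
    # document.pdf.exe: a document extension hiding in front of an executable one
    if is_exec and any(e in DOC_EXTS for e in exts[:-1]):
        findings.append("double-extension")
    if RLO in name:
        findings.append("rtl-override")
    shown = displayed_name(name)
    if is_exec and os.path.splitext(shown)[1].lower() in DOC_EXTS:
        findings.append("looks-like-document-when-extensions-hidden")
    if is_exec and os.path.splitext(rendered(name))[1].lower() in DOC_EXTS:
        findings.append("looks-like-document-when-rendered")
    return {"name": name, "executable": is_exec, "shown_as": shown,
            "rendered_as": rendered(name), "findings": findings}


if __name__ == "__main__":
    for n in ["document.pdf.exe", "invoice\u202efdp.exe", "report.pdf", "setup.exe"]:
        print(analyze(n))
```

Applied to `document.pdf.exe` the result reports `shown_as` of `document.pdf`, which is exactly the view the post describes; applied to `invoice\u202efdp.exe` it reports `rendered_as` of `invoiceexe.pdf`, the same deception with extensions turned on. A mail gateway or upload handler can run the same check on attachment names before a human ever sees them.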