Reverse The Malware

Modern malware includes different components to protect itself, acting as additional layers of payload armoring. Just as networks have multiple security layers and software includes protections against patching and piracy by reverse engineers, malware also contains components designed to avoid detection. You might think of techniques such as obfuscation, encoding, encryption, or anti-evasion methods but this is not what we are focusing on here. In this article, we dive into two critical malware components called the watcher and the helper . So what are they, and what roles do they play in malware? A watcher is a malware component responsible for monitoring processes and the targeted environment. A helper is another component that assists the malware by supporting its functionality, such as reactivating the payload, establishing communication, and maintaining persistence. Roles of a Watcher A watcher may: Monitor processes to check whether the main malware program is still running ...

  A targeted malware attack refers to malware that is specifically designed to attack a particular business, individual, organization, or institution. Unlike common malware that spreads widely and targets any vulnerable system, targeted malware is created with a specific victim in mind. In a targeted malware attack, the attacker usually begins with reconnaissance , which is the first stage of the cyber kill chain. During this stage, the attacker gathers detailed information about the target environment in order to increase the success of the attack and avoid detection. The main difference between general malware and targeted malware is that targeted malware operates only within predefined conditions. This behavior is similar to geofenced malware , where the malware activates only when it detects that it is running in the intended environment. If the required conditions are not met, the malware may remain inactive or terminate itself. During the reconnaissance stage of a targeted...

  Threat actors sometimes target a specific region, country, or industry to carry out their cyberattacks. This type of highly focused attack is known as geofenced malware . Unlike generic malware that spreads widely, geofenced malware is intentionally restricted to operate only within predefined geographic boundaries. Geofenced malware is a type of malware that is specifically designed to activate only in certain locations or countries. For example, a banking trojan may be programmed to target users in Latin America or Europe while remaining inactive in other regions. In some advanced cases, geofenced malware can even be tailored to target a specific organization or individual, making detection and analysis more difficult. We will discuss targeted malware attacks in more detail in an upcoming blog. One of the key differences with geofenced malware is that its functionality depends on the victim’s geographic location. Malware designed to operate in Europe will work only within Europ...

  Reverse engineering can be particularly challenging for beginners, especially since many high-quality training materials are paid and not everyone can afford access to them. In addition, free resources are often scattered, outdated, or assume prior knowledge, which makes the learning process even more difficult for newcomers. Because of this gap, I decided to write this foundational blog to provide an accessible and practical introduction to malware analysis using Radar. The goal of this article is to guide readers through the basic concepts and techniques involved in introductory malware analysis, focusing on a hands-on approach rather than heavy theory. This blog is designed for beginners who are curious about malware analysis and reverse engineering but don’t know where to start. By using Radar, we can simplify the analysis process and build a solid foundation that readers can later expand upon as they move toward more advanced reverse engineering skills. So, what is Radar? ...

  An LNK file is a Windows shortcut (Shell Link) that provides quick access to another file, folder, application, or website. It acts as a pointer to the original target and is usually identified by a small arrow on its icon and the .lnk extension, although the extension is hidden by default in File Explorer. Created by users for convenience, these files contain information that allows Windows to locate and open the linked item, making it appear as if the shortcut is the actual item. They can also be abused by malicious actors to deliver malware by hiding scripts or payloads inside the shortcut.  Threat actors abuse LNK files for many reasons. One of them is that LNK files are easy to create and customize. It is simple to change the shortcut’s icon to mimic a PDF or another common document type, making the file appear harmless to the victim. LNK files can also execute commands or launch hidden scripts in the background, which allows attackers to run PowerShell, download payloa...

  Threat actors not only bypass EDR, NDR, XDR, and IDS, but they also bypass the toolkits that may be used against their samples during reverse engineering or analysis. In this case, I am going to discuss a malicious PNG file. Binwalk detects that it contains an embedded executable, but it is unable to parse or extract it. Technically, the sample successfully prevents Binwalk from dumping the hidden payload inside the malicious image. Binwalk is a great tool for forensic and steganography analysts, and it is commonly used to extract hidden files from images and other formats. However, this sample demonstrates a method that stops Binwalk from performing that extraction. First, let’s investigate the metadata of the malicious PNG file using ExifTool . ExifTool is a tool that can parse metadata, allowing threat researchers or forensic examiners to analyze it. Essentially, metadata is information about data or, in simple terms, data about data. As you can see in the image below, our sam...

Threat actors often demonstrate far more creativity than traditional security researchers, who may rely heavily on old-school methods to prevent malicious activities or cyber intrusions within their organization’s network. Threat actors will exploit anything, whether physical or digital, to penetrate their targets. In this blog, we discuss something particularly interesting: investigating malicious PNG files that contain the WannaCry ransomware. To begin, what exactly is a PNG file? A PNG (Portable Network Graphics) file is a widely used, open, lossless raster image format commonly found online. It is used for high-quality graphics such as logos, icons, and screenshots. Regarding the tools of the trade, I am using some basic utilities combined with Binwalk and zsteg to gain a broader view and extract the malicious payload. You can easily download Binwalk on macOS through Homebrew, but if you are using Kali Linux or any other red-team or penetration-testing distribution, it is availa...