
Posts

Showing posts with the label malware analysis

Return of Domen? Mysterious Zip file

1. Overview

On March 17, Waseda University announced that its sports newspaper club's website (https://wasedasports[.]com/) had been infected with malware. At the time of my research the final payload was common malware called BitRAT, but there are several interesting points in its infection chain. A portion of the infection chain is shown below. The compromised site finally triggers the download of a zip file. There is nothing interesting about the infection chain after this; refer to the IoC section for more information on the malware delivered, if necessary.

Now, what is interesting? In my opinion, the interesting points of this attack are as follows.
・Use of the Domen social engineering toolkit: this toolkit was used around 2019-2020, but not recently.
・Mysteriously structured zip file: the file name in this zip file depends on the archiver used for decompression.

2. Domen social engineering toolkit

Domen is a social engineering toolkit and was used for fake update
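The excerpt does not say what makes the archive's file name depend on the archiver. One mechanism that produces exactly that symptom is a zip whose local file header carries one name while the central directory entry for the same data carries another; tools that list from the central directory show one name, tools that trust the local header show the other. The following added check (my code, not the post's, and not the archive from the post) builds a constructed zip with such a mismatch and then walks the central directory comparing each entry against the local header it points to. The names "invoice.pdf" / "invoice.exe" and the "MZ" payload are constructed sample data.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def build_inconsistent_zip(local_name: bytes, central_name: bytes, payload: bytes) -> bytes:
    """Build a stored (uncompressed) single-entry zip whose local file header carries
    one file name and whose central directory carries another. Constructed sample."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    size = len(payload)
    # Local file header: sig, version needed, flags, method, mod time, mod date,
    # crc32, compressed size, uncompressed size, name length, extra length.
    local = struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, 0, 0, 0, 0,
                        crc, size, size, len(local_name), 0) + local_name
    cd_offset = len(local) + size
    # Central directory header: same fields plus version made by, comment length,
    # disk number, internal/external attributes and the local header offset (0 here).
    central = struct.pack("<4sHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, 0, 0, 0, 0,
                          crc, size, size, len(central_name), 0, 0, 0, 0, 0, 0) + central_name
    # End of central directory: disk numbers, entry counts, CD size, CD offset, comment length.
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + payload + central + eocd


def find_name_mismatches(data: bytes) -> list[tuple[str, str]]:
    """Walk the central directory and compare each entry's name with the name stored in
    the local file header it points to. Returns (central, local) pairs that differ."""
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _cd_size, cd_offset, _ = struct.unpack_from("<4sHHHHIIH", data, eocd_pos)
    mismatches = []
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        fields = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        name_len, extra_len, comment_len, local_off = fields[10], fields[11], fields[12], fields[16]
        central_name = data[pos + 46:pos + 46 + name_len]
        pos += 46 + name_len + extra_len + comment_len
        if data[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError(f"central entry points at offset {local_off}, which is not a local header")
        lfields = struct.unpack_from("<4sHHHHHIIIHH", data, local_off)
        local_name = data[local_off + 30:local_off + 30 + lfields[9]]
        if central_name != local_name:
            # No UTF-8 flag is set on either header, so decode as CP437 like a classic archiver.
            mismatches.append((central_name.decode("cp437"), local_name.decode("cp437")))
    return mismatches


def what_python_lists(data: bytes) -> list[str]:
    """zipfile builds its listing from the central directory, so it reports the central name."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


# Constructed sample: a PDF according to one structure, an executable according to the other.
SAMPLE = build_inconsistent_zip(b"invoice.pdf", b"invoice.exe", b"MZ" + b"\x00" * 62)

if __name__ == "__main__":
    for central, local in find_name_mismatches(SAMPLE):
        print(f"central directory says {central!r}, local header says {local!r}")
    print("zipfile.namelist():", what_python_lists(SAMPLE))
```

Run the script over a suspicious archive by replacing SAMPLE with the file's bytes. Note that a listing alone is not enough: Python's zipfile lists the central-directory name but refuses to open an entry whose local header name differs, while other archivers silently pick one of the two, which is what makes the extracted name archiver-dependent.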

Next Pdf Converter PUA

1. Overview

This post describes a PUA similar to the sample mentioned in the following article.
https://www.c2server.xyz/2023/09/net-in-javascript-fake-pdf-converter.html
If you would like to know more about the previous sample, the following articles are excellent. Thanks to their authors for following up on the deficiencies of my previous post.
https://www.themalwareanalyst.com/2023/11/fake-pdf-converter-leading-to-malicious.html
https://security5magics.blogspot.com/2023/10/interesting-customloader-observed-in.html

2. Sample

This sample can be downloaded from the following URL.
https://www.free-pdf-convert[.]com/
This sample operates as follows. Like the previous sample, it uses WebView2. The single page app works as a PDF converter, as shown below. In other words, this sample does not run WebView2 in hidden mode. How is this single page application implemented? The main implementation of this app can be found at https://pdf.activegn.com/js/app.[xxxx

Node.js Malware created by pkg project

1. Overview

JavaScript is one of the most used programming languages, and Node.js is also widely used as an execution environment. However, Node.js applications cannot run without the Node.js runtime, so using them as malware requires a little effort. For this reason, the pkg project, which converts Node.js applications into EXE files or other executable formats, can be an attractive tool for attackers. This article describes tips for analyzing Node.js malware created with the pkg project.

2. Sample

Node Stealer
SHA256: d6aee63ffe429ddb9340090bff2127efad340240954364f1c996a8da6b711374

3. pkg project

The pkg project packs js files and the runtime into a single file. The executable file it creates is structured as follows. The custom runtime, which is downloaded from the following repository, has the capability to execute js files stored in the virtual file system.
Repository URL: https://github.com/vercel/pkg-fetch
The pkg project adds the virtual files and an index to the back of the runtime. Furthermore, the ru

.NET in JavaScript, Fake PDF Converter

1. Overview

I found a site that distributes a curious PDF converter. The executable file distributed at this site appears to be malicious and has several interesting features.
・ .NET Anti-Analysis
・ Execution of an external JavaScript payload with WebView2
・ .NET object manipulation from JavaScript code
This post describes these techniques. The execution flow of this executable is shown below.

2. .NET Anti-Analysis

PdfConverters.exe, analyzed in this article, was created with .NET Core. .NET Core allows developers to embed the runtime and libraries into a single executable file. This executable also contains a number of files, which are extracted at execution time into a folder under %TEMP%\PdfConverters. A good way to learn the role of these files is to look at [AppName].deps.json. app.deps.json reveals that the main functionality of this executable exists in app.dll.
[app.deps.json]
... "app/1.0.0": { "dependencies": { "Microsoft.
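When a single-file .NET Core executable drops dozens of DLLs under %TEMP%, the deps.json is the quickest map of which ones are the application's own code and which are framework or package dependencies. The following added example (my code, not the post's) walks a deps.json the way an analyst would: it resolves the runtime target, treats libraries of type "project" as the app's own code, follows the dependency graph from there, and lists the managed and native files each library contributes. The embedded deps.json is constructed for the example: the library names mirror the post's app.deps.json excerpt, but the target name, the version "1.0.0" and the file paths are placeholders, not values taken from the analysed sample.

```python
import json
from collections import deque

# Constructed deps.json, modelled on the .NET schema (runtimeTarget / targets / libraries).
# Library names mirror the post's excerpt; the target, version and paths are placeholders.
SAMPLE_DEPS_JSON = """
{
  "runtimeTarget": { "name": ".NETCoreApp,Version=v6.0/win-x64", "signature": "" },
  "targets": {
    ".NETCoreApp,Version=v6.0/win-x64": {
      "app/1.0.0": {
        "dependencies": { "Microsoft.Web.WebView2": "1.0.0" },
        "runtime": { "app.dll": {} }
      },
      "Microsoft.Web.WebView2/1.0.0": {
        "runtime": {
          "lib/netcoreapp3.0/Microsoft.Web.WebView2.Core.dll": {},
          "lib/netcoreapp3.0/Microsoft.Web.WebView2.WinForms.dll": {}
        },
        "native": { "runtimes/win-x64/native/WebView2Loader.dll": {} }
      }
    }
  },
  "libraries": {
    "app/1.0.0": { "type": "project", "serviceable": false, "sha512": "" },
    "Microsoft.Web.WebView2/1.0.0": { "type": "package", "serviceable": true, "sha512": "" }
  }
}
"""


def analyze(deps_json: str) -> dict:
    """Resolve the dependency closure of the app's own project(s) under the runtime
    target and list the managed ("runtime") and native files each library contributes."""
    deps = json.loads(deps_json)
    target = deps["targets"][deps["runtimeTarget"]["name"]]
    # Libraries of type "project" are the application's own code; the rest are packages.
    roots = [name for name, lib in deps.get("libraries", {}).items()
             if lib.get("type") == "project"]
    closure: dict[str, dict[str, list[str]]] = {}
    queue = deque(roots)
    while queue:
        name = queue.popleft()
        if name in closure:
            continue
        entry = target.get(name)
        if entry is None:
            # A library that is referenced but not defined under the target means the
            # deps.json is truncated or tampered with; surface it instead of skipping.
            raise KeyError(f"{name} is referenced but absent from the runtime target")
        closure[name] = {
            "runtime": sorted(entry.get("runtime", {})),
            "native": sorted(entry.get("native", {})),
        }
        for dep, version in entry.get("dependencies", {}).items():
            queue.append(f"{dep}/{version}")
    return {"roots": roots, "closure": closure}


def candidate_entry_assemblies(deps_json: str) -> list[str]:
    """The project's own runtime assemblies are where the app logic lives (app.dll in the
    post); start reversing there rather than in the embedded framework or package DLLs."""
    result = analyze(deps_json)
    return [f for root in result["roots"] for f in result["closure"][root]["runtime"]]


if __name__ == "__main__":
    result = analyze(SAMPLE_DEPS_JSON)
    for lib, files in result["closure"].items():
        print(lib, files)
    print("start here:", candidate_entry_assemblies(SAMPLE_DEPS_JSON))
```

Pointing analyze() at the real [AppName].deps.json from the %TEMP% folder gives the same two lists: the "project" assemblies to open in a decompiler first, and the native libraries (here a WebView2 loader) that explain which Windows components the sample is going to pull in.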