GuLoader TL;DR GuLoader is a polymorphic shellcode loader packed full of anti-analysis and anti-vm techniques to evade detection. The malware began as a Visual Basic (VB) 5/6 downloader, first identified in 2019. VB served as a wrapper for the core component implemented in shellcode until late last year. GuLoader began experimenting with a variety of delivery methods including VBS and macro...
A Look Back at BazarLoader’s DGA
I was recently asked a question about DGA and I was unsatisfied with my explanation, so I wanted to write a quick post on DGA, what it is, and how it works. I learned a lot going through this exercise and I hope you enjoy it. What is DGA? A Domain Generation Algorithm (DGA) is a technique used by malware authors to generate new domain names for malware command and control. Typically malware will...
The Trash Panda Reemerges from the Dumpster: Raccoon Stealer V2
Raccoon Stealer has emerged from its hiatus, rewritten from the ground up in C/C++, with a new front-end, new back-end and new data stealing capabilities. Raccoon Stealer was previously sold as a Malware-as-a-Service (MaaS) until falling off the radar in March 2022. This shutdown was reportedly due to the loss of a lead developer of the project during the Russian invasion of Ukraine. After a few...
CruLoader: Zero2Auto
Taking a break from my normal blog posts to complete the practical analysis from the Zero2Automated course from Vitali Kremez and Daniel Bunce. Assignment Background Hi there, During an ongoing investigation, one of our IR team members managed to locate an unknown sample on an infected machine belonging to one of our clients. We cannot pass that sample onto you currently as we are still analyzing...
BazarLoader – Back From Holiday Break
We recently observed a BazarLoader campaign at $dayjob, kicking off the return of maldoc campaigns after the holidays. This campaign piqued my interest after it hit on my SPLCrypt Yara rule that I wrote a while back, so I figured why not do a quick write-up and share that rule out. If there are any errors in this post, please feel free to reach out to me for corrections. I’m still learning...
Agent TeslAggah
In May of 2020, Deep Instinct reported on a new variant of the malware loader called “Aggah,” a fileless loader that takes advantage of LOLBINS and free services such as Bitly, Blogger, etc. Heading into the second December of the Covid-19 pandemic, Aggah has continued the trend of using Covid-19 as a lure for malspam. The group behind “Aggah” is known for using the...
Cross-Platform Java Dropper: Snake and XLoader (Mac Version)
According to netmarketshare, Windows still owns about 87% of the market versus about 9% for Mac OS. Although Windows will likely stay the predominant leader of the pack, Mac OS continues to grow year over year, both in consumer and commercial markets. Likewise, malware for Windows is also by far the most common, but malware for Mac OS is gaining popularity. A few weeks ago, a sample came across...
Skip the Middleman: Dridex Document to Cobalt Strike
On June 30th, Dridex Excel documents were observed downloading Cobalt Strike packed with the CryptOne packer – skipping the typical in-between step of downloading Dridex. Filename: attachment_filenameUTF-8WO202825876.xlsb MD5: 56d9a0db8defe0857dd4bb7c9af97ee2 SHA1: abf0d796220d5e8ba7a5cc3f5ed2421411a5fb56 SHA256: a0747e6e54af1fde0586add639282d26b5e22a0bb4e4cca5d362c6eb6f6f3ed4 Excel...