Malware posing as popular Windows tools

There's an interesting new malware that is currently being distributed actively around the globe through phishing campaigns.

This malware is a Trojan RAT, that poses as a version of the popular open-source archive utility PeaZip. The authors of this malware have copied the file info and make it look like a legit version of PeaZip. Careful analysis of this malware shows us that this infact is a Trojan RAT, that is falsely adverstised as PeaZip. In this article, we analyse this malware and discuss the findings.

Read full article here:

https://blog.joshlemon.com.au/new-malware-posing-as-popular-archiving-tool-peazip/

Comments

TrickBot C2i and Configs March 2019

There are some new additions in the latest target list. These are the targeted URIs extracted from the complete configs. Some of the regex'd URIs are very interesting and highly effective. Article by Vishal Thakur C2: http://103.119.144.250:8082 http://75.183.130.158:8082 http://96.36.253.146:8082 http://75.183.130.158:8082 http://96.36.253.146:8082 http://14.102.107.114:8082 http://181.115.156.218:80 http://200.21.51.30:80 http://36.91.93.114:80 http://97.87.127.198:80 http://190.152.125.162:80 http://192.210.152.173:443 http://212.80.216.228:443 http://185.68.93.59:443 http://31.202.132.5:443 http://107.175.132.141:443 http://185.86.148.195:443 Target list: <lm>https://us.etrade.com/webapiagg/aggregator</lm> <lm>https://us.etrade.com/etx/hw/0/accountshome.json</lm> <lm>https://www.nwolb.com/*.aspx*</lm> <lm>https://www.rbsdigital.com/*.aspx*</lm> <lm>https://www.ulsterbankanytimebanking.

Grinju Downloader: Anti-analysis (on steroids) | Part 2

This malware takes anti-analysis and stealth techniques to a new level We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2. Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju Secondary Macro Code First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most important of these briefly before moving on to the next section. =CLOSE(FALSE) =FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129) =FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129) =FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129) =FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129) =FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129) =FORMULA(LEN(GET.WORKSPACE(13)>770)+707,Sheet1!R18

Grinju Downloader: Anti-analysis (on steroids) | Part 1

This malware takes anti-analysis and stealth techniques to a new level Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju I’ve come across some great anti-analysis code in malware over the years. This one takes the top spot. On that note, let’s get into it, this is a long one! Since this malware employs a very complex structure, I’ve decided to divide the analysis into different sections. I’ll try to keep it as simple as possible but having said that, it really is a very complicated project. Hence, publishing in parts. TLDR: This is a very well-thought and equally well-written malware. There’s no VBA that you can analyse. The values and formulas that are used are spread across the worksheets to thousands of rows. The functions, among other things, are used to close the file, corrupt it and also delete the dropped scripts to make analysis extremely hard. In fact, you cannot analyse this malware without altering the code it self. Along the way, you’ll also

_malienist_

Search This Blog