this post was submitted on 03 Mar 2025
cybersecurity

This article examines obfuscation techniques used in popular malware families, and offers some insights into possible opportunities for automating unpacking of these malware samples.

We will examine these behaviors in samples we have observed, showing how to extract their configuration parameters through unpacking each stage. Performing this same process through automation would allow a sandbox performing static analysis to extract crucial malware configuration parameters from such samples.

Malware authors increasingly use advanced obfuscation techniques to evade sandbox detection, enabling widespread distribution. Static analysis is the process a sandbox uses to examine a sample without directly executing it.

Adversaries use the following techniques to deliver popular malware families like Agent Tesla, XWorm and FormBook/XLoader:

  • Code virtualization
  • Staged payload delivery
  • Dynamic code loading to introduce new code at runtime
  • Advanced Encryption Standard (AES) encryption
  • Creating multi-stage payloads that are self-contained within the original sample