Certified Bad

Authenticode Certificates are intended to ensure that software is created by vetted parties and that the software can be trusted; however, malware is often signed with valid Authenticode certificates and the process for signing malware and the implications are often misunderstood within InfoSec. This post takes a deep dive into my research on certificate abuse.

Solarmarker: The Old is New

The purpose of this blogpost is to document the PowerShell used by Solarmarker. The PowerShell was first observed between Feb 2022 until May 2022 and then resurfaced in September 2022. The goal of this post is to publish information regarding the PowerShell to enable others to identify and understand what the PowerShell is doing. DetectingContinue reading “Solarmarker: The Old is New”

SolarMarker Bloat

The goal of this post is to document SolarMarker malware as seen between May 2022 and September 2022. This malware is also known under other names (Jupyter Infostealer, YellowCockatoo, Polazert). If you are interested in earlier forms of the malware, check out my previous blog posts. The TLDR on SolarMarker is that it has beenContinue reading “SolarMarker Bloat”

Solarmarker: May 2022 Persistence

The purpose of this post is to document the new persistence methods used by Solarmarker. The previous persistence methods were used from July 2021 until May 2022 (read about those here, here and here). Whether this persistence is short lived or is used for the next year, it is my desire to make it publiclyContinue reading “Solarmarker: May 2022 Persistence”

Review: Practical Malware Analysis and Triage (PMAT)

I have often recommended the book Practical Malware Analysis (PMA) by Michael Sikorski and Andrew Honig; however, the book was originally published in 2012 and there have been no updates to the core book, so if I recommend the book, I always have to give caveats regarding the age and the age of some ofContinue reading “Review: Practical Malware Analysis and Triage (PMAT)”

Solarmarker: by any other name

Payload SHA256: c61348ab7e5ffeb9ba5d1077b13c49bde4d841c5ada9aBackdoor SHA256: 0e673eb418c87268aa3bcb262e8e03a3f719a95a8e118ba99515c57c9aa02d38Backdoor C2: Solarmarker (AKA JupyterInfostealer AKA YellowCockatoo AKA Polazert) is still a trending malware. According to Expel.io the malware accounted for 33% of their identified malicious payloads in September 2021. Several companies have published write-ups: they often dig deep and the writeups and detection methods often fall out of dateContinue reading “Solarmarker: by any other name”

Solarmarker: Registry Key Persistence Walkthrough

Binary: 1197067d50dd5dd5af12e715e2cc00c0ba1ff738173928bbcfbbad1ee0a52f21Infostealer: 6852699e4420f08ab63a9a4e0b126d73d0ac3d7e21da06ad77bc3fe67c9a2e1fBackdoor: 8c35f2a78e366abf2450d5882c49c69ee5cc01dba3743938b45cedc2b5dee3a3 This is a follow up blogpost regarding the malware known as Solarmarker / Jupyter Infostealer / Yellow Cockatoo / Polazert. This post can be read on its own but consider reading my first post on Solarmarker that discusses the persistence mechanism for April – May and my second post for informationContinue reading “Solarmarker: Registry Key Persistence Walkthrough”

Mars-Deimos: From Jupiter to Mars and Back again (Part Two)

Dropper SHA256: a871b7708b7dc1eb6fd959946a882a5af7dafc5ac135ac840cfbb60816024933Backdoor SHA256: cc17391dde8a9f3631705c01a64da0989b328760e583009e869a7fff315963d7 In May, I published an analysis of the persistence mechanism for Mars-Deimos and had intended to publish further analysis regarding that individual sample, however there has been many changes to the distributed malware since that time. As a reminder and abbreviated summary, a particular malware author or group of authorsContinue reading “Mars-Deimos: From Jupiter to Mars and Back again (Part Two)”

Mars-Deimos: SolarMarker/Jupyter Infostealer (Part 1)

Part One: Persistence Script Analysis (Note: This post is outside of my series on theZoo. ) Mars-Deimos-RS-2.MD5: 88E60DFE5045E7157D71D1CB4170C073Mars-Deimos-RS-2:SHA256: 8A57BD2598057EE784711B47B9B61B4ECBA5311FAC800B55070D560480F86EAC Overview: Mars-Deimos-RS-2 is .NET binary injected into memory. It has also been documented as Solarmarker by CrowdStrike. It shares Indicators of Compromise (IOC) with a directly related malware which has been documented as Jupyter Infostealer byContinue reading “Mars-Deimos: SolarMarker/Jupyter Infostealer (Part 1)”

theZoo: Win32.OnionDuke.B

Win32.OnionDuke.DLL md5: c8eb6040fd02d77660d19057a38ff769  Win32.OnionDuke.DLL sha256: 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b  Overview: Win32.OnionDuke.B is reported as part of a backdoor from 2013-2015. The company F-Secure associates the malware with the threat actor “The Duke” (aka APT29, CozyBear). I am able to perform some Static Analysis, but due to a mixture of the malware’s complexity and my inexperience I am unableContinue reading “theZoo: Win32.OnionDuke.B”