Reverse Engineering Skid Malware
🔥 Analyzing an unknown malware we found on Triage
👨💻 Buy Our Courses: https://guidedhacking.com/register/
💰 Donate on Patreon: / guidedhacking
❤️ Follow us on Social Media: https://linktr.ee/guidedhacking
🔗Article Link: https://guidedhacking.com/threads/rev...
📜 Video Description:
Finding and studying intriguing malware is something I frequently do by scrolling through the public reports of the Triage sandbox website, where users execute their samples. On one such occasion, I stumbled across a rather interesting piece of skid malware. This skid malware caught my attention because it had a high score but no family detected, meaning the employees at Triage had not yet written a detection for it. This indicated that it was something unique and not previously covered. Looking through the Triage detonation report, I observed the signatures which triggered the high malicious score. These signatures suggested a range of illicit activities, such as elevation of privileges, detonation of web downloaded executables, and various forms of data theft.
The process tree for the skid malware revealed that it begins with an executable which immediately spawns a child process. This child process initiates a variety of different processes, including cmd.exe and powershell, to name a few. I also found that the malware sends HTTP requests to a C2 server, which harbors numerous PHP files presumably responsible for the malware's functionality.
To understand more about this skid malware, I began with a detailed malware analysis of its initial loader, which is a simple .NET malware that downloads the next stage. This malware manages to accomplish this by storing the URL in a separate class, then downloading the binary to a path and initiating process start for it.
A closer look at the 2nd stage binary, applying my reverse engineering malware skills, showed an open directory on the webserver housing all the threat actor's malware. This finding made the malware analysis even more intriguing.
We focused on the main binary for our continued reverse engineering malware, which was unusually large at 3mb. The first few functions of the skid malware reveal that it checks if a debugger is present and, if detected, it immediately exits.
The malware then begins its persistence by creating a registry key in the current programs run registry for programs that begin upon startup. Interestingly, these strings are base64 encoded, presumably to avoid detection. This clever technique is a common focus of malware analysis.
What sets this piece of malware apart is its approach to system infiltration. The malware steals from browsers and gathers information about the system. It then takes a batch file from the resources of the binary and proceeds to drop and execute it. This batch script activates RDP for the system. Lastly, in a surprising move for skid malware, it calls ngrok to open the RDP port to the wider internet, potentially causing significant damage if left unchecked.
Applying reverse engineering malware techniques, the true complexities of this malware start to unravel, giving us more insight into the minds of its creators and helping to prevent similar attacks in the future.
Reverse engineering malware, a process both complex and daunting, involves the intricate unravelling of software to analyze its functions and intentions. This technical task is essential in cybersecurity, permitting experts to dissect the tactics, techniques, and procedures of a threat actor.
The first step in reverse engineering malware is often static analysis. This involves looking at the malware code without actually running it. Tools can reveal strings of text, which can provide insights into what the malware is designed to do. From file names to command and control server addresses, each bit of data can be a clue in this digital detective work.
Through reverse engineering malware, we can often trace the lineage of the code. By comparing the dissected code with known malware families, experts can often identify which group may be responsible for an attack. This can help predict future threats and improve cybersecurity measures.
Reverse engineering malware is a continuous, evolving process. As malware developers craft increasingly sophisticated and obfuscated software, security experts need to be always adapting and innovating. Thus, reverse engineering malware remains an essential tool in our cybersecurity arsenal.
📝 Timestamps:
0:00 Skid Malware Intro
0:31Identifying Malicious Signatures
1:19 Analyzing the Initial Loader
2:40 Analyzing the Main Binary
4:42 String Decoding and Functionality
7:02 Understanding the Mutex Functionality
8:55 Bat File Explanation and RDP Process
✏️ Tags:
#malwareanalysis
#malware
#reverseengineering
