
Recently, two suspects were arrested for selling Cryptex Reborn and other FUD tools (helping to install malware in a Fully UnDetectable way). Today, we will study some examples to make sure that everyone knows what this type of tool is and why it is dangerous. We will also present some examples of identifying and unpacking a malware crypter.

Most modern malware samples, in addition to built-in defensive techniques, are protected by some packer or crypter. A crypter's role is basically to be the first - and most complex - layer of defense for the malicious core. Crypters try to deceive pattern-based or even behavior-based detection engines - often slowing down the analysis process by masquerading as a harmless program, then unpacking/decrypting their malicious payload. They may also add icons and metadata that make the sample look like a legitimate product.

Underground crypters, created to defend malware against antivirus/anti-malware products, are sold in typical cybercriminal hangouts. Below, you can see examples of crypters being advertised on the black market and the tricks they use:

These products are designed to cater to simple criminals, those who do not need (or want) deep technical knowledge. That's why the authors provide a GUI to configure all the options in a very easy way. As you can see, a crypter is a completely independent module. For example, it allows the configuration of the encryption method and key, as well as where the payload should be injected. Cybercriminals can use it to protect any malware that they want to deliver. That's why knowing which crypter is used does not help in identifying the malware family.

As an example, I would like to present several different malware samples packed by the same/similar crypter:

27b138e6bed7acfe72daa943762c9443 - a DLL delivered by Magnitude Exploit Kit (will be referred to as: Magnitude.dll).
bbcfb9db21299e9f3b248aaec0a702a5 - an executable captured under the name: makta.exe.
1afb93d482fd46b44a64c9e987c02a27 - an executable delivered by Blackhole Exploit Kit (will be referred to as: blackhole.exe).

Before we start unpacking, let's have a look at the similarities in the code that led me to believe that the above three samples (captured in different distribution campaigns) are all packed by the same tool.

[Figure caption: carrying payload: 5a58395fda49c8f3f4571a007cf02f4d]

Tracing the flow of execution, we notice similarities. At the beginning of execution, all of the samples make some meaningless API calls (e.g. trying to read some random keys from the registry). Then, they call a function to allocate memory (VirtualAlloc or VirtualAllocEx).
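The execution prologue described above (junk registry reads, then VirtualAlloc/VirtualAllocEx) can be turned into a triage heuristic over a sandbox API trace. The script below is an added example, not code from the post; the trace format ("<pid> <api>(<args>) = <ret>") and the sample lines are constructed here, and the minimum run of registry reads is an assumed tuning knob.

```python
import re

# Constructed sandbox-style API trace; the line format is an assumption of
# this example, not the output of any real tool.
SAMPLE_TRACE = r"""
1234 RegOpenKeyExW(HKLM\SOFTWARE\Nonexistent\Key) = 2
1234 RegQueryValueExW(HKCU\Software\Random\Value) = 2
1234 RegOpenKeyExW(HKLM\SYSTEM\Bogus) = 2
1234 VirtualAlloc(0x0, 0x1a000, MEM_COMMIT, PAGE_EXECUTE_READWRITE) = 0x3f0000
1234 WriteProcessMemory(0x3f0000, 0x1a000) = 1
5678 GetModuleHandleW(kernel32.dll) = 0x77000000
5678 CreateFileW(C:\temp\notes.txt) = 0x1c
5678 VirtualAlloc(0x0, 0x1000, MEM_COMMIT, PAGE_READWRITE) = 0x400000
"""

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s*=\s*(\S+)$")
REGISTRY_READS = {"RegOpenKeyExA", "RegOpenKeyExW",
                  "RegQueryValueExA", "RegQueryValueExW"}
ALLOC_APIS = {"VirtualAlloc", "VirtualAllocEx"}

def parse_trace(text):
    """Group parsed calls per PID, preserving call order."""
    per_pid = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, api, args, ret = m.groups()
            per_pid.setdefault(int(pid), []).append((api, args, ret))
    return per_pid

def crypter_prologue(calls, min_junk_reads=2):
    """Score one process: a run of registry reads at the very start,
    immediately followed by VirtualAlloc/VirtualAllocEx. RWX protection
    on that allocation is reported separately as an extra severity hint."""
    junk = 0
    for api, args, _ret in calls:
        if api in REGISTRY_READS:
            junk += 1
            continue
        alloc = api in ALLOC_APIS  # first non-registry call decides
        return {"junk_reads": junk, "first_other_api": api,
                "rwx": alloc and "PAGE_EXECUTE" in args,
                "matches": junk >= min_junk_reads and alloc}
    return {"junk_reads": junk, "first_other_api": None,
            "rwx": False, "matches": False}

def flag_processes(text, min_junk_reads=2):
    """Map each PID in the trace to its prologue verdict."""
    return {pid: crypter_prologue(c, min_junk_reads)
            for pid, c in parse_trace(text).items()}

if __name__ == "__main__":
    for pid, verdict in flag_processes(SAMPLE_TRACE).items():
        print(pid, verdict)
```

The heuristic is deliberately narrow (it only inspects the start of the trace), so it is a triage signal to confirm by unpacking, not a standalone detection.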
