< ciso
brief />
Tag Banner

All news with #malware analysis tag

45 articles · page 2 of 3

CrowdStrike Malware Analysis Agent Detects at Speed

⚡ CrowdStrike’s Malware Analysis Agent, launched as part of the Threat AI initiative at Fal.Con 2025, automates file triage to produce near-real-time, confidence-scored intelligence for analysts. The agent runs parallel static analysis and dynamic sandbox detonations, correlates findings with CrowdStrike’s threat repository and more than 5,000 YARA rules, and synthesizes behavioral summaries, classification, and remediation guidance. Integrated with Falcon Fusion SOAR and APIs, it can trigger automated hunts, deploy protections, export IOCs, and isolate hosts to accelerate response and reduce analyst backlog.
read more →

Technical Analysis of VVS Stealer Targeting Discord

🔍 Unit 42 provides a detailed technical analysis of VVS stealer, a Python-based malware family that targets Discord users and Chromium/Firefox browsers to exfiltrate tokens, credentials, and browser data. The report explains distribution as PyInstaller packages protected with Pyarmor (observed v9.1.4) and documents the deobfuscation steps used to recover bytecode, AES keys, and encrypted strings. It summarizes runtime behaviors including Discord client injection via modified Electron files, webhook-based exfiltration, persistence in %APPDATA%, and sample indicators defenders can monitor.
read more →

RansomHouse Upgrades: From Linear to Layered Encryption

🔒 Unit 42 analyzes a notable upgrade to RansomHouse (tracked as Jolly Scorpius) that replaces a simple linear encryptor with a more complex, multi-layered design. The revised encryptor, Mario, implements a two-stage scheme using a 32-byte primary key and an 8-byte secondary key, plus chunked and sparse file processing. These changes complicate static analysis and decryption and specifically target ESXi virtual and backup artifacts. Unit 42 highlights detection controls and mitigation guidance for defenders.
read more →

NANOREMOTE Windows Backdoor Abuses Google Drive API for C2

🔍 Elastic Security Labs has detailed a Windows backdoor named NANOREMOTE that leverages the Google Drive API to stage payloads and exfiltrate data, making detection more difficult. The C++ implant implements a robust task manager for queued uploads and downloads with pause, resume and cancel capabilities and exposes 22 command handlers for reconnaissance, execution and file transfer. Researchers also observed a WMLOADER dropper and an uploaded artifact linking NANOREMOTE to the FINALDRAFT family, indicating likely code reuse.
read more →

CISA, NSA, and Cyber Centre Warn of BRICKSTORM Malware

🔒 CISA, NSA, and the Canadian Centre for Cyber Security released a joint malware analysis on BRICKSTORM, a sophisticated backdoor targeting VMware vSphere (vCenter) and Windows environments used by PRC state-sponsored actors. The report provides indicators of compromise (IOCs), detection signatures, and CISA-developed YARA and SIGMA rules to help critical infrastructure owners identify compromises. Recommended mitigations include scanning with the provided rules, inventorying and monitoring edge devices, enforcing network segmentation, and adopting Cross-Sector Cybersecurity Performance Goals; organizations are urged to report suspected activity to CISA immediately.
read more →

Kraken Ransomware Benchmarks Hosts to Choose Encryption

🔒 The Kraken ransomware targets Windows and Linux/VMware ESXi hosts and runs on-host benchmarks to decide whether to perform full or partial encryption. Cisco Talos researchers found it creates temporary files, times encryption of random data, and uses the result to select an encryption mode that maximizes damage while avoiding overloads. Before encrypting it deletes shadow volumes, stops backup services, appends .zpsc to files, and drops a readme_you_ws_hacked.txt ransom note. The group continues big‑game hunting and data theft for double extortion and has launched a forum called 'The Last Haven Board'.
read more →

Time Travel Debugging for .NET Process Hollowing Analysis

🕒 This post introduces Time Travel Debugging (TTD) via WinDbg as a high-value tool for accelerating analysis of obfuscated, multi-stage .NET droppers that perform process hollowing. The authors demonstrate recording a TTD trace, querying the Debugger Data Model with LINQ to find CreateProcess and WriteProcessMemory calls, and extracting a hidden AgentTesla payload. It highlights practical tips, tooling (TTD.exe, FLARE-VM), and limitations such as user-mode scope and proprietary trace formats.
read more →

Generative AI Speeds XLoader Malware Analysis and Detection

🔍 Check Point Research applied generative AI to accelerate reverse engineering of XLoader 8.0, reducing days of manual work to hours. The models autonomously identified multi-layer encryption routines, decrypted obfuscated functions, and uncovered hidden command-and-control domains and fake infrastructure. Analysts were able to extract IoCs far more quickly and integrate them into defenses. The AI-assisted workflow delivered timelier, higher-fidelity threat intelligence and improved protection for users worldwide.
read more →

Dynamic Binary Instrumentation with DynamoRIO on Windows

🛠️ This post introduces dynamic binary instrumentation (DBI) and provides a hands-on guide to building DBI tooling using DynamoRIO on Windows 11. It explains the difference between static and dynamic instrumentation and highlights practical uses such as malware analysis, anti-anti-analysis techniques, runtime de-obfuscation, and automated unpacking. The tutorial includes example clients, build instructions, and a GitHub repository with sample code to help researchers get started.
read more →

Python Foundation Rejects $1.5M NSF Grant Over DEI Terms

🛡️ The Python Software Foundation (PSF) withdrew a $1.5 million proposal to the U.S. National Science Foundation after the approved award included conditions that would bar all PSF programs from activities that 'advance or promote diversity, equity, and inclusion.' The funding, under NSF’s Safety, Security, and Privacy of Open Source Ecosystems program, was intended to support automated malware-detection tools for PyPI and to be ported to other package ecosystems. PSF leaders said DEI is central to their mission, creating an unacceptable conflict that led the board to unanimously decline the grant and ask the community for donations and membership support.
read more →

Mandiant Academy Basic Static and Dynamic Analysis

🛡️ Mandiant Academy’s new Basic Static and Dynamic Analysis course teaches foundational techniques for safely examining and triaging Windows binaries. The hands-on curriculum combines PE file inspection, metadata and strings extraction, and controlled execution in a provided virtual machine to observe behavior, network activity, and memory artifacts. No advanced programming prerequisites are required, though familiarity with command-line basics, hexadecimal data, and operating system concepts is recommended.
read more →

VirusTotal Crowdsourced AI Adds Exodia Labs for .CRX

🔍 VirusTotal has added Exodia Labs to its Crowdsourced AI lineup to provide automated analysis of Chrome extension (.CRX) files. The new contributor issues a clear verdict — benign, suspicious, or malicious — alongside a behavioral narrative to complement existing AI streams such as Code Insight. Exodia Labs results are indexed in VirusTotal Intelligence with dedicated search operators and surface in the web UI to help analysts rapidly triage extension-related threats.
read more →

CISA Details Malware Kits Used in Ivanti EPMM Attacks

🔍 CISA released a technical analysis of malware used in attacks exploiting two Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, CVE-2025-4427 and CVE-2025-4428. The agency details two distinct malware sets that used a common web-install.jar loader and malicious listener classes to inject and execute code, exfiltrate data, and maintain persistence. Attackers targeted the /mifs/rs/api/v2/ endpoint via HTTP GET requests with a ?format= parameter, delivering segmented, Base64-encoded payloads. CISA published IOCs, YARA and SIGMA rules and advises immediate patching and treating MDM systems as high-value assets.
read more →

CISA Malware Analysis: Malicious Listener for Ivanti EPMM

🛡️ CISA released a Malware Analysis Report analyzing two malware families recovered from an organization compromised via CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile. The report, titled Malicious Listener for Ivanti EPMM Systems, provides indicators of compromise and detection content including YARA and SIGMA rules to support hunting and response. Recommended mitigations stress upgrading Ivanti EPMM to the latest versions and treating mobile device management systems as high-value assets with enhanced monitoring, access controls, and restrictions.
read more →

Malware Analysis: Ivanti EPMM Exploitation and Loaders

🔍 CISA analyzed malicious artifacts deployed after threat actors exploited CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM). The report details two distinct loader/listener sets written to /tmp that enable arbitrary code execution through crafted HTTP requests. CISA provides IOCs, YARA and SIGMA detection rules, and recommends immediate patching and treating MDM systems as high-value assets.
read more →

Chinese APT Uses EggStreme Fileless Framework in Espionage

🛡️ Bitdefender attributed a campaign against a Philippines-based military contractor to a China-linked APT that deployed a previously undocumented fileless framework named EggStreme. The multi-stage operation begins with EggStremeFuel (mscorsvc.dll), which profiles systems, opens a C2 channel, stages loaders, and triggers in-memory execution of the core backdoor via DLL sideloading. EggStremeAgent functions as a central backdoor, injecting a session-specific keylogger (EggStremeKeylogger), communicating over gRPC, and exposing a 58-command toolkit for discovery, lateral movement, privilege escalation and data theft. An auxiliary implant, EggStremeWizard (xwizards.dll), provides reverse-shell access and resilient C2 options; Bitdefender warned that fileless execution and heavy DLL sideloading make detection and forensics difficult.
read more →

SVG Malware Campaign Impersonating Colombian Judiciary

🔍 VirusTotal’s Code Insight now parses SWF and SVG formats and quickly uncovered an undetected campaign impersonating the Colombian justice system. The tool differentiated a benign, heuristic-flagged SWF game from a malicious SVG that evaded all AV engines by hiding inline JavaScript which decodes and injects a Base64 phishing page and a ZIP dropper. Code Insight plus VirusTotal Intelligence exposed dozens of polymorphic SVGs and enabled a retrohunt linking hundreds of samples to the same campaign.
read more →

EMBER2024: Advancing ML Benchmarks for Evasive Malware

🛡️ The EMBER2024 release modernizes the popular EMBER malware benchmark by providing metadata, labels, and computed features for over 3.2 million files spanning six file formats. It supplies a 6,315-sample challenge set of initially evasive malware, updated feature extraction code using pefile, and supplemental raw bytes and disassembly for 16.3 million functions. The package also includes source code to reproduce feature calculation, labeling, and dataset construction so researchers can replicate and extend benchmarks.
read more →

Meet the Next Generation of Unit 42 Threat Intelligence

🔍 Unit 42 highlights two threat intelligence interns, Sakthi Vinayak and Gabrielle Calderon, who completed a 12-week program contributing to practical research and automation projects. Sakthi concentrated on mechanizing data ingestion, implementing a fidelity scoring framework, and building dashboards to surface trends and gaps in the knowledge repository. Gabrielle focused on malware ticket analysis and developing an automation tool to identify malware families and extract indicators of compromise. Both interns credited Unit 42’s collaborative mentorship and cross-team exposure for accelerating their technical growth and real-world impact.
read more →

Integrating Code Insight into Reverse Engineering Workflows

🔎 VirusTotal has extended Code Insight to analyze disassembled and decompiled code via a new API endpoint that returns a concise summary and a detailed description for each queried function. The endpoint accepts prior requests as a history input so analysts can chain, correct, and refine context across iterations. An updated VT-IDA plugin for IDA Pro demonstrates integration inside an analyst notebook, allowing selection of functions, iterative review, and acceptance of insights into a shared corpus. The feature is available in trial mode; results have been promising in testing but are not guaranteed complete or perfectly accurate, and community feedback is encouraged.
read more →