Stratosphere IPS

February 23, 2024

malware analysis

Analysis and understanding of malware of the PyRation family

Stratosphere IPS

February 23, 2024

malware analysis

Analysis and understanding of malware of the PyRation family

This blog post shows the analysis of a malware of the PyRation family by Tomas Nieponice as part of a 3-week winter cybersecurity internship at the Stratosphere Laboratory. The internship was done under the supervision of Assist. prof. Sebastian Garcia, PhD.

Masarah Paquet

November 29, 2021

Underground Economy

Studying Cybercrime is Fun! An Overview of Five Years of Research Surrounding the Geost Botnet

Masarah Paquet

November 29, 2021

Underground Economy

Studying Cybercrime is Fun! An Overview of Five Years of Research Surrounding the Geost Botnet

This blog shows how a curious research experiment can lead a student into an interesting cybercrime investigation that contains weird -yet interesting- topics, such as understanding underground attackers, botnets, informal Internet forums, and the economy of encrypting malware-as-a-service.

Stratosphere IPS

December 3, 2020

malware analysis, Underground Economy

Deep Dive into an Obfuscation-as-a-Service for Android Malware

Stratosphere IPS

December 3, 2020

malware analysis, Underground Economy

Deep Dive into an Obfuscation-as-a-Service for Android Malware

While confined in our homes studying the interactions of individuals involved in the spread of the Android banking Trojan botnet (known as Geost), we encountered a unique opportunity: investigate an automated obfuscation-as-a-service platform for Android malware authors.

Indeed, in a leaked chat log that involved Geost botnet operators, two individuals talked about an obfuscation service used to “protect” their malicious Android Applications (APKs) from being detected by antivirus engines. We visited the website related to the “protection” service (protection from antivirus engines -so basically obfuscation), which raised a lot of questions: How does this obfuscation service work? Is it automated? Does it really obfuscate applications well enough to avoid malicious applications being detected? How well is the service known in the underground community?

Stratosphere IPS

April 29, 2020

malware analysis, traffic analysis, Aposemat Project

RHOMBUS: a new IoT Malware

Stratosphere IPS

April 29, 2020

malware analysis, traffic analysis, Aposemat Project

For this blog post we will analyze the x86-64 version of RHOMBUS, originally shared by MMD and found by R. Bansal (@0xrb). At the time this post was written, this sample has a 4/59 detection rate (4 out of 59 AVs detected this file as malicious) according to VirusTotal.

Stratosphere IPS

October 8, 2019

Aposemat Project

Hexa Payload Decoder Tool: A Tool To Automatically Extract and Decode Hex Data in C&C Servers

Stratosphere IPS

October 8, 2019

Aposemat Project

Hexa Payload Decoder Tool: A Tool To Automatically Extract and Decode Hex Data in C&C Servers

In this blog post we introduce the “Hexa Payload Decoder Tool”, a tool that is able to process a pcap file and return any decoded characters translated to English. This tool was developed to assist the network security analyst when working and interpreting data sent and received by command and control servers used by malware.

Stratosphere IPS

May 19, 2019

Aposemat Project

IoT Malware Analysis Series. An IoT malware dropper with custom C&C channel exploiting HNAP

Stratosphere IPS

May 19, 2019

Aposemat Project

IoT Malware Analysis Series. An IoT malware dropper with custom C&C channel exploiting HNAP

On February 28th, 2019 we infected one of our devices with the malware sample that most AV detect as Mirai. However, it was a bash script downloader that obtains and exacute an ARM ELF binary to attack others using the HNAP vulnerability in order to infect new bots.

Veronica Valeros

February 17, 2019

What do we know about Quasar RAT? A review.

Veronica Valeros

February 17, 2019

This blog post aims to give an overview of what do we know so far about the Quasar RAT, and provide an exhaustive list of references associated with this piece of software.

Veronica Valeros

September 7, 2018

What do we know about NanoCore RAT? A review.

Veronica Valeros

September 7, 2018

This blog post aims to give an overview of what do we know so far about the NanoCore RAT, and provide an exhaustive list of references associated with this piece of software.

Stratosphere IPS

March 29, 2018

Laboratory

How to Create a Small Lab at Home with a Raspberry Pi to execute Malware

Stratosphere IPS

March 29, 2018

Laboratory

How to Create a Small Lab at Home with a Raspberry Pi to execute Malware

On how to configure your computer and RaspberryPi to execute malware at home.

Stratosphere IPS

November 8, 2017

ANALISIS OF CTU-MALWARE-CAPTURE-1 (ZBOT.OOWO)

Stratosphere IPS

November 8, 2017

CTU-MALWARE-CAPTURE-1 (ZBOT.OOWO)

This capture was done between Thu Sep 5 15:40:07 CEST 2013 and Tue Oct 1 13:38:29 CEST 2013, having a total of 25 days and 21 hours. It corresponds to a binary with the MD5 46b3df3eaf1312f80788abd43343a9d2 of and that was classified by Kaspersky in VirusTotal as Trojan-Spy.Win32.Zbot.oowo. However we are not sure of the name.

CTU-MALWARE-CAPTURE-1 (ZBOT.OOWO)

Protecting the civil society through high quality research