This blog post shows the analysis of a malware of the PyRation family by Tomas Nieponice as part of a 3-week winter cybersecurity internship at the Stratosphere Laboratory. The internship was done under the supervision of Assist. prof. Sebastian Garcia, PhD.
Deep Dive into an Obfuscation-as-a-Service for Android Malware
While confined in our homes studying the interactions of individuals involved in the spread of the Android banking Trojan botnet (known as Geost), we encountered a unique opportunity: investigate an automated obfuscation-as-a-service platform for Android malware authors.
Indeed, in a leaked chat log that involved Geost botnet operators, two individuals talked about an obfuscation service used to “protect” their malicious Android Applications (APKs) from being detected by antivirus engines. We visited the website related to the “protection” service (protection from antivirus engines -so basically obfuscation), which raised a lot of questions: How does this obfuscation service work? Is it automated? Does it really obfuscate applications well enough to avoid malicious applications being detected? How well is the service known in the underground community?
Dark Nexus: the old, the new and the ugly
RHOMBUS: a new IoT Malware
IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1
This post is a continuation of the IoT-23 In Depth series based on the IoT-23 Dataset, the first dataset of malicious and benign IoT network traffic, that consists of 23 scenarios. In this blog post we provide an analysis of Scenario 9, CTU-IoT-Malware-Capture-60-1. This malware sample is called Hide-and-Seek. This variant is an IoT malware family capable of different types of DDoS attacks, exploits vulnerabilities in other devices, such as routers and wireless cameras, and to brute force the Telnet service across the Internet to expand its botnet. This malware makes use of the custom peer-to-peer (P2P) protocol to transfer data.
IoT-23 In Depth: CTU-IoT-Malware-Capture-60-1
This post is a continuation of the IoT-23 In Depth series based on the IoT-23 Dataset, the first dataset of malicious and benign IoT network traffic, that consists of 23 scenarios [1]. In this blog post we provide an analysis of Scenario 9 [2], CTU-IoT-Malware-Capture-60-1. This malware sample is called Gafgyt. This variant is an IoT malware family capable of different types of DDoS attacks and exploits vulnerabilities in other devices, such as routers, to expand its botnet which has been seen attacking gaming servers [3].
IoT-23 In Depth: CTU-IoT-Malware-Capture-8-1
This post is a continuation of the IoT-23 In Depth series based on the IoT-23 Dataset, the first dataset of malicious and benign IoT network traffic, that consists of 23 scenarios [1]. In this blog post we provide an analysis of Scenario 13 [2], CTU-IoT-Malware-Capture-8-1. This malware sample is called Hakai and it’s a variant of Linux.Mirai/Gafgyt. Mirai is an IoT malware family capable of different types of DDoS attacks, telnet brute force attacks and it uses different sets of exploits to infect other devices, such as routers.
IoT-23 In Depth: CTU-IoT-Malware-Capture-3-1
This post is a continuation of the IoT-23 In Depth series based on the IoT-23 Dataset, the first dataset of malicious and benign IoT network traffic, that consists of 23 scenarios [1]. In this blog post we show an analysis of Scenario 19 [2], CTU-IoT-Malware-Capture-3-1. This malware sample is called Muhstik and it’s a variant of the STD/Tsunami bot. The STD/Tsunami bot is an IoT malware capable of different types of DDoS attacks and it uses the IRC protocol to communicate with its C&C server.
IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1
A couple of weeks ago, we released the IoT-23 Dataset, the first dataset of malicious and benign IoT network traffic, that consists of 23 scenarios. In this blog post we provide an analysis of Scenario 18, CTU-IoT-Malware-Capture-9-1. This malware sample is Hajime. We analysed the binary sample and the network traffic of this scenario.