Leveraging LLMs for malware analysis - CFF deobfuscation
Motivated by this paper on Control Flow Flattening (CFF) deobfuscation via LLM, I decided to explore the topic with current frontier models. The paper does n...
Posts
Over the years, all the public Mirai configuration extractors that I have come across either: Rely on brute-forcing the encryption key and apply the guessed...
This article is about a particular function matching technique implemented in diaphora and how it was ported to r2diaphora.
Some quick tips on using radare2 from r2pipe Python scripts to increase analysis performance.
External posts
Threat actors are modifying legitimate anti-virus binaries and re-signing them to run SbaProxy, a tool that establishes proxy connections through a C&C serve...
SquidLoader is a new highly evasive malware loader delivered via phishing attachments, using anti-analysis and decoy techniques to deliver Cobalt Strike beac...
Binary diffing can speed up malware analysis and family attribution. This post introduces r2diaphora, an open-source port of Diaphora for Radare2, with pract...
A cluster of low-detected Linux ELF samples turned out to be modified PRISM backdoors used in small campaigns that remained active and under the radar for mo...
Overview of common malicious implants deployed after exploitation of vulnerable Exim, Confluence, and WebLogic servers, including a modified Xmrig-based Mone...