FLARE-On 2016

For the first time in my life, I joined a CTF competition.

FLARE-On is a reverse engineering contest, developed by FireEye Lab’s Advanced Reverse Engineering team. Honestly, I didn’t know about its existence up until Mid/2016, which was when I met some of FLARE’s members (@williballenthin and @m_r_tz) – and i’m very glad I did. I learned a lot while doing these challenges, and for that, I can’t thank enough.

I’m very happy I ended up being one of the 124 winners, and will definitely participate next year. Check more stats about the CTF in this year’s conclusion post.

Alright, without further ado, here are my solutions:

Continue reading “FLARE-On 2016”

Malware Launcher using DLL Search Order Hijacking

Hello again,

Have you ever heard of this? It’s a pretty cool technique to load an arbitrary DLL into a process by┬átaking advantage of the way Windows’ DLL search works. Quite honestly, I’ve never seen it in action on real malware, up until very recently.

There is a “launcher” floating around which uses not only DSOH, but some other pretty cool techniques to host malicious activity into the process of a legitimate (and signed) tool.

Continue reading “Malware Launcher using DLL Search Order Hijacking”

Quick “how-to-decode” this banking Trojan encoded string

Remember when you could figure out what bank was being targeted by a Brazilian banking Trojan just by running “strings” against it? Well, that was a while ago.

There’s this decode function widespread among most banking Trojan samples that I get my hands on, especially those written in Delphi.

Let’s take a look!

Continue reading “Quick “how-to-decode” this banking Trojan encoded string”

A random 2016 Brazilian Banking Trojan – Londer / jottvxz / Telax

“Brazil has a lot of banking Trojans” – is a sentence folks working the AV industry might have said/heard quite a few times.

Well, here’s a quick analysis on a random Brazilian banking Trojan. Spoiler alert: it’s a mess.

Continue reading “A random 2016 Brazilian Banking Trojan – Londer / jottvxz / Telax”