Malware Launcher using DLL Search Order Hijacking

Hello again,

Have you ever heard of this? It’s a pretty cool technique to load an arbitrary DLL into a process by taking advantage of the way Windows’ DLL search works. Quite honestly, I’ve never seen it in action on real malware, up until very recently.

There is a “launcher” floating around which uses not only DSOH, but some other pretty cool techniques to host malicious activity inside the process of a legitimate (and signed) tool.


Quick “how-to-decode” this banking Trojan encoded string

Remember when you could figure out what bank was being targeted by a Brazilian banking Trojan just by running “strings” against it? Well, that was a while ago.

There’s this decode function widespread among most banking Trojan samples that I get my hands on, especially those written in Delphi.

Let’s take a look!
