Category

Malware analysis

Elastic Security Labs share details about the SADBRIDGE loader and GOSAR backdoor, malware used in campaigns targeting Chinese-speaking victims.

placeholder image
Declawing PUMAKIT

Declawing PUMAKIT

PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers.

Katz and Mouse Game:  MaaS Infostealers Adapt to Patched Chrome Defenses

Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses

Elastic Security Labs breaks down bypass implementations from the infostealer ecosystem’s reaction to Chrome 127's Application-Bound Encryption scheme.

Tricks and Treats: GHOSTPULSE’s new pixel-level deception

Tricks and Treats: GHOSTPULSE’s new pixel-level deception

The updated GHOSTPULSE malware has evolved to embed malicious data directly within pixel structures, making it harder to detect and requiring new analysis and detection techniques.

Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse

Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse

The REF6138 campaign involved cryptomining, DDoS attacks, and potential money laundering via gambling APIs, highlighting the attackers' use of evolving malware and stealthy communication channels.

Code of Conduct: DPRK’s Python-fueled intrusions into secured networks

Code of Conduct: DPRK’s Python-fueled intrusions into secured networks

Investigating the DPRK’s strategic use of Python and carefully crafted social engineering, this publication sheds light on how they breach highly secure networks with evolving and effective cyber attacks.

Beyond the wail: deconstructing the BANSHEE infostealer

Beyond the wail: deconstructing the BANSHEE infostealer

The BANSHEE malware is a macOS-based infostealer that targets system information, browser data, and cryptocurrency wallets.

BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor

BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor

Elastic Security Labs identified a novel Windows backdoor leveraging the Background Intelligent Transfer Service (BITS) for C2. This malware was found during a recent activity group tracked as REF8747.

Dipping into Danger: The WARMCOOKIE backdoor

Dipping into Danger: The WARMCOOKIE backdoor

Elastic Security Labs observed threat actors masquerading as recruiting firms to deploy a new malware backdoor called WARMCOOKIE. This malware has standard backdoor capabilities, including capturing screenshots, executing additional malware, and reading/writing files.

Globally distributed stealers

Globally distributed stealers

This article describes our analysis of the top malware stealer families, unveiling their operation methodologies, recent updates, and configurations. By understanding the modus operandi of each family, we better comprehend the magnitude of their impact and can fortify our defences accordingly.

Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID

Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID

Elastic Security Labs has observed an uptick in a recent emerging loader known as LATRODECTUS. This lightweight loader packs a big punch with ties to ICEDID and may turn into a possible replacement to fill the gap in the loader market.

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four

In previous articles in this multipart series, malware researchers on the Elastic Security Labs team decomposed the REMCOS configuration structure and gave details about its C2 commands. In this final part, you’ll learn more about detecting and hunting REMCOS using Elastic technologies.

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Three

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Three

In previous articles in this multipart series, malware researchers on the Elastic Security Labs team dove into the REMCOS execution flow. In this article, you’ll learn more about REMCOS configuration structure and its C2 commands.

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Two

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Two

In the previous article in this series on the REMCOS implant, we shared information about execution, persistence, and defense evasion mechanisms. Continuing this series we’ll cover the second half of its execution flow and you’ll learn more about REMCOS recording capabilities and communication with its C2.

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part One

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part One

This malware research article describes the REMCOS implant at a high level, and provides background for future articles in this multipart series.

Introduction to Hex-Rays decompilation internals

Introduction to Hex-Rays decompilation internals

In this publication, we delve into Hex-Rays microcode and explore techniques for manipulating the generated CTree to deobfuscate and annotate decompiled code.

Getting gooey with GULOADER: deobfuscating the downloader

Getting gooey with GULOADER: deobfuscating the downloader

Elastic Security Labs walks through the updated GULOADER analysis countermeasures.

Elastic catches DPRK passing out KANDYKORN

Elastic catches DPRK passing out KANDYKORN

Elastic Security Labs exposes an attempt by the DPRK to infect blockchain engineers with novel macOS malware.

GHOSTPULSE haunts victims using defense evasion bag o' tricks

GHOSTPULSE haunts victims using defense evasion bag o' tricks

Elastic Security Labs reveals details of a new campaign leveraging defense evasion capabilities to infect victims with malicious MSIX executables.

Disclosing the BLOODALCHEMY backdoor

Disclosing the BLOODALCHEMY backdoor

BLOODALCHEMY is a new, actively developed, backdoor that leverages a benign binary as an injection vehicle, and is a part of the REF5961 intrusion set.

Dancing the night away with named pipes - PIPEDANCE client release

Dancing the night away with named pipes - PIPEDANCE client release

In this publication, we will walk through this client application’s functionality and how to get started with the tool.

Introducing the REF5961 intrusion set

Introducing the REF5961 intrusion set

The REF5961 intrusion set discloses three new malware families targeting ASEAN members. The threat actor leveraging this intrusion set continues to develop and mature their capabilities.

Revisiting BLISTER: New development of the BLISTER loader

Revisiting BLISTER: New development of the BLISTER loader

Elastic Security Labs dives deep into the recent evolution of the BLISTER loader malware family.

NAPLISTENER: more bad dreams from developers of SIESTAGRAPH

NAPLISTENER: more bad dreams from developers of SIESTAGRAPH

Elastic Security Labs observes that the threat behind SIESTAGRAPH has shifted priorities from data theft to persistent access, deploying new malware like NAPLISTENER to evade detection.

Elastic charms SPECTRALVIPER

Elastic charms SPECTRALVIPER

Elastic Security Labs has discovered the P8LOADER, POWERSEAL, and SPECTRALVIPER malware families targeting a national Vietnamese agribusiness. REF2754 shares malware and motivational elements of the REF4322 and APT32 activity groups.

Elastic Security Labs steps through the r77 rootkit

Elastic Security Labs steps through the r77 rootkit

Elastic Security Labs explores a campaign leveraging the r77 rootkit and has been observed deploying the XMRIG crypto miner. The research highlights the different modules of the rootkit and how they’re used to deploy additional malicious payloads.

Elastic Security Labs discovers the LOBSHOT malware

Elastic Security Labs discovers the LOBSHOT malware

Elastic Security Labs is naming a new malware family, LOBSHOT. LOBSHOT propagates and infiltrates targeted networks through Google Ads and hVNC sessions to deploy backdoors masquerading as legitimate application installers.

Elastic users protected from SUDDENICON’s supply chain attack

Elastic users protected from SUDDENICON’s supply chain attack

Elastic Security Labs is releasing a triage analysis to assist 3CX customers in the initial detection of SUDDENICON, a potential supply-chain compromise affecting 3CX VOIP softphone users.

BLISTER Loader

BLISTER Loader

The BLISTER loader continues to be actively used to load a variety of malware.

Attack chain leads to XWORM and AGENTTESLA

Attack chain leads to XWORM and AGENTTESLA

Our team has recently observed a new malware campaign that employs a well-developed process with multiple stages. The campaign is designed to trick unsuspecting users into clicking on the documents, which appear to be legitimate.

Not sleeping anymore: SOMNIRECORD's wake-up call

Not sleeping anymore: SOMNIRECORD's wake-up call

Elastic Security Labs researchers identified a new malware family written in C++ that we refer to as SOMNIRECORD. This malware functions as a backdoor and communicates with command and control (C2) while masquerading as DNS.

Thawing the permafrost of ICEDID Summary

Thawing the permafrost of ICEDID Summary

Elastic Security Labs analyzed a recent ICEDID variant consisting of a loader and bot payload. By providing this research to the community end-to-end, we hope to raise awareness of the ICEDID execution chain, capabilities, and design.

Twice around the dance floor - Elastic discovers the PIPEDANCE backdoor

Twice around the dance floor - Elastic discovers the PIPEDANCE backdoor

Elastic Security Labs is tracking an active intrusion into a Vietnamese organization using a recently discovered triggerable, multi-hop backdoor we are calling PIPEDANCE. This full-featured malware enables stealthy operations through the use of named

CUBA Ransomware Malware Analysis

CUBA Ransomware Malware Analysis

Elastic Security has performed a deep technical analysis of the CUBA ransomware family. This includes malware capabilities as well as defensive countermeasures.

QBOT Malware Analysis

QBOT Malware Analysis

Elastic Security Labs releases a QBOT malware analysis report covering the execution chain. From this research, the team has produced a YARA rule, configuration-extractor, and indicators of compromises (IOCs).

Exploring the REF2731 Intrusion Set

Exploring the REF2731 Intrusion Set

The Elastic Security Labs team has been tracking REF2731, an 5-stage intrusion set involving the PARALLAX loader and the NETWIRE RAT.

BUGHATCH Malware Analysis

BUGHATCH Malware Analysis

Elastic Security has performed a deep technical analysis of the BUGHATCH malware. This includes capabilities as well as defensive countermeasures.

Elastic protects against data wiper malware targeting Ukraine: HERMETICWIPER

Elastic protects against data wiper malware targeting Ukraine: HERMETICWIPER

Analysis of the HERMETICWIPER malware targeting Ukranian organizations.

Going Coast to Coast - Climbing the Pyramid with the Deimos Implant

Going Coast to Coast - Climbing the Pyramid with the Deimos Implant

The Deimos implant was first reported in 2020 and has been in active development; employing advanced analysis countermeasures to frustrate analysis. This post details the campaign TTPs through the malware indicators.