Understanding Syscalls: Direct, Indirect, and Cobalt Strike Implementation

In case images fail to load, it might be due to jsDelivr CDN ban in Egypt. To resolve this, consider using a VPN. :) Syscalls? Why? To Bypass user-mood hooks. why? For Hiding a code inside a legitimate process (Process Injection) Avoiding EDR alerts! User-mood Hooks Hooking user-mode functions by placing a jump to another code section. EDRs use hooks to check the function parameters. For example, if you are trying to change the memory protections of some data to add executable protections.

Pikabot deep analysis

Introduction Pikabot is a new malware first seen in early 2023. It has two components: Loader and core module. It is still in its initial stages, expected to see increasing activity in the future. Some researchers believe that it is linked to TA570 because of the similarity of delivering method between it and Qbot trojan. And the absence of Qbot activity in the period of pikabot activity. The Loader usage is to perform a lot of Anti-debug, Anti-VM and Anti-emulation checks to make it harder for automated analysis and inject the core module.

Aurora Stealer Builder

Introduction in the previous article, I discussed what’s inside Aurora Stealer. After the release, @Gi7w0rm provided me samples of some versions of Aurora Stealer builder, a new version that was created recently and another one that was created in 2022. The newer version has some improvements in the builder and new features we will discuss in this article. Before we start this article, it is important to note that the Builder also contains and creates the Web panel to control the bots.

Aurora Stealer

Introduction Aurora Stealer is an information stealer Written in GO. It is a commercial stealer that costs around 250$ per month. The malware can steal Browser password and saved cookies, crypto information (Desktop and Web), Telegram, Steam and Specific files from the victim machine and can take a screenshot from it. Basic information The icon of the executable gives us a hit about how this is spreading. It has Photoshop icon, most probably it was spreading using Malvertising.

OriginLogger Loader

Conclusion Origin Logger is a variant of Agent tesla, it is build on top of it and uses all of its capabilities. The malware is spreading using spam emails with a malicious attachments. The malware exfiltrate user accounts and passwords and other information from the infected machine. Infection through Email the infection is started with spam email attached by .iso File the .ISO file contains only an executable with a PDF icon.

Raccoon Stealer

Conclusion Raccoon Stealer V2 (or RecordBreaker) Is a stealer that provided as a service with about 200$/m. It is a new version of Raccoon stealer that appeared in 2019 and died for a while then it returns with this new Stealer which known as RecordBreaker. It Comes with a lot of capabilities, It can grab a lot of sensitive information like : Steal Victim System information Steal Victim Username and passwords stored in the browser Steal Victim Browser’s Autofill Information Steal Credit Card information Steal Crypto wallets Information Steal Bitcoin Wallets Grab any file from the victim system Take Screenshots from the victim system Load next stage Analysis First Look First we start with basic analysis, using Detect it easy we see that the file seems to be not packed.