
Malware in a PICTURE! | Reverse Engineering an XWorm Loader that uses STEGANOGRAPHY

Vanquishing Viruses
Views:
0
Upload date:
09.10.2024 18:27
Duration:
00:18:59
Category:
Technology and Internet

Description

Malware analysis of a fake winrm.vbs script that acts as a downloader, invoking a PowerShell script designed to retrieve malware hidden inside a picture hosted on a public image hosting website.

Note: Apologies for the slightly worse audio quality on this one; I've set up a noise gate now for future videos to avoid the artifacts found in this video.

** Find me at **
Twitter/X - https://twitter.com/CyberRaiju
Blog - https://www.jaiminton.com/
Mastodon - https://infosec.exchange/@CyberRaiju

** Tools **
Notepad++ - https://notepad-plus-plus.org/
CyberChef - https://gchq.github.io/CyberChef/
pestudio - https://www.winitor.com/download
DNSpyEx - https://github.com/dnSpyEx/dnSpy

** Sample **
https://bazaar.abuse.ch/sample/1a93c7da6bb1bc0b7b4d4e34060ec15e80859886d57cea5847f18f2d7b42b2c0/
https://www.virustotal.com/gui/file/1a93c7da6bb1bc0b7b4d4e34060ec15e80859886d57cea5847f18f2d7b42b2c0/behavior
https://urlscan.io/responses/f7a8752410f0436a029e154bf2a40b2a7d6fb379093a3cb71f44e726497ea629/
https://urlscan.io/responses/f5718d6af52e13f7ba5b1b30437e091800759352a92820458664f5c80239f2eb/

** Timestamps **
00:00 - Intro
01:30 - Comparing winrm.vbs scripts
02:36 - Locating the malicious script entries
03:27 - Extracting downloader URL
04:34 - Behavioral analysis of downloader
05:15 - Analysis of malicious PowerShell script
06:39 - Examining 2nd stage stego loader
07:00 - Image hiding malware
08:20 - Extracting PE file from Base64
09:30 - Examining 3rd stage .NET binary using pestudio
10:15 - Examining using dnspy
11:35 - Determining surrogate host for injection
12:45 - Examining 4th and final stage malware
14:02 - Analysis of encrypted configuration
15:45 - Easy decryption of configuration
18:23 - Outro

Credits:
SFX by Pixabay
