Deep Dive into a Dumped Malware without a PE Header


This analysis is part of an incident investigation led by the FortiGuard Incident Response Team.

Fortiguard Incident Response Team discovered malware that had been running on a compromised machine for several weeks. The threat actor had executed a batch of scripts and PowerShell to run the malware in a Windows process. Although obtaining the original malware executable was difficult, a memory dump of the running malware process and a full memory dump of the compromised machine (the “fullout” file, size 33GB) were successfully acquired.

Read more…
Source: Fortinet


Sign up for our Newsletter
The latest news and insights delivered right to your inbox.


Related:

  • Malware Makers Using ‘Exotic’ Programming Languages

    July 26, 2021

    Malware authors are increasingly using rarely spotted programming languages such as Go, Rust, Nim and DLang in order to create new tools and to hinder analysis, researchers have found. Use of those four languages is escalating in the number of malware families being identified, according to a report published on Monday by BlackBerry Research and Intelligence ...

  • Trickbot updates its VNC module for high-value targets

    July 14, 2021

    The Trickbot botnet malware that often distributes various ransomware strains, continues to be the most prevalent threat as its developers update the VNC module used for remote control over infected systems. Its activity has been increasing constantly since the complete disruption of the Emotet botnet in January, which acted as a distributor for both Trickbot and ...

  • WildPressure targets the macOS platform

    July 7, 2021

    Our previous story regarding WildPressure was dedicated to their campaign against industrial-related targets in the Middle East. By keeping track of their malware in spring 2021, we were able to find a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant with the same version (1.6.1) and a set of modules that ...

  • Detecting unknown threats: a honeypot how-to

    June 30, 2021

    Catching threats is tricky business, especially in today’s threat landscape. To tackle this problem, for many years сybersecurity researchers have been using honeypots – a well-known deception technique in the industry. Dan Demeter, Senior Security Researcher with Kaspersky’s Global Research and Analysis Team and head of Kaspersky’s honeypot project, explains what honeypots are, why they ...

  • Nefilim Ransomware Attack Through a MITRE Att&ck Lens

    June 28, 2021

    Nefilim is among a new breed of ransomware families that use advanced techniques for a more targeted and virulent attack. It is operated by a group that we track under the intrusion set “Water Roc”. This group combines advanced techniques with legitimate tools to make them significantly harder to detect and respond before it is ...

  • REvil Ransomware Code Ripped Off by Rivals

    June 23, 2021

    They say imitation is the sincerest form of flattery: The LV ransomware, a strain that cropped up just this spring, turns out to be based on what is most likely pirated REvil ransomware code, according to researchers. A malware analysis of LV from Secureworks Counter Threat Unit (CTU) found that its operators (which it calls Gold ...