In recent months, CPR has been investigating the usage of compiled V8 JavaScript by malware authors. Compiled V8 JavaScript is a lesser-known feature in V8, Google’s JavaScript engine, that enables the compilation of JavaScript into low-level bytecode.
This technique assists attackers in evading static detections and hiding their original source code, rendering it almost impossible to analyze statically. To statically analyze compiled JavaScript files, Check Point researchers employed a newly-developed custom tool named ”View8”, specifically designed for decompiling V8 bytecode to a high-level readable language. Using View8, they decompiled thousands of malicious compiled V8 applications, spanning various malware types, such as Remote Access Tools (RATs), stealers, miners and even ransomware.
Read more…
Source: Check Point
Related:
- Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module
May 28, 2020
First discovered in 2016, TrickBot is an information stealer that provides backdoor access sometimes used by criminal groups to distribute other malware. TrickBot uses modules to perform different functions, and one key function is propagating from an infected Windows client to a vulnerable Domain Controller (DC). TrickBot currently uses three modules for propagation. As early as April ...
- FakeNet Genie: Improving Dynamic Malware Analysis with Cheat Codes for FakeNet-NG
April 2, 2020
As developers of the network simulation tool FakeNet-NG, reverse engineers on the FireEye FLARE team, and malware analysis instructors, we get to see how different analysts use FakeNet-NG and the challenges they face. We have learned that FakeNet-NG provides many useful features and solutions of which our users are often unaware. In this blog post, ...

