One Article Review

Home - The article:
Source AlienVault Blog
Identifier 2151459
Publication date 2021-01-07 11:00:00 (seen: 2021-01-07 11:05:29)
Title Malware using new Ezuri memory loader
Text This blog was written by Ofer Caspi and Fernando Martinez of AT&T Alien Labs.

Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk. While this technique is known and commonly used by Windows malware, it is less popular in Linux environments.

The loader decrypts the malicious payload and executes it using memfd_create (as described in this blog in 2018). When the process is created, the system returns a file descriptor to an anonymous file in '/proc/PID/fd/', the only place it is visible in the filesystem. Figure 1 shows a code snippet from the loader, containing the information it uses to decrypt the payload with the AES algorithm.

[Figure 1. Loader code snippet via Alien Labs analysis.]

The loader, written in Golang, is taken from the "Ezuri" code on GitHub by the user guitmz. This user originally created the ELF loader around March 2019, when he wrote a blog about the technique of running ELF executables from memory and shared the loader on his GitHub. Additionally, a similar user 'TMZ' (presumably associated with the previously mentioned 'guitmz') posted this same code in late August on a small forum where malware samples are shared. The guitmz user even ran tests against VirusTotal to prove the efficiency of the code, uploading a detected Linux.Cephei sample (35308b8b770d2d4f78299262f595a0769e55152cb432d0efc42292db01609a18) with 30/61 AV detections in VirusTotal, compared to zero AV detections for the same sample hidden with the Ezuri code (ddbb714157f2ef91c1ec350cdf1d1f545290967f61491404c81b4e6e52f5c41f).
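A defender-side check for the memfd_create technique described above, added here as an example and not taken from the Alien Labs post or from the Ezuri code: on Linux, a process whose executable was created with memfd_create has no file on disk, and the kernel reports its /proc/PID/exe link as "/memfd:<name> (deleted)". The script classifies such link targets and walks /proc to list matching processes; the SAMPLE_LINKS values are constructed for illustration.

```python
import os
import re

# The kernel names a memfd-backed executable "/memfd:<name> (deleted)";
# <name> is whatever the caller passed to memfd_create() and may be empty.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*) \(deleted\)$")


def classify_exe_link(link_target: str):
    """Return the memfd name when the exe symlink target denotes an in-memory
    ELF, otherwise None. Takes the raw os.readlink() result."""
    m = MEMFD_RE.match(link_target)
    return m.group("name") if m else None


def scan_proc(proc_root="/proc"):
    """Walk /proc and report processes whose executable lives only in memory.
    Returns a list of (pid, memfd_name, cmdline). Reading another user's
    exe link needs root, so run this with sufficient privilege."""
    hits = []
    if not os.path.isdir(proc_root):  # non-Linux host, nothing to inspect
        return hits
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
            with open(os.path.join(pid_dir, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:  # process exited, or not ours to inspect
            continue
        name = classify_exe_link(target)
        if name is not None:
            hits.append((int(entry), name, cmdline))
    return hits


# Constructed sample readlink() results: one memfd-backed process (empty name)
# and one ordinary on-disk binary.
SAMPLE_LINKS = {
    4242: "/memfd: (deleted)",
    4243: "/usr/bin/bash",
}


def triage(links=SAMPLE_LINKS):
    """Map pid -> memfd name for every link that indicates in-memory execution."""
    flagged = {pid: classify_exe_link(t) for pid, t in links.items()}
    return {pid: name for pid, name in flagged.items() if name is not None}


if __name__ == "__main__":
    for pid, name, cmd in scan_proc():
        print(f"pid={pid} memfd_name={name!r} cmdline={cmd!r}")
```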
Sent Yes
Tags Malware Tool Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.