diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md index 3ac6afb5e04..0633d0f286f 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md @@ -623,9 +623,83 @@ for (i = 0; i < 4; i++) { write(fd, nonce, 12); // only the last nonce survives ``` + +## .NET resource-backed stealers: triage and extraction + +Recent .NET stealers increasingly move **config blobs, encrypted strings, and even later-stage functions** into the assembly **resource** section instead of leaving them in IL as plaintext. + +### What to look for + +- Calls that resolve strings from numeric triplets instead of literals, for example `Decoder(18829, 2178, 23)`. +- Use of `.NET` resource APIs such as `Assembly.GetManifestResourceStream`, `ResourceManager`, `ResourceReader`, or Win32 `FindResource` / `LoadResource` / `LockResource`. +- A large opaque resource blob plus a tiny decoder that computes **offset + length + XOR/additive key** at runtime. +- Meaningless identifiers (`a`, `b`, `c`, `hf`, `bb`) and dense `goto` / `switch` / `IL_XXXX` control-flow noise around otherwise simple steal/exfil routines. + +### Practical workflow + +1. Enumerate embedded resources first and dump them before spending time on the decompiled control flow. +2. Identify the decoder prototype and rename its arguments to `offset`, `length`, `key` (or similar) during triage. +3. Re-implement the decoder offline and bulk-resolve every call site to recover URLs, wallet paths, Telegram bot tokens, regexes, and exfil routes. +4. If the resource contains staged methods or a second PE, break on the decoder/resource-loader and dump the post-decryption buffer from memory. +5. Treat very noisy branches as obfuscation until data-flow proves otherwise; often the real behavior is a short linear task list. + +Quick triage commands: + +```bash +strings -a sample.exe | grep -Ei 'resource|manifest|telegram|wallet|ipify|discord' +7z l sample.exe | grep -i resource +capa sample.exe +``` + +Minimal single-byte XOR brute force for a dumped resource blob: + +```python +blob = open('resource.bin', 'rb').read() +for k in range(256): + pt = bytes(b ^ k for b in blob[:256]) + if b'http' in pt or b'Telegram' in pt or b'wallet' in pt: + print(hex(k), pt) +``` + +### Virtualizing packers and "no-labels" obfuscation + +If the sample is protected by a **virtualizing packer**, a memory dump may still expose only custom bytecode plus a VM dispatcher instead of the original logic. In that case: + +- Hunt for the **dispatcher loop**, virtual register state, and opcode handlers instead of trusting the decompiler output. +- Break on **resource decryption**, **string decode**, and **network/exfil** boundaries to observe the real behavior without fully devirtualizing the sample. +- Rename short symbols aggressively while tracing data flow (`bb` -> `browser_stealer`, `hf.a()` -> `collect_all()`, etc.) to turn a noisy graph into a usable map. + +### Live Chromium session theft + +Some stealers no longer rely only on the on-disk `Cookies` / `Login Data` databases and instead talk to the **already running Chromium session** over a local **WebSocket/DevTools-style** channel. This gives them access to **live authenticated state** from the browser process itself. + +Forensic leads: + +- Check browser command lines for unexpected debugging flags or local WebSocket listeners. +- Correlate suspicious processes with access to Chromium session files such as `Current Session`, `Current Tabs`, `Last Session`, and `Last Tabs`. +- Review localhost connections between the stealer and the browser around the time cookies/tokens were exfiltrated. +- If you need exploitation details for DevTools-style browser abuse, review: + +{{#ref}} +../../linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md +{{#endref}} + +{{#ref}} +../../macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-chromium-injection.md +{{#endref}} + +### Cryptocurrency clippers + +Clipboard hijackers are easy to miss if the operator never steals wallet files. Hunt for loops that: + +- Poll `GetClipboardData` / `SetClipboardData` or equivalent .NET wrappers. +- Validate copied text against **wallet regexes**. +- Replace the victim's address with an attacker-controlled value immediately before paste/exfil. + ## References - [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/) +- [Unit 42 – Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files](https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/) - SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap) - Strategies for Analyzing Native Code in Android Applications: Combining Ghidra and Symbolic Execution for Code Decryption and Deobfuscation – [revflash.medium.com](https://revflash.medium.com/strategies-for-analyzing-native-code-in-android-applications-combining-ghidra-and-symbolic-aaef4c9555df) - Ghidra – [github.com/NationalSecurityAgency/ghidra](https://github.com/NationalSecurityAgency/ghidra)