Author

Salim Bitam

Elastic Security Labs Team Research Engineer II, Malware

Articles

Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite

Elastic Security Labs share details about the SADBRIDGE loader and GOSAR backdoor, malware used in campaigns targeting Chinese-speaking victims.

Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses

Elastic Security Labs breaks down bypass implementations from the infostealer ecosystem’s reaction to Chrome 127's Application-Bound Encryption scheme.

Tricks and Treats: GHOSTPULSE’s new pixel-level deception

The updated GHOSTPULSE malware has evolved to embed malicious data directly within pixel structures, making it harder to detect and requiring new analysis and detection techniques.

Globally distributed stealers

This article describes our analysis of the top malware stealer families, unveiling their operation methodologies, recent updates, and configurations. By understanding the modus operandi of each family, we better comprehend the magnitude of their impact and can fortify our defences accordingly.

Invisible miners: unveiling GHOSTENGINE’s crypto mining operations

Elastic Security Labs has identified REF4578, an intrusion set incorporating several malicious modules and leveraging vulnerable drivers to disable known security solutions (EDRs) for crypto mining.

PIKABOT, I choose you!

Elastic Security Labs observed new PIKABOT campaigns, including an updated version. PIKABOT is a widely deployed loader malicious actors utilize to distribute additional payloads.

Ransomware in the honeypot: how we capture keys with sticky canary files

This article describes the process of capturing encryption keys from ransomware using Elastic Defend ransomware protection.

Introduction to Hex-Rays decompilation internals

In this publication, we delve into Hex-Rays microcode and explore techniques for manipulating the generated CTree to deobfuscate and annotate decompiled code.

Unmasking a Financial Services Intrusion: REF0657

Elastic Security Labs details an intrusion leveraging open-source tooling and different post-exploitation techniques targeting the financial services industry in South Asia.

GHOSTPULSE haunts victims using defense evasion bag o' tricks

Elastic Security Labs reveals details of a new campaign leveraging defense evasion capabilities to infect victims with malicious MSIX executables.

Introducing the REF5961 intrusion set

The REF5961 intrusion set discloses three new malware families targeting ASEAN members. The threat actor leveraging this intrusion set continues to develop and mature their capabilities.

Revisiting BLISTER: New development of the BLISTER loader

Elastic Security Labs dives deep into the recent evolution of the BLISTER loader malware family.

The DPRK strikes using a new variant of RUSTBUCKET

Watch out! We’ve recently discovered a variant of RUSTBUCKET. Read this article to understand the new capabilities we’ve observed, as well as how to identify it in your own network.

Initial research exposing JOKERSPY

Explore JOKERSPY, a recently discovered campaign that targets financial institutions with Python backdoors. This article covers reconnaissance, attack patterns, and methods of identifying JOKERSPY in your network.

Elastic Security Labs steps through the r77 rootkit

Elastic Security Labs explores a campaign leveraging the r77 rootkit that has been observed deploying the XMRIG crypto miner. The research highlights the different modules of the rootkit and how they’re used to deploy additional malicious payloads.

BLISTER Loader

The BLISTER loader continues to be actively used to load a variety of malware.

Attack chain leads to XWORM and AGENTTESLA

Our team has recently observed a new malware campaign that employs a well-developed process with multiple stages. The campaign is designed to trick unsuspecting users into clicking on the documents, which appear to be legitimate.

Not sleeping anymore: SOMNIRECORD's wake-up call

Elastic Security Labs researchers identified a new malware family written in C++ that we refer to as SOMNIRECORD. This malware functions as a backdoor and communicates with command and control (C2) while masquerading as DNS.

CUBA Ransomware Malware Analysis

Elastic Security has performed a deep technical analysis of the CUBA ransomware family. This includes malware capabilities as well as defensive countermeasures.

Update to the REF2924 intrusion set and related campaigns

Elastic Security Labs is providing an update to the REF2924 research published in December of 2022. This update includes malware analysis of the implants, additional findings, and associations with other intrusions.

NETWIRE Dynamic Configuration Extraction

Elastic Security Labs discusses the NETWIRE trojan and is releasing a tool to dynamically extract configuration files.

FLARE-ON 9 Solutions:

This year's FLARE-ON consisted of 11 different reverse engineering challenges with a range of interesting binaries. We really enjoyed working on these challenges and have published our solutions here to Elastic Security Labs.

SiestaGraph: New implant uncovered in ASEAN member foreign ministry

Elastic Security Labs is tracking likely multiple on-net threat actors leveraging Exchange exploits, web shells, and the newly discovered SiestaGraph implant to achieve and maintain access, escalate privilege, and exfiltrate targeted data.

Exploring the REF2731 Intrusion Set

The Elastic Security Labs team has been tracking REF2731, a 5-stage intrusion set involving the PARALLAX loader and the NETWIRE RAT.

Doing time with the YIPPHB dropper

Elastic Security Labs outlines the steps to collect and analyze the various stages of the REF4526 intrusion set. This intrusion set uses a creative approach of Unicode icons in PowerShell scripts to install a loader, a dropper, and RAT implants.

BUGHATCH Malware Analysis

Elastic Security has performed a deep technical analysis of the BUGHATCH malware. This includes capabilities as well as defensive countermeasures.

CUBA Ransomware Campaign Analysis

Elastic Security observed a ransomware and extortion campaign leveraging a combination of offensive security tools, LOLBAS, and exploits to deliver the CUBA ransomware malware.

LUNA Ransomware Attack Pattern Analysis

In this research publication, we'll explore the LUNA attack pattern — a cross-platform ransomware variant.