pouet.chapril.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
Chapril https://www.chapril.org is a project of April https://www.april.org


#malwareanalysis


In the course of its investigations, @volexity frequently encounters malware samples written in Golang. This reflects the increase in popularity of the Golang generally, and presents challenges to reverse engineering tools.
 
Today, @volexity is releasing GoResolver, open-source tooling to help reverse engineers understand obfuscated samples. @r00tbsd & Killian Raimbaud presented details at INCYBER Forum earlier today.
 
GoResolver uses control-flow graph similarity to identify library code in obfuscated code, leaving analysts with only malware functions to analyze. This saves time & speeds up investigations!
 
Check out the blog post on how GoResolver works and where to download it: volexity.com/blog/2025/04/01/g
 
#dfir #reversing #malwareanalysis

🧬 Malware Is Evolving — And So Are the Languages It’s Written In — A new study highlights a growing tactic among malware developers: coding in uncommon languages to evade detection.

🔍 Key takeaways:
🔹 Obscure languages like Lisp, Rust, Haskell, Delphi, and Phix are harder for static analysis tools to parse.
🔹 These languages often produce fragmented memory layouts and more indirect execution paths, complicating reverse engineering.
🔹 Even the choice of compiler — like Tiny C or Embarcadero Delphi — impacts how easily malware can be flagged.
🔹 APTs (Advanced Persistent Threats) are increasingly adopting these strategies to fly under the radar.

💬 Security teams must broaden their detection capabilities and adapt tooling for these underrepresented programming environments.

#CyberSecurity #ThreatIntel #MalwareAnalysis #Infosec #Programming #ReverseEngineering #security #privacy #cloud #infosec

theregister.com/2025/03/29/mal

The Register · Malware in Lisp? Now you're just being cruel · by Thomas Claburn

(cyfirma.com) Konni RAT Analysis: Multi-Stage Attack Process and Evasion Techniques cyfirma.com/research/analysis-

Executive Summary:
This report provides a comprehensive analysis of Konni RAT, a sophisticated remote access Trojan linked to North Korean cyber espionage group APT37. The malware employs a multi-stage attack process involving batch files, PowerShell scripts, and VBScript to exfiltrate sensitive data and maintain persistence. The attack begins with a zip archive containing a malicious LNK file disguised as a document. The malware exploits Windows Explorer limitations to hide malicious commands and uses obfuscation techniques to evade detection. Key capabilities include data exfiltration from user directories, system information gathering, persistence through registry modifications, and communication with command-and-control servers. The report includes detailed technical analysis of the attack stages, from initial infection to data exfiltration, along with indicators of compromise and YARA detection rules.

CYFIRMA · Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques · Executive Summary: At Cyfirma, we are dedicated to providing current insights into prevalent threats and the strategies employed by malicious...

New Open-Source Tool Spotlight 🚨🚨🚨

FLARE's FLOSS is a tool that extracts strings from malware, even if they're obfuscated. Unlike standard tools, FLOSS uses emulation and decoding techniques to identify hidden strings, making it invaluable for reverse engineers. It bridges gaps where simple static analysis falls short. #malwareanalysis #reversing

🔗 Project link on #GitHub 👉 github.com/fireeye/flare-floss

#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity

✨
🔐 P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 💻🏴‍☠️

The tenth article (35 pages) of the Malware Analysis Series (MAS) is available on:

exploitreversing.com/2025/01/1

I would like to thank Ilfak Guilfanov @ilfak and @HexRaysSA (on X) for their constant and uninterrupted support, which have helped me write these articles.

I promised to write a series of ten articles, and this is the last one. I hope that over the years I have provided professionals around the world with a little help in improving their malware analysis and reverse engineering skills. The series is now complete and this was my last contribution on malware analysis.

Next week (JAN/22) the third article of the Exploiting Reversing Series (ER 03), which is my long-term series, will be released. I hope you like it.

Have an excellent day.

The ninth article (38 pages) of the Malware Analysis Series (MAS) is available on:

exploitreversing.com/2025/01/0

I would like to thank Ilfak Guilfanov @ilfak and @HexRaysSA (on X) for their constant and uninterrupted support, which have helped me write these articles.

Even though I haven't been on this subject for years, I promised I would write a series of ten articles, and the last one will be released next week (JAN/15).

Have a great day.

I was recently approached by a friend who had a website they manage be compromised. They offered to let me take a look at some of the files left behind by the attacker. In today's blog post, I go over my methods for deobfuscating a staging script they used.

#hacking #MalwareAnalysis #ReverseEngineering #PHP #CyberSecurity #InfoSec #IndieWeb #SmallWeb
vzqk50.com/blog/deobfuscating-

The Hive · Deobfuscating a Malware Stager · A walk-through where I demonstrate how I deobfuscated a PHP malware staging script

🦀 🧵 Rust reversing thread: Let's use panic metadata embedded inside Rust binaries to help us reverse engineer!

(If you prefer reading this thread as a blog post, you can read it here! Using panic metadata to recover source code information from Rust binaries - cxiao.net)

If you've ever looked inside the strings of a Rust binary, you may have noticed that many of these strings are paths to Rust source files (.rs extension). These are used when printing diagnostic messages when the program panics, such as the following message:

thread 'main' panicked at 'oh no!', src\main.rs:314:5

The above message includes both a source file path src\main.rs, as well as the exact line and column in the source code where the panic occurred. All of this information is embedded in Rust binaries by default, and is recoverable statically!

Examining these can be useful in separating user from library code, as well as in understanding functionality. This is especially nice because Rust's standard library and the majority of third-party Rust libraries are open-source, so you can use the panic strings to find the relevant location in the source code, and use that to aid in reversing.

cxiao.net · Using panic metadata to recover source code information from Rust binaries · more via Cindʎ Xiao 🍉

Starting a small thread of malware analysis tools for those times when you NEED INDICATORS YESTERDAY, ie tools I have used that are easy to use and give good leads for further analysis with minimal effort.

First: GarbageMan for .NET binaries, from WithSecure Labs: labs.withsecure.com/tools/garb

This tool displays the values of objects and relationships between objects inside the .NET runtime’s managed heap memory. It can either work off a memory dump file, or snapshot a running process at regular intervals. It also captures stack traces, and a list of loaded assemblies.

I have done all of the following with it:

Look at all System.Byte[] objects and grab those with values that have the PE headers at the beginning. There’s actually a built-in menu option for this (along with tons of other useful searches, such as just grabbing everything that looks remotely like an URL)

Look for “interesting” object types like HttpWebRequest or anything under System.Security.Cryptography, and look at the parents or children of those objects to either find plain text indicators, or to get an idea of how indicators are obfuscated / encrypted

Snapshot a process every 20ms, and look at the list of loaded assemblies in each snapshot to see if / when the binary starts delivering another payload assembly.

Use as a very rough tracing tool by snapshotting at regular intervals, and seeing how the stack trace changes for each snapshot.

Also it persists all of the values of parsed objects to a plain SQLite database :awesome: So you can just do arbitrary SQL queries on the results as well. I haven’t even begun exploring this yet.