XWorm is a multi-purpose malware family, commonly used as RAT. This post contains a detailed analysis and walk-through the reverse-engineering process.

When, what and why As a national CERT we analyse all kinds of incidents. Some of them involve widespread APT campaigns, othertimes we just focus on everyday threats. Recently we got notified about a new malspam campaign targeting Polish users and decided to investigate. It all started with this phishing …

For the past two years we've been tinkering with a proof-of-concept decryptor for the Phobos family ransomware. It works, but is impractical to use for reasons we'll explain here. Consequently, we've been unable to use it to help a real-world victim so far. We've decided to publish our findings and tools, in hope that someone will find it useful, interesting or will continue our research. We will describe the vulnerability, and how we improved our decryptor computational complexity and performance to reach an almost practical implementation.

Table of contents Getting Started Your first karton Malware extraction with malduck Introduction Today we'll continue topics started in the first part of the tutorial. We'll learn about malduck, what can it do and how to write your own modules. Later we'll also show how to integrate it with Karton …

Table of contents Getting Started Your first karton Malware extraction with malduck Introduction In the last part, we've explained how to set up a simple Karton pipeline and start your tasks. If you haven't already, it's probably a good idea to read it now. Or you can clone the karton-playground …

Table of contents Getting Started Your first karton Malware extraction with malduck What is Karton? Karton is a framework for microservice orchestration, designed by security researchers for security researchers (but flexible enough to be used everywhere). It shines in scenarios where there is a clear separation of "input" and "output …

We proudly announce that today we open-source a large part of our analysis framework and pipeline! If you want to try it – check out Karton project on GitHub. What is karton? Karton is a robust framework for lightweight and flexible analysis backends. It can be used to connect malware analysis …

High-level overview CERT Polska collaborates in SISSDEN (Secure Information Sharing Sensor Delivery event Network) project. One of its goals is to create feeds of actionable security information, that will be further processed by relevant entities (like security and academic researchers, CERTs, LEAs etc.). Mtracker is going to be one of …

Tofsee is a multi-purpose malware with wide array of capabilities – it can mine bitcoins, send emails, steal credentials, perform DDoS attacks, and more. All of this is possible because of its modular nature. We have already published about Tofsee/Gheg a few months ago – https://www.cert.pl/en/news …

Mole ransomware is almost month old ransomware (so it’s quite old from our point of view), that was distributed mainly through fake online Word docs. It’s a member of growing CryptoMix family, but encryption algorithm was completely changed (…again). We became interested in this variant after victims contacted …