Author

Cyril François

Elastic Security Labs Team Senior Research Engineer, Malware

Subscribe

Articles

Shedding light on the ABYSSWORKER driver

Shedding light on the ABYSSWORKER driver

Elastic Security Labs describes ABYSSWORKER, a malicious driver used with the MEDUSA ransomware attack-chain to disable anti-malware tools.

You've Got Malware: FINALDRAFT Hides in Your Drafts

You've Got Malware: FINALDRAFT Hides in Your Drafts

During a recent investigation (REF7707), Elastic Security Labs discovered new malware targeting a foreign ministry. The malware includes a custom loader and backdoor with many features including using Microsoft’s Graph API for C2 communications.

Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses

Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses

Elastic Security Labs breaks down bypass implementations from the infostealer ecosystem’s reaction to Chrome 127's Application-Bound Encryption scheme.

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four

In previous articles in this multipart series, malware researchers on the Elastic Security Labs team decomposed the REMCOS configuration structure and gave details about its C2 commands. In this final part, you’ll learn more about detecting and hunting REMCOS using Elastic technologies.

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Three

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Three

In previous articles in this multipart series, malware researchers on the Elastic Security Labs team dove into the REMCOS execution flow. In this article, you’ll learn more about REMCOS configuration structure and its C2 commands.

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Two

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Two

In the previous article in this series on the REMCOS implant, we shared information about execution, persistence, and defense evasion mechanisms. Continuing this series we’ll cover the second half of its execution flow and you’ll learn more about REMCOS recording capabilities and communication with its C2.

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part One

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part One

This malware research article describes the REMCOS implant at a high level, and provides background for future articles in this multipart series.

STIXy Situations: ECSaping your threat data

STIXy Situations: ECSaping your threat data

Structured threat data is commonly formatted using STIX. To help get this data into Elasticsearch, we’re releasing a Python script that converts STIX to an ECS format to be ingested into your stack.

Disclosing the BLOODALCHEMY backdoor

Disclosing the BLOODALCHEMY backdoor

BLOODALCHEMY is a new, actively developed, backdoor that leverages a benign binary as an injection vehicle, and is a part of the REF5961 intrusion set.

Introducing the REF5961 intrusion set

Introducing the REF5961 intrusion set

The REF5961 intrusion set discloses three new malware families targeting ASEAN members. The threat actor leveraging this intrusion set continues to develop and mature their capabilities.

Elastic charms SPECTRALVIPER

Elastic charms SPECTRALVIPER

Elastic Security Labs has discovered the P8LOADER, POWERSEAL, and SPECTRALVIPER malware families targeting a national Vietnamese agribusiness. REF2754 shares malware and motivational elements of the REF4322 and APT32 activity groups.

Unpacking ICEDID

Unpacking ICEDID

ICEDID is known to pack its payloads using custom file formats and a custom encryption scheme. We are releasing a set of tools to automate the unpacking process and help analysts and the community respond to ICEDID.

BLISTER Loader

BLISTER Loader

The BLISTER loader continues to be actively used to load a variety of malware.

Thawing the permafrost of ICEDID Summary

Thawing the permafrost of ICEDID Summary

Elastic Security Labs analyzed a recent ICEDID variant consisting of a loader and bot payload. By providing this research to the community end-to-end, we hope to raise awareness of the ICEDID execution chain, capabilities, and design.

PHOREAL Malware Targets the Southeast Asian Financial Sector

PHOREAL Malware Targets the Southeast Asian Financial Sector

Elastic Security discovered PHOREAL malware, which is targeting Southeast Asia financial organizations, particularly those in the Vietnamese financial sector.

QBOT Malware Analysis

QBOT Malware Analysis

Elastic Security Labs releases a QBOT malware analysis report covering the execution chain. From this research, the team has produced a YARA rule, configuration-extractor, and indicators of compromises (IOCs).

Update to the REF2924 intrusion set and related campaigns

Update to the REF2924 intrusion set and related campaigns

Elastic Security Labs is providing an update to the REF2924 research published in December of 2022. This update includes malware analysis of the implants, additional findings, and associations with other intrusions.

FLARE-ON 9 Solutions:

FLARE-ON 9 Solutions:

This year's FLARE-ON consisted of 11 different reverse engineering challenges with a range of interesting binaries. We really enjoyed working on these challenges and have published our solutions here to Elastic Security Labs.

Exploring the QBOT Attack Pattern

Exploring the QBOT Attack Pattern

In this research publication, we'll explore our analysis of the QBOT attack pattern — a full-featured and prolific malware family.