A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


"It's Malware Time" - A Bar Crawl from Skunked Homebrew to Rotten Apples - Erika Noerenberg NolaCon 2019 (Hacking Illustrated Series InfoSec <br>Tutorial Videos)

"It's Malware Time" - A Bar Crawl from Skunked Homebrew to Rotten Apples
Erika Noerenberg


Back in November 2018, a coworker contacted me regarding a homebrewing website that seemed to be serving malware via fake Adobe Flash updates. Digging further, I found that it was using methods of anti-analysis, employing randomized site loading with location and system fingerprinting, locking the redirect to a dummy site if a single IP is detected to be loading the page too many times in a given interval. \n\nGiven this introspection, I first assumed I was being served macOS malware based on my system and user-agent. However, after testing with Windows hosts, it was clear the site was targeting strictly macOS users as macOS malware is still fairly uncommon, this was an intriguing discovery. With a few hours and some Python magic, we had collected 18 unique samples; all were obfuscated and several were undetected by antivirus and not found on malware sharing sites. \n\nIn this talk, I will introduce the techniques employed by this site both to serve malware and to hinder analysis. We will then look deeper into a few of the specific malware samples served out via this site, and commonalities with the malware discovered and recent macOS malware such as WindTail will be discussed.

Erika Noerenberg is a Senior Threat Researcher with Carbon Black's Threat Analysis Unit, with over 15 years of experience in the security industry specializing in digital forensics, malware analysis, and software development. Previously, she worked as a malware analyst at LogRhythm Labs and as a forensic analyst and reverse engineer for the Defense Cyber Crime Center (DC3), performing system and malware examinations in support of intrusions investigations for the Department of Defense and FBI.

Recorded at NolaCon 2019

Back to NolaCon 2019 video list

Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast