IPV4/IPV6 Obfuscation Data Obfuscation

The obfuscated payload masquerades itself as an array of ASCII IPv4 addresses. Each one of these IPs is passed to the RtlIpv4StringToAddressA function, which will translate the ASCII IP string to binary. The binary representation of all of these IPs is combined to form a blob of shellcode. Additionally, IPfuscation variants were spotted using IPv6 instead of IPv4 addresses, UUIDs, …

VBA Purging Antivirus/EDR Evasion

VBA Purging is an obfuscation technique designed to evade detection mechanisms used in malware analysis. When a VBA macro is added to a Microsoft Office document, it is stored in two sections: the PerformanceCache (compiled VBA code) and the CompressedSourceCode (compressed VBA source code). In VBA Purging, the PerformanceCache (compiled code) is completely removed from the module stream, along with …

Exfiltration via SMTP Network Evasion

Exfiltration via SMTP is a technique where attackers leverage the Simple Mail Transfer Protocol (SMTP) to exfiltrate data. This method involves sending stolen data, such as sensitive files or system information, via email to an attacker-controlled email account. By using email traffic, attackers can often bypass traditional network monitoring solutions since SMTP traffic is usually deemed legitimate.

To execute …

Manipulating Debug Logs Anti-Forensic

Using the sed -i command, specific entries in debug logs, such as errors (segfault, SystemError) or trace information (e.g., filenames like main.cc), are surgically removed. This allows attackers to target only incriminating evidence without erasing the entire log file. The process preserves the structure and authenticity of the log while removing key evidence of exploitation or system errors.

…

Deleting Troubleshoot Information and Core Dumps Anti-Forensic

Commands like rm -rf /data/var/statedumps/* and rm -rf /data/var/cores/* delete state dumps and core dumps, which are generated when processes crash. These files contain memory snapshots, stack traces, and runtime states of processes at the time of failure. They are often used to debug and understand the causes of crashes or application malfunctions.

Attackers use this technique to eliminate …

VPCEXT Sandbox Evasion

The VPCEXT instruction (visual property container extender) is another anti–virtual machine trick used by malware to detect virtual systems. This technique is not documented. If the execution of the instruction does not generate an exception (illegal instruction), then the program is running on a virtual machine.

File Format Confusion Antivirus/EDR Evasion

By looking the structure of the PE and the content of the file, the engine is able to detect if the file is malicious or not. For example, an heuristic engine can try to figure out if a file are using a dual extension (e.g: invoice.doc.exe) and determine the file as being malicious.

Confusing file format is another trick …

NtQueryObject Anti-Debugging

This function retrieves object information. By calling this function with the class ObjectTypeInformation will retrieve the specific object type (debug) to detect the debugger.

RDTSC Anti-Debugging

The Read-Time-Stamp-Counter (RDTSC) instruction can be used by malware to determine how quicky the processor executes the program's instructions. It returns the count of the number of ticks since the last system reboot as a 64-bit value placed into EDX:EAX.

It will execute RDTSC twice and then calculate the difference between low order values and check it with …

Unhandled Exception Filter Anti-Debugging

An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application error message box and causes the exception handler to be executed.

If an exception occurs and no exception handler is registered, the UnhandledExceptionFilter function will be called. It is possible to register a custom unhandled exception filter …

Search Evasion Techniques

Search Result