TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

Redosdru — Encrypting DLL Payloads to Avoid On-Disk Signatures

2017-07-17

ATT&CK techniques detected

5 predictions

- T1055.001 Dynamic-link Library Injection (95%)
  "5a29e0905fb17996584d4380b48e05b84fe56cc9aac090d1 with the raw PE, we quickly inspected the disassembly to determine what was going on under the hood. Almost immediately, we discovered several paths to a function which received a base64 buffer and later downloaded a file. Rather…"

- T1027.002 Software Packing (93%)
  "Redosdru — Encrypting DLL Payloads to Avoid On-Disk Signatures. Finding malware on a computer stinks. It's even worse when the payload is encrypted. In this blog, we'll reverse engineer an encrypted Redosdru DLL to better understand the threat we discovered within our partne…"

- T1055.001 Dynamic-link Library Injection (77%)
  "z and PE headers. This typically points to some sort of encryption/obfuscation routine which helps the malware author evade security products that inspect files on disk. After some online research, we concluded this DLL was related to the Redosdru malware family. SHA256: 339…"

- T1056.001 Keylogging (69%)
  "was never dropped to disk, we had to set a breakpoint immediately after decryption to extract the raw DLL from memory. Decrypted DLL capabilities: now that we had a decrypted DLL, we were excited to see the purpose of the payload. After decompressing the UPX wrapper, its imports an…"

- T1027 Obfuscated Files or Information (57%)
  "z and PE headers. This typically points to some sort of encryption/obfuscation routine which helps the malware author evade security products that inspect files on disk. After some online research, we concluded this DLL was related to the Redosdru malware family. SHA256: 339…"

Summary

Dive deep into Redosdru malware analysis, unpacking encrypted DLLs, keylogging behavior, and how Huntress defenders detect and respond.