Malware Analysis
Summary of Symbiote Research (A New, Nearly-Impossible-to-Detect Linux Threat)
In pop culture, a symbiote often gives a host superhuman ability (and occasionally also hilarious inner monologue). But in real life, parasitic...
How to Analyze Malicious PDF Files
Portable Document Format (PDF) files are cross-platform file format, supporting links, images, and fonts. The flexibility of the PDF format makes these...
How You Can Use Our New Open-Source Database Access Control Tool
Use this open-source Just-In-Time database access control tool (integrated with directory service, slack, and SIEM) to secure your...
URL Analysis 101: Machine Learning What and How?
Analyzing suspicious URLs on an individual basis can be tricky, but when you’re facing a large volume of potentially malicious URLs then...
Boost Your SOC Skills: How to Detect Good Apps Gone Bad
Threat actors have a wide range of tools and techniques they can use in cyber attacks including: malware-as-a-service, open-source tools and malware...
URL Analysis 101: A Beginner’s Guide to Phishing URLs
At Intezer, we recently launched a URL analysis feature that will allow detecting phishing or malicious URLs. To do so, we have...
TeamTNT Cryptomining Explosion 🧨
This post was originally published as a white paper in September 2021. Get the full report as a PDF here. Zusammenfassung (Executive...
Radare Plugin is Here for Intezer Community
When you reverse engineer code as part of an incident response team, you want to quickly get information about what kind of...
4 Top Cyber Threats to the Finance and Insurance Industries
Financial services are a high target for cyberattackers. The reason is easy to understand: attackers follow the money. Most work in this...
3 Ways to Save Incident Response Time
Save time during incident response with these tips and tools to help your team accelerate HD, memory, and live...
Make your First Malware Honeypot in Under 20 Minutes
A “honeypot” is a metaphor that references using honey as bait for a lure or trap. Honeypots have served many purposes in...
How to Analyze Malicious Microsoft Office Files
All the most common file types that can be used to deliver malicious code, including Microsoft Office files, are supported in Intezer...
New SysJoker Backdoor Targets Windows, Linux, and macOS
Malware targeting multiple operating systems has become no exception in the malware threat landscape. Vermilion Strike, which was documented just last September,...
Malware Reverse Engineering for Beginners - Part 1: From 0x0
Malware researchers require a diverse skill set usually gained over time through experience and self-training. Reverse engineering (RE) is an integral part of...
The Role of Malware Analysis in Cybersecurity
Threat actors use malicious software to cause damage to individuals and organizations. Malware is the most common form of a cyberattack because...
All Your Go Binaries are Belong to Us
The skillset of performing binary analysis may to some appear to be limited to a few undeadly souls. While it may look...
The State of Malware Analysis
Malware is the thorn in the side of security analysts everywhere. The main question when getting a suspicious file alert is, “Is...
New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk
Research between Intezer and Checkmarx describes ChainJacking, a type of software supply chain attack that could be potentially exploited by threat actors...
Teaching Capa New Tricks: Analyzing Capabilities in PE and ELF Files
When analyzing malware, one of the goals in addition to identifying what malware it is, is to understand what it does when...
Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike
Key Findings Discovered Linux & Windows re-implementation of Cobalt Strike Beacon written from scratchLinux malware is fully undetected by vendorsHas IoC and...
Intezer Analyze Transforms for Maltego
We are happy to introduce the Intezer Analyze plugin for Maltego. Combine insights from our malware analysis platform with Maltego’s graphical tool (And you...
How to Detect Cobalt Strike
Cobalt Strike is a penetration testing tool created by Raphael Mudge in 2012. To this day, it remains extremely popular both in...
What MITRE D3FEND™ Techniques Does Intezer Analyze Implement?
The MITRE Corporation recently released MITRE D3FEND™, a complementary framework to its industry acclaimed MITRE ATT&CK® matrix. D3FEND provides defense techniques that...
Fast Insights for a Microsoft-Signed Netfilter Rootkit
Automate malware analysis of Netfilter rootkit and other advanced threats. Obtain deep insights without long, manual effort. News broke in June about a...
Securing the Software Supply Chain
How to scope, plan, and execute an effective supply chain security initiative. Supply Chain is Latest Land Grab for Cyber Attackers Software...
Reimagining the Malware Analysis Experience
Itai Tevet, CEO of Intezer, shares the company’s vision for a simplified, consolidated malware analysis experience. Since its inception, Intezer has strived...
Targeted Phishing Attack against Ukrainian Government Expands to Georgia
In May 2021, Fortinet published a report about the early stages of an ongoing phishing attack against the Ukrainian government. The attack, initially...
Covering the Infection Chain: Analyze Documents and Scripts with Intezer Analyze
Malware threats come in many forms. You can now analyze more of them with Intezer Analyze We have made a major expansion...
Genetic Analysis and Lessons Learned from REvil Attack
Validating your Software Supply Chain for Tampering SolarWinds, Codecov and now Kaseya are the latest supply chain attacks we know about. In...
Klingon RAT Holding on for Dear Life
With more malware written in Golang than ever before, the threat from Go-based Remote Access Trojans (RATs) has never been higher. Not only...
Wrapping Up a Year of Infamous Bazar Campaigns
Bazar is the latest tool developed by the TrickBot gang Common malware used for cybercrime such as Agent Tesla, Dridex and Formbook...
HabitsRAT Used to Target Linux and Windows Servers
We have discovered a new malware written in Go, which we are calling HabitsRAT, targeting both Windows and Linux machines. The Windows version of...
Accelerate Incident Response with Intezer Analyze Volatility Plugin
Significantly reduce memory forensics time from hours to minutes Memory analysis is a core component of a typical incident response process. In many cases...
New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor
We discovered a new sophisticated backdoor targeting Linux endpoints and servers Based on Tactics, Techniques, and Procedures (TTPs) the backdoor is believed to...
When Viruses Mutate: Did SunCrypt Ransomware Evolve from QNAPCrypt?
Dov Lerner from Cybersixgill contributed to this report Intro Programmers frequently reuse code, as recycling something that is already written and functional is...
Year of the Gopher: 2020 Go Malware Round-Up
Developers are not the only ones that have adopted Go. Malware written in Go has been steadily increasing. In the last few...
ELF Malware Analysis 101: Part 3 - Advanced Analysis
Getting Caught Up to Speed So far in this series we have profiled the ELF threat landscape and covered the most common...
New Feature: Get More Context for your Analysis with TTPs
Classifying a threat is just the first step in a malware analyst’s investigation. You know it’s malicious but what does it do?...
Proactive Threat Hunting with Intezer
What is Proactive Hunting? Advanced attacks like the SolarWinds backdoor and Pay2KEY are on the rise, while preventive solutions have failed to detect them....
An Important Update
We’re rolling out an important update to the Intezer Analyze community edition to better accommodate our users. Effective December 17 community users will have...
A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy
Summary In November, we uncovered COVID-19 phishing lures that were used to deliver the Go version of Zebrocy. Zebrocy is mainly used...
Stantinko’s Proxy After Your Apache Server
Intro It is common for threat actors to evolve their Linux malware. BlackTech with their new ELF_PLEAD malware and Winnti’s PWNLNX tool are recent examples....
TrickBot or Treat 2.0
In the spirit of Halloween we’re giving away YARA signatures for TrickBot and Emotet. Last year we handed out signatures for malware...
New Threat Intel Features in Intezer Analyze
We’ve made some updates in Intezer Analyze to improve your incident response and threat intelligence workflows. From classifying samples faster to staying...
Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure
Main Findings We discovered two vulnerabilities in Microsoft Azure. They existed in a popular cloud service called Azure App Services—specifically impacting Linux...
Emotet Evolves but Code Remains Mostly the Same
Just after the publication of this post the US-CERT released an alert about Emotet. Evolution is the result of adaptations that take...
VB2020 - Advanced Pasta Threat: Mapping Malware Use of Open Source Offensive Security Tools
The term Offensive Security Tool, also known as OST, is a controversial subject within the InfoSec community. It often sparks fierce debate...
Looking Back on the Last Decade of Linux APT Attacks
APTs are targeting Linux systems more than they ever have. Linux Attacks are on the Rise The research community continues to witness...
Using YARA Rules to Turn Open Source Against Malware
Introduction Offensive Security Tools are any kind of functionality meant to facilitate intrusions and security bypasses in order to achieve the former....
ELF Malware Analysis 101 Part 2: Initial Analysis
Introduction In the previous article we profiled the ELF malware landscape and explained how malware infects systems. We discussed the current lack...
Accelerate Memory Forensics with Intezer Analyze
Incident investigations usually begin with a triggered alert. One of the sensors deployed across your organization claims that suspicious activity has occurred...
Community Ghidra Plugin is Here
Ghidra is a free and open source reverse engineering tool developed by the NSA. The plugin reduces the burden on the analyst...
Get Access to our Weekly Linux Threat Feed
With an emphasis placed on protecting Windows endpoints, the antivirus industry is struggling to detect Linux threats. In a 2019 study conducted by...
Detect Malware Associated with the Most Exploited CVEs
Unpatched or undetected software vulnerabilities are a common method for malware delivery once exploited by attackers. Last month, the US-CERT urged IT...
IDA Pro Plugin Now Available to the Community
The Intezer Analyze IDA Pro plugin is now available to community users! IDA Pro is the most common reverse engineering platform for...
ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
Linux has a large presence in the operating systems market because it’s open-sourced, free, and software development oriented—meaning its rich ecosystem provides...
Intezer Analyze May Community Roundup
See below some of the threats our community detected this month 1. Fileless Dridex sample, originally with five detections in VirusTotal, contains a payload...
Mapping Binaries Inside a Microsoft Azure Cloud Server
Linux has become the “go-to” OS in cloud computing, running 90% of the public cloud workload. Linux usage has even surpassed Windows...
The Evolution of APT15’s Codebase 2020
The Ke3chang group, also known as APT15, is an alleged Chinese government-backed cluster of teams known to target various high-profile entities spanning...
Kaiji: New Chinese Linux malware turning to Golang
It is not often that you see a botnet’s tooling written from scratch. The Internet of things (IoT) botnet ecosystem is relatively well-documented by...
Intezer Analyze community roundup
Maze ransomware, APT41 and Lazarus highlight this month’s community samples 1. More_eggs variant with low Antivirus detections has modified string encoding mechanisms...
Malicious APKs share code during Covid-19 pandemic
Threat actors are exploiting fear and uncertainty to spread Covid-19 themed malicious Android package kits (APKs) onto users’ mobile devices. APKs pose...
Fantastic payloads and where we find them
Attackers have long used evasion features in their malware to avoid detection by security products and analysis systems. One of the most...
Evasion Techniques Dissected: A Mirai Case Study
Code reuse analysis vs. signature-based detection We are often asked the question, “what sets your approach apart from other malware detection solutions?”...
Accelerate Reverse Engineering with Intezer Analyze IDA Pro Plugin
IDA Pro is the most common reverse engineering platform for disassembling computer software. The Intezer Analyze IDA Pro plugin accelerates reverse engineering...
Ransomware and Spyware Top Intezer Analyze Community Detections
This month’s community highlights span a variety of file formats — APK, ELF and PE. 1) Anubis [Link to Analysis] Anubis is...
The Human Element at RSA Conference
This year’s RSA Conference theme is the Human Element. At Intezer, we introduce an innovative approach called Genetic Malware Analysis which reveals the...
Intezer Featured in IBM X-Force Threat Index
Banking trojans and ransomware were the top innovators in 2019 malware code evolution Drawing on previous IBM X-Force collaboration in detecting new...
New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset
Introduction Our researchers Paul Litvak and Michael Kajilolti have discovered a new campaign conducted by APT34 employing an updated toolset. Based on uncovered...
Linux Rekoobe Operating with New, Undetected Malware Samples
Introduction Our research team has identified new versions of an old Linux malware known as Rekoobe, a minimalistic trojan with a complex CNC...
Intezer Analyze Community: 2019 Recap and Trends
Emotet, Trickbot, and Lazarus were the most common threats detected by the community in 2019. Linux threats, with code connections to Mirai,...
2019: A Year-in-Review
What an amazing year it has been for us at Intezer! The company nearly doubled in size, we added several new important...
ChinaZ Updates Toolkit by Introducing New, Undetected Malware
Introduction ChinaZ is a Chinese cybercrime group and the author of several DDoS malware. We have profiled this group in a previous...
Now Supporting Genetic Malware Analysis for Android Applications
We are excited to share that we now support Genetic Malware Analysis for Android applications! Intezer Analyze community and enterprise users can...
Exploring the Chinese DDoS Threat Landscape [Research Report]
Distributed denial-of-service attacks were on the rise in 2018 and continuing into 2019, ranging from a high volume of Mirai attacks to...
Intezer Analyze Community: Buhtrap, Divergent, Kronos, and More
In this month’s community highlights we see a range of malware types, including banking trojans, exploit kits, and nation-state sponsored threats. 1)...
Revealing the Origins of Software
Summary Nearly all cyber attacks require running code. Regardless of the attack vector, in order for an adversary to create any damage,...
Genetic Malware Analysis for Golang
Intezer Analyze now proudly supports genetic analysis for files created with the Golang programming language. Community and enterprise users can detect and...
PureLocker: New Ransomware-as-a-Service Being Used in Targeted Attacks Against Servers
Analysis by Intezer and IBM X-Force points its origins to a Malware-as-a-Service (MaaS) provider utilized by the Cobalt Gang and FIN6 attack...
Intezer Analyze Community Halloween Edition: Trickbot or Treat!
In the spirit of Halloween we’re spotlighting three “spooky” threats detected by the Intezer Analyze community in October. And as a special...
Intezer Analyze Use Case: Visibility Among Global SOCs
For mid to large size enterprises, protecting the organization against targeted cyber threats is often a global operation. It’s not uncommon for...
Mapping the Connections Inside Russia's APT Ecosystem
This research is a joint effort conducted by Omri Ben-Bassat from Intezer and Itay Cohen from Check Point Research. Prologue пролог If...
Russian Cybercrime Group FullofDeep Behind QNAPCrypt Ransomware Campaigns
Introduction We previously reported on how we managed to temporarily shut down 15 operative QNAPCrypt ransomware campaigns targeting Linux-based file storage systems...
Why we Should be Paying More Attention to Linux Threats
In a previous post we wrote for the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC), we discussed the emergence of...
Intezer Analyze Community: GonnaCry, HawkEye, BXAQ and More
In July, Intezer Analyze community detections included GonnaCry ransomware, the HawkEye malware kit, and BXAQ, the spyware that Chinese authorities have been...
Siemplify and Intezer: Incorporate Genetic Malware Analysis into your SOAR Platform (Video)
One of the most common and time-consuming cases security operations centers (SOCs) must complete daily are malware investigations. Part of the problem...
Intezer Analyze Community: Mapping Code Connections Between Malware Samples
In addition to highlighting five notable file uploads and endpoint scans made by our community users each month, I thought it was...
Watching the WatchBog: New BlueKeep Scanner and Linux Exploits
Overview We have discovered a new version of WatchBog—a cryptocurrency-mining botnet operational since late 2018—that we suspect has compromised more than 4,500 Linux...
EvilGnome: Rare Malware Spying on Linux Desktop Users
Introduction Linux desktop remains an unpopular choice among mainstream desktop users, making up a little more than 2% of the desktop operating system...
How We Seized 15 Active Ransomware Campaigns Targeting Linux File Storage Servers
Introduction It is rare to see ransomware being used to target the Linux operating system. However, cyber criminals seem to adapt to...
Intezer Analyze Community: BlackSquid, RobbinHood Ransomware and More
1) BlackSquid [Link to Analysis] BlackSquid is a Monero crypto-miner which was recently discovered by researchers at Trend Micro. According to Trend...
Intezer and IBM Resilient Integrate to Enrich Threat Investigations with Genetic Malware Analysis
I am pleased to highlight the new integration between Intezer Analyze™ and IBM Resilient. The integration enables users of both platforms to...
HiddenWasp and the Emergence of Linux-based Threats
This blog post was featured as contributing content for the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC). The Linux threat...
Executable and Linkable Format 101 Part 4: Dynamic Linking
This is a new post in our Executable and Linkable Format (ELF) 101 series, where the goal is to spread awareness about the...
Chinese APTs Rising: Key Takeaways from the Intezer Analyze Community in May
1) Pirpi (APT3) [Link to Analysis] APT3, commonly referred to as Gothic Panda, TG-0110 and Buckeye, is a Chinese cyber espionage group...
HiddenWasp Malware Stings Targeted Linux Systems
Overview • Intezer has discovered a new, sophisticated malware that we have named “HiddenWasp”, targeting Linux systems. • The malware is still...
Top Five Community Uploads | April 2019
This month’s Intezer Analyze community findings include malware employed by two cyber espionage groups linked to the Russian government and an endpoint...
Meet the Team: Shaul Holtzman
Get to know Intezer’s community manager, Shaul Holtzman. Shaul is a former cybersecurity analyst helping organizations detect and classify advanced cyber threats....
Scan the Memory of Entire Endpoints using Genetic Malware Analysis
I am excited to announce the launch of a new Endpoint Analysis solution, located within the Intezer Analyze™ platform. The Endpoint Analysis solution consists...
Top Five Community Uploads | March 2019
Last month I published a blog post highlighting notable uploads made by the Intezer Analyze community during the month of February. In...
Technical Analysis: Pacha Group Deploying Undetected Cryptojacking Campaigns on Linux Servers
Introduction Cryptomining malware, also known as cryptojacking or cryptocurrency mining malware, refers to software developed to take over a computer’s resources and...
Pacha Group, A New Threat Actor Deploying Undetected Cryptojacking Campaigns on Linux Servers
Key Takeaways: • Intezer has evidence of a new threat actor, calling it Pacha Group, which has been deploying undetected cryptojacking campaigns...
Top Five Community Uploads | February 2019
As manager of the free Intezer Analyze community edition I witness first hand the interesting samples our users upload on a daily...
New! API for the Intezer Analyze Community
On behalf of Intezer, I am pleased to announce the release of an API for the Intezer Analyze community edition. Members of...
What is Genetic Malware Analysis?
At Intezer, we view malware analysis as a key component in properly and effectively responding to security incidents. We have introduced a...
ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups
Introduction Distributed denial-of-service (DDoS) attacks were on the rise in 2018, ranging from a high volume of Mirai attacks to more sophisticated...
Verifying Code Reuse Between Ursnif and 'Brexit' Malware Campaign Targeting the United Kingdom
Today My Online Security published research describing a fairly large Ursnif campaign targeting the United Kingdom. The threat actors behind the attack are using...
Making Malware Human: A SANS Product Review of Intezer Analyze™
Alerts can enter an organization at inconceivable rates. Security teams are tasked with sifting through countless alerts, making it difficult to prioritize...
Intezer Analyze™ ELF Support Release: Hakai Variant Case Study
ELF SUPPORT We would like to proudly announce that Intezer Analyze™ now supports genetic malware analysis for ELF binaries! You may now...
Code, Strings and what’s in between
Our technology is based on genetic analysis of files. So far, we’ve focused mainly on detection of code reuse, as part of...
Product Updates
In this blog post we’d like to share with you some details about our latest cool developments. New User Interface: We’ve recently...
Executable and Linkable Format 101 Part 3: Relocations
In our previous post, we went through the concept of symbols and their functionality. In this post we will introduce the concept...
NEW: Intezer Compromise Assessment Service
GET AN INDEPENDENT EXAMINATION OF YOUR IT ENVIRONMENT TO DETECT ANY EXISTING CYBER ATTACK IN YOUR NETWORK Intezer, today announced the release...
Unpacking reveals a file’s true DNA
After launching Intezer community edition in November 2017, we noticed that many of our users uploaded packed samples. Yet packed files don’t reveal the...
Building Your Bullet Proof Incident Response Plan
Cyber security is constantly evolving, and therefore rife with challenges. Whether hobbyist hackers or state-sponsored threat actors are targeting organizations, internal security...
Executable and Linkable Format 101. Part 2: Symbols
In our previous post, we focused on understanding the relationship between sections and segments, which serve as the foundation for understanding the...
Don’t Be Fooled By Malware Signed with Stolen Certificates - How Intezer Analyze™ Detects Major Breaches in Security
Recent research conducted by the Cyber Security Research Institute (CSRI) demonstrates how easy and common it is for threat actors to purchase...
Intezer Analyze™ FREE community edition
This isn’t a gimmick, we’re providing this quota FREE of charge. Intezer Analyze™ was created by incident team experts for incident response...
Cyber Threat Diversion: Managing the False Positive Madness
Security teams have a lot of noise to deal with in their day-to-day jobs. Every organization is managing thousands of alerts each...
Meet the Founders: Alon Cohen
Serial entrepreneur Alon Cohen co-founded and grew one of the world’s first cyber security startups, CyberArk, which eventually became a ‘unicorn’. Now,...
Intezer Community Tip: How to Optimize ssdeep Comparisons with ElasticSearch
Why Standard Hash Functions Aren’t Helpful In Memory At Intezer, we specialize in analyzing code from memory to deal with injections, process...
About the Founders: Meet Itai Tevet
Itai Tevet was the self-described ‘PC kid’ whose fascination with technology led to a strong interest in information security–an interest that benefited...
Why Identifying ‘Good or Bad’ is Not Enough
Throughout my career, I have witnessed many cyber security professionals adopting a “shoot and don’t ask questions” approach when dealing with malware....
GDPR: How to Bring Your Incident Response Plan Up to Speed
Every organization that is impacted by the sharing and storage of data are discussing the General Data Protection Regulation (GDPR), a recently...