igogasil.blogg.se

Keepassx unsigned app

The loader needs the information derived from this structure in order to apply the necessary code relocations.

It is worth noting that the final stage of the loader has its own header structure, which is described below. The main module uses the same path for data exfiltration.

In the final stage, the loader decrypts its configuration using the RC4 algorithm and proceeds with the download of the main module. The structure of the decrypted configuration is the following:

  unsigned char C2        // The URL path to download the main module.
  unsigned char Key_Salt  // Used during the AES decryption of the downloaded main module.
  unsigned int  Flag      // Used during command line parsing since version 0.4.1

In general, we have identified two different types of loaders. Interestingly, in one of them, Rhadamanthys uses a virtual machine (Q3VM) in order to obfuscate its code and hide certain code details. Each virtualized block of the protected code is executed by passing an integer value as a parameter to the interpreter of the virtual machine. The identified features of the protected code are summarized in Table 1 below.

Table 1 - Rhadamanthys virtualized functions
  • Loads the Windows API functions GetProcAddress and VirtualProtect by using the ROR-13 hashing technique.
  • Calls the loaded VirtualProtect Windows API function to prepare the shellcode for execution.
  • Decodes the next phase using the Base32 algorithm with the custom charset A-Z4-9=
  • Gets a set of strings and searches for them in the current process's memory space.

NOTE: The magic bytes of the VM bytecodes have been modified by the threat actors in an attempt to hide the usage of the tool that was used.

Additionally, we identified a sample which includes a de-virtualized version of the last code block (parameter 3) and the PDB path D:\debugInfo\rhadamanthys\debug\sandbox.pdb.

In the second phase, the decoded shellcode dynamically loads a set of Windows API functions and decompresses the loader's code using the LZSS algorithm. Moreover, in more recent samples, the threat actors have added the XTEA algorithm as an additional layer of encryption for the decoded payload.

  • Rhadamanthys is an information stealer that consists of two components, the loader and the main module (responsible for exfiltrating collected credentials).
  • The malware implements complex anti-analysis techniques by using a public open source library.
  • Rhadamanthys is capable of extracting credentials of various applications such as Keepass and cryptocurrency wallets.
  • One of the detected loaders uses a virtual machine (based on Quake III) in order to protect several parts of its code.
  • Rhadamanthys uses a variation of the Hidden Bee format, which has already been described to a great extent by Malwarebytes.
  • Rhadamanthys has its own file system, which includes an additional set of embedded modules.
  • Both the loader and the main module network communications can be decrypted due to an implementation flaw in their code.

First observed in December of 2022, Rhadamanthys is a malicious information stealer written in C++, which is being distributed mostly via malicious Google advertisements. The malware is designed to steal credentials from web browsers, VPN clients, email clients and chat clients as well as cryptocurrency wallets. Even though Rhadamanthys started to attract attention from the community in late 2022, early samples started to appear in August 2022. In this blog, the Rhadamanthys loader and main module are analyzed in detail, including the virtual machine obfuscation based on Quake III, a custom embedded file system, and a weakness in the network encryption protocol.

The following subsections focus on the technical analysis of the Rhadamanthys components. The loader consists of different stages until the actual loader starts its execution. We have categorized these stages as follows:

During the initialization phase, the main task of Rhadamanthys is to decode an embedded block and pass the execution there. In addition, it detects and passes to the next phase the following information:
  • A compressed blob that contains modules for assisting with code injection and the in-memory loader.