reverse engineering

January 6, 2021

THREAT RESEARCH

A Deep Dive into Lokibot Infection Chain

1 min read

News summary: Lokibot is one of the most well-known information stealers on the malware landscape. In this post, we’ll provide a technical breakdown of one of the latest Lokibot campaigns. Talos also has a new script to unpack the dropper’s third stage. The actors behind Lokibot usually have the ability to steal multiple types of […]

December 17, 2020

THREAT RESEARCH

Talos Tools of the Trade

1 min read

If you’re looking for something to keep you busy while we’re all stuck inside during the holidays, Cisco Talos has a few tools you can play with in the coming days and weeks. We recently updated GhIDA to work with the latest version of IDA and we are releasing new features for the […]

October 20, 2020

THREAT RESEARCH

Dynamic Data Resolver – Version 1.0.1 beta

1 min read

Cisco Talos is releasing a new beta version of Dynamic Data Resolver (DDR) today. This release comes with a new architecture for samples using multi-threading. The process and thread tracing has been completely reimplemented. We also fixed a few bugs and memory leaks. Another new feature is that the DDR backend now comes in two […]

October 11, 2019

THREAT RESEARCH

New IDA Pro plugin provides TileGX support

1 min read

Cisco Talos has a new plugin available for IDA Pro that provides a new disassembler for TileGX binaries. This tool should assist researchers in reverse-engineering threats in IDA Pro that...

October 12, 2017

THREAT RESEARCH

Disassembler and Runtime Analysis

1 min read

This post was authored by Paul Rascagneres. Introduction: In the CCleaner 64-bit stage 2 previously described in our blog, we explained that the attacker modified a legitimate executable that is part of “Symantec Endpoint”. This file is named EFACli64.dll. The modification is performed in the runtime code included by the compiler, more precisely in the […]

August 9, 2017

THREAT RESEARCH

WinDBG and JavaScript Analysis

1 min read

This blog was authored by Paul Rascagneres. Introduction: JavaScript is frequently used by malware authors to execute malicious code on Windows systems because it is powerful, natively available and rarely disabled. Our previous article on .NET analysis generated much interest relating to how to use WinDBG to analyse .js files. In this post we extend our description of […]

August 3, 2017

THREAT RESEARCH

Taking the FIRST look at Crypt0l0cker

1 min read

This post is authored by Matthew Molyett. Executive Summary: In March, Talos reported on the details of Crypt0l0cker based on an extensive analysis I carried out on the sample binaries. Binaries — plural — because, as noted in the original blog, the Crypt0l0cker payload leveraged numerous executable files which shared the same codebase. Those executables had nearly identical […]

July 17, 2017

THREAT RESEARCH

PyREBox, a Python scriptable Reverse Engineering sandbox

1 min read

This post was authored by Xabier Ugarte Pedrero. In Talos, we are continuously trying to improve our research and threat intelligence capabilities. As a consequence, we not only leverage standard tools for analysis, but we also focus our efforts on innovation, developing our own technology to overcome new challenges. Also, Talos has traditionally supported open-source […]

February 10, 2017

SECURITY

Indicators of Compromise and where to find them

4 min read

Indicators of Compromise (“IOC”) are used to suggest a system has been affected by some form of malware. An Indicator of Compromise can be anything from a file name to the behavior observed while malware is actively running on an infected system. Where do they look? Social media, news feeds, industry reports, Threat Grid sample […]