We explored how cybercriminals send fake emails to YouTubers pretending to offer sponsorships. These emails carry attachments that look like offer documents or PDFs but are actually info-stealers. The attackers bypass antivirus (AV) scanners by inflating the file size until it is too large to scan effectively. However, as a malware analyst, I was able to identify the file type with a hex editor and confirm it was an executable (EXE) rather than a PDF.
One key step was removing the padding that artificially inflates the file size, which lets us analyze the malware more effectively. This time, we'll use an online tool called Binary Visualizer (b.i) to gain deeper insight into the file's structure. Binary Visualizer renders the contents of a file as a color map, making it easier to distinguish between file types and to detect anomalies.
Key Features of Binary Visualizer:
Color-Coded Visualization:
- Black: Represents empty space or padding.
- Blue: Indicates ASCII characters.
- Green: Shows lower byte values.
- Red: Displays higher byte values.
This color-coding helps quickly identify the structure and content of the file, making it easier to spot abnormalities.
Comparison Across File Types:
- Visualize and compare different file types such as Linux ELF files, Windows EXE files, and PDF documents. Each type has a distinct visual pattern, making it easier to differentiate between legitimate and malicious files.
Detection of Obfuscation Techniques:
- Attackers may use various obfuscation methods to disguise the true nature of a file. However, the fundamental structure will always differ from that of a legitimate file. By comparing the visual patterns, we can detect these discrepancies and identify malicious files.
Step-by-Step Analysis Using Binary Visualizer:
Real PDF Document Analysis:
- We start by analyzing a genuine PDF document. The Binary Visualizer displays a dense pattern with various colors representing different data types. This pattern serves as a reference for comparing other files.
Safe EXE File Analysis:
- Next, we analyze a legitimate executable file, such as Process Explorer. The dense pattern of an EXE file is distinct from that of a PDF, allowing us to see the structural differences clearly.
Malware Sample Analysis:
- Finally, we examine the malware sample. The visual representation reveals significant anomalies, such as large empty spaces that no normal file structure produces. By zooming in, we see that the non-empty region closely resembles a PE file, with details distinctly different from a PDF.
By analyzing and comparing files visually, we can detect malware despite any attempts to obfuscate or alter its structure. This method is robust against various evasion techniques used by cybercriminals.
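As an added example (not code from the original post or from the Binary Visualizer project), the script below reproduces the post's four color classes in Python to profile a file's byte distribution, reads the true type from the magic bytes instead of the extension, and flags the dominant null padding seen in the inflated sample. The two sample buffers and the 50 % / 4 KiB thresholds are constructed assumptions.

```python
from collections import Counter

# Magic bytes for the two file types the post contrasts.
MAGIC = {b"MZ": "PE executable (EXE)", b"%PDF": "PDF document"}

def classify(byte: int) -> str:
    """Map one byte to the Binary Visualizer color class."""
    if byte == 0x00:
        return "black"   # empty space / padding
    if 0x20 <= byte < 0x7F:
        return "blue"    # printable ASCII
    return "green" if byte < 0x80 else "red"  # lower vs higher byte values

def profile(data: bytes) -> dict:
    """Share of each color class plus the longest run of 0x00 bytes."""
    counts = Counter(classify(b) for b in data)
    longest = run = 0
    for b in data:
        run = run + 1 if b == 0x00 else 0
        longest = max(longest, run)
    total = max(len(data), 1)
    shares = {c: counts[c] / total for c in ("black", "blue", "green", "red")}
    return {"shares": shares, "longest_null_run": longest}

def identify(data: bytes) -> str:
    """Read the real type from the magic bytes; the file extension is not trusted."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def is_suspicious(data: bytes, min_padding: float = 0.5, min_run: int = 4096) -> bool:
    """Flag a file that is mostly null padding, the pattern seen in the inflated sample."""
    p = profile(data)
    return p["shares"]["black"] >= min_padding or p["longest_null_run"] >= min_run

# Constructed samples (not real files): a PE-like header and code bytes followed by
# 1 MiB of zero padding, versus a small PDF body with no padding at all.
FAKE_PDF_SAMPLE = b"MZ\x90\x00" + bytes(range(1, 256)) * 16 + b"\x00" * (1024 * 1024)
REAL_PDF_SAMPLE = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for label, buf in (("offer.pdf", FAKE_PDF_SAMPLE), ("real.pdf", REAL_PDF_SAMPLE)):
        verdict = "SUSPICIOUS" if is_suspicious(buf) else "ok"
        print(f"{label}: {identify(buf)}; {profile(buf)}; {verdict}")
```

Run it against a real download by replacing the constructed buffers with `open(path, "rb").read()`; a high black share together with an `MZ` header on a file named `.pdf` is exactly the anomaly the visualizer shows as a mostly empty image.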
For further details on avoiding such attacks, watch the first video in this series, where we provide step-by-step guidance and advice.
Additionally, consider joining our Discord community, where we discuss cybersecurity topics, share insights, and collaborate on projects. We host events and offer a platform for industry professionals to connect and contribute. If you're interested, join our Discord and introduce yourself with your background and interests.