Andrew Case

@attrc@infosec.exchange
Memory forensics and #DFIR at @volatility @volexity. NOLA
In the course of its investigations, @volexity frequently encounters malware samples written in Golang. This reflects the increase in popularity of Golang generally, and presents challenges to reverse engineering tools.
 
Today, @volexity is releasing GoResolver, open-source tooling to help reverse engineers understand obfuscated samples. @r00tbsd & Killian Raimbaud presented details at INCYBER Forum earlier today.
 
GoResolver uses control-flow graph similarity to identify library code in obfuscated code, leaving analysts with only malware functions to analyze. This saves time & speeds up investigations!
 
Check out the blog post on how GoResolver works and where to download it: https://www.volexity.com/blog/2025/04/01/goresolver-using-control-flow-graph-similarity-to-deobfuscate-golang-binaries-automatically/
 
#dfir #reversing #malwareanalysis
GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically

In the course of its investigations, Volexity frequently encounters malware samples written in Golang. Binaries written in Golang are often challenging to analyze because of the embedded libraries and the sheer size of the resulting binaries. This issue is amplified when samples are obfuscated using tools such as Garble, an open-source Golang obfuscation tool. The popularity of Golang amongst malware developers, and the use of obfuscators to make reverse-engineering harder, raised the need for better tooling to assist in reverse-engineering efforts. Volexity developed GoResolver, an open-source tool...
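The post above describes GoResolver only at the level of "control-flow graph similarity to identify library code". The following is an added example, not GoResolver's code or anything from Volexity, that shows the general idea on constructed CFGs: each function's CFG is reduced to a structural fingerprint (a Weisfeiler-Lehman style relabeling that ignores block numbering and symbol names), fingerprints are compared with a weighted Jaccard score, and sample functions that match a reference library build above a threshold are named, leaving the rest for the analyst. The function names, the block "kind" vocabulary, the hashing scheme, the 0.6 threshold and all CFGs are assumptions made for this illustration; GoResolver's actual algorithm and data formats are not shown on this page.

```python
"""Toy library-code identification by control-flow-graph similarity.

Constructed example: a tiny Weisfeiler-Lehman style relabeling of each
function's CFG, compared with a multiset Jaccard score. This is NOT
GoResolver's algorithm or data format; the function names, block kinds
and CFGs below are made up for illustration.
"""
from collections import Counter
from hashlib import blake2b
from typing import Dict, List, Optional, Tuple

# A CFG is {block_id: (kind, [successor block ids])}. `kind` is a coarse label
# for how the basic block ends (constructed vocabulary for this example).
CFG = Dict[int, Tuple[str, List[int]]]


def wl_features(cfg: CFG, rounds: int = 3) -> Counter:
    """Return the multiset of structural labels seen over `rounds` relabelings.

    Round 0 uses the block kind alone. Each later round hashes a block's current
    label together with the sorted labels of its successors, so after k rounds a
    label summarizes the block's k-hop forward neighbourhood. Block numbering and
    symbol names play no part, which is what lets the fingerprint survive a
    renaming obfuscator.
    """
    labels = {b: kind for b, (kind, _) in cfg.items()}
    feats = Counter(labels.values())
    for _ in range(rounds):
        labels = {
            b: blake2b(
                (labels[b] + "|" + ",".join(sorted(labels[s] for s in succ))).encode(),
                digest_size=8,
            ).hexdigest()
            for b, (_, succ) in cfg.items()
        }
        feats.update(labels.values())
    return feats


def similarity(a: Counter, b: Counter) -> float:
    """Weighted Jaccard over two label multisets (1.0 = identical structure)."""
    inter = sum((a & b).values())
    union = sum((a | b).values())
    return inter / union if union else 0.0


# Reference "library" CFGs: constructed stand-ins for functions recovered from
# an unobfuscated build of the same libraries the sample links against.
LIBRARY: Dict[str, CFG] = {
    "lib.decode_varint": {0: ("cmp", [1, 2]), 1: ("call", [3]), 2: ("ret", []),
                          3: ("cmp", [1, 4]), 4: ("ret", [])},
    "lib.hash_block":    {0: ("call", [1]), 1: ("cmp", [2, 3]), 2: ("arith", [1]),
                          3: ("ret", [])},
    "lib.copy_bytes":    {0: ("cmp", [1, 2]), 1: ("arith", [0]), 2: ("ret", [])},
}

# Functions from a stripped, renamed sample (constructed). fn_4a1b20 is
# decode_varint with its blocks renumbered; fn_4a1f00 is hash_block wrapped in
# one extra guard block; fn_4b0000 is the sample's own logic with no library twin.
SAMPLE: Dict[str, CFG] = {
    "fn_4a1b20": {10: ("cmp", [11, 12]), 11: ("call", [13]), 12: ("ret", []),
                  13: ("cmp", [11, 14]), 14: ("ret", [])},
    "fn_4a1f00": {0: ("cmp", [1, 5]), 1: ("call", [2]), 2: ("cmp", [3, 4]),
                  3: ("arith", [2]), 4: ("ret", []), 5: ("ret", [])},
    "fn_4b0000": {0: ("call", [1]), 1: ("call", [2]), 2: ("call", [3]),
                  3: ("cmp", [4, 5]), 4: ("call", [6]), 5: ("call", [6]),
                  6: ("ret", [])},
}


def resolve(sample: Dict[str, CFG], library: Dict[str, CFG],
            threshold: float = 0.6) -> Dict[str, Tuple[Optional[str], float]]:
    """Map each sample function to (best library match or None, score).

    Anything scoring below `threshold` stays unnamed: that residue is what the
    analyst actually needs to spend time on.
    """
    lib_feats = {name: wl_features(cfg) for name, cfg in library.items()}
    out: Dict[str, Tuple[Optional[str], float]] = {}
    for fname, cfg in sample.items():
        f = wl_features(cfg)
        best, score = max(((n, similarity(f, lf)) for n, lf in lib_feats.items()),
                          key=lambda t: t[1])
        out[fname] = (best if score >= threshold else None, score)
    return out


if __name__ == "__main__":
    for fname, (match, score) in resolve(SAMPLE, LIBRARY).items():
        print(f"{fname}: {match or 'UNRESOLVED (analyse me)'}  score={score:.2f}")
```

On this constructed input the renumbered copy scores 1.0 against lib.decode_varint, the wrapped variant scores 2/3 against lib.hash_block and is still resolved, and the unique function scores below 0.2 against everything and is left for the analyst. Two caveats a practitioner should keep in mind: recovering CFGs from a real stripped Go binary requires a disassembler front end that this toy omits, and very small or generic functions produce false positives (lib.copy_bytes is structurally a subgraph of lib.hash_block and scores 0.5 against the wrapped variant), so a size floor and threshold tuning matter more than the hashing details.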
Our next speaker in the #FTSCon lineup: Andrew Case (@attrc) will present “Detecting & Defeating EDR-Evading Malware with Volatility 3” in the MAKER track!
 
Register for From The Source, hosted by @volatility, here: https://events.humanitix.com/from-the-source-hosted-by-the-volatility-foundation
 
Stay tuned for more speaker announcements!
 
#dfir
From The Source - Hosted by The Volatility Foundation

I am very confused by the “remove EDRs from the kernel” crowd given the prevalence of BYOVD in ransomware and targeted attacks. Also, why is it assumed that userland EDRs, which are based on API hooking, are more stable? Not to mention that Win10+ prevents injection of core OS processes when security settings are configured, making userland EDRs completely blind to what happens in them.

Don’t miss @attrc’s talk at #DEFCON on August 9! He will be presenting research by @volexity’s R&D team + Golden Richard III (LSU), "Defeating EDR Evading Malware with Memory Forensics", at 1:00PM in Track 4.

More details here: https://defcon.org/html/defcon-32/dc-32-speakers.html#54450

#dfir #memoryforensics

🚨 If you use Palo-Alto GlobalProtect VPN, there’s an in-the-wild zero day being used to gain access to organisations.

CVE-2024-3400, patch out now (edit: they haven’t released patches yet) https://security.paloaltonetworks.com/CVE-2024-3400

Thread throughout the day as more info drops. It’s easy to exploit. #threatintel

CVE-2024-3400 PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurat...
Recorded Future’s Insikt Group examines a newly discovered infrastructure related to the operators of Predator, a mercenary mobile spyware. This infrastructure is believed to be in use in at least eleven countries. https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices
Predator Spyware Operators Rebuild Multi-Tier Infrastructure to Target Mobile Devices

Following a string of major public disclosures, Insikt Group has identified new infrastructure associated with operators of the mercenary mobile spyware Predator.

@volexity consistently observes Iranian-origin #APT group CharmingCypress innovate ways to persistently pursue targets. This blog post reviews the group's phishing tactics & malware + how to investigate attacks with Volexity Volcano: https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence

#dfir #threatintel #memoryforensics

🧠 DYK? The @BSidesCharm CFP is open to practitioners of all levels. Share your knowledge, experiences, and ideas with our inclusive community. Time is running out – submit your talk and training ideas before the CFP closes! 📝

https://bsidescharm.org/cfp/

@volexity Volcano Server & Volcano One v24.01.17 adds 150 new YARA rules, new IOCs for credential theft on Windows, and detection of new forms of code injection on Linux. This release also adds built-in artifact documentation, verbose details for MITRE labels, and expanded file collection templates.

For more information about Volcano Server & Volcano One, contact us: https://volexity.com/company/contact/

#dfir #memoryforensics #memoryanalysis

.@attrc will be at #BSidesPhilly on Friday, Dec 8, where he will be presenting his talk, Hunting For Credential Dumping Attacks In Modern Windows Environments. Conference details can be found here: https://bsidesphilly.org

#dfir #memoryforensics

BSidesPhilly

BSidesPhilly seeks to create awareness and improve upon the conversation and research of security topics within the Philadelphia region for researchers, professionals, and practitioners alike.