Posted on

Blogpost: How to create a valid polyglot HTML/JS/WebAssembly module

2019/11/20 @ webassembly-security.com

In this blogpost, I will first explain the WebAssembly binary format and its sections. Then, I’ll demonstrate how to create a valid polyglot wasm module that contain an html/js payload embedded using 2 different techniques. Finally, I’ll give you the link to the github repository if you want to try on your own and learn more about WebAssembly 

link, pdf

Posted on

Blogpost: Analysis of Google Keep WebAssembly module​

webassembly wasm security google keep patrick ventuzelo reversing analysis emscripten

2019/07/16 @ webassembly-security.com

Is WebAssembly already used in the wild?

The answer is of course YES and some WebAssembly modules are potentially running right now in your browser if you are using Google web services. Recently, Google was using WebAssembly for the beta version of Google Earth but also in production for services like Google Keep.

  1. Google Keep Wasm Module & JS File Extraction
  2. WebAssembly Module Reversing
  3. Extract Build Information
  4. What is Sketchology and Ink?
  5. Reversing Protobuf Encoded Blobs
  6. Extract WebGL Vertex Shader Structure
  7. Absolute path, Error messages, Mangling & Constant names
  8. Going Deeper & Conclusion

link, pdf

Posted on

Blogpost: Ethereum Threat Actors Part 3 — Phishings/Scams using Smart Contracts

Ethereum smart contract malware threat actor phishing patrick ventuzelo blogpost quoscient analysis scams

2019/04/03 @ QuoScient Medium

In part three of our mini-series (see part #1 & part #2) describing how cybercrime actors are using the Ethereum blockchain for fraudulent means, we analyze a phishing tactic that used a smart contract address. Interestingly, this smart contract is not unique and the exact same closed-source bytecode is used in more than 130 thousand smart contracts.

  1. Phishing on Forums/Telegram.
  2. Quick analysis of the Smart contract Bytecode
  3. Who is behind 0xAf1931c20ee0c11BEA17A41BfBbAd299B2763bc0?
  4. Similar Luno user wallets Used for Phishing
  5. Conclusion
  6. Indicator of Compromise

link / pdf

Posted on

Blogpost: Ethereum Threat Actors Part 2 — ClipboardWalletHijacker Malware Still Active.

Ethereum clipboard hijacker malware patrick ventuzelo blogpost quoscient analysis qihoo360 Bitcoin

2019/02/18 @ QuoScient Medium

In part two of our mini-series (see part #1) describing how cybercrime actors are using the Ethereum blockchain for fraudulent means, we analyze a clipboard hijacker malware targeting Bitcoin and Ethereum users. This malware, renamed ClipboardWalletHijacker by Qihoo360 Security Center, was first discovered in June 2018, after having infected 300 thousand computers within a week.

  1. Quick ClipboardWalletHijacker Analysis
  2. Hijacked Ethereum Transactions
  3. Cryptocurrency Exchange Used by the Actor
  4. Packers & Variants
  5. Conclusion
  6. Indicator of Compromise

link / pdf

Posted on

Blogpost: Ethereum Threat Actors Part 1 — DotNet Downloader using Ethereum Transactions for C&C updates.

Ethereum threat actor botnet transaction tracking patrick ventuzelo QuoScient C&C updates blockchain blogpost dotnet ilspy etherscan bigquery

2019/02/04 @ QuoScient Medium

As part of our research into how cybercrime actors using the Ethereum blockchain for fraudulent means, we analyzed a DotNet downloader that retrieves the malicious payload from URLs stored inside Ethereum transactions. We analyzed the sample provided by a German Security Researcher, Karsten Hahn @struppigel in this tweet.

  1. Downloader analysis
  2. Main Function
  3. GetLastTransactionHashFromAddress function
  4. GetAdditionalDataFromTransaction function
  5. Transaction analysis
  6. C&C Update Pricing
  7. Blockcypher service
  8. Future of Ethereum botnet
  9. Conclusion
  10. Indicators of Compromise

link / pdf