WebAssembly (WASM) is a new binary format currently supported by all major web browsers (Firefox, Chrome, Safari and Edge). WebAssembly modules are most commonly compiled from C/C++/Rust source code, then loaded and executed inside JS scripts. It is known for being used for malicious purposes like cryptojacking, but you will also find legitimate uses of WebAssembly inside web browser add-ons, Node.js modules or even blockchain smart contracts.
In this workshop, I will first introduce WebAssembly concepts and why it's considered a "game changer for the web". Secondly, I will show how to analyze a WebAssembly module using different techniques (static & dynamic) as well as some open-source tools that make your life easier (Octopus, Wasabi, …). Finally, we will get hands-on with simple examples/crackmes and go through the analysis of cryptominers.
The following points will be discussed in this workshop.
In part two of our mini-series (see part #1) describing how cybercrime actors are using the Ethereum blockchain for fraudulent means, we analyze a clipboard hijacker malware targeting Bitcoin and Ethereum users. This malware, renamed ClipboardWalletHijacker by Qihoo360 Security Center, was first discovered in June 2018, after having infected 300 thousand computers within a week.
As part of our research into how cybercrime actors are using the Ethereum blockchain for fraudulent means, we analyzed a DotNet downloader that retrieves the malicious payload from URLs stored inside Ethereum transactions. We analyzed the sample provided by a German security researcher, Karsten Hahn @struppigel, in this tweet.