Recent Posts
Books and Resources
Since I started working in threat intel, and specifically analysing state-sponsored attacks, I felt the need to understand the geopolitical component connected to the malicious campaigns. In particular, I wanted to understand the historical and social component behind a cyber attack.
So here is a list of my recent readings on the topic (language specified next to the resource).
Books: “Active measures, the secret history of disinformation and political warfare”, Thomas Rid.
Sneaky loading DLLs in a Windows executable
This post is a walkthrough of how to load DLLs "manually", without using the WinAPI LoadLibrary, and store API addresses in memory in order to make it less obvious which API functions are imported (and therefore used) by the malware.
With this technique, the malware analyst cannot see which functions are imported from the Import section. It will be necessary to step through the code to find out which API functions are actually used.
A collection of anti-analysis techniques for Windows
This post is a brief collection of anti-debugging and anti-analysis techniques that I found while reversing some samples. The purpose of anti-analysis techniques is to slow down the analysis as much as possible. By using these techniques, malware can detect whether the malicious code is running in a monitored environment and decide not to execute at all, or to behave differently, so that the analysis is misled.
An example of different behaviour could be contacting a different C2 to alert the attacker that analysis is being conducted on the binary (or to make a superficial analysis lead to the wrong IOCs).