- Joined
- Jun 13, 2020
- Messages
- 7,905
- Reaction score
- 942
- Points
- 212
- Awards
- 2
Specialists have developed a method for identifying malware developers based on their "handwriting".
Creation of ransomware for a cybercriminal group requires the involvement of a range of experts from various fields. The question arises, is it possible, after examining the malicious code, to identify its developers?
Check Point specialists have developed a new way to identify malware developers based on identifying their unique characteristics, i.e. "Handwriting". Using the new method, the researchers were able to link 16 privilege elevation exploits on Windows PCs to two vendors of zero-day vulnerabilities, Volodya (also known as BuggiCorp) and PlayBit (also known as luxor2008).
“Rather than focusing on all malware and catching new samples of malware or cybercriminals, we wanted to offer a different perspective and decided to focus on a few features written by the exploit developer,” said Check Point experts Itay Cohen and Eyal. Itkin (Eyal Itkin).
The idea is to examine the exploit for special artifacts that might point to its developer.
As the researchers explained, their analysis began in response to a "sophisticated attack" against one of Check Point customers. Experts have discovered an exploit for privilege escalation vulnerability CVE-2019-0859which turns out to have been written by two different development teams. The researchers used the properties of the binary as a unique "handwriting" and thanks to it they were able to find at least 11 other exploits developed by the same developer under the pseudonym Volodya.
Creation of ransomware for a cybercriminal group requires the involvement of a range of experts from various fields. The question arises, is it possible, after examining the malicious code, to identify its developers?
Check Point specialists have developed a new way to identify malware developers based on identifying their unique characteristics, i.e. "Handwriting". Using the new method, the researchers were able to link 16 privilege elevation exploits on Windows PCs to two vendors of zero-day vulnerabilities, Volodya (also known as BuggiCorp) and PlayBit (also known as luxor2008).
“Rather than focusing on all malware and catching new samples of malware or cybercriminals, we wanted to offer a different perspective and decided to focus on a few features written by the exploit developer,” said Check Point experts Itay Cohen and Eyal. Itkin (Eyal Itkin).
The idea is to examine the exploit for special artifacts that might point to its developer.
As the researchers explained, their analysis began in response to a "sophisticated attack" against one of Check Point customers. Experts have discovered an exploit for privilege escalation vulnerability CVE-2019-0859which turns out to have been written by two different development teams. The researchers used the properties of the binary as a unique "handwriting" and thanks to it they were able to find at least 11 other exploits developed by the same developer under the pseudonym Volodya.