Thursday, March 28, 2024

FLASHMINGO – Free Threat Intelligence Tool for Malware Analysts’ to Analyse Flash Exploits

FireEye released a Free automated analysis tool FLASHMINGO, which enables malware analysts to detect suspicious flash samples and to investigate them.

The tool integrates various analysis workflows as a stand-alone application or as a powerful library and it can be extended via Python plug-ins.

Adobe flash remains as the most exploited software by attackers, it has more than one thousand CVEs assigned till date and almost nine hundred of these vulnerabilities have CVSS score near of nine or higher.

“We must find a compromise between the need to analyze Flash samples and the correct amount of resources to be spent on a declining product. To this end, we developed FLASHMINGO, a framework to automate the analysis of SWF files,” read FireEye blog post.

https://twitter.com/FireEye/status/1117839324366692356

FLASHMINGO leverages the open source framework SWIFFAS to parse the Flash files. With FLASHMINGO all the binary data and bytecode are parsed and stored as SWFObject.

The SWFObject contains a list of tags that include information about all methods, strings, constants and embedded binary data, to name a few.

The tool is a collection of plug-ins that cover a wide range of common analysis that operates SWFObject and extracts the following information.

  • Find suspicious method names. Many samples contain method names used during development, like “run_shell” or “find_virtualprotect”. This plug-in flags samples with methods containing suspicious substrings.
  • Find suspicious constants. The presence of certain constant values in the bytecode may point to malicious or suspicious code. For example, code containing the constant value 0x5A4D may be shellcode searching for an MZ header.
  • Find suspicious loops. Malicious activity often happens within loops. This includes encoding, decoding, and heap spraying. This plug-in flags method containing loops with interesting operations such as XOR or bitwise AND. It is a simple heuristic that effectively detects most encoding and decoding operations, and otherwise, the interesting code to further analyse.
  • Retrieve all embedded binary data.
  • A decompiler plug-in that uses the FFDEC Flash Decompiler. This decompiler engine, written in Java, can be used as a stand-alone library. Since FLASHMINGO is written in Python, using this plug-in requires Jython to interoperate between these two languages.

FLASHMINGO can be extended by adding your own plug-in, it has all the plug-ins listed under the plug-ins directory, you can copy your plugin to the template directory, rename it, and edit its manifest and code.

“Even though Flash is set to reach its end of life at the end of 2020 and most of the development community has moved away from it a long time ago, we predict that we’ll see Flash being used as an infection vector for a while.”

FLASHMINGO offers malware analysts a flexible framework to deal with Flash samples, you can download the tool from the GitHub Repository.

Course: Learn Malware Analysis – Advance Malware Analyst Bundle

Other Relevant Tools

FileTSAR – A Free all-in-one Forensic Toolkit for Law Enforcement Agencies

Cynet Offers a Free Threat Assessment for Mid-Sized and Large Organizations – Take a Free Ride Now

Commando VM – Windows-based Distribution for Penetration Testers Like Kali Linux

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles