-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfeed.xml
198 lines (195 loc) · 7.03 KB
/
feed.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
<title>loaders.re</title>
<link href="https://bsendpacket.github.io/loaders.re/feed.xml" rel="self" />
<link href="https://bsendpacket.github.io/loaders.re" />
<updated>2024-06-22T09:26:30-04:00</updated>
<author>
<name>bsendpacket, donaldduck8</name>
</author>
<id>https://bsendpacket.github.io/loaders.re</id>
<entry>
<title>loaders.re</title>
<author>
<name>bsendpacket, donaldduck8</name>
</author>
<link href="https://bsendpacket.github.io/loaders.re/about/"/>
<id>https://bsendpacket.github.io/loaders.re/about/</id>
<media:content url="https://bsendpacket.github.io/loaders.re/media/posts/1/hacking_a_bunch_of_flowers_and_crystals.png" medium="image" />
<updated>2024-06-21T17:28:41-04:00</updated>
<summary>
<![CDATA[
<img src="https://bsendpacket.github.io/loaders.re/media/posts/1/hacking_a_bunch_of_flowers_and_crystals.png" alt="" />
This project is coming soon. For now, here is what we have planned: Loader families commonly go unlabeled within malware analysis reporting, unless they are popular or infamous. Even if reporting for a loader exists, it can be very difficult to find due to the…
]]>
</summary>
<content type="html">
<![CDATA[
<p><img src="https://bsendpacket.github.io/loaders.re/media/posts/1/hacking_a_bunch_of_flowers_and_crystals.png" class="type:primaryImage" alt="" /></p>
<blockquote>
<p>This project is coming soon. For now, here is what we have planned:</p></blockquote>
<p>Loader families commonly go unlabeled within malware analysis reporting, unless they are popular or infamous. Even if reporting for a loader exists, it can be very difficult to find due to the interchangable nature of loaders. </p><p>This makes loader tracking quite difficult, and thus—we have decided to create a taxonomy system to facilitate easier tracking and lookup of loaders.</p><h3 id="reinventing-the-wheel">Reinventing the wheel?</h3>
<p>Have you ever heard of HijackLoader? IDATLoader? Maybe you have, but did you know that it is also named GHOSTPULSE? What about ASMCrypt or DoubleFinger? SHADOWLADDER? Turns out, based on open-source reporting, these are all apparently different names for essentially the same thing.</p><p>Within industry reporting, it is very common for multiple names to be utilized for the same malware family, and we understand that we are the 15th competing standard to fix them all—however, we are hoping to aggregate loader characteristics in a way that simplifies the hunting of loaders.</p><p>With this in mind, we are creating a new taxonomical system to label loaders, inspired by the naming schemes that companies typically adopt for adversaries. </p><p>For example, within some companies, <code>Spider</code> is utilized for financially motivated groups and <code>Sleet</code> is utilized for groups out of North Korea.</p><h3 id="how-does-it-work">How does it work?</h3>
<p>There’s a fundamental problem with naming loaders. Most infection chains utilize several disjoint stages, and even “one loader” might consist of several components written in different languages by different developers. Sometimes, further stages are added or removed from loaders as well, making it difficult to definitively state which loader is used when.</p><p>That is a problem that is beyond the scope of this project. Our goal is simply to connect words with individual stages and hopefully connect the stages to their characteristics such as searchable strings, API calls, and a general understanding of its logic.</p><p>We are also hoping for some help from the community in order to add new entries and to help build a comprehensive list of loaders. We also hope that the community can help identify the loaders described within the compendium. </p><p>We understand that there are likely hundreds of thousands of loaders out there, and creating a lookup for every single loader is infeasible, but we hope to make even just a few analysts’ jobs easier. We also understand that this will take time, and we don’t (and won’t ever) promise that this will be ‘complete’ in any way, shape, or form. This is (in its current stage) simply a passion project in which we try to contribute information for loaders we analyze in our free time.</p><p>With that in mind, the general idea is as follows:</p><ul>
<li>The programming language(s) utilized by an individual stage is represented by a mineral/gemstone.</li>
<li>A random flower name is utilized to identify the logic of a given loader stage.</li>
</ul>
<p>Here is an example loader chain:</p><ol>
<li><em>QuartzDahlia</em> (Launch4j)</li>
<li><em>AmberAmethystDaisy</em> (JPHP portion of D3F@ck Loader)</li>
<li><em>QuartzBegonia</em> (Unknown C++ Loader)</li>
<li><em>DiamondDaffodil</em> (Shellcode stage within QuartzBegonia)</li>
<li><em>LummaStealer</em></li>
</ol>
<p>Here is the current list of programming languages corresponding to mineral/gemstones. This is not comprehensive, and in fact, we don’t know if loaders even exist for all of these languages. As more languages end up being used within loaders, the list will get an update.</p><table>
<thead>
<tr>
<th>Language</th>
<th>Mineral / Gemstone</th>
</tr>
</thead>
<tbody><tr>
<td>AppleScript</td>
<td>Moonstone</td>
</tr>
<tr>
<td>Assembly/Shellcode</td>
<td>Diamond</td>
</tr>
<tr>
<td>AutoHotkey</td>
<td>Tanzanite</td>
</tr>
<tr>
<td>AutoIt</td>
<td>Sapphire</td>
</tr>
<tr>
<td>Batch Script</td>
<td>Graphite</td>
</tr>
<tr>
<td>C / C++</td>
<td>Quartz</td>
</tr>
<tr>
<td>C#</td>
<td>Garnet</td>
</tr>
<tr>
<td>D</td>
<td>Axinite</td>
</tr>
<tr>
<td>Dart</td>
<td>Fluorite</td>
</tr>
<tr>
<td>Delphi</td>
<td>Turquoise</td>
</tr>
<tr>
<td>GoLang</td>
<td>Aquamarine</td>
</tr>
<tr>
<td>Haskell</td>
<td>Opal</td>
</tr>
<tr>
<td>Java</td>
<td>Amber</td>
</tr>
<tr>
<td>JavaScript</td>
<td>Sulfur</td>
</tr>
<tr>
<td>Kotlin</td>
<td>Emerald</td>
</tr>
<tr>
<td>Lua</td>
<td>Jade</td>
</tr>
<tr>
<td>Nim</td>
<td>Citrine</td>
</tr>
<tr>
<td>NSIS</td>
<td>Tourmaline</td>
</tr>
<tr>
<td>Objective-C</td>
<td>Beryl</td>
</tr>
<tr>
<td>OCaml</td>
<td>Hematite</td>
</tr>
<tr>
<td>PascalScript</td>
<td>Jasper</td>
</tr>
<tr>
<td>Perl</td>
<td>Pearl</td>
</tr>
<tr>
<td>PHP</td>
<td>Amethyst</td>
</tr>
<tr>
<td>PowerShell</td>
<td>Onyx</td>
</tr>
<tr>
<td>Python</td>
<td>Topaz</td>
</tr>
<tr>
<td>R</td>
<td>Fluorite</td>
</tr>
<tr>
<td>Ruby</td>
<td>Ruby</td>
</tr>
<tr>
<td>Rust</td>
<td>Cinnabar</td>
</tr>
<tr>
<td>Scala</td>
<td>Malachite</td>
</tr>
<tr>
<td>Shell</td>
<td>Obsidian</td>
</tr>
<tr>
<td>Swift</td>
<td>Peridot</td>
</tr>
<tr>
<td>TypeScript</td>
<td>Azurite</td>
</tr>
<tr>
<td>Visual Basic</td>
<td>Lapis</td>
</tr>
<tr>
<td>VBScript</td>
<td>Jet</td>
</tr>
<tr>
<td>Zig</td>
<td>Zircon</td>
</tr>
</tbody></table>
]]>
</content>
</entry>
</feed>