Posts tagged "REM":
This blog post focuses on the various string obfuscation methods employed by the still relatively new ransomware BlackMatter and presents ways to decode those strings by leveraging Ghidra's scripting capabilities and the usage of the Unicorn engine for CPU emulation. The corresponding Ghidra scripts published on Github aim to aid future analyses of BlackMatter-samples, which employ the following string obfuscation techniques:
(...)The ransomware BlackMatter aims at stepping into the void, which was left by REvil's and DarkSide's (temporary) retreat. At this point in time this new ransomware seems to pose a serious threat. In this blogpost BlackMatter's API hashing mechanism is described in detail and a Ghidra-script is supplied 1 to aid future analyses.
(...)