
Job

I started working as Malware Analyst for GDATA CyberDefense AG in January 2015. My main tasks were writing detection signatures for GDATA's antivirus products as well as taking care of customer submissions.

From 2022 until March 2024 I was Lead Engineer for the Protection Engineering team and responsible for improving detection and prevention technologies for GDATA's mEDR product.

Since March 2024 I am Principal Malware Researcher at GDATA. I create internal training, assist the PR team with technical knowledge, create infrastructure and tools for hunting new malware and monitoring threats, assist others in blog article creation and write articles myself.

Ransomware Hunting Team

I was part of the Ransomware Hunting Team and contributed mainly by hunting new ransomware families and finding new variants of known families, e.g., I provided ca. 80% of the STOP/DJVU ransomware samples. I also wrote a STOP/DJVU vaccine based on the analysis of John Parol.

Many of the contributions are listed in the weekly BleepingComputer articles.

Malware Findings

Hunting for new malware families is one of my favorite tasks. When families are newly discovered, they are often still in development and lack important features. Many never become significant. Others unexpectedly grow. I list some of those findings below.

I posted many stealers and ransomware families only as tweets and did not keep track. So this is a selection of some families that had notable impact or in-depth articles behind them.

Netfilter Rootkit

First tweet: Netfilter rootkit tweet

Article link: Microsoft signed a malicious Netfilter rootkit

While many cite Microsoft's article as the first to mention Netfilter, it was me who discovered the rootkit and submitted it to Microsoft. By the time I published my article, Microsoft had already had enough time to investigate and quickly responded to my article on the same day. They were not happy about my article.

I still regret that I named this rootkit Netfilter because Netfilter is a legitimate framework for the Linux kernel. It is a prime example of why no legitimate program names should be used for any malware family. But I learned from my mistakes.

This particular rootkit is not significant anymore, but its discovery shed light on a bigger issue: the certification in the Windows Hardware Compatibility Program allows threat actors to get their malware signed by Microsoft. Similar rootkits are still abusing this today.

SectopRAT

Article link: New SectopRAT: Remote access malware utilizes second desktop to control browsers

This malware was discovered by MalwareHunterTeam. I was the first to write an analysis article about it.

This malware got its name from utilizing a second desktop on Windows to hide itself. It is a .NET based remote access malware that was unfinished at the time of discovery. It is still in the wild today.

StrRat

Article link: New Java STRRAT ships with .crimson ransomware module

This Java based RAT was in development when I found it in June 2020 and had a non-functioning ransomware module. Although it is Java based, it ships with a loader that installs the JVM on Windows systems, making it able to infect systems that don't have the JVM installed.

StrRat is still in the wild today. Malpedia lists more than 14 articles by now, with the last one dated March 2024.

WannaCry

Tweet about first WannaCry version.

WannaCry started as an insignificant .NET ransomware. The very first strain had no worm component and was only worth a tweet on March 27, 2017.

There was another researcher who found this first WannaCry version at roughly the same time. However, I cannot find a reference to it anymore.

The pandemic outbreak with WannaCry 2.0 began on 12 May 2017 and made history.


Last update: 2023-04-05