In the digital world it is hard to grasp threats and attacks, because they do not appear in a way we can feel. If we see a big leaning tree on a stormy day, we can easily sense the danger and would probably stay away from it. If we see an uncovered electrical cable and need to handle it, we would probably disconnect the power source before touching it. In the digital space this is not so simple, since threats are hard to see: they belong to a different visible spectrum.
So I decided to try to translate what is hard to see in the physical space, such as malware, into something that is easy to see, such as a picture, by using common binary visualization algorithms and tools.
What am I looking at?
You are looking at a graphical representation of Emotet malware. There is a vast selection of Emotet samples on the Internet, but this is one of my favorites. Its name is
de6a8b8612b5236a18eea1a6a8f53e117d046cf2ad95e079a6715af68f8d2216 and I've been dissecting it here.
Why are there different colors and symmetric images inside a big cube?
Malware is often encrypted or compressed to discourage malware analysts from reverse engineering it. Every encryption, compression and encoding algorithm leaves the data with a characteristic entropy: a packed or encrypted region looks close to random, while plain code, strings and zero padding do not. Regions with similar entropy are visualized in a similar way, so they appear with the same color or the same pattern.
In this specific case you see an executable structure (a PE file, represented by the blue lines) holding code (the yellow/orange dots) that decrypts an encrypted or encoded payload (the little bright cube).
Tell me more about Emotet
Historically, Emotet was a banking trojan organized as a botnet; nowadays it is mostly seen as infrastructure-as-a-service for content delivery. For example, since mid-2018 it has been used to install TrickBot, which in turn may lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.
It still steals information from victims, but the criminal gang behind it opened up another business channel by selling its infrastructure to deliver additional malicious software. Malware analysts have classified it into epochs, depending on the command and control, payloads and delivery solutions, which change over time.
Famous Emotet Attacks
- United Nations
- Berlin's high court
- Companies with an external SOC
- Japanese companies
Is It Art?
I have no idea whether you can consider this art or not. Maybe you can consider it a new form of digital art? Anyway, this is not my point; I don't pretend to be an artist at all! What I have done to obtain this result is mainly finding some of the most representative malware families, collecting them, applying visual algorithms to the most significant malware stage, and trying to select the best perspective (in terms of 3D angles and visualization perspective). I hope you enjoy it!
- Binary Data Visualization by CodiSec (amazing job, guys!)
- Malpedia for some texts.