In a digital world it is hard to understand threats and attacks since they don’t appear in a way we can feel them. For example if we see a big leaning tree during a storm day, we can easily feel the danger and we probably would stay away from it. Or if we see an uncovered electrical cable and we need to handle it, we would probably disconnect the electricity source before touching the cable. In the digital space this is not so simple since it is hard to see threats because belonging to a different visible spectrum.

Maze Picture

So I decided to try to translate what is hard to see in a physical space, such as a Malware, into something that is easy to see, such as a picture, by using common binary visualization algorithms and tools.

What am I looking at ?

Your are looking a graphical representation of Maze Ransomware. There is a vast selection of Ransomware on Internet but this is one of my favorite. Its name is 0e03b75972bc00a096a75f4eb6b2245dc23731ed683fcc48d9ed4045069aa0fd and it has been one of the first Maze Ransomware. Maze has changed the way to perform digital ransom asking double “fees”. Once for getting the decrypter (in other words for getting file back) and a second ransom (money or motivational) to avoid to disclose victim files over their websites.

Why are there different colors and symmetric images inside a big cube ?

Often Malware are encrypted/compressed in order to discourage Malware analysts performing reverse engineering. Every encryption/compression and every encoding algorithm holds a specific entropy. Similar entropy are visualized in “similar way”, so they look like with the same color or representation pattern.

In this specific case you are see an executable structure (PE File, represented by blue lines) holding a code (represented by yellow/orange dots) that would decrypt an encrypted/encoded several different code (represented by the little bright squares). The encoded layers looks like to be implemented using a unique algorithm but it;s spread all over the code in many formats. You might appreciate a bright cube straight in the right representing a big junk of encoded data (the real payload) and a bunch of different encoded/encrypted files all around, representing modules and configurations.

Tell me more about Maze

Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated. Actors are known to exfiltrate the data from the network for further extortion. It spreads mainly using email spam and various exploit kits (Spelevo, Fallout). The code of Maze ransomware is highly complicated and obfuscated, which helps to evade security solutions using signature-based detections.

Famous Maze Attacks

  • Xerox Corporation – Full dump (HERE)
  • Innotech-Execaire Aviation Group (HERE)
  • National Highways Authority of India (HERE)
  • LG ELECTRONICS (HERE)
  • … many many more …

Is It Art ?

I have no idea if you can consider this Art or not. Maybe you can consider it a new form of digital art ? Anyway, this is not my point, I don’t pretend to be an artist at all! What I have done to obtain this result is mainly in finding some of the most representative Malware families, collecting them, apply visual algorithms against the more significant Malware stage and try to select the best prospective (in term of 3D angles and visualization prospective). I hope you enjoy it !

Credits

  • Binary Data Visualization by CodiSec (amazing job guys !)
  • Malpedia for some definitions.