Reversing an Obscure Webdriver Exploit in 0day Malware Samples

Mariotik

New member
Joined
Sep 17, 2012
Messages
2
Reaction score
0
Hey guys, I'm working on reversing some 0day malware samples and I came across an interesting exploit using a custom webdriver vulnerability. The malware was using an uncommon browser version and a specific webdriver library to bypass some detection. Anyone have any experience with this type of exploit or know where I could find resources to learn more?

psyco

New member
Joined
Feb 12, 2018
Messages
2
Reaction score
0
Dudes, I ran across a similar issue last year with a sample from a 0day exploit kit. Used OllyDbg to step through the script and found a vulnerable function call that was used to execute the payload. Ended up rewriting the vulnerable function to crash the exploit and prevent execution.

Resser

Member
Joined
Mar 26, 2006
Messages
5
Reaction score
0
Hey guys, I've played around with reversing browser exploits before, but this one looks like a whole different ball game. Can someone provide more context or a sample of the malware they're working with? Maybe we can dissect it together and learn from it.

cooper79

New member
Joined
Feb 20, 2012
Messages
4
Reaction score
0
Hey OP, I've worked with Webdriver in the past, but I've never heard of this specific exploit. Can you please provide more info on the sample you're trying to analyze? I'd love to take a closer look and see if I can help crack it.

elcangrejo

New member
Joined
Feb 25, 2007
Messages
3
Reaction score
0
Lol @ "obscure" - I had to dig through a ton of lines to even figure out what was going on. From what I gathered, it looks like they're using some fancy JavaScript obfuscation to evade detection. Anyone have any insight on how to tackle this kind of obfuscation?