Malware's Wardrobe I – Bredolab, From "You Jump, I Jump" To "I See You"
Once again we find ourselves looking at Bredolab's aftermath. After several days of seeding itself with the help of its infamous partner, the Pushdo/Cutwail/Webwail botnet, Bredolab has gone back to dropping a single payload, a FakeAV downloader. It also arrives in new clothes, hoping to surprise us. Will it?
Figure 1 – Fake API Calls
The new clothes come with some decorations. In Figure 1 the block is padded with fake API calls, each made with invalid parameters. The purpose is obvious: on a real Windows these calls fail quickly and in a well-defined way, so they cost the loader nothing, while a defective emulator that does not implement the APIs faithfully either aborts on them or behaves differently from the real system, which is enough to stop it or give it away. Are those fake API calls useless, then?
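The trick in Figure 1 can be written as a small self-check, shown here as an added example that is not code from the post or from the Bredolab sample. The loader in the post targets Win32 APIs; to stay runnable anywhere this sketch makes the same kind of deliberately invalid calls against POSIX libc (close of a bad descriptor, an empty path, an invalid signal number) and compares the errno it observes with the value a real kernel documents. The probe list, the expected errno values and the "sloppy emulator" stand-in are the example's own assumptions, constructed to show the two outcomes: a real kernel passes, an emulator that answers every call with "success" is flagged.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>

/* One bogus API call: a label, the call itself, and the errno a real kernel
 * is documented (POSIX) to set for that misuse. (Constructed probe list.) */
typedef struct {
    const char *name;
    int (*call)(void);     /* returns errno observed, or 0 if the call "succeeded" */
    int expected_errno;
} probe_t;

/* Helper: map a -1 return to the errno just set, anything else to 0. */
static int after_call(int ret) { return ret == -1 ? errno : 0; }

static int bad_close(void) { errno = 0; return after_call(close(-1)); }              /* EBADF  */
static int bad_fcntl(void) { errno = 0; return after_call(fcntl(-1, F_GETFD)); }     /* EBADF  */
static int bad_open(void)  { errno = 0; return after_call(open("", O_RDONLY)); }     /* ENOENT */
static int bad_kill(void)  { errno = 0; return after_call(kill(getpid(), -1)); }     /* EINVAL */

static const probe_t probes[] = {
    { "close(-1)",            bad_close, EBADF  },
    { "fcntl(-1, F_GETFD)",   bad_fcntl, EBADF  },
    { "open(\"\", O_RDONLY)", bad_open,  ENOENT },
    { "kill(getpid(), -1)",   bad_kill,  EINVAL },
};

/* The environment under test: given a probe, return the errno it observes. */
typedef int (*env_fn)(const probe_t *);

/* Real kernel: simply make the call. */
int real_kernel(const probe_t *p) { return p->call(); }

/* Constructed stand-in for a "defective emulator" that implements every API
 * as "return success" instead of modelling the documented failure paths. */
int sloppy_emulator(const probe_t *p) { (void)p; return 0; }

/* Count probes whose observed errno differs from what a real kernel returns.
 * A loader using this trick would treat any mismatch as "I am being emulated". */
int count_mismatches(env_fn env) {
    int bad = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int got = env(&probes[i]);
        if (got != probes[i].expected_errno) {
            bad++;
            fprintf(stderr, "%-22s expected errno %d, got %d\n",
                    probes[i].name, probes[i].expected_errno, got);
        }
    }
    return bad;
}

/* 1 if every bogus call failed exactly the way a real OS fails, else 0. */
int looks_like_real_os(env_fn env) { return count_mismatches(env) == 0; }

int main(void) {
    printf("real kernel:     %s\n", looks_like_real_os(real_kernel) ? "passes" : "FLAGGED");
    printf("sloppy emulator: %s\n", looks_like_real_os(sloppy_emulator) ? "passes" : "FLAGGED");
    return 0;
}
```

The point for an analyst is the reverse of the loader's: when building or tuning an emulator, feed it exactly these kinds of invalid-parameter calls and check that the error codes match the real system, otherwise the sample will stop before it ever reaches the code you want to see.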