Category: Engine

Cerbero Suite 6.2 and Cerbero Engine 3.2 are out!

We recently released three commercial packages: OneNote Format, Simple Batch Emulator and PowerShell Beautifier.

In this release we moved a number of features to optional packages so that we can more rapidly update them. Cerbero Store now has the following additional packages:

– JavaScript Beautifier (all licenses)
– EML Format (all advanced licenses)
– Torrent Format (all advanced licenses)
– ShellcodeToExecutable (all advanced licenses)
– Tor Downloader (all advanced licenses)
– Python Snippets (all licenses)

We have also reached another important milestone in the SDK documentation process, as it now features the complete guide on how to create plugins and extensions for Cerbero Suite and Cerbero Engine.

We also improved syntax highlighting and fixed various bugs.

Simple Batch Emulator Package

To help in the analysis of malware which uses Windows batch scripts we just released a package on Cerbero Store called “Simple Batch Emulator”. The name of the package is self-explanatory as it provides a basic emulator for batch scripts. The package is available to all commercial licenses of Cerbero Suite Advanced.

The following is a malicious OneNote document. All embedded files are automatically extracted thanks to the “OneNote Format” package.

Two of the embedded files are batch scripts. We can execute the action to emulate the obfuscated batch code.

Continue reading “Simple Batch Emulator Package”

OneNote Format Support

Microsoft OneNote is rising in popularity as a vector for malware. Therefore, all commercial licenses of Cerbero Suite can now download our “OneNote Format” package from Cerbero Store which parses the OneNote format and extracts embedded files.

Installing the package from Cerbero Store takes only a few mouse clicks.

Once the package is installed, you can directly inspect OneNote documents in Cerbero Suite and all embedded files are automatically extracted and ready to be inspected.

Continue reading “OneNote Format Support”

Cerbero Suite 6.1 and Cerbero Engine 3.1 are out!

We’re happy to announce the release of Cerbero Suite 6.1 and Cerbero Engine 3.1!

This release contains many improvements to our PDF support.

New JBIG2 Library

Our PDF support has been featuring the capability to decode JBIG2 streams for many years.

JBIG2 is an imperative file format which has been demonstrated can be Turing complete. In fact, one of the most sophisticated exploits has been created exploiting a JBIG2 library in iOS. The exploit mentioned in the article creates over 70,000 segments to create a small virtual machine in logical operations defined by JBIG2.

In a recent release we made our already hardened JBIG2 decoding support even more secure by relegating it to a different process and constraining it to a time threshold.

This release features a completely rewritten JBIG2 library. Not only is it faster than the previous one, but it also has constraints on allocation and processing time by default. Therefore, now the library is being run again in the same process and it’s even faster than before.

For the customers of our engine: it is still possible to use the old JBIG2 library:

pdf.SetJBIG2LibraryVersion(1)

By default version 2 (the new library) is used.

Continue reading “Cerbero Suite 6.1 and Cerbero Engine 3.1 are out!”

Cerbero Suite 6 and Cerbero Engine 3 are out!

We’re happy to announce the release of Cerbero Suite 6 and Cerbero Engine 3!

All of our customers can upgrade at a 50% discount their licenses for the next 3 months. We value our customers and everyone who has bought a license in August should have received a free upgrade for Cerbero Suite 6. Everyone who has purchased a license before August, but in the last 3 months, should have received an additional discount. Commercial customers with an active subscription plan should have already received a license for Cerbero Suite 6.

If you’re a customer of Cerbero Suite 5 and didn’t get an email from us, please contact us at sales@cerbero.io.

So what’s new?

Sample Downloader Package

While we published this package on Cerbero Store in August, it was actually planned for the 6.0 release: one of the main reasons for the introduction of Cerbero Store was the ability to offer certain types of updates as soon as they were ready.

Check out the video presentation for a quick introduction to the Sample Downloader package.

Installing the package from Cerbero Store takes only a few clicks. Once installed, you can go to the settings and enter your API keys for the supported intelligence services.

Continue reading “Cerbero Suite 6 and Cerbero Engine 3 are out!”

Suite 5.7 and Engine 2.7 are out!

Here summarized are the main news of this release of Cerbero Suite 5.7 and Cerbero Engine 2.7.

Expanded AbuseCH Intelligence Package

We have released an improved version of the originally named ‘MalwareBazaar Intelligence’ commercial package. We have renamed the package to ‘AbuseCH Intelligence’ and greatly expanded its functionality.

Check out the video presentation to quickly learn about its features.

If you want to learn more about the new features, you can read our dedicated post.

CFBF Module Documentation

We have documented the API for parsing Microsoft legacy Office documents.

The documentation includes examples that show how to enumerate CFBF directories, decrypt documents, extract VBA code and decompile macros.

Augmented JBIG2 Decoding Security

Our PDF support has been featuring the capability to decode JBIG2 streams for many years.

In this release we have made our already hardened JBIG2 decoding support even more secure by relegating it to a different process and constraining it to a time threshold.

JBIG2 is an imperative file format which has been demonstrated can be Turing complete. In fact, one of the most sophisticated exploits has been created exploiting a JBIG2 library in iOS. The exploit mentioned in the article creates over 70,000 segments to create a small virtual machine in logical operations defined by JBIG2.

Our changes perfectly prevent memory exhaustion and stalling issues: if the decoding process doesn’t complete within a given time, the decoding fails and the issue is reported to the user.

Human Hash

We have integrated human hashes in our analysis workspace. When you rest the cursor on the cryptographic hash of the current object, it displays the humanized version of the hash as a tool-tip.

The humanized hash can also be copied to the clipboard from the drop-down menu next to the cryptographic hash edit box.

While a human hash with a uniqueness of 1 in 4 billions defeats the security of cryptographic hashes, it may be useful when comparing hashes at a glance.

Deflate64 Support

We have added support for the proprietary deflate64 decompression method. The decompression is integrated both in our Zip format support and in our filters technology.

New Python APIs

We added a few new APIs to our SDK. The most important addition is the logicProviderArguments method, which can be used by logic providers to retrieve their command line arguments (in case they were invoked from the command line).

This is a small code example of a logic provider init function:

def customLogicProviderInit():
    ctx = proCoreContext()
    args = ctx.logicProviderArguments()
    if not args.isEmpty():
        # has arguments...

Extensions Load Errors

To more easily debug load errors of extensions, we have enabled a debug message which shows only once for each extension which failed to load. This change is mainly directed at developers of extensions.

We have also made other various improvements and fixed a few issues.