Industroyer C2 Communication

As part of my day job, I work for Secarma (previously known as Pentest Limited) as a Senior Penetration Tester. During engagements, the question of malware threats is increasingly raised, in part due to media focus on APT groups such as APT28, and malware campaigns such as WannaCry. While looking into another malware variant recently uncovered by ESET, Industroyer, I started reviewing the protocol used to communicate with the backdoor component of the malware. Details of the research have been published under Secarma Labs, which can be found here. A video demonstrating the malware in action,…

Read more »

Using Hopper scripting to analyse MacRansom

This week, Objective-See published a walkthrough of the recently released "Malware as a Service" family, MacRansom, originally identified by FortiNet. Patrick from Objective-See does a brilliant fly-by of the malware using LLDB, and presents some nice "anti anti-analysis" tricks. If you are interested in the internals of the malware, I'd recommend that you take a look. Seeing how uncommon this type of "MaaS" is on MacOS (at the minute at least), this was a good opportunity to break out Hopper and see how well it handles malware analysis. If you have never used Hopper before, it is a low cost d…

Read more »

Reviewing the APT32 phishing malware

This week, FireEye released an awesome review into APT32 (aka OceanLotus). The full writeup of their analysis can be found on FireEye's site here, and is certainly worth a read if you are interested in the evolving world of APT and attribution. One of the things I found interesting about this group was their use of "off the shelf" open source tools and techniques, often associated with commercial red-team engagements. So of course I was curious to see exactly how these tools were being deployed within the initial stages of a campaign. What follows is a brief review of the initial infiltrati…

Read more »

Exploiting with pwndbg - Solving PlaidCTF 2016 SmartStove

This bank holiday weekend I spent a bit of time updating my docker containers (I know, rock-n-roll!). One of the tools I've been hearing good things about is pwndbg, an open source plugin for GDB which aims to help with exploit development. I've always been a fan of peda, which provides similar functionality, but seeing the integration that pwndbg had with radare2, I couldn't help but give it a shot. To install the tool, I used the provided installation instructions: git clone https://github.com/pwndbg/pwndbg cd pwndbg ./setup.sh One of the snags I ran into early was a nasty error message when…

Read more »