Analysis of APT28 hospitality malware (Part 2)

In the first part [/apt28-hospitality-malware/] of this malware review, we looked at the VBA code used by APT28 to drop a DLL onto the victims' machine as part of their recently highlighted hospitality campaign. In this post, we will look at the dropped file, and understand just what it does, and how we can analyse it using IDA Pro. So we know from the first post that we have a DLL, which is run using the following command: rundll32.exe %APPDATA%\user.dat,#1 Loading the extracted DLL into I... Read More »

Analysis of APT28 hospitality malware

This week, FireEye published a writeup of yet another APT28 campaign, this time targeting the hospitality sector: > Exposing Russian hackers #APT28 [https://twitter.com/hashtag/APT28?src=hash] and their targeting of hotels & travelers. Also first targeted use of ETERNALBLUE. https://t.co/iiHh71UQeF pic.twitter.com/SIMeDd7MTM [https://t.co/SIMeDd7MTM] — Nick Carr (@ItsReallyNick) August 11, 2017 [https://twitter.com/ItsReallyNick/status/896018119214465024] I'm always interested to see the lates... Read More »

Industroyer C2 Communication

As part of my day job, I work for Secarma (previously known as Pentest Limited) as a Senior Penetration Tester. During engagements, the question of malware threats is increasingly raised, in part due to media focus on APT groups such as APT28, and malware campaigns such as WannaCry. While looking into another malware variant recently uncovered by ESET, Industroyer, I started reviewing the protocol used to communicate with the backdoor component of the malware. Details of the research have bee... Read More »

Using Hopper scripting to analyse MacRansom

This week, Objective-See published a walkthrough [https://objective-see.com/blog/blog_0x1E.html] of the recently released "Malware as a Service" family, MacRansom, originally identified by FortiNet [https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service] . Patrick from Objective-See does a brilliant fly-by of the malware using LLDB, and presents some nice "anti anti-analysis" tricks. If you are interested in the internals of the malware, I'd recommend that you take a ... Read More »

Reviewing the APT32 phishing malware

This week, FireEye released an awesome review into APT32 (aka OceanLotus). The full writeup of their analysis can be found on FireEye's site here [https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html] , and is certainly worth a read if you are interested in the evolving world of APT and attribution. One of the things I found interesting about this group was their use of "off the shelf" open source tools and techniques, often associated with commercial red-team engagem... Read More »