Category: All

Latest changes in PlugX

It has been a while since we last wrote about PlugX RAT. JPCERT made a great blog post covering the latest features added to the RAT, such as a new protocol (raw IP protocol 0xff), P2P communications, MAC address binding, process injection for UAC bypass, and a new encoding algorithm. This post aims at giving new elements we

Volatility plugin for PlugX updated

Just after releasing our previous blog post, we encountered a new PlugX variant using a bigger configuration than usual. We thus decided to study it and update our Volatility plugin to handle the latest PlugX versions. The new version we encountered has a configuration size of 0x4ea4 bytes, while the previous one was only 0x36e4

Malware Sakula – Evolutions v1.x (Part 1)

This post follows a paper published by Symantec about a group of attackers known as BlackVine. It describes the technical evolution of the custom-developed RAT Sakula used in campaigns targeting industries such as energy, aerospace and healthcare. By analysing the samples, we see that the code evolves over the years, becoming increasingly well-structured and defensive.

Malware Sakula – Evolutions v2.x-3.x (Part 2)

This post is the second part of the article on the Sakula malware. It follows the first one available here and covers versions 2.x and 3.x. It provides a lot of technical details to follow Sakula's evolution. Some parts of the article can be a bit long to read, but the fact of putting constants, paths,

Newcomers in the Derusbi family

Derusbi is a well-known RAT family, used in various APT attacks since at least 2008. Many papers (1, 2, 3) have described two known variants of this malware: a client version, acting like any other RAT by contacting its C&C server, as well as a server version, which just listens for incoming connections from a client. This

Mounting Bitlocker Volumes Under Linux

Background: Recently I have been encountering more and more devices encrypted with Microsoft’s BitLocker. As I tend to perform a lot of my forensics work on a Linux host I needed to find a way to work with these volumes. Thankfully it turns out that an open-source driver has been written for this purpose. This

Fileless Malware – A Behavioural Analysis Of Kovter Persistence

Background: During a recent talk by a representative of MalwareBytes, it was discussed that several modern malware families, notably Poweliks, Phase Bot and Kovter, are moving away from the file system and are instead establishing persistence in the registry of the host. This blog outlines the infection vector used by the Kovter malware and the

Getting a PlugX builder

PlugX has been a well-known RAT for the last 5 years, and we have written many blog posts about it. However, there have never been any known publicly released builders for this RAT, except the one from AhnLab which allows the building of very old samples (2011), and another which was discussed in our previous post. Using

Playing defence against the Equation Group

In August 2016 an archive was released to the public by an unknown group calling itself Shadow Brokers. This archive contained material attributed to the Equation Group. The authenticity of this leak, its reason, attribution and content have already been widely discussed, by Bruce Schneier and Matthieu Suiche among others. Mustafa Al-Bassam has kept an

Analysing the Hancitor Maldoc

Introduction: Recently we have seen several phishing attempts using macro-enabled Word attachments to load the Hancitor downloader trojan. The macros in these documents use routine Windows API functions with a callback parameter in order to run shellcode directly in memory without the need to drop further files to disk. This entry follows the analysis