Category: APT

APT Kill chain – Part 1 : Definition

Today we decided to release a series of blog posts on the APT kill chain, in an effort to share our experience and knowledge on this hot topic. For starters, “APT” stands for Advanced Persistent Threat. Some people do not use this term at all, considering that the acronym is just a buzzword, created by

APT Kill chain – Part 2 : Global view

 is. As we have seen, there are different definitions, and I bet nearly all companies working on APT incident handling have their own. What every experienced APT incident responder agrees on is the way APT attacks are conducted. The APT kill chain can be presented with some variations, depending on the level of detail

APT Kill chain – Part 3: Reconnaissance

This blog post is part of a series on the APT kill chain. In this post we focus on the reconnaissance step. All the information written here comes directly from our observations and experience in APT incident handling and APT pentest simulations. Time for action has come. The attackers have chosen one target, now they have

APT Kill chain – Part 4 : Initial compromise

This blog post is part of a series on the APT kill chain. In the previous step, we saw how the attacker used reconnaissance techniques to collect data on their target. Now we will focus on the initial compromise. At this stage, the APT attackers have a solid knowledge of their target and its key employees. The

The Eye of the Tiger

Cyber espionage has been a hot topic over the last few years. Computer attacks known as “APT” (Advanced Persistent Threat) have become widely reported and emphasized by the media, the damage is now considered real, and strategic trends in cyber defense are shifting. Today, we decided to publicly release information on a specific group of APT

LeoUncia and OrcaRat

The PwC-named malware OrcaRat is presented as a new piece of malware, but looking at the URI used for C&C communication, it could be an updated version of a well-known and rather old piece of malware: LeoUncia. Status. Let’s face it: px~NFEHrGXF9QA=2/5mGabiSKSCIqbiJwAKjf+Z81pOurL1xeCaw=1/xXiPyUqR/hBL9DW2nbQQEDwNXIYD3l5EkpfyrdVpVC8kp/4WeCaArZAnd+QEYVSY9QMw=2 (URI taken from an OrcaRat sample). It looks a lot like: qFUtb6Sw/TytLfLsy/HnqI8QCX/ZRfFP9KL/_2yA9GIK/iufEXR2r/e6ZFBfoN/fcgL04f7/ZBzUuV5T/Balrp2Wm URI taken from
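The comparison above is done by eye: both URIs are made of slash-separated segments that look like random base64-style data, with no file name, extension or readable word anywhere in the path. As an added example (not code from the original post, and not a signature for either OrcaRat or LeoUncia), here is one way to turn that observation into a measurable path profile that can be run over proxy logs. The alphabet (standard base64 plus the "_" and "~" characters seen in the two URIs), the minimum segment length of 8 and the 80% ratio threshold are assumptions chosen for this illustration, and readable-looking paths with mixed case will still produce false positives; the two URIs are the ones quoted above, the benign paths are constructed.

```python
import re
from urllib.parse import urlsplit

# The two URIs quoted in the post (OrcaRat first, the LeoUncia-like one second).
ORCARAT_URI = ("px~NFEHrGXF9QA=2/5mGabiSKSCIqbiJwAKjf+Z81pOurL1xeCaw=1/xXiPyUqR/"
               "hBL9DW2nbQQEDwNXIYD3l5EkpfyrdVpVC8kp/4WeCaArZAnd+QEYVSY9QMw=2")
SECOND_URI = ("qFUtb6Sw/TytLfLsy/HnqI8QCX/ZRfFP9KL/_2yA9GIK/iufEXR2r/"
              "e6ZFBfoN/fcgL04f7/ZBzUuV5T/Balrp2Wm")

# Constructed benign paths for comparison (not from the post).
BENIGN_PATHS = ["/images/logo.png", "/api/v1/users", "/wp-content/uploads/2014/10/IMG_0001.jpg"]

# Assumed alphabet: standard base64 characters plus "_" and "~" as seen in the
# quoted URIs; a segment must be at least 8 characters long to count.
ENCODED_SEGMENT = re.compile(r"[A-Za-z0-9+=_~]{8,}")


def path_segments(uri: str) -> list[str]:
    """Split the path of a full URL, or a bare path, into its non-empty segments."""
    path = urlsplit(uri).path if "://" in uri else uri
    return [seg for seg in path.split("/") if seg]


def segment_looks_encoded(seg: str) -> bool:
    """A segment looks encoded when it is long, drawn only from the base64-like
    alphabet, and mixes upper- and lower-case letters (words and version numbers
    such as "images" or "v1" usually do not)."""
    if not ENCODED_SEGMENT.fullmatch(seg):
        return False
    return any(c.islower() for c in seg) and any(c.isupper() for c in seg)


def path_profile(uri: str) -> dict:
    """Structural features of a URI path, independent of the actual bytes."""
    segs = path_segments(uri)
    encoded = sum(segment_looks_encoded(s) for s in segs)
    return {
        "segments": len(segs),
        "min_len": min((len(s) for s in segs), default=0),
        "max_len": max((len(s) for s in segs), default=0),
        "encoded_ratio": encoded / len(segs) if segs else 0.0,
        "has_extension": bool(segs) and "." in segs[-1],
    }


def looks_like_encoded_path(uri: str, min_ratio: float = 0.8) -> bool:
    """Heuristic (assumed thresholds): several segments, no file extension on the
    last one, and at least min_ratio of the segments looking like encoded data."""
    p = path_profile(uri)
    return p["segments"] >= 2 and not p["has_extension"] and p["encoded_ratio"] >= min_ratio


if __name__ == "__main__":
    for uri in [ORCARAT_URI, SECOND_URI, *BENIGN_PATHS]:
        print(looks_like_encoded_path(uri), path_profile(uri), uri[:40])
```

Both quoted URIs are flagged even though their segment counts and lengths differ (five variable-length segments versus ten segments of exactly eight characters), which is the point of profiling structure rather than matching bytes; the benign paths are not. In practice this is a triage filter to surface candidate hosts for a closer look, not a detection on its own.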

APT Kill chain – Part 5 : Access Strengthening and lateral movements

Being successful at compromising one or several workstations and/or servers of a targeted company is an important step for APT attackers. Just after the initial compromise step, there are two possible situations: either the attacker managed to gain high privileges on the system, or the attacker only managed to compromise machines with regular user privileges. More often

Vinself now with steganography

VinSelf is a known RAT, already described on other blogs. It is a family that has long been used in APT attacks. VinSelf can be recognized in two ways: the network patterns it uses, and the string obfuscation in the binary. The VinSelf obfuscation algorithm is quite simple, but specific enough to state that samples using

Latest changes in PlugX

It has been a while since we last wrote about the PlugX RAT. JPCERT made a great blog post covering the latest features added to the RAT, such as: a new protocol (raw IP protocol 0xff), P2P communications, MAC address binding, process injection for UAC bypass and a new encoding algorithm. This post aims at giving new elements we

Volatility plugin for PlugX updated

Just after releasing our previous blog post, we encountered a new PlugX variant using a bigger configuration than usual. We thus decided to study it and update our Volatility plugin to handle the latest PlugX versions. The new version we encountered has a configuration size of 0x4ea4 bytes, while the previous one was only 0x36e4
