This post follows a paper published by Symantec about a group of attackers known as BlackVine. It describes the technical evolution of the custom-developed RAT Sakula used in campaigns targeting industries such as energy, aerospace and healthcare. By analysing the samples, we see that the code evolves over the years, becoming increasingly well-structured and defensive.
This post is the second part of article on the Sakula malware. It follows the first one available here and covers versions 2.x and 3.x. It provides a lot of technical details to follow Sakula evolution. Some parts of the article can be a bit long to read, but the fact to put constants, pathes,
PlugX has been a well-known RAT for the last 5 years, and we have written many blog posts about it. However, there has never been known released builders for this RAT, except the one from Ahnlab which allows the building of very old samples (2011), and another which was discussed in our previous post. Using
In August 2016 an archive was released to the public by an unknown group calling itself Shadow Brokers. This archive contained material attributed to the Equation Group. The authenticity of this leak, its reason, attribution and content have already been widely discussed, by Bruce Schneier and Matthieu Suiche among others. Mustafa Al-Bassam has kept an
In the previous OXID Resolver Part 1 article , a way to remotely enumerate the network interfaces on a recent Windows OS machine has been described. This method does not require the knowledge of user credentials and relies on the ServerAlive2() RPC method. The latter is held by the IOXIDResolver interface. This article is dedicated