Category: Reverse Engineering

Category: Reverse Engineering

PlugX: some uncovered points

PlugX (or Korplug, or Gulpix) is a well-known RAT involved in many APT cases. Some excellent write-ups about this malware have already been published by the CIRCL, Sophos and AlienVault. Since we met it on an incident response case back in 2012, we followed its evolution to improve our knowledge, rules and tools. We’re planning

PlugX “v2”: meet “SController”

In our previous blog post about the PlugX RAT, we dealt with the original version, and recapped some internal features. Back in mid 2013, we started to see a new version of the RAT in the wild, with enough differences with the previous one to be considered as a new major version. We thus called

Dumping firmware out of a Z-Wave ASIC

Recently, in our team, we had to deal with Z-Wave equipments, including the RF protocol that we handled with a Software Defined Radio (SDR) and GnuRadio. The purpose of this article is not to go into details on the radio part as it will be done on a later publication. Nevertheless, during our researches, we

Bitcrypt broken

Ransomware is nothing new. You might already have heard about it already, since it is a kind of fraud which can impact anyone and do severe damages. Some ransomware forbid you to access to your computer, while some others do crypt files on your system so that you cannot open them anymore. No matter the

Disass, script reverse engineering for dummies

On our daily job, we have to manage malicious piece of code every day. On this domain, we historically had two approaches: dynamic analysis on our own sandbox or manual and static analysis with reverse engineering skills. Because static analysis can be boring for known samples, we developed a framework to automatically analyzing malware. We

LeoUncia and OrcaRat

The PWC-named malware OrcaRat is presented as a new piece of malware but looking at the URI used for C&C communication, it could be an updated version of a well-known and kind of old piece of malware: LeoUncia. Status Let’s face it: px~NFEHrGXF9QA=2/5mGabiSKSCIqbiJwAKjf+Z81pOurL1xeCaw=1/xXiPyUqR/hBL9DW2nbQQEDwNXIYD3l5EkpfyrdVpVC8kp/4WeCaArZAnd+QEYVSY9QMw=2 URI taken from an OrcaRat sample.It looks a lot like: qFUtb6Sw/TytLfLsy/HnqI8QCX/ZRfFP9KL/_2yA9GIK/iufEXR2r/e6ZFBfoN/fcgL04f7/ZBzUuV5T/Balrp2Wm URI taken from

Vinself now with steganography

VinSelf is a known RAT malware already explained on other blogs . It’s a family that has been long used in APT attacks. VinSelf can be recognized in two ways: the network patterns used; the strings obfuscation in the binary. The VinSelf obfuscation algorithm is quite simple, but specific enough to state that samples using

Latest changes in PlugX

It has been a while since we last wrote about PlugX RAT. JPCERT made a great blog post covering the latest features added to the RAT, such as: New protocol (raw IP protocol 0xff) P2P communications MAC address binding Process injection for UAC bypass New encoding algorithm This post aims at giving new elements we

Volatility plugin for PlugX updated

Just after releasing our previous blog post, we encountered a new PlugX variant using a bigger configuration than usual. We thus decided to study it and update our volatility plugin to handle the latest PlugX versions. The new version we encountered has a configuration size of 0x4ea4 bytes, while the previous one was only 0x36e4

Newcomers in the Derusbi family

Derusbi is a well-known RAT family, used in various APT attacks since at least 2008. Many papers (1,2,3) have described two known variants of this malware: a client version, acting as any other RAT by contacting its C&C server, as well as a server version, which just listens for incoming connections from a client. This

Back to top