Category: Sakula

Category: Sakula

LeoUncia and OrcaRat

The PWC-named malware OrcaRat is presented as a new piece of malware but looking at the URI used for C&C communication, it could be an updated version of a well-known and kind of old piece of malware: LeoUncia. Status Let’s face it: px~NFEHrGXF9QA=2/5mGabiSKSCIqbiJwAKjf+Z81pOurL1xeCaw=1/xXiPyUqR/hBL9DW2nbQQEDwNXIYD3l5EkpfyrdVpVC8kp/4WeCaArZAnd+QEYVSY9QMw=2 URI taken from an OrcaRat sample.It looks a lot like: qFUtb6Sw/TytLfLsy/HnqI8QCX/ZRfFP9KL/_2yA9GIK/iufEXR2r/e6ZFBfoN/fcgL04f7/ZBzUuV5T/Balrp2Wm URI taken from

Malware Sakula – Evolutions v1.x (Part 1)

This post follows a paper published by Symantec about a group of attackers known as BlackVine. It describes the technical evolution of the custom-developed RAT Sakula used in campaigns targeting industries such as energy, aerospace and healthcare. By analysing the samples, we see that the code evolves over the years, becoming increasingly well-structured and defensive.

Malware Sakula – Evolutions v2.x-3.x (Part 2)

This post is the second part of article on the Sakula malware. It follows the first one available here and covers versions 2.x and 3.x. It provides a lot of technical details to follow Sakula evolution. Some parts of the article can be a bit long to read, but the fact to put constants, pathes,

The OXID Resolver [Part 2] – Accessing a Remote Object inside DCOM

In the previous OXID Resolver Part 1 article [1], a way to remotely enumerate the network interfaces on a recent Windows OS machine has been described. This method does not require the knowledge of user credentials and relies on the ServerAlive2() RPC method. The latter is held by the IOXIDResolver interface. This article is dedicated

Back to top