Just another analysis of the njRAT malware – A step-by-step approach

Summary njRAT (Bladabindi) is a .NET RAT (Remote Access Trojan) that allows attackers to take control of an infected machine. This malware has been used by APT actors in targeted attacks in Colombia (https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/), by SideCopy (https://blog.talosintelligence.com/2021/07/sidecopy.html) and has been distributed via phishing emails (https://labs.k7computing.com/index.php/malspam-campaigns-download-njrat-from-paste-sites/). The version number in our analysis is 0.6.4 and the […]

Just another analysis of the njRAT malware – A step-by-step approach Read More »

A detailed analysis of the STOP/Djvu Ransomware

Summary STOP/Djvu ransomware is not a very known ransomware like Conti, REvil or BlackMatter, however ESET ranked it on the 3rd place in the top ransomware families in Q2 2020 (https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf). This ransomware can run with one of the following parameters: “–Admin”, “–Task”, “–AutoStart”, “–ForNetRes”, and “–Service”. The process doesn’t target specific countries based on

A detailed analysis of the STOP/Djvu Ransomware Read More »

How to defeat the Russian Dukes: A step-by-step analysis of MiniDuke used by APT29/Cozy Bear

Summary APT29/Cozy Bear is a Russian actor that has been associated with Russia’s Foreign Intelligence Service (SVR). The US government has blamed this actor for the SolarWinds supply chain compromise operation, as described at https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF. MiniDuke is a backdoor written in pure assembly that was previously documented by ESET at https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf and Kaspersky at https://securelist.com/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/64107/,

How to defeat the Russian Dukes: A step-by-step analysis of MiniDuke used by APT29/Cozy Bear Read More »

A step-by-step analysis of the new malware used by APT28/Sofacy called SkinnyBoy

Summary The malware extracts configuration information about the machine that it infects using the systeminfo command, and then it retrieves the list of processes by spawning a tasklist process. The content of the following directories, along with the processes’ output, is base64-encoded and exfiltrated to the C2 server updaterweb[.]com: Desktop folder C:\Program Files C:\Program Files

A step-by-step analysis of the new malware used by APT28/Sofacy called SkinnyBoy Read More »

Dissecting the last version of Conti Ransomware using a step-by-step approach

Summary According to multiple online resources, Conti is one of the most active ransomware families in the last year. One of the infamous attacks happened against HSE healthcare (https://threatpost.com/conti-ransomware-fail-costly/166263/), where the attackers asked for a $20 million ransom. As mentioned by Cybereason at https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware, Conti is sold as a RaaS (Ransomware as a Service) in

Dissecting the last version of Conti Ransomware using a step-by-step approach Read More »

A step-by-step analysis of a new version of Darkside Ransomware (v. 2.1.2.3)

Summary Darkside ransomware is the malware family responsible for the Colonial Pipeline attack on May 7 2021 as described at https://www.zdnet.com/article/darkside-the-ransomware-group-responsible-for-colonial-pipeline-cyberattack-explained/. The binary contains an encrypted configuration that will be decrypted using a custom algorithm, which reveals a 22-byte buffer that describes different actions performed by the malware. These actions include: checking the system language

A step-by-step analysis of a new version of Darkside Ransomware (v. 2.1.2.3) Read More »

Revealing Lamberts/Longhorn malware capabilities using a step-by-step approach (cyberespionage group linked to Vault 7)

Summary According to an article published by Symantec at https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7, a group called Longhorn has attacked at least 40 targets in 16 countries across the Middle East, Europe, Asia, and Africa. They mention that the sample they analyzed has similar tactics and techniques described in the Vault 7 documents disclosed by WikiLeaks in 2017. Kaspersky

Revealing Lamberts/Longhorn malware capabilities using a step-by-step approach (cyberespionage group linked to Vault 7) Read More »

A detailed analysis of ELMER Backdoor used by APT16

Summary In this blog post, we’re presenting a detailed analysis of a backdoor known as ELMER that was used by the Chinese actor identified as APT16. This group targeted Japanese and Taiwanese organizations in industries such as high-tech, government services, media and financial services. The malware is encrypted with a custom algorithm and it’s written

A detailed analysis of ELMER Backdoor used by APT16 Read More »

Analyzing APT19 malware using a step-by-step method

Summary In this blog post we’re presenting a full analysis of a DLL backdoor also reported publicly as Derusbi. This particular piece of malware is associated with the actor known as APT19 (Codoso, C0d0so, Sunshop Group). APT19, also known as C0d0so or Deep Panda, is allegedly a Chinese-based threat group that targeted a lot of

Analyzing APT19 malware using a step-by-step method Read More »

Dissecting APT21 samples using a step-by-step approach

Summary In this blog post we’re presenting a detailed analysis of 2 malicious files (a backdoor known as “Travelnet”) linked to an APT (Advanced Persistent Threat) actor called APT21. APT21 , also known as Zhenbao or Hammer Panda, is a group of suspected state sponsored hackers of Chinese origin. According to multiple online sources, that

Dissecting APT21 samples using a step-by-step approach Read More »