Reverse Engineering

OceanLotus (aka APT32) is a very active hacking group. It operates especially in the area of south-east Asia and, according to the security community, it is close to the Vietnamese government. Over the time, many intrusion attempts and data breach have been attributed to it. As for the more purely technical aspects, the group seems very well supported and often adopts advanced tactics and techniques in order to lower the probability of detection. In my personal opinion, the members of this group … [Read more]

In the late evening of 08-01-2019 a phishing document related to the Ministry of Defense of Turkey has been captured in the wild and caught my attention (md5: 0d3b1c3c4287fe12399dc29d88905e9c). Further investigations led to believe that a new malicious campaign aimed to the spreading of HWorm + jRat variants is raising up in these last days. Insights The phishing document (md5: 0d3b1c3c4287fe12399dc29d88905e9c) tries to attract the curiosity of the potential victims through a file name that … [Read more]

Another APT28 / Sofacy supposed decoy document related to defence and security sector [md5: f8a778d21003098075c9aef8ed58c6c3] has been captured in the wild yesterday evening. It's likely targeting at least one eastern europe country. The spear-phishing document collected seems to work primarly through the use of macro code to complete the cycle of infection. An image related to the decoy document is reported following:It seems similar, for some pieces of internal code, to the document … [Read more]

APT29, the well known hacking group, seems to be back with slightly different tactical and technical procedures to conduct its last cyber operation. In the late evening of 15  / 11, some malicious documents likely to be referred to the group in question have been submitted to a major online malware analysis platform (Virus Total - @DrunkBinary credits for the first discovery). The analyzed decoy document retrieved by me is clearly referring to a DoS (Department of State) PDF form that is shown … [Read more]

This morning I received on my company box an email with an attached .xlsm file named D92724446.xlsm coming from [email protected] Central and local AV engines did not found anything malicious and also a multiengine scan got 0/57 as result. I decided to investigate a little more in-depth in order to confirm that was a malicious file and to extract at least the code I was imagining being inside this document. These are some general info collected about the received file: Name: … [Read more]

This morning, a colleague of mine pointed out me to some reversing “challenges” addressed to participants of SANS Brussels 2015 (what? I was not there?). Why not to take a quick look and try to solve them ? I hope to publish the solutions/suggestions is not cause of rage for mentors of SANS, for whom I have a lot of esteem. However, at the time of this writing these challenges are online and accessible without any particular restriction at https://www.sansemea.com/challenges.php, therefore I … [Read more]

This topic has been dealt in one of my last technical articles. The document shows as it’s possible to approach an incident investigation on the basis of common instructions used by shellcodes to achieve their goals. The analysis is conducted within a memory dump. In this regard have been developed some yara custom rules that can be used as an aid for experienced analyst to quickly locate malicious code. Note, however, that this is a very wide topic (have you ever heard of padding, permutations, … [Read more]

This evening I received an email with an attached zip. This email was very well made and my anti-virus did not detect anything dangerous -_- veeeery nice…i decided to take a look and see what strange monster was inside :] The executable is a trojan/downloader packed with something custom! After recovering the original executable bypassing all protections, i  was able to have a look within it and immediately i saw some interesting functions … [Read more]

Reb October is the name of a cyber-espionage toolkit discovered by Kaspersky Lab. The malware was operating worldwide for up to 5 years before to be discovered, transmitting to its C&C servers a lot of informations. Red October is considered an advanced cyber-espionage campaign intended to targeting diplomatic, governmental and financial organizations. This is an analysis conducted by me on 01/13 for InfoSec Institute but published but published after a little... It's possible to view my … [Read more]

BatchWiper has been described by experts as an "Old Style" threat. It's programmed to delete data from entire logical partitions managed by infected systems. It 's simple, not well cared or optimized, but effective in its minimalistic design. It was discovered very recently by iranian CERT, and soon became quite famous among the "experts". This analysis takes into consideration the phases of reverse engineering and study of one of these samples. It's available for download a detailed report … [Read more]