Reverse Engineering

DanBot is a piece of malware written in .NET; It's a backdoor used by a threat actor named by the security community “Hexane” (aka Lyceum). Recently the industry has focused its attention on this threat actor tracing back the beginning of its activities to April 2018.Generally speaking about the communication capabilities of this RAT, it’s able to communicate with command and control servers through two main application layer protocols: HTTP and DNS.Hovewer, the DanBot version under … [Read more]

Cyber threat intelligence tasks can often be difficult and complex. One of the major challenges that analysts often face are the concepts related to the so-called "attribution". However, establishing an attribution for cyber operations can certainly be considered very difficult but in my opinion not impossible. Furthermore, the correct labeling of the threat actor responsible for a cyber attack can be useful in formulating a technical response to such attacks.Attributing an attack to a … [Read more]

The Ramnit ecosystem is certainly something not so easy to explain. It is one of the oldest trojan bankers on the cyber-crime landscape. Indeed, we can trace back its activity to 2010, when it started to spread as a simple worm to subsequently acquire "financial" and "banking" features when its developers included into it parts of leaked Zeus source code, giving it the possibility to operate as a fully featured Banking Trojan. In the italian panorama, among the banks where … [Read more]

If we talk about cyber intrusions, a vulnerable exposed web service can very often represent the first route for the whole backend infrastructure. Beyond this, web ones are among the first services whose robustness is tested during a cyber attack. For this reason, every respecting offensive actor knows very well the concept of "webshell" and how the effectiveness of such tools can sometimes make the difference between a partial or total compromise of the target network.This post wants to … [Read more]

APT37 (aka Group123, aka ScarCruft) is an espionage hacking group involved in malicious activities since at least 2016. Despite the real goals of this threat group and their main objectives are currently unknown to the writer, APT37 seems to focus its efforts mainly against targets located in the region of South Korea.Usually this threat actor uses lure documents related to korean peninsula military / security / general affairs in their spear-phishing attempts and  often makes use of … [Read more]

OceanLotus (aka APT32) is a very active hacking group. It operates especially in the area of south-east Asia and, according to the security community, it is close to the Vietnamese government. Over the time, many intrusion attempts and data breach have been attributed to it. As for the more purely technical aspects, the group seems very well supported and often adopts advanced tactics and techniques in order to lower the probability of detection. In my personal opinion, the members of this group … [Read more]

In the late evening of 08-01-2019 a phishing document related to the Ministry of Defense of Turkey has been captured in the wild and caught my attention (md5: 0d3b1c3c4287fe12399dc29d88905e9c). Further investigations led to believe that a new malicious campaign aimed to the spreading of HWorm + jRat variants is raising up in these last days. Insights The phishing document (md5: 0d3b1c3c4287fe12399dc29d88905e9c) tries to attract the curiosity of the potential victims through a file name that … [Read more]

Another APT28 / Sofacy supposed decoy document related to defence and security sector [md5: f8a778d21003098075c9aef8ed58c6c3] has been captured in the wild yesterday evening. It's likely targeting at least one eastern europe country. The spear-phishing document collected seems to work primarly through the use of macro code to complete the cycle of infection. An image related to the decoy document is reported following:It seems similar, for some pieces of internal code, to the document … [Read more]

APT29, the well known hacking group, seems to be back with slightly different tactical and technical procedures to conduct its last cyber operation. In the late evening of 15  / 11, some malicious documents likely to be referred to the group in question have been submitted to a major online malware analysis platform (Virus Total - @DrunkBinary credits for the first discovery). The analyzed decoy document retrieved by me is clearly referring to a DoS (Department of State) PDF form that is shown … [Read more]

This morning I received on my company box an email with an attached .xlsm file named D92724446.xlsm coming from [email protected] Central and local AV engines did not found anything malicious and also a multiengine scan got 0/57 as result. I decided to investigate a little more in-depth in order to confirm that was a malicious file and to extract at least the code I was imagining being inside this document. These are some general info collected about the received file: Name: … [Read more]