Under the shellcode of the ‘Operation Duck Hunt’. Analysis of the FBI’s ducks killer.

The “Duck Hunt” operation refers to a specific operation called “Operation Duck Hunt” that disrupted the Qakbot botnet. The Qakbot botnet was a sophisticated network of compromised computers that was used to distribute malware, steal sensitive information, and carry out other malicious activities. The operation to disrupt the Qakbot botnet Continue Reading

Rhysida: An old / new threat in the ransomware landscape

Rhysida is a relatively new ransomware group operating as a R-a-a-S (Ransomware-as-a-Service) provider. The corresponding ransomware has the particularity of making use of LibTomCrypt, a cryptographic library that allows attackers to leverage on robust encryption methods and a fast development. Rhysida appears to be written in C++ and compiled via MinGW; the payloads I’ve found are quite Continue Reading

Reverse and Hunt: Between the jumps of ArguePatch

ARGUEPATCH is a patched version of a legitimate component of the Hex-Rays IDA Pro software. In detail it’s the remote IDA debugger server named win32_remote.exe and it’s basically designed to act as a loader by reading and decrypting an encrypted payload written to disk (CaddyWiper). It has been used against Ukrainian targets in destructive attacks and it’s believed to Continue Reading

Industroyer2: The ICS-capable malware re-emerges in order to cause critical services disruption

A few days ago a new variant of an ICS-capable malware known as Industroyer has been employed during a cyber-attack conducted against industrial control systems (ICS) responsible for the management and control of power plants subsystems in Ukraine. This new version has been named Industroyer2 and represents the evolution of a malware family already observed in December 2016 working Continue Reading

The BigBoss Rules: Something about one of the Uroburos’ RPC-based backdoors

BigBoss is one of the RPC-based backdoors used by Uroburos (aka Turla, Snake, Venomous Bear, Pacifier). It was first spotted out in 2018 and was observed to include new features in the last quarter of 2020. During operations usually it’s used in combination with R.A.T. (Remote Administration Tools) such as Kazuar and Carbon. Several months ago I Continue Reading