This blog is about the analysis of the packed Trojan in APT29's PolyGlot Duke.


Static and Dynamic Analysis

Static Analysis (Basic)


Unpacking, Static and Dynamic Analysis of PolyGlot Duke.


Unpacking

It’s a 64-bit malware, and it is packed.


Advanced Persistent Threats: recent targeted espionage and collaboration.


In this post we will look at the matching patterns in the targeted malware code of APTs recently observed in organised cyber crime activities.

Assertion after Analysis (APTs Collaborating)

APT-C-41, APT40, APT28, APT39, APT29, UNC2452, UNC2546, APT37 and APT38.

Starting off from StrongPity and Chinese APT tool SManager.

The entry functions of the malware from APT-C-41 and APT40 are quite similar. StrongPity uses an executable as its backdoor, whereas APT40 uses a .dll for the cyber espionage tool it deploys against its targets.


A quick and dirty way of unpacking the SManager Chinese APT tool.


SManager Loader analysis:

SManager analysis:

Here we go for unpacking SManager Tool.

Look carefully here: the entropy is high, around 6.727. It’s the 32-bit malware loader, which we have to hammer down to the SManager executable.


Spyware targeting India & Pakistan with India-Pakistan Conflict Propaganda.


Introduction

Static and Dynamic Analysis

Static Analysis (Basic)


Another Sophisticated .Net Malware from SolarWinds Hacks Internals


Introduction

Analysis


Reverse Engineering Amadey Malware.


Introduction

Static and Dynamic Analysis

Static Analysis (Basic)


Tool of Turkish Espionage and Cyber Crime Group.


In this blog, I will be uncovering a backdoor deployed by the Turkish APT group APT-C-41 (aka StrongPity) that has recently been targeting European countries. APT-C-41 is known for conducting cyber crime and espionage operations against the financial, industrial and educational sectors. The recent activities of APT-C-41 have been observed since November of last year.

Static and Dynamic Analysis

Static Analysis (Basic)

It’s a 32-bit malware.


Talk on Dynamic Analysis of Conti Ransom

Recently I gave a talk at the DEFCON 201 (“DEFCON NEW JERSEY”) group on Conti Ransom, in which I discussed the internals of Conti Ransom.


You can watch it here:

Background:


Reverse Engineering Torisma and LCPDot Malware.


Torisma Internals

Static Analysis (Basic)

It’s a 64-bit malware.

0xthreatintel

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.
