This blog is about the analysis of the Trojan packed inside APT29's PolyGlot Duke.
It is the follow-up to my previous blog on PolyGlot Duke, in which I unpacked the packed PolyGlot Duke. Here is the link to that blog.
Unpacking, Static and Dynamic Analysis of PolyGlot Duke.
In this blog, I will cover the unpacking, static analysis and dynamic analysis of the Trojan "PolyGlot Duke" from APT29. This blog focuses only on unpacking.
It is a 64-bit malware sample, which is packed.
Advanced Persistent Threats: Recent Targeted Espionage and Collaboration.
In this particular blog we will look at matching patterns in the malware code used by APTs that have recently been observed in organised cybercrime activities.
APT-C-41, APT40, APT28, APT39, APT29, UNC2452, UNC2546, APT37 and APT38.
Starting off with StrongPity and the Chinese APT tool SManager.
The entry functions of both malware samples, from APT-C-41 and APT40, are quite similar. StrongPity uses an executable as its backdoor, whereas APT40 uses a .dll for the cyber espionage tool it deploys against its targets.
Quick and Dirty Way of Unpacking the SManager Chinese APT Tool.
This blog is the last in my series on the analysis of SManager. I have planned to write more blogs on unpacking for our infosec community. I hope you like this one.
If you haven't read my previous blogs on the SManager Chinese APT tool, go ahead and read them. I mention them here.
SManager Loader analysis:
SManager analysis:
Look carefully here: the entropy is high, around 6.727. This is the 32-bit malware loader, which we have to hammer down to the SManager executable.
Spyware targeting India & Pakistan with India-Pakistan Conflict Propaganda.
Recent research from Lookout shows that Indians and Pakistanis are being targeted by a pro-India APT group known as "Confucius". This APT group is spreading propaganda against Muslims, and Muslims are also being targeted, according to ZDNet and Lookout research. It is a stealthy information-stealing malware, more like a spyware.
Internals of Another Sophisticated .NET Malware from the SolarWinds Hacks
The malware in this blog is pretty much similar to the one I reversed a few days back: it is of the same trojanized breed as the logic bomb planted in the SolarWinds Orion software, which backdoored network traffic to the command and control servers of the Russian intelligence agency APT29. It's here
There is the possibility that more APTs like Lazarus, StrongPity and APT40 are involved in these shady espionage operations, as we have now frequently been seeing signs of collaboration among these groups in targeting the U.S. and its allies.
Reverse Engineering Amadey Malware.
This particular blog is about reversing "Amadey", a stealthy information-stealing malware of the DPRK-linked Thallium APT group. This group has been seen collaborating with other "cyber espionage" APT groups, such as APT-C-41, APT41, APT28, APT19 and APT-C-00, to target researchers working on the nCoV-19 vaccine and steal nCoV-19 research data from European, American and Asian countries.
Tool of a Turkish Espionage and Cyber Crime Group.
In this blog, I will be uncovering a backdoor deployed by the Turkish APT group APT-C-41 (aka StrongPity) that has recently been targeting European countries. APT-C-41 is known for conducting cyber crime and espionage operations against the financial, industrial and educational sectors. Recent activities of APT-C-41 have been observed since November of last year.
It is a 32-bit malware sample.
Talk on Dynamic Analysis of Conti Ransom
Recently I gave a talk at DEFCON 201, the "DEFCON NEW JERSEY" group, on Conti ransomware, in which I discussed the internals of Conti.
Recently Conti ransomware has been seen targeting hospitals and public health care centers across the U.S. CISA has also issued an alert on this emerging threat, the Ryuk successor "Conti" ransomware, as concluded from multiple recent research reports from the threat intelligence community. We have also been tracking Conti activities over the last few months, since the middle of last year.
Reverse Engineering Torisma and LCPDot Malware.
In this blog, I will be reversing two malware samples found in the Lazarus group's (aka Unit 180/Hidden Cobra) "Operation Dream Job": Torisma and LCPDot.
It is a 64-bit malware sample.
aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.