APTs target nCoV-19 Vaccine Researchers
Reverse Engineering Amadey Malware.
Introduction
This blog post covers reversing “Amadey”, a stealthy information-stealing malware attributed to the DPRK-linked Thallium APT group. This group has been seen collaborating with other cyber-espionage APT groups such as APT-C-41, APT41, APT28, APT19 and APT-C-00 to target researchers working on an nCoV-19 vaccine, in order to steal nCoV-19 research data from countries in Europe, the Americas and Asia.
Static and Dynamic Analysis
Static Analysis(Basic)
File Information


Static Analysis (Advanced)
For this blog, I would ask you to first read my last blog on APT-C-41 (StrongPity). It is available here.
I am assuming that you have read that blog fully, so I will continue from what you read there. Here too, the start function of this malware is similar to that of the StrongPity (APT-C-41) malware and of the other malware I have reversed; you can read my blogs on those.


Now moving on to the Main function.


comm_with_C2:
This function is responsible for communicating with the Command and Control server (C2).

payload_cpy_from_C2_server function.
This function copies the payload from the C&C server (aka C2) and transfers it into the memory of the infected system.

Dynamic Analysis (Basic)
VirusTotal Detection

Dynamic Analysis (Advanced)

Cyber Kill Chain:

Analysis using IDA:
For this analysis using debugging, I have set up the following breakpoints:
1. start function
2. callr_of_main_function function
3. comm_with_C2 function

As seen in the screenshot above, the debugger hits the breakpoint at the start function, and after that the breakpoint at the “comm_with_C2” function.



Soon after that, the debugger hits the trap set for the debugger as the execution of the malicious trojan “Amadey” continues.

Then the debugger again hits the breakpoint on the “comm_with_C2” function, and we can easily see that the function “get_system_information” is executed to fetch system information for the attacker (aka threat actor).
Indicators of Compromise (IOCs) and Detections
Network [C2 Communications]
186[.]122[.]150[.]107


ATT&CK IDs
MITRE ATT&CK Techniques

Sample from Report
Amadey:
MD5 28d13945f9a436be69af986682528b33
SHA1 c4d05cbb1b2fb198e20fa9ca2c562937cd1126be
SHA256 7bd9ad78aadd163f15bfa36a30dfa984faeed094342e3a051b75660a1f1c5df6
Dropped Executables:
Dropped executable file
SHA256 7bd9ad78aadd163f15bfa36a30dfa984faeed094342e3a051b75660a1f1c5df6
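The network indicator and the sample hashes listed above are the two things a defender can act on directly. The following Python script is an added example, not code from the original post or from the Amadey sample: it takes the published C2 address and hashes exactly as given in this report, refangs the defanged IP, matches it as a whole token against proxy log lines, and compares a file's digests against the published hash set. The log format and the log lines are constructed for this example and are not real traffic; the sample bytes hashed at the end are a placeholder, so they do not match the real hashes.

```python
import hashlib
import re

# IOCs copied from the report above (C2 address kept defanged as published).
C2_IP_DEFANGED = "186[.]122[.]150[.]107"
AMADEY_HASHES = {
    "md5": "28d13945f9a436be69af986682528b33",
    "sha1": "c4d05cbb1b2fb198e20fa9ca2c562937cd1126be",
    "sha256": "7bd9ad78aadd163f15bfa36a30dfa984faeed094342e3a051b75660a1f1c5df6",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (1[.]2[.]3[.]4, hxxp://) back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def find_c2_hits(log_lines, c2_ip_defanged=C2_IP_DEFANGED):
    """Return the log lines containing the C2 IP as a whole token.

    The look-around guards stop 1186.122.150.107 or 186.122.150.1071 from
    matching, which a plain substring search would wrongly report.
    """
    ip = refang(c2_ip_defanged)
    pattern = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [line for line in log_lines if pattern.search(line)]


def digest_bytes(data: bytes) -> dict:
    """Compute the three digests the report publishes for the sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_amadey(digests: dict, iocs=AMADEY_HASHES) -> list:
    """Return the names of the algorithms whose digest equals the published hash.

    Comparison is case-insensitive because tools emit hex digests in either case.
    """
    return [algo for algo, value in iocs.items()
            if digests.get(algo, "").lower() == value]


# Constructed proxy log lines for demonstration only; the field layout is assumed.
SAMPLE_LOG = [
    "2020-11-20T10:01:02Z host=WS01 dst=186.122.150.107:80 method=POST uri=/",
    "2020-11-20T10:01:05Z host=WS01 dst=192.0.2.10:443 method=GET uri=/",
    # Similar-looking address that must NOT be reported as a hit.
    "2020-11-20T10:02:11Z host=WS02 dst=1186.122.150.107:80 method=GET uri=/",
]

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print("C2 contact:", hit)
    # Placeholder bytes, not the real sample: expected result is no match.
    sample = digest_bytes(b"constructed placeholder bytes, not the real sample")
    print("hash matches:", matches_amadey(sample))
```

To use it on a real file, read the file in binary mode, pass the bytes to `digest_bytes` and hand the result to `matches_amadey`; the whole-token regex is the part worth keeping when the same check is moved into a SIEM query, since substring matches on IP addresses are a common source of false positives.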
YARA Signature

Mapping Network Traffic via Wire
