InfoSec Week 13, 2017

Posted on 02 April 2017

The tale of a misunderstood malware author who released the source code of his banking malware, NukeBot, on GitHub in order to gain traction.

New Android ransomware is using third-party app stores (what else?) to propagate, mainly among Russian-speaking users. It asks for 500 rubles (~5 EUR), then keeps the screen locked forever.

Palo Alto Networks analyzed the "Trochilus and MoonWind" RAT campaign targeting Thai organisations with keylogging functionality. The two different RATs share part of the same infrastructure.

ESET published a detailed analysis of Turla's second-stage payload, the Carbon backdoor. Notable are the configuration file and the serious public-key encryption used for communication with the C&C servers.

A phishing campaign targeting owners of GitHub repositories delivers the Dimnie malware, which is able to log keystrokes and take screenshots.

Analysis of the GhostAdmin 2.0 RAT: keylogger, screen capture, IRC-based C&C, audio recording.

This has been public for some time, but it is definitely worth reading. CIA tradecraft guidance for malware writers: "Development Tradecraft DOs and DON'Ts".

Yeti is a threat intelligence platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats.

box.js is a utility to analyze malicious JavaScript. It runs on Node.js and creates text reports.

CERT Société Générale published FAME, an open-source malware analysis platform meant to facilitate the analysis of malware-related files, leveraging as much existing knowledge as possible in order to speed up and automate end-to-end analysis.