Many state sponsored groups have been identified over time, many of them have different names (since discovered by different organizations) and there is no an agreed standardization on the topic but many victims and some interests look very tight together. From here the idea to compare the leaked source code of two different state sponsored […]Read more "Similarities and differences between MuddyWater and APT34"
Today I’d like to share an interesting and heavily obfuscated Malware which made me thinking about the meaning of “Targeting Attack”. Nowadays a Targeted Attack is mostly used to address state assets or business areas. For example a targeted attack might address Naval industry (MartyMcFly example is definitely a great example) or USA companies (Botnet […]Read more "From Targeted Attack to Untargeted Attack"
Today I want to share a quick analysis on a new leaked APT34 Tool in order to track similarities between APT34 public available toolsets. This time is the APT34 Jason – Exchange Mail BF project to be leaked by Lab Dookhtegan on June 3 2019. Context According to FireEye, APT 34 has been active since […]Read more "APT34: Jason project"
On 2016 I was working hard to find a way to classify Malware families through artificial intelligence (machine learning). One of the first difficulties I met was on finding a classified testing set in order to run new algorithms and to test specified features. So, I came up with this blog post and this GitHub […]Read more "Malware Training Sets: FollowUP"
The APT34 Glimpse project is maybe the most complete APT34 project known so far. Indeed we might observe a File based command and control (quite unusual solution) structure, a VBS launcher, a PowerShell Payload and a covert channel over DNS engine. This last feature is the most appreciated characteristics attributed to APT34. But let’s move […]Read more "APT34: Glimpse project"
Today I’d like to share a quick analysis on the webmask project standing behind the DNS attacks implemented by APT34. Thanks to the leaked source code is now possible to check APT34 implementations and techniques. Context: Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the […]Read more "APT34: webmask project"
During the past few weeks I received several emails asking how to dissect Office Payloads. While I was thinking on how to answer to such a questions I received a MalSpam with a Microsoft Office document attached by sheer coincidence, so I decided to write little bit on it. This is not going to be […]Read more "Step By Step Office Dropper Dissection"
There are many ways to spot Advanced Persistent Threats, for example during a forensic analysis on “high rate incident” or having sandbox systems on critical infrastructures or again working as incident responder for big companies, working into a national CERT or building a simple tool performing analysis on Malware streams. Today I’d like to share […]Read more "Free Tools: Spotting APTs"
When an unknown sender suggests me to click on a super wired url, dropping a ZIP file straight in my box, by saying it’s getting the next targeted attack on a huge company, well I kinda looking forward to it ! So I clicked on the link (see IOC section) and I’ve downloaded a “pik.zip” […]Read more "Ransomware, Trojan and Miner together against “PIK-Group”"
Hi folks, today I’d like to point you out another tool of mine which extract suspicious IPs from undesired connections. In other words: HoneyPots. I run a personal HoneyPot network which stands from years and over time it harvested numerous IP addresses which could be, potentially, malicious (typically scanners). If you like having fresh HoneyPot […]Read more "Free Tool: Honey Feed"