PlugX (or Korplug, or Gulpix) is a well-known RAT involved in many APT cases. Some excellent write-ups about this malware have already been published by the CIRCL, Sophos and AlienVault. Since we met it on an incident response case back in 2012, we followed its evolution to improve our knowledge, rules and tools. We’re planning
In our previous blog post about the PlugX RAT, we dealt with the original version, and recapped some internal features. Back in mid 2013, we started to see a new version of the RAT in the wild, with enough differences with the previous one to be considered as a new major version. We thus called
Recently, in our team, we had to deal with Z-Wave equipments, including the RF protocol that we handled with a Software Defined Radio (SDR) and GnuRadio. The purpose of this article is not to go into details on the radio part as it will be done on a later publication. Nevertheless, during our researches, we
Ransomware is nothing new. You might already have heard about it already, since it is a kind of fraud which can impact anyone and do severe damages. Some ransomware forbid you to access to your computer, while some others do crypt files on your system so that you cannot open them anymore. No matter the
On our daily job, we have to manage malicious piece of code every day. On this domain, we historically had two approaches: dynamic analysis on our own sandbox or manual and static analysis with reverse engineering skills. Because static analysis can be boring for known samples, we developed a framework to automatically analyzing malware. We
The PWC-named malware OrcaRat is presented as a new piece of malware but looking at the URI used for C&C communication, it could be an updated version of a well-known and kind of old piece of malware: LeoUncia. Status Let’s face it: px~NFEHrGXF9QA=2/5mGabiSKSCIqbiJwAKjf+Z81pOurL1xeCaw=1/xXiPyUqR/hBL9DW2nbQQEDwNXIYD3l5EkpfyrdVpVC8kp/4WeCaArZAnd+QEYVSY9QMw=2 URI taken from an OrcaRat sample.It looks a lot like: qFUtb6Sw/TytLfLsy/HnqI8QCX/ZRfFP9KL/_2yA9GIK/iufEXR2r/e6ZFBfoN/fcgL04f7/ZBzUuV5T/Balrp2Wm URI taken from
VinSelf is a known RAT malware already explained on other blogs . It’s a family that has been long used in APT attacks. VinSelf can be recognized in two ways: the network patterns used; the strings obfuscation in the binary. The VinSelf obfuscation algorithm is quite simple, but specific enough to state that samples using
It has been a while since we last wrote about PlugX RAT. JPCERT made a great blog post covering the latest features added to the RAT, such as: New protocol (raw IP protocol 0xff) P2P communications MAC address binding Process injection for UAC bypass New encoding algorithm This post aims at giving new elements we
Just after releasing our previous blog post, we encountered a new PlugX variant using a bigger configuration than usual. We thus decided to study it and update our volatility plugin to handle the latest PlugX versions. The new version we encountered has a configuration size of 0x4ea4 bytes, while the previous one was only 0x36e4
Derusbi is a well-known RAT family, used in various APT attacks since at least 2008. Many papers (1,2,3) have described two known variants of this malware: a client version, acting as any other RAT by contacting its C&C server, as well as a server version, which just listens for incoming connections from a client. This
