MalwareLab.pl Research Notes

VenomRAT - new, hackforums grade, reincarnation of QuasarRAT

Intro During routine hunting we stumble upon new Remote Administration Toolkit (RAT), named Venom RAT. Like with many such tools authors are conducting their business under false pretense of providing a tool to remotely manage your own computers. A one can see on a screen-shot above, this tool posses essential capabilities to manage your own computers such as Keyloger Stealer UAC Bypass Password Recovery (sealing) All those for small price of 150$ per month.

In depth analysis of Lazarus validator

Intro Few days ago we found interesting Word document impersonating Lockheed Martin1. Some time later we realized that this sample was a part of larger and older campaign conducted probably against various military contractor conducting businesses with South Korea and that this campaign was already described, however w couldn’t find any in depth analysis of a validator used by Lazarus so here it is. Infection vector There is already a very good analysis done by StrangerealIntel, including an intelligence brief explaining potential reason for this campaign, so we wont into much details here.

Quick look at Nazar's backdoor - Network Communication

Intro In previous episode we described capabilities of Nazar’s EYService, an passive backdoor that utilize PSSDK to sniff on network traffic. In this post we’ll take a look at how this malware communicates with outside world. Binary Diffing Malware is statically linked with PSSDK which makes analysis not very pleasant, and the fact that this software is long dead and has no documentation doesn’t help either! However it was quite popular back in the day and its not that hard to find examples of usage, the most notable one being metasploit.

Quick look at Nazar's backdoor - Capabilities

Intro Yesterday at a virtual edition of OPCDE Juan Andrés Guerrero-Saade disclosed to the world part of his research on threat groups listed in Lost in Translation, a leak of Equation Group tools done by Shadowbrokers in 2017. Shortly after he published an analysis on his blog and shared hashes. During the talk Juan mentioned that he doesn’t really know what the piece of malware, belonging to Nazar APT, actually does so we put some time to find out.

On the Royal Road

Intro Royal Road or 8.t is one of the most known RTF weaponizer, its used and shared mostly amongst Chinese speaking actors - there are also couple very good publications including one form nao_sec, Sebdraven and Anomali. It was on my todo list for some time, and thanks to recent twitter discussion as well as quarantine time i finally took a deeper look at it. We’ll go into how to quickly analyze RTF maldocs, quickly tear-down shellcode used and finally how to extract embedded payload.

(Ab)using bash-fu to analyze recent Aggah sample

Intro Recently one of my generic signatures for malformed documents was hit, this type of malformation was used mostly by Zebrocy so i was curious whats cooking. After some analysis it turns out that last stage uses tools that are publicly attributed to Aggah, but to get that we need to tear through multiple layers of downloading scripts. We probably could just run our lure document and collect dropped binaries in a sandbox but where is fun of that?