big game hunting - peculiarities in nation state malware research
TRANSCRIPT
BIG GAME HUNTING
Peculiarities In Nation State Malware Research
WHOIS
Stux
Offense Going Commercial
AV 2.0
… where the customer is the product
How Anti-Virus went Threat-Intel
Malware ‘watching’
Actor tracking
Publicity
APT numbering, logos & names
Haystack Processing
~70,000 – 300,000 new samples/day (depending which report you trust)
Sample trading
Automated processing
Needle Processing
Threat Intelligence
Telemetry Data
Leaked Documents
Infected Machines
Gossip
Endpoint Wars
Endpoint agents
Threat indicators
Mitigation tactics
Silent data exchange
Endpoint Wars (diagram)
Agent: threat detection & mitigation
Threat indicators
Q&A data
Signature hits, timestamps, hit frequencies, binaries
Endpoint Wars backstage
• Signature generation & testing
• Silent signatures
• Binaries
• Telemetry
• ‘Free’ security products
Frenemies & The Fungus Amongus
Or: When Malware Became Intellectual Property
[REDACTED]: “Where did you find this malware?”
Me: “It was sent to me by targeted activists.”
[REDACTED]: “That’s Cheating.”
Taymour Karim, Syrian Activist
“My computer was arrested before me.”
Ala’a Shehabi, Bahrain Watch Co-founder
FinFisher Patient-Zero
Ghazi Farhan
Ahmed Mansoor and the UAE Five
Hahaha.
Sometimes Attribution isn’t Tricky
83.111.56.188
inetnum: 83.111.56.184 – 83.111.56.191
netname: minaoffice-EMIRNET
descr: Office Of Sh. Tahnoon Bin Zayed Al Nahyan
descr: P.O. Box 5151 , Abu Dhabi, UAE
country: AE
![Page 36: Big Game Hunting - Peculiarities In Nation State Malware Research](https://reader034.vdocument.in/reader034/viewer/2022042604/589aa86b1a28abfc1a8b689d/html5/thumbnails/36.jpg)
Alberto
Nisman
![Page 37: Big Game Hunting - Peculiarities In Nation State Malware Research](https://reader034.vdocument.in/reader034/viewer/2022042604/589aa86b1a28abfc1a8b689d/html5/thumbnails/37.jpg)
Alberto Nisman
![Page 38: Big Game Hunting - Peculiarities In Nation State Malware Research](https://reader034.vdocument.in/reader034/viewer/2022042604/589aa86b1a28abfc1a8b689d/html5/thumbnails/38.jpg)
Everything seems to indicate that Nisman was deceived. A file titled “estrictamente secreto y confidencial.pdf.jar” arrived on his Motorola xt626 phone. Perhaps believing it was an important document, he opened it without noticing the “.jar” extension. There was the virus.
• 3445a61556ca52cf5950583e0be4133de7a4f6a8
Attribution IS tricky?
• Network based indicators point to Argentina and Uruguay
• Also use of hosting services in the US, Germany, and Sweden
Babar
PET: Persistent Elephant Threat
Bunny
LUUUKE I am your father!!
You.. Sure?
Misery Business
Who wrote the malware?
Who controlled the malware?
Who were the victims?
What was the aim of the operation?
Misery Business (diagram): Binary; Binary in a context; Context
SH* Academics say
Source code authorship attribution
Automatic detection of stylistic features in binary code
Problems?
Datafication of RE results
Different domains & lots of attributes
Any attribute can be faked or random
Assumption: Impossible that all vary in all cases
Goal: Even out individual human / compiler influence
STRING CONSTANTS
Error messages
String formatting style
English grammar mistakes
C&C commands
Timestamp formatting
IMPLEMENTATION TRAITS
Memory allocation habits
Use of global variables
Multi-threading model
Software architecture and design
Constructor design
Dynamic API loading technique
Exception handling
Usage of public source code
Programming language and compiler
Compilation time stamps and time zones
CUSTOM FEATURES
Obfuscation techniques
Stealth and evasion techniques
Use of encryption and compression algorithms
Encryption keys
Re-used source code
Malware specific features
System infiltration
Propagation mechanisms
Artifact naming schemes / algorithms
Data exfiltration techniques
System / OS version determination technique
C&C command parsing implementation
INFRASTRUCTURE
C&C servers
Countries / languages used for domain hosting and naming
Beaconing style
Communication protocol and port
Communication intervals
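The four domains listed above are what the "datafication" slide turns into per-sample records, and the deck later shows them as JSON. The following is an added Python example, not the speakers' tooling: one record per sample, one attribute set per domain, compared domain by domain with Jaccard overlap and then averaged. Averaging across domains is what evens out a single faked or random attribute (a forged timestamp format, a C&C rented in another country): one domain is cheap to manipulate, all of them consistently is not. The three sample names and every attribute value are constructed for illustration and describe no real family; what the numbers mean remains, as the "What It's Not" slide says, the analyst's call.

```python
"""Datafication of RE results as JSON records (added example; not the speakers' tooling).

One record per sample, one attribute set per domain from the slide above.
All attribute values and the three sample names are constructed for
illustration; they describe no real family.
"""
import json

DOMAINS = ("string_constants", "implementation_traits", "custom_features", "infrastructure")

# Constructed observations. Values are short analyst notes of the form
# "attribute:observation"; the comparison only asks whether two samples share one.
SAMPLES = {
    "SAMPLE_A": {
        "string_constants": {"errors:printf_%s", "grammar:missing_articles", "ts_fmt:%d.%m.%Y"},
        "implementation_traits": {"alloc:HeapAlloc_wrapper", "globals:heavy", "api_loading:hash_lookup", "compiler:msvc"},
        "custom_features": {"strobf:xor_single_byte", "crypto:rc4", "osver:GetVersionExA"},
        "infrastructure": {"beacon:http_get", "interval:irregular", "port:80"},
    },
    "SAMPLE_B": {
        "string_constants": {"errors:printf_%s", "grammar:missing_articles", "ts_fmt:%Y-%m-%d"},
        "implementation_traits": {"alloc:HeapAlloc_wrapper", "globals:heavy", "api_loading:hash_lookup", "compiler:msvc"},
        "custom_features": {"strobf:xor_single_byte", "crypto:rc4", "osver:GetVersionExA"},
        "infrastructure": {"beacon:https_post", "interval:irregular", "port:443"},
    },
    "SAMPLE_C": {
        "string_constants": {"errors:fprintf_stderr", "grammar:fluent", "ts_fmt:%Y-%m-%d"},
        "implementation_traits": {"alloc:malloc_free", "globals:none", "api_loading:import_table", "compiler:mingw"},
        "custom_features": {"strobf:none", "crypto:aes_cbc", "osver:GetVersionExA"},
        "infrastructure": {"beacon:https_post", "interval:fixed_60s", "port:443"},
    },
}


def jaccard(a, b):
    """Set overlap from 0.0 (disjoint) to 1.0 (identical); two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare(name_x, name_y, samples=SAMPLES):
    """Per-domain Jaccard similarity of two samples plus the mean over all domains."""
    x, y = samples[name_x], samples[name_y]
    per_domain = {d: round(jaccard(x[d], y[d]), 3) for d in DOMAINS}
    mean = round(sum(per_domain.values()) / len(DOMAINS), 3)
    return {"pair": (name_x, name_y), "per_domain": per_domain, "mean": mean}


def with_faked_attribute(samples, name, domain, old, new):
    """Copy of the records with one attribute of one sample swapped, to see how
    little a single forged trait moves the cross-domain mean."""
    copy = {n: {d: set(v) for d, v in doc.items()} for n, doc in samples.items()}
    copy[name][domain].discard(old)
    copy[name][domain].add(new)
    return copy


def to_json(samples=SAMPLES):
    """Serialise the records; sets become sorted lists so the output is stable and diffable."""
    return json.dumps(
        {n: {d: sorted(v) for d, v in doc.items()} for n, doc in samples.items()},
        indent=2, sort_keys=True,
    )


if __name__ == "__main__":
    print(to_json())
    for pair in (("SAMPLE_A", "SAMPLE_B"), ("SAMPLE_A", "SAMPLE_C"), ("SAMPLE_B", "SAMPLE_C")):
        print(compare(*pair))
    # One forged grammar trait in SAMPLE_B drops A/B from 0.675 to 0.6, still far from A/C at 0.05.
    faked = with_faked_attribute(SAMPLES, "SAMPLE_B", "string_constants",
                                 "grammar:missing_articles", "grammar:fluent")
    print(compare("SAMPLE_A", "SAMPLE_B", faked))
```

Jaccard is used because attribute sets differ in size between samples and domains; the per-domain scores are kept alongside the mean so the analyst can see which domain carries the overlap rather than trusting one number.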
Science, yo
JSON
Stylometry in Attribution
BUNNY: spearphishing with 0-days
DINO: spying in Iran
CASPER: active in Syria in 2014
BABAR: linked to French government
NBOT: Denial-of-Service
What It’s Not
No authorship attribution
Manual work
Not feasible for automation / machine learning
Interpretation in the eye of the analyst
Soft Attribution vs Hard Attribution
“Check out this super interesting .cn apt malware that I found…”
“uhh… I’m not sure that’s China...”
“Looking at the code closely, we conclude that the “QWERTY” malware is identical in functionality to the Regin 50251 plugin.”
"Blind Freddy could see E_QWERTY is a REGIN plugin"
Legal Spies are obliged to lie
“There is absolutely no evidence that links us to those samples…”
Denials
In response to the United Nations panel, the company responded this January that they were not currently selling to Sudan.
Oooops
Internal records show that in 2012, Sudan’s National Intelligence and Security Service in Khartoum paid 960,000 euros for Remote Control System.
“We absolutely need to avoid being mentioned in these documents.”
“Mr. Marquis-Boire has been a tireless wolf-crier on the issue of privacy as he defines it […] that’s a perfect formula for criminals or terrorists who routinely use the Web, mobile phones and other devices.”
It’s just business
I’m sure it’s not personal...
"Marquis-Boire" - 117 mentions
"Morgan Mayhem" - 29 mentions
"headhntr" - 15 mentions
But hey….
Cheshire Cat
SSOOOUU...
e2ca6cca598d47dee311f06920c1efde - 2002-11-05 02:02:19
4e0a3498438adda8c50c3e101cfa86c5 - 2007-08-13 11:02:54
3ba57784d7fd4302fe74beb648b28dc1 - 2008-08-13 15:20:23
7b0e7297d5157586f4075098be9efc8c - 2009-05-03 20:43:05
fa1e5eec39910a34ede1c4351ccecec8 - 2011-05-16 16:55:17
2002
String obfuscation with XOR 9Bh
Checking for running security processes (and dummyyy.exe)
2002
Control component talking to a device driver \\.\asr2892
Sending IOCTLs 220004 & 220008
Orchestrator component executing
binaries from disk
Drops ‘msrun.exe’ from .rsrc section
Redirects standard handles of
spawned process, piping output back to
launcher
![Page 79: Big Game Hunting - Peculiarities In Nation State Malware Research](https://reader034.vdocument.in/reader034/viewer/2022042604/589aa86b1a28abfc1a8b689d/html5/thumbnails/79.jpg)
2002
Prepared to run on _old_ Windows versions
Using APIs deprecated after Win95/98/ME
Function to check for the MZ value, the PE value and the NE value
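The MZ/PE/NE check in the 2002 sample has a defensive counterpart: the triage step that tells an analyst which executable format a dropped file is (32-bit PE, 16-bit NE, or a bare DOS MZ image) before choosing a parser. The block below is an added Python example, not code from the talk or from the sample. The offsets follow the documented DOS header layout (the `MZ` signature at offset 0 and the `e_lfanew` pointer to the next header at offset 0x3C); the file images are constructed inside the block, and the truncated image shows the pointer-beyond-buffer case a hostile or cut-off file can present.

```python
"""Executable header triage (added example; not code from the talk or the sample).

Classifies a file image by the MZ, PE and NE signatures, the same three values
the 2002 sample checks, but from the analyst's side. Sample images are
constructed below; offsets follow the documented DOS/PE header layout.
"""
import struct
from typing import Optional

MZ = b"MZ"
PE_SIG = b"PE\0\0"
NE_SIG = b"NE"
E_LFANEW = 0x3C  # offset of the 32-bit pointer to the PE or NE header inside the DOS header


def classify_executable(data: bytes) -> str:
    """Return 'PE', 'NE', 'MZ' (DOS-only or unreadable next header) or 'not-executable'."""
    # Too short to hold a complete DOS header, or no MZ signature: not an executable image.
    if len(data) < E_LFANEW + 4 or data[:2] != MZ:
        return "not-executable"
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW)
    # A pointer past the end of the buffer (truncated or hostile file) must not be followed.
    if e_lfanew + 4 > len(data):
        return "MZ"
    if data[e_lfanew:e_lfanew + 4] == PE_SIG:
        return "PE"
    if data[e_lfanew:e_lfanew + 2] == NE_SIG:
        return "NE"
    return "MZ"


def build_sample(next_sig: Optional[bytes], header_offset: int = 0x80) -> bytes:
    """Construct a minimal MZ image whose e_lfanew points at next_sig (or at nothing)."""
    stub = bytearray(header_offset)
    stub[:2] = MZ
    struct.pack_into("<I", stub, E_LFANEW, header_offset)
    if next_sig is not None:
        stub += next_sig + b"\0" * 16
    return bytes(stub)


# Constructed file images for the cases the classifier distinguishes.
CONSTRUCTED_FILES = {
    "win32_like.exe": build_sample(PE_SIG),
    "win16_like.exe": build_sample(NE_SIG),
    "dos_only.com": build_sample(None),
    "truncated.bin": build_sample(PE_SIG)[:0x82],  # e_lfanew is valid, but the header is cut off
    "random.dat": bytes(range(256)),
}

if __name__ == "__main__":
    for name, blob in CONSTRUCTED_FILES.items():
        print(f"{name:16} {classify_executable(blob)}")
```

The order of the checks matters: the PE signature is four bytes and the NE signature two, so a PE header is tested first, and every slice is bounds-checked against the buffer so that a crafted `e_lfanew` cannot push the reader past the end of the file.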
2007-2009
Implementation traits and user agent string indicate Win NT 4.0 as target platform
Persists as shell extension for the icon handler
Wants to run in the context of the ‘Progman’ window
2007-2009
Implant to monitor terminal server sessions
Global hook to filter for WM_KEYFIRST, WM_SYSKEYDOWN, WM_CHAR, WM_SYSCHAR
Loads msob4k32.dll and 6 exports by ordinal
2007-2009
String obfuscation using XOR 9Bh
Evasive when network sniffer products are running
Super stealthy network communication:
Versatile communication method
9+ C&C servers, infrequent intervals
Communication done through injected standard browser instance
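Both the 2002 slide and this 2007-2009 slide record string obfuscation with XOR 9Bh, and a shared key like that is one of the implementation traits that links samples across years. As an added Python example (not the speakers' or the samples' code), here is the analyst-side operation: XOR an image with the key read from the decoding routine in the disassembly, pull out printable runs the way `strings` does on a plain file, and check whether two images both yield strings under the same key. The images are constructed inside the block; a few of the plaintexts reuse names from the slides (dummyyy.exe, msrun.exe, the asr2892 device path, Progman, msob4k32.dll) and the rest (ordinal_6, setup.exe, config.ini, update.log) are made up.

```python
"""Recovering single-byte-XOR obfuscated strings (added example; not code from the talk or the samples).

Decode an image with a known key, list printable runs, and test whether two
images share the key. All images below are constructed for illustration.
"""
import re

KEY_9B = 0x9B


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def xor_strings(data: bytes, key: int, min_len: int = 5) -> list:
    """Decode `data` with `key` and return printable ASCII runs of at least `min_len` characters."""
    decoded = xor_bytes(data, key)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, decoded)]


def shares_obfuscation_key(a: bytes, b: bytes, key: int, min_hits: int = 3) -> bool:
    """True when both images yield at least `min_hits` strings under `key`, i.e. they
    plausibly share the same string-obfuscation routine."""
    return len(xor_strings(a, key)) >= min_hits and len(xor_strings(b, key)) >= min_hits


# --- constructed images ------------------------------------------------------
# Filler chosen so that under XOR 9Bh its bytes decode to non-printable values or
# isolated single characters, never to a run that could merge with a real string.
FILLER = bytes([0x00, 0xFF, 0x10, 0x80]) * 4


def build_image(plaintexts, key: int) -> bytes:
    """Embed NUL-terminated strings, obfuscated with `key`, between filler bytes."""
    image = FILLER
    for text in plaintexts:
        image += xor_bytes(text + b"\0", key) + FILLER
    return image


# Plaintexts: some names from the slides, some made up; none are real file contents.
SAMPLE_2002 = build_image([b"dummyyy.exe", b"msrun.exe", b"\\\\.\\asr2892"], KEY_9B)
SAMPLE_2008 = build_image([b"Progman", b"msob4k32.dll", b"ordinal_6"], KEY_9B)
UNRELATED = build_image([b"setup.exe", b"config.ini", b"update.log"], 0x5A)  # different key

if __name__ == "__main__":
    for name, image in (("2002", SAMPLE_2002), ("2008", SAMPLE_2008), ("unrelated", UNRELATED)):
        print(name, xor_strings(image, KEY_9B))
    print("2002/2008 share XOR 9Bh:", shares_obfuscation_key(SAMPLE_2002, SAMPLE_2008, KEY_9B))
    print("2002/unrelated share XOR 9Bh:", shares_obfuscation_key(SAMPLE_2002, UNRELATED, KEY_9B))
```

The key is an input rather than something the script guesses: with short strings, several keys produce equally "printable" output (a key that differs in the low bits maps letters to other letters), so the reliable source for the key is the decoding routine itself, which is where the slides' 9Bh comes from. The NUL terminators the obfuscated strings carry decode back to NUL and conveniently delimit the runs.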
2011
Fine tuned to paddle around Kaspersky security products
Attribution is hard. Use the magic 8-ball.
Morgan @headhntr
Marion @pinkflawd
#FREECLAUDIO @botherder