CASSIDIAN CyberSecurity Blog

Tag - Advanced Persistent Threat


2016/10/27

Playing defence against the Equation Group

In August 2016 an archive was released to the public by an unknown group calling itself Shadow Brokers. This archive contained material attributed to the Equation Group. The authenticity of this leak, its reason, attribution and content have already been widely discussed, by Bruce Schneier and Matthieu Suiche among others. Mustafa Al-Bassam has kept an inventory of the leak and has commented on Twitter.

This post is based on what can be extracted from the various procedures contained in the released material. Most of these procedures can be found in the “SCRIPTS” directory, with a few others scattered across other directories. Using that data, this post focuses on what can be deduced about the Equation Group’s organisation and modus operandi, and lists simple techniques to impede or detect their operations.

Continue reading...

2015/09/08

Volatility plugin for PlugX updated

Just after releasing our previous blog post, we encountered a new PlugX variant using a larger configuration than usual. We therefore decided to study it and update our Volatility plugin to handle the latest PlugX versions.

Continue reading...

2015/08/06

Latest changes in PlugX

It has been a while since we last wrote about PlugX RAT.
JPCERT made a great blog post covering the latest features added to the RAT, such as:

  • New protocol (raw IP protocol 0xff)
  • P2P communications
  • MAC address binding
  • Process injection for UAC bypass
  • New encoding algorithm

This post aims at giving new elements we discovered during our investigations on this infamous malware.

Continue reading...

2014/12/15

Vinself now with steganography

VinSelf is a known RAT malware already described on other blogs. It is a family that has long been used in APT attacks. VinSelf can be recognized in two ways:

  • the network patterns used;
  • the strings obfuscation in the binary.

Continue reading...

2014/05/07

APT Kill chain - Part 2 : Global view

Last week we defined what an APT is. As we have seen, there are different definitions, and I bet nearly every company working on APT incident handling has its own.

What every experienced APT incident responder agrees on, is the way APT attacks are conducted.

The APT kill chain can be presented with some variations, depending on the level of detail you want to show, yet its content is always the same. We chose to show here the simplest kill chain we could draw, so as not to overwhelm anyone with technical details (yet). We will go deep into every stage of an APT attack in this series of blog posts, but we believe it is good to start by explaining it from a distance.

Continue reading...

2014/04/28

APT Kill chain - Part 1 : Definition

Today we decided to release a series of blog posts regarding the APT kill chain, in an effort to share our experience and knowledge on this hot topic.

For starters, “APT” stands for Advanced Persistent Threat.

Some people do not use this term at all, considering the acronym to be just a buzzword, created by some creative marketing wizard (or even a team of wizards) to describe a computer attack aimed at companies. These three words do strike the spirit of anyone inexperienced in computer security and immediately raise fear, not to mention terror. One sure thing is that they leave no one indifferent. People imagine a lot of different things behind these words, depending on their knowledge and experience. It basically ranges from “well, another attack” to “attackers are everywhere in the system, they’re inside all the computers, ALARM! ALARM! HELP!”

Yet, there have been different definitions for APT, which we will now explore briefly.

Continue reading...