CVE-2017-8570 RTF and the Sisfader RAT

Ben Humphrey – Malware Researcher In late April 2018, NCC Group researchers discovered a small number of documents exploiting CVE-2017-8570 and dropping the same payload. The purpose of these documents is to install a Remote Access Trojan (RAT) on the victims’ machine. This article gives a deep analysis of both the document, and its payload. … Continue reading CVE-2017-8570 RTF and the Sisfader RAT

Emissary Panda – A potential new malicious tool

Introduction Hacking groups linked to the Chinese state are not a new threat. In fact, for the last couple years they have tended to be the most active along with Russian state affiliated hacking groups. One of these groups is the ‘Emissary Panda’ group, also known as TG-3390, APT 27 and Bronze Union. This is … Continue reading Emissary Panda – A potential new malicious tool

Decoding network data from a Gh0st RAT variant

During a forensic investigation in March 2018 we were able to retrieve some files which appeared to be linked with a well-known group named Iron Tiger. From our research, we believe that the perpetrator hasn’t shown any advanced technical capabilities in this attack. In fact, the main goal was to mine cryptocurrency. During the investigation … Continue reading Decoding network data from a Gh0st RAT variant

APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS

In May 2017, NCC Group's Incident Response team reacted to an ongoing incident where our client, which provides a range of services to UK Government, suffered a network compromise involving the advanced persistent threat group APT15. APT15 is also known as, Ke3chang, Mirage, Vixen Panda GREF and Playful Dragon. A number of sensitive documents were … Continue reading APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS

HIDDEN COBRA Volgmer: A Technical Analysis

In November, US-CERT published two alerts about malicious activity by the North Korean government, referred to as HIDDEN COBRA [1][2]. These alerts addressed the remote administration tool FALLCHILL and a Trojan called Volgmer. We’ll focus on the latter in this blog post. Volgmer is a backdoor Trojan that was designed primarily to give covert access … Continue reading HIDDEN COBRA Volgmer: A Technical Analysis

Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over IKEv1

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. Exodus Intel released how they exploited [1] CVE-2016-1287 for IKEv2 in February 2016, but there wasn't anything public for IKEv1. This blog post documents … Continue reading Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over IKEv1

Cisco ASA series part seven: Checkheaps

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. As part of our ongoing series we would like to talk about Cisco's Checkheaps security and stability mechanism. More specifically, we’ll look at how … Continue reading Cisco ASA series part seven: Checkheaps

Cisco ASA series part six: Cisco ASA mempools

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. In part six, we document some of the details around Cisco ASA mempools and how the mempool-related functions wrap more traditional heap functions in … Continue reading Cisco ASA series part six: Cisco ASA mempools

Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. This article is meant to provide a summary of some key functionality for dlmalloc-2.8.x and introduce a debugging plugin called libdlmalloc [1] that is … Continue reading Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA