Chafer backdoor analysis

A few weeks ago we published a config decrypter [1] for a sample that we believe is related to the Chafer group. Chafer is a well-known group that has primarily been operating in the Middle East. Its arsenal includes several custom-made tools, variants of the Remexi malware, and open-source/publicly available tools such as ‘Mimikatz’ or …

Turla PNG Dropper is back

This is a short blog post on the PNG Dropper malware that has been developed and used by the Turla Group [1]. The PNG Dropper was first discovered in August 2017 by Carbon Black researchers. Back in 2017 it was being used to distribute Snake, but recently NCC Group researchers have uncovered samples with …

RokRat Analysis

In July 2018 a security researcher named Simon Choi reported that a group which goes by the name Group123 (also known as APT37 or Reaper) used spear-phishing emails to deliver its malicious payload [1]. Shortly afterwards it was revealed that the attacker was using an exploit for a vulnerability in Hangul Word (CVE-2017-8291) and that …

CVE-2017-8570 RTF and the Sisfader RAT

Ben Humphrey – Malware Researcher

In late April 2018, NCC Group researchers discovered a small number of documents exploiting CVE-2017-8570 and dropping the same payload. The purpose of these documents is to install a Remote Access Trojan (RAT) on the victims’ machines. This article gives a deep analysis of both the document and its payload. …

Emissary Panda – A potential new malicious tool

Hacking groups linked to the Chinese state are not a new threat. In fact, for the last couple of years they have tended to be the most active, along with Russian state-affiliated hacking groups. One of these groups is the ‘Emissary Panda’ group, also known as TG-3390, APT 27 and Bronze Union. This is …

Decoding network data from a Gh0st RAT variant

During a forensic investigation in March 2018 we were able to retrieve some files which appeared to be linked to a well-known group named Iron Tiger. From our research, we believe that the perpetrator did not show any advanced technical capabilities in this attack. In fact, the main goal was to mine cryptocurrency. During the investigation …

APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS

In May 2017, NCC Group's Incident Response team responded to an ongoing incident in which our client, which provides a range of services to the UK Government, suffered a network compromise involving the advanced persistent threat group APT15. APT15 is also known as Ke3chang, Mirage, Vixen Panda, GREF and Playful Dragon. A number of sensitive documents were …

Spectre and Meltdown: What you Need to Know

In the first days of 2018, a number of vulnerabilities were disclosed that are present in many modern-day CPUs. In this blog post we address the most frequently asked questions about Spectre and Meltdown, with a focus on providing you with actionable guidance about what to do. This post is in addition to our webinar …

HIDDEN COBRA Volgmer: A Technical Analysis

In November, US-CERT published two alerts about malicious activity by the North Korean government, referred to as HIDDEN COBRA [1][2]. These alerts addressed the remote administration tool FALLCHILL and a Trojan called Volgmer. We’ll focus on the latter in this blog post. Volgmer is a backdoor Trojan that was designed primarily to give covert access …

Signaturing an Authenticode anomaly with Yara

Earlier this week ESET released a paper [1] about Gazer, a new toolset associated with a sophisticated attack group. One interesting quote from the paper stood out: “The compilation date appears to be 2002 but is likely to be faked because the certificate was issued in 2015.” This led to an interesting challenge: can these samples …