So I was looking through the CISA’s recent publications regarding three tools named PebbleDash[1], Copperhedge[2] and Taintedscribe[3] which are believed to be used by the state-sponsored North Korean hacking group HiddenCobra/APT 38/Lazarus Group. I started off with PebbleDash, because there was a functionality mentioned in the report that caught my eye: I wanted to know …
Vendors as well as developers try to protect their product from reverse engineers for multiple reasons. On the one hand they want to protect their intellectual property, on the other hand they might just want to fend off blackhats from finding vulnerabilities in their software. In some cases, they will use one of many commercial …
Hello everyone :-).I am continuing my analysis on QBot with this article. If you didn’t read my previous posts, I’ve already covered the packer[1] as well as various QBot’s anti analysis measurements and process injection[2]. In this blog post I will explain how the jump to the actual payload is performed. I will also cover …
Intro I hope everyone is healthy :-). I finally managed to find some time to continue my analysis of QBot. If you did not read my previous articles, I’ve already covered the packer[1] as well as the string decryption algorithm[2]. I’ve linked them both here. In this blog post I will cover the process execution …
IoT is everywhere and while we do enjoy new technologies, cyber criminals also take advantage of them. Bitdefender[1] found a new emerging IoT Botnet Malware named Dark Nexus which they believe to be authored by greek.helios. Researching IoT security is a hobby of mine and I was able to retrieve 2 variants of Dark Nexus. …
In the last part of this blog article series I took an in-depth look at the packer of a QBot sample and unpacked it. This blog post is mostly about cracking the string encryption of the mentioned sample. I am also using the Triton DBA Framework[0] for assisting my analysis, because I really wanted to …
Diving into Qbot part 1.5 – Cracking string encryption Read More »
While checking out the Triage Sandbox[1] I stumbled across upon QBot which I’ve seen already plenty of times at work at GData Cyberdefense AG[2]. This time I wanted to take a closer look at the sample myself.The first part of this blog article dives deep into how the packer works. Quick summary The packer used …
In a time where Corona is all over the news, cyber criminals are also taking advantage of this situation. Weeks ago I stumbled on a twitter post regarding the MustangPanda APT group and decided to take a look at it. Summary The attack consists of multiple stages and it all starts with a LNK File …