Wednesday, August 12, 2015

Potao Express samples


2011- July 2015
  • Aka  Sapotao and node69
  • Group - Sandworm / Quedagh APT
  • Vectors - USB, exe as doc, xls
  • Victims - RU, BY, AM, GE 
  • Victims - MMM group, UA gov
  • has been serving modified versions of the encryption software (Win32/FakeTC) that included a backdoor to selected targets. 
  • Win32/FakeTC - data theft from encrypted drives
  • The Potao main DLL only takes care of its core functionality; the actual spying functions are implemented in the form of downloadable modules. The plugins are downloaded each time the malware starts, since they aren’t stored on the hard drive.
  • 1st Full Plugin and its export function is called Plug. Full plugins run continuously until the infected system is restarted
  • 2nd Light Plugin with an export function Scan. Light plugins terminate immediately after returning a buffer with the information they harvested off the victim’s machine.
  • Some of the plugins were signed with a certificate issued to “Grandtorg”:
  • Traffic 
  • Strong encryption. The data sent is encapsulated using the XML-RPC protocol.
  • MethodName value 10a7d030-1a61-11e3-beea-001c42e2a08b is always present in Potao traffic.
  • After receiving the request the C&C server generates an RSA-2048 public key and signs this generated key with another, static RSA-2048 private key .
  • In 2nd stage the malware generates a symmetric AES-256 key. This AES session key is encrypted with the newly received RSA-2048 public key and sent to the C&C server.
  • The actual data exchange after the key exchange is then encrypted using symmetric cryptography, which is faster, with the AES-256 key
  • The Potao malware sends an encrypted request to the server with computer ID, campaign ID, OS version, version of malware, computer name, current privileges, OS architecture (64 or 32bits) and also the name of the current process.
  • Potao USB - uses social engineering, exe in the root disguised as drive icon
  • Potao Anti RE -  uses the MurmurHash2 algorithm for computing the hashes of the API function names.
  • Potao Anti RE - encryption of strings
  • Russian TrueCrypt Win32/FakeTC - The malicious program code within the otherwise functional TrueCrypt software runs in its own thread. This thread, created at the end of the Mount function, enumerates files on the mounted encrypted drive, and if certain conditions are met, it connects to the C&C server, ready to execute commands from the attackers.
  • IOC

Tuesday, May 12, 2015

An Overview of Exploit Packs (Update 25) May 2015

Update May 12, 2015

Added CVE-2015-0359 and updates for CVE-2015-0336

Sunday, March 8, 2015

Ask and you shall receive

I get emails from readers asking for specific malware samples and thought I would make a mini post about it.

Yes, I often obtain samples from various sources for my own research.

 I am sometimes too lazy/busy to post them but don't mind sharing.
If you are looking for a particular sample, feel free to ask. I might have it.

Send MD5 (several or few samples). I cannot provide hundreds/thousands of samples or any kind of feeds. If you ask for a particular family, I might be able to help if I already have it.

Unfortunately, I do not have time to do homework for students and provide very specific sets for malware with specific features as well as guarantee the C2s are still active.  Send your MD5(s) or at least malware family and I check if I have it :) If i have it, I will either send you or will post on the blog where you can download.

If you emailed me in the past and never got an answer, please remind me. Sometimes emails are long with many questions and I flag them to reply to later, when I have time and they get buried or I forget. It does not happen very often but accept my apologies if it happened to you.

Before you ask, check if it is already available via Contagio or Contagio Mobile.
1. Search the blog using the search box on the right side
2. Search here
3. Search here
4. Search here

Cheers,  Mila

Thursday, February 19, 2015

Collection of Pcap files from malware analysis

Update: Feb 19. 2015

We have been adding pcaps to the collection so remember to check out the folder ( Pcap collection) for the recent pcaps.

I had a project to test some malicious and exploit pcaps and collected a lot of them (almost 1000) from various public sources. You can see them in the PUBLIC folder. The credits go to the authors of the pcaps listed in the name of each file. Please visit their blogs and sites to see more information about the pcaps, see their recent posts, and send them thanks. The public pcaps have no passwords on them.

Tuesday, February 17, 2015

Equation samples - from the Kaspersky Report and additional

Here are a few samples from the report by Kaspersky Lab "Equation: The Death Star of Malware Galaxy" and additional samples of the same family. The full list is below

Download all the samples listed below. Email me if you need the password (New link)

List of files

Files from the report:
File NameMD5Size
_SD_IP_CF.dll_03718676311DE33DD0B8F4F18CFFD48803718676311de33dd0b8f4f18cffd488368 KB
Disk from Houston_6FE6C03B938580EBF9B82F3B9CD4C4AA6fe6c03b938580ebf9b82f3b9cd4c4aa61 KB
DoubleFantasy_2A12630FF976BA0994143CA93FECD17F2a12630ff976ba0994143ca93fecd17f216 KB
EquationDrug_4556CE5EB007AF1DE5BD3B457F0B216D4556ce5eb007af1de5bd3b457f0b216d372 KB
EquationLaser_752AF597E6D9FD70396ACCC0B9013DBE752af597e6d9fd70396accc0b9013dbe130 KB
Fanny_0A209AC0DE4AC033F31D6BA9191A8F7A0a209ac0de4ac033f31d6ba9191a8f7a180 KB
GrayFish_9B1CA66AAB784DC5F1DFE635D8F8A9049b1ca66aab784dc5f1dfe635d8f8a904560 KB
GROK_24A6EC8EBF9C0867ED1C097F4A653B8D24a6ec8ebf9c0867ed1c097f4a653b8d160 KB
nls_933w.dll_11FB08B9126CDB4668B3F5135CF7A6C511fb08b9126cdb4668b3f5135cf7a6c5208 KB
TripleFantasy_9180D5AFFE1E5DF0717D7385E7F543869180d5affe1e5df0717d7385e7f5438618 KB
TripleFantasy_BA39212C5B58B97BFC9F5BC431170827ba39212c5b58b97bfc9f5bc431170827199 KB

Additional Files:

Sunday, January 4, 2015