A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28993  by geoffreyvdb
 Tue Aug 09, 2016 3:25 pm
New APT discovered by Kaspersky
  • Unique footprint: Core implants that have different file names and sizes and are individually built for each target – making it very difficult to detect since the same basic indicators of compromise would have little value for any other target.
  • Running in memory: The core implants make use of legitimate software update scripts and work as backdoors, downloading new modules or running commands from the attacker purely in memory.
  • A bias towards crypto-communicatins: ProjectSauron actively searches for information related to fairly rare, custom network encryption software. This client-­server software is widely adopted by many of the target organizations to secure communications, voice, email, and document exchange. The attackers are particularly interested in encryption software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes.
  • Script-based flexibility: ProjectSauron has implemented a set of low-level tools which are orchestrated by high-level LUA scripts. The use of LUA components in malware is very rare - it has previously only been spotted in the Flame and Animal Farm attacks.
  • Bypassing air-gaps: ProjectSauron makes use of specially-prepared USB drives to jump across air-gapped networks. These USB drives carry hidden compartments in which stolen data is concealed.
  • Multiple exfiltration mechanisms: ProjectSauron implements a number of routes for data exfiltration, including legitimate channels such as email and DNS, with stolen information copied from the victim disguised in day-to-day traffic.
http://www.kaspersky.com/about/news/vir ... jectSauron

http://www.symantec.com/connect/blogs/s ... on-targets
http://www.symantec.com/content/en/us/e ... c_IOCs.pdf
https://www.virustotal.com/en/file/a66b ... /analysis/

The included sample is currently all I can download, there's is more on VT if you search for remsec but I don't have a key
You do not have the required permissions to view the files attached to this post.
 #29009  by CloneRanger
 Fri Aug 12, 2016 3:46 pm
Strings in some of the files ?

I am NOT an expert in deconstructing etc malware, or looked at hundreds/thousands as some of you have, but here's just a couple of things i noticed, that may or may not be worth investigating further !

S p i n L o c k - https://en.wikipedia.org/wiki/Spinlock - I havn't seen this before, & seems interesting.

\\.\khips - I couldn't discover much about it. https://duckduckgo.com/html/ - Wanted to Redirect to - http://www.memecenter.com/khips LOL

The only link i found was to, HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\khips - Kerio Firewall

What is \\.\ ?