It is also able to collect information in a file-less manner and delete itself immediately after sending information to C2.There have been small development differences between each minor version, making this latest version very different from version 3.0.8 mentioned in our last article.
In addition, it was upgraded again to version 3.3.4 on Christmas Eve. In this report we will quickly analyze its latest set of capabilities. Figure 1 shows the infection chain, and Figure 2 shows an example of phishing document. The script is then run to decrypt apTz.dat into the payload of Predator the Thief. Autoit Image From Url Update Notes ForWe checked the following channel, used for providing update notes for their customers. However, there are have been some new features added since our last article. In the following section we will analyze the features found in version 3.3.3 to determine what changes have been made during this period. It then hooks the copied portion with a simple shellcode to call the function NtQueryInformationProcess for anti-debug purposes. It also prevents analysts from hooking NtQueryInformationProcess to avoid being detected. And it also checks the crc32 checksum of the allocated memory to prevent any changes. We can also observe that the assembly code is much shorter but more complicated. Autoit Image From Url Zip File StructureInstead, the malware allocates a memory space to locate the entire zip file structure, and then adds the zip file directly from memory to the request data. The configuration is more complex and detailed than previous versions, and is encrypted during the connection. One example returned the following base64-encoded-like data. After decoding the string shown in the previous figure, we found the following configuration string. However, in version 3.3.4, the code related to the default language check had been removed. ![]() Autoit Image From Url Download Other MalwareInterestingly, the malware has become a possible loader for other malware due to its ability to download other malware. Different from the fourth part of the configuration, it defines an API list. It is also implemented as an API list, so multiple files can be downloaded from different APIs and executed immediately. The registry key name comes from the fourth part of the configuration. By setting this configuration, it will create a registry key at HKCUSoftwareAdviceService Ltd.Name. More anti-analysis features are used, and the configurations are more detailed and complex.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |