One Article Review

Home - The article:
Source BAE
Identifier 352309
Publication date 2017-03-06 12:15:49 (viewed: 2017-03-06 12:15:49)
Title Cyber Heist Attribution
Text Written by Sergei Shevchenko and Adrian Nish

BACKGROUND

Attributing a single cyber-attack is a hard task and often impossible. However, when multiple attacks are conducted over long periods of time, they leave a trail of digital evidence. Piecing this together into a campaign can help investigators to see the bigger picture, and even hint at who may be behind the attacks.

Our research into malware used on SWIFT-based systems running in banks has turned up multiple bespoke tools used by a set of attackers. What initially looked to be an isolated incident at one Asian bank turned out to be part of a wider campaign. This led to the identification of a commercial bank in Vietnam that also appears to have been targeted in a similar fashion using tailored malware, but based off a common code-base.

In the bank malware cases we know of, the coders used a unique file wipe-out function. This implementation was so distinctive that it further drew our attention – and so we began to look for other instances of code which had used the same function. Using disassembled machine opcodes (with masked-out dynamic virtual addresses) we generated signatures to scan a large malware corpus.

Our initial search turned up an additional sample which implemented the same wipe-out function. This sample was uploaded from a user in the US on 4th March 2016:

SHA1: c6eb8e46810f5806d056c4aa34e7b8d8a2c37cad
Compile time: 2014-10-24 09:28:55
Size (bytes): 45,056
Name: msoutc.exe
Country: US

ANALYSIS

The msoutc.exe functionality

msoutc.exe accepts a number of parameters passed with the command line. When executed, it
Sent Yes
Tags Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.