One Article Review

The article:
Source Mandiant
Identifier 8643871
Publication date 2025-01-28 14:00:00 (viewed: 2025-01-28 16:07:36)
Title ScatterBrain: Unmasking the Shadow of PoisonPlug's Obfuscator
Text Written by: Nino Isakovic
Introduction

Since 2022, Google Threat Intelligence Group (GTIG) has been tracking multiple cyber espionage operations conducted by China-nexus actors utilizing POISONPLUG.SHADOW. These operations employ a custom obfuscating compiler that we refer to as "ScatterBrain," facilitating attacks against various entities across Europe and the Asia Pacific (APAC) region. ScatterBrain appears to be a substantial evolution of ScatterBee, an obfuscating compiler previously analyzed by PwC.

GTIG assesses that POISONPLUG is an advanced modular backdoor used by multiple distinct, but likely related, threat groups based in the PRC. We assess, however, that POISONPLUG.SHADOW usage appears to be further restricted to clusters associated with APT41.

GTIG currently tracks three known POISONPLUG variants:

POISONPLUG
POISONPLUG.DEED
POISONPLUG.SHADOW

[Figure: countries targeted by POISONPLUG.SHADOW]

POISONPLUG.SHADOW, often referred to as "Shadowpad," a malware family name first introduced by Kaspersky, stands out due to its use of a custom obfuscating compiler specifically designed to evade detection and analysis. Its complexity is compounded not only by the extensive obfuscation mechanisms employed but also by the attackers' highly sophisticated threat tactics. These elements collectively make analysis exceptionally challenging and complicate efforts to identify, understand, and mitigate the threats it poses.

In addressing these challenges, GTIG collaborates closely with the FLARE team to dissect and analyze POISONPLUG.SHADOW. This partnership utilizes state-of-the-art reverse engineering techniques and the comprehensive threat intelligence capabilities required to mitigate the sophisticated threats posed by this threat actor. We remain dedicated to advancing methodologies and fostering innovation to adapt to and counteract the ever-evolving tactics of threat actors, ensuring the security of Google and our customers against sophisticated cyber espionage operations.
Overview

In this blog post, we present our in-depth analysis of the ScatterBrain obfuscator, which has led to the development of a complete stand-alone static deobfuscator library independent of any binary analysis frameworks. Our analysis is based solel
Notes ★★
Sent Yes
Tags Malware Tool Threat Studies Patching Cloud
Stories APT 41


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.