As we bring out our three-part series on RAT tools suffered upon our friends at Hazrat Supply, we must visit the centerpiece of it all. The big dog in this fight is indeed the bybtt.cc3 file (Jake suspected this), Backdoor:Win32/Zegost.B. The file is unquestionably a PE DLL but renamed to .cc3 to hide on the system like a CueCards Professional database file. Strings confirms the RAS phonebook reference from above, not two lines removed from the hostile domain:

Figure 1

What a swirling vortex of nastiness. There are so many rabbit holes to go down here, but I promised you IOCs.

Figure 2

It's cool to match the great work Jake did during IR with static analysis and turn it into what is hopefully actionable intelligence for you, dear reader.

Remember that IOCs change quickly and that another very related sample may exhibit entirely different indicators. So don't treat these as a panacea, but do use them as reference for your hunt and detect missions. Please feel free to enhance, optimize, tune, improve, criticize, and assassinate the character of the IOCs; they're always a work in progress, I won't be hurt. Good luck and let us know how it goes! Cheers.
Russ McRee, ISC Handler, Jul 19th 2014
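The "PE DLL renamed to .cc3" trick described in the diary is something you can hunt for by trusting the file header rather than the extension. The following script is an added example, not code from the diary or from Jake's IR work: it parses the DOS and COFF headers, flags PE images found under a non-executable extension, and notes when the IMAGE_FILE_DLL characteristic is set; the extension allowlist, the constructed header bytes and the sample file names (bybtt.cc3 is used only as a stand-in) are assumptions for offline testing.

```python
import os
import struct
import tempfile

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}  # assumed allowlist; extend per environment
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLL images

def pe_info(data):
    """Parse DOS and COFF headers; return (is_pe, is_dll)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, False
    return True, bool(struct.unpack_from("<H", data, e_lfanew + 22)[0] & IMAGE_FILE_DLL)

def classify(path, data):
    """Compare what the header says the file is with what the extension claims."""
    is_pe, is_dll = pe_info(data)
    if not is_pe:
        return "not-pe"
    if os.path.splitext(path)[1].lower() in PE_EXTENSIONS:
        return "pe-ok"
    return "pe-dll-masquerading-ext" if is_dll else "pe-masquerading-ext"

def scan_tree(root):
    """Walk a tree reading only the first 4 KiB per file; return masquerading hits."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            with open(os.path.join(dirpath, name), "rb") as f:
                verdict = classify(name, f.read(4096))
            if verdict not in ("not-pe", "pe-ok"):
                hits.append((name, verdict))
    return sorted(hits)

def build_sample_pe(is_dll):  # constructed minimal PE header, not a real binary
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    return dos + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)

def demo():
    """Write three constructed files to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bybtt.cc3": build_sample_pe(True), "legit.dll": build_sample_pe(True),
                 "cards.cc3": b"CueCards database"}  # constructed: DLL as .cc3, DLL as .dll, non-PE
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return scan_tree(root)  # [('bybtt.cc3', 'pe-dll-masquerading-ext')]
```

Only the header-to-extension mismatch is checked; pair it with the strings and domain indicators from the diary when you triage hits.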
Daniel, Jul 19th 2014:
Checking this morning, I can see that none of the 3 bad sites I checked from this article are listed in my THREATSTOP feed. I thought that ISC was a partner/source of information for them??? Am I wrong?

Russ McRee (ISC Handler), Jul 19th 2014:
I dropped this diary very late last night and haven't yet squared away all the related data submittals. Great point though, will do, stand by.

Dan, Jul 21st 2014:
Is there a corresponding tool in REMnux similar to PEStudio?

Laurent, Jul 22nd 2014:
All this is great! Next step is to run all the IOCs on all the hosts. Will you cover Redline or do you have another technique?
(Maybe this is out of scope of the current blog post. But I think this is important.)

Russ McRee (ISC Handler), Jul 27th 2014:
Sorry for the delay; see a full article I wrote on Redline here: holisticinfosec.blogspot.com/2013/03/…
Almost won Forensics article of the year even: forensic4cast.com/forensic-4cast-awards/2014-results/