Reversing APT29 Duke Malware

Video description for Reversing APT29 Duke Malware

I'm looking at three binary files. The first is a legit Microsoft-signed exe. The second is a stub DLL that does nothing. The third is APT29 malware that is DLL side-loaded by the legit executable. I'll show how the DLL opens the decoy document, loads wininet.dll using LdrLoadDll, and then connects to the Zulip chat service for C2 (including the username and password). This malware comes from HackTheBox's Einladen Sherlock.
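The side-loading setup described above (a Microsoft-signed exe loading DLLs dropped beside it) is also something to hunt for on endpoints. The following is an added example, not code from the video or its author: it triages constructed Sysmon ImageLoad (Event ID 7) records and flags same-directory DLL loads that are not Microsoft-signed, plus Microsoft-named DLLs loaded from outside the system directories. The field names are Sysmon's real Event ID 7 fields; the paths, signer strings, the trusted-directory list and the DLL-name list are assumptions made for the example.

```python
"""Triage Sysmon ImageLoad (Event ID 7) records for DLL side-loading.

Added example, not code from the video or its author. The records mirror
the setup in the video (msoev.exe loading DLLs dropped next to it) but are
constructed: the Sysmon field names are real, every path, signer string and
verdict is made up.
"""
from dataclasses import dataclass
from ntpath import basename, dirname  # Windows path semantics on any host

# Directories where Microsoft-named DLLs are expected to live (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# DLL names that legitimately ship with Office/Windows (names taken from the video).
MS_DLL_NAMES = {"mso.dll", "appvisvsubsystems64.dll", "wininet.dll"}


@dataclass(frozen=True)
class ImageLoad:
    image: str             # Sysmon Image: the process loading the module
    image_loaded: str      # Sysmon ImageLoaded: full path of the module
    signed: bool           # Sysmon Signed
    signature: str         # Sysmon Signature: signer name, "" when unsigned
    signature_status: str  # Sysmon SignatureStatus, e.g. "Valid"


def is_microsoft_signed(ev: ImageLoad) -> bool:
    """True only for a valid signature whose signer name starts with Microsoft."""
    return (ev.signed and ev.signature_status == "Valid"
            and ev.signature.lower().startswith("microsoft"))


def sideload_reasons(ev: ImageLoad) -> list:
    """Return why this load looks like side-loading; an empty list means clean."""
    loaded = ev.image_loaded.lower()
    name = basename(loaded)
    reasons = []
    if not name.endswith(".dll"):
        return reasons
    if loaded.startswith(TRUSTED_DIRS):
        return reasons  # copies under Windows/Program Files are out of scope here
    same_dir = dirname(loaded) == dirname(ev.image.lower())
    if name in MS_DLL_NAMES:
        reasons.append(f"{name} loaded from outside a trusted directory")
    if same_dir and not is_microsoft_signed(ev):
        reasons.append("same-directory DLL is not Microsoft-signed")
    return reasons


def triage(events) -> dict:
    """Map each suspicious module path to the list of reasons it was flagged."""
    return {ev.image_loaded: r for ev in events if (r := sideload_reasons(ev))}


# Constructed sample: one benign system load, the stub DLL, and the malicious DLL.
HOST = r"C:\Users\u\Downloads\Einladen\msoev.exe"
SAMPLE = [
    ImageLoad(HOST, r"C:\Windows\System32\wininet.dll", True, "Microsoft Windows", "Valid"),
    ImageLoad(HOST, r"C:\Users\u\Downloads\Einladen\AppVIsvSubsystems64.dll", False, "", "Unavailable"),
    ImageLoad(HOST, r"C:\Users\u\Downloads\Einladen\mso.dll", False, "", "Unavailable"),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Both dropped DLLs are flagged twice (Microsoft-looking name outside a trusted directory, and unsigned while sitting beside the host exe), while the genuine wininet.dll from System32 is not. On a real estate the trusted-directory and name lists need tuning, and a DLL signed by a non-Microsoft but legitimate vendor will still trip the second rule, so treat the output as a triage queue rather than a verdict.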

APT29 malware post: https://0xdf.gitlab.io/2024/05/08/htb...
HackTheBox Einladen Blog post: https://0xdf.gitlab.io/2024/05/02/htb...
HackTheBox Einladen: https://app.hackthebox.com/sherlocks/...

☕ Buy Me A Coffee: https://www.buymeacoffee.com/0xdf

[00:00] Introduction
[01:26] Situation overview
[01:55] msoev.exe (legit)
[04:30] AppVIsvSubsystems64.dll
[07:01] mso.dll start
[07:49] Exports, imports, and strings
[09:56] ShellExecuteA to show decoy
[11:03] String decryption functions
[13:14] Decrypting string to show decoy
[15:05] Loading wininet.dll
[19:05] Getting wininet functions
[22:48] C2 activity
[27:54] Back to entry point
[29:25] Conclusion

#pentest #ctf #malware #ghidra #apt29
