Author: Roman Vasilenko

A large set of publicly disclosed Advanced Persistent Threat (APT) and nation state attacks use sophisticated malware (e.g Turla, Duqu, Equation Group, Duqu2, etc.) that make use of at least one component running hidden inside the kernel of the Microsoft Windows operating system (OS). There,...

In this third post in our blog series on process snapshotting (see previous posts on PlugX and Shiz’ code injection), we will show how to dissect exploit payloads using the LLama full-process snapshot functionality. Document exploits are particularly tedious to analyze using traditional analysis...

Authored by: Roman Vasilenko, Kyle Creyts Introduction There are a number of articles recently written about a Remote Access Trojan called PlugX or Korplug (with older variants known as Sogu, Thoper, TVT, or Destory RAT ) which has recently seen increasing use in targeted attacks. These articles: suggest an identity of the author of...