From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT - Jorge Rodriguez; Souhail Hammou

botconf eu
15 Apr 2023, 34:01

Summary

TLDR: This talk takes a deep dive into the Gh0st RAT malware and its variant PseudoManuscrypt. Intel 471 security researchers Jorge Rodriguez and Souhail Hammou analysed the malware's code and distribution methods and traced the variant's lineage back to Gh0st RAT, which was written by a Chinese hacker group. They cover Gh0st RAT's history and features and how the variant infects victims through different distribution channels. They also describe PseudoManuscrypt's advanced capabilities, including theft of cryptocurrency and browser cookies, and its plugin system. They conclude that the malware is operated by a financially motivated, probably Chinese-speaking group and is still under active development.

Takeaways

  • 🔍 Introduces the Gh0st RAT malware and its variant PseudoManuscrypt, researched by Jorge Rodriguez and Souhail Hammou of Intel 471.
  • 📈 Covers the history of Gh0st RAT: originally developed by a Chinese hacker group, evolving since 2008, and spawning numerous open-source forks.
  • 🌐 PseudoManuscrypt, one of the latest Gh0st RAT variants, was first spotted by Kaspersky in 2021 and is distributed through malware loaders and fake software-crack websites.
  • 🔥 As of August 2022 the PseudoManuscrypt botnet held roughly 50,000 bots, and the number is still growing.
  • 🔄 The malware is tracked through automated extraction of artifacts; Gh0st RAT uses a custom TCP protocol whose packets start with a distinctive header flag.
  • 🛠️ The malware is modular: features live in separate managers such as the file manager, screen manager, video/audio managers and keylogger.
  • 🚀 PseudoManuscrypt uses a more advanced service manager and adds new features such as a hidden VNC manager, bidirectional clipboard sharing and a TCP proxy.
  • 🔒 The malware supports plugins for stealing credentials and cryptocurrency, and for man-in-the-middle interception of TLS traffic.
  • 🌍 Based on the libraries and infrastructure the malware uses, the researchers assess that a Chinese-speaking group is likely behind it.
  • 💡 Gh0st RAT and its variants remain a live threat; the current operators are diversifying and scaling up their distribution channels to grow the botnet.

Q & A

  • What is Gh0st RAT and what is its history?

    -Gh0st RAT is a remote access trojan (RAT) first developed between 2006 and 2009 by a Chinese hacker group, the C. Rufus Security Team (CRST), which the talk also refers to as the Great Wall Security Team. The team released the first stable version in 2008 and an open-source version the same year. Gh0st RAT is known for its modular structure and rich feature set, and has been adopted and modified by numerous APT groups and cybercrime gangs.

  • How is the PseudoManuscrypt RAT related to Gh0st RAT?

    -PseudoManuscrypt RAT is one of the most recent Gh0st RAT variants, first spotted by Kaspersky in 2021. It mirrors Gh0st RAT's functionality and structure and inherits many of its traits, but adds its own improvements and new features, such as a more advanced service manager and plugin support.

  • How is PseudoManuscrypt RAT mainly distributed?

    -PseudoManuscrypt RAT spreads mainly in two ways: through fake cracked-software websites and through pay-per-install ("install") services. The attackers use these channels to scatter the malware as widely as possible and lure victims into downloading and running it.

  • What is PseudoManuscrypt RAT after?

    -PseudoManuscrypt RAT's main goal is financial gain. It profits its operators by stealing victims' cryptocurrency wallet addresses, intercepting browser traffic, and stealing cookies and saved credentials.

  • Which communication protocols and frameworks does PseudoManuscrypt RAT use?

    -PseudoManuscrypt RAT uses UDP as its primary transport and relies on the HP-Socket C++ framework for TCP, UDP and HTTP communication. Over UDP it uses KCP, a reliable transport protocol written by a Chinese developer, which the talk describes as 30 to 40% faster than TCP.

  • How does the PseudoManuscrypt RAT infection chain start?

    -The infection chain starts with a malicious downloader component, obtained either from a software distribution network pushing fake cracks or from a malware loader. The downloader first restarts itself with elevated privileges, then fetches two files: a PNG image that is actually loader.dll, and an HTML file carrying the campaign ID. The downloader then runs db.dll through rundll32, calling a specific export; db.dll reads the encrypted shellcode, decrypts it and executes it.

  • How does PseudoManuscrypt RAT achieve persistence?

    -PseudoManuscrypt RAT registers a callback that runs at system shutdown; the callback re-establishes the installation so that the malware keeps running after a reboot. Persistence itself is implemented through a service DLL embedded in the core module: the DLL is copied into the system32 directory and a new svchost service group is registered for it in the registry.

  • Where is PseudoManuscrypt RAT's configuration stored?

    -The configuration is stored in the data section of the core component. It includes the primary and fallback protocol, the ports in use, the primary command-and-control server address, DGA parameters and API keys.

  • Which plugins does PseudoManuscrypt RAT support?

    -PseudoManuscrypt RAT supports several plugins, including a clipboard monitor, a keylogger, a man-in-the-middle proxy and a cookie stealer. They are used to steal cryptocurrency wallet addresses, monitor and relay cryptocurrency-related activity in real time, intercept and tamper with browser traffic, and steal browser cookies and saved credentials.

  • How was it determined that PseudoManuscrypt RAT's operators are likely Chinese-speaking actors?

    -The researchers base this assessment on the libraries and frameworks the malware uses (the HP-Socket framework and the KCP protocol), the geographic location of its infrastructure (East Asia), and specific traits such as a Chinese-language panel and Chinese naming conventions.

  • What are PseudoManuscrypt RAT's operators mainly focused on?

    -The operators are focused on financial gain: the diverse plugins and features they deploy steal cryptocurrency, intercept browser traffic and harvest sensitive credentials, all pointing to a profit motive.

Outlines

00:00

🎤 Introduction and background

This segment introduces the speaker Jorge Rodriguez, malware research team lead in Intel 471's malware intelligence team. The team tracks malware through automated extraction of artifacts, which it then leverages for botnet emulation. His co-speaker, Souhail Hammou, is a senior malware reverse engineer with Intel 471 whose work covers reverse engineering malware, writing comprehensive reports, and coding extractors and emulators to track malware and botnet activity. The segment also sets out the topic of the talk: research on Gh0st RAT and the PseudoManuscrypt RAT, the history behind PseudoManuscrypt and its link to the infamous Gh0st RAT.

05:02

📚 Origins and features of Gh0st RAT

This part digs into the origins and characteristics of Gh0st RAT. It was developed by the C. Rufus Security Team (CRST), referred to in the talk as the Great Wall Security Team, which was active between 2006 and 2009 with more than 12 members. The team produced several variants and published multiple releases between 2007 and 2009. The Gh0st RAT source code was opened in 2008 and was put to malicious use almost immediately: the GhostNet campaign used it against government offices in more than 100 countries, in attacks attributed to Chinese-speaking threat actors. The segment also introduces technical details of Gh0st RAT, such as its communication protocol, its manager components and its features.

10:02

🔍 Analysis of the PseudoManuscrypt variant

This segment analyses the PseudoManuscrypt variant: its relationship to the original Gh0st RAT and its distinctive traits. PseudoManuscrypt is built on Gh0st RAT but adds improvements such as a new service manager and features like bidirectional clipboard sharing. It also mentions the variant's plugin system, whose plugins mainly steal credentials and cryptocurrency. The developers appear to be financially motivated and probably Chinese-speaking, since they use libraries and a panel written by Chinese developers.

15:05

🚀 Distribution and infection chain of PseudoManuscrypt

This part describes how PseudoManuscrypt is distributed and how the infection chain works. It spreads mainly through two channels: fake cracked-software websites and install services. The attackers do not target particular industries, countries or regions; they take a "spray and pray" approach. The infection chain begins with a downloader component that fetches two files, an encrypted DLL and an HTML file containing the campaign ID. The downloader executes and loads the core module, which persists across reboots and injects itself into an svchost instance.

20:06

🛡️ Configuration and communication protocol of PseudoManuscrypt

This segment details the variant's configuration and communication protocol. The configuration lives in the data section of the core component and includes the primary and fallback protocol, ports, the primary control server and DGA parameters. Communication is built on HP-Socket, an open-source C++ framework written by a Chinese developer that provides high-performance TCP, UDP and HTTP communication; over UDP the variant uses the KCP protocol. PseudoManuscrypt uses UDP as its primary transport and falls back to TCP when necessary.

25:08

🔑 Plugins and features of PseudoManuscrypt

This part covers the plugins the variant supports and what they do. PseudoManuscrypt has several plugins: a clipboard monitor, a keylogger, a man-in-the-middle plugin and a cookie stealer, used mainly to steal credentials and cryptocurrency. The variant also has advanced built-in features such as a hidden VNC manager, bidirectional clipboard sharing, a TCP proxy and a netstat manager. Together these show PseudoManuscrypt to be a sophisticated, financially motivated threat.

30:09

🎯 Conclusion and Q&A

The final part concludes that Gh0st RAT remains a latent threat and that PseudoManuscrypt is an advanced, financially successful and still-growing variant. The attackers likely chose to build on Gh0st RAT because of its modular structure. PseudoManuscrypt's operators are diversifying and intensifying their distribution efforts, and given the size the botnet has already reached, it could also be used as spyware to surveil victims. The talk closes with a Q&A session.

Keywords

💡Gh0st RAT

Gh0st RAT is a piece of malware originally developed by a Chinese hacker group that later became an open-source project. The video discusses its different versions and variants and their use in cyber espionage and financial crime.

💡PseudoManuscrypt RAT

PseudoManuscrypt RAT is a variant of the Gh0st RAT malware, first spotted by Kaspersky in 2021. It is distributed through fake crack websites and malware loaders, and Intel 471 tracks it through automated extraction of artifacts. Kaspersky named it for its similarities to the Manuscrypt malware used by Lazarus, but the speakers do not attribute it to Lazarus.

💡Malware distribution

Malware distribution is the process by which malware reaches target systems through different channels. The video mentions fake cracked software and install services as distribution methods that spread the malware to computers around the world.

💡Automated artifact extraction

Automated artifact extraction is the use of automated tooling to pull key information out of malware samples, which can then be used to analyse the malware's behaviour and characteristics. In the video, Intel 471's researchers use this approach to track and analyse Gh0st RAT and its variants.

💡Malware configuration

A malware configuration is the set of settings and parameters the malware uses at runtime. It is usually stored inside the malware's core component and tells the malware how to communicate with its control server and which malicious actions to perform.

💡Plugins

Plugins are small software components added to a core program to extend or enhance its functionality. In malware, plugins typically add new malicious behaviours or data-collection capabilities.

💡Cyber espionage

Cyber espionage is spying carried out over networks, including surveillance, data theft and remote control. The video mentions that Gh0st RAT and its variants have been used for cyber espionage, to surveil victims and steal sensitive information.

💡Domain generation algorithm

A domain generation algorithm (DGA) automatically produces a list of candidate domain names to use when the primary control server cannot be reached. Even if the main C2 server is taken down, the malware can find a replacement server through the generated domains.

💡Malware analysis

Malware analysis is the in-depth study of malware samples to understand how they work, how they behave and what threat they pose. It typically involves reverse engineering, behavioural analysis and network traffic monitoring.

💡Financial crime

Financial crime here means illegal money-making activity conducted with computers and networks, including theft, fraud and other money-related offences. The video describes PseudoManuscrypt RAT being used for financial crime, such as stealing cryptocurrency wallet addresses and performing man-in-the-middle attacks.

Highlights

This talk presents research on the Gh0st RAT malware; it is the speakers' second such talk, hopefully with many more to come.

Jorge Rodriguez is the malware research team lead in Intel 471's malware intelligence team, which tracks malware through automated extraction of artifacts.

The PseudoManuscrypt RAT was spotted by Kaspersky in 2021 and is mainly delivered through fake crack websites and malware loaders.

As of August 2022, BitSight sinkhole telemetry put the PseudoManuscrypt botnet at roughly 50k bots, and the number keeps growing.

PseudoManuscrypt is one of the latest forks of the infamous Gh0st RAT, which dates back to 2008 and was mainly operated by Chinese-speaking actors.

The original developers of Gh0st RAT were the C. Rufus Security Team, also referred to as the Great Wall Security Team (CRST), active between 2006 and 2009.

Gh0st RAT's source code was opened in 2008, after which both financially motivated and espionage-focused threat actor groups incorporated modified forks into their arsenals.

Gh0st RAT is written in C++, offers full control over the infected host, and persists as a Windows service DLL.

Gh0st RAT's communication protocol is a custom TCP protocol whose packet header starts with a special flag ("Gh0st" in the original; other variants use a different value), followed by the total packet size and the uncompressed size, and then the zlib-compressed payload.
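The header layout above is enough to write both sides of the exchange. The following Python is an added example, not code from the talk or from Intel 471: it builds and parses packets in the classic Gh0st framing (5-byte flag, two little-endian 32-bit lengths, zlib body, as in the public Gh0st 3.6 source), reassembles them from a TCP byte stream, and routes the decompressed payload through a callback table the way the later kernel manager does. The command token values, handler names and the decompressed-size cap are assumptions made for the example; the real token numbering is not on this page. The check on the advertised uncompressed size is the caveat a sensor author wants, since the bot allocates that many bytes before decompressing.

```python
import struct
import zlib

# Classic Gh0st packet header (public 3.6 source):
#   5 bytes  flag, "Gh0st" in the original; forks substitute their own value
#   4 bytes  total packet size including this header (little-endian)
#   4 bytes  payload size after zlib decompression (little-endian)
# followed by the zlib-compressed payload.
MAGIC = b"Gh0st"
HEADER_LEN = 13
HEADER_FMT = "<II"

# Analyst-side cap on the advertised decompressed size (an assumption for this
# example; the bot itself trusts the field and allocates whatever it says).
MAX_ORIGINAL_SIZE = 16 * 1024 * 1024


def build_packet(payload: bytes, magic: bytes = MAGIC) -> bytes:
    """Wrap a raw command payload the way the bot and the panel do."""
    if len(magic) != 5:
        raise ValueError("Gh0st flag must be 5 bytes")
    body = zlib.compress(payload)
    total_size = HEADER_LEN + len(body)
    return magic + struct.pack(HEADER_FMT, total_size, len(payload)) + body


def parse_packet(buf: bytes, magic: bytes = MAGIC):
    """Parse one packet from the front of buf.

    Returns (payload, bytes_consumed). (None, 0) means buf does not yet hold a
    complete packet with this flag. Raises ValueError on a malformed header.
    """
    if len(buf) < HEADER_LEN or buf[:5] != magic:
        return None, 0
    total_size, original_size = struct.unpack_from(HEADER_FMT, buf, 5)
    if total_size < HEADER_LEN:
        raise ValueError("total size smaller than header")
    if original_size > MAX_ORIGINAL_SIZE:
        # A parser that trusts this field can be made to allocate arbitrary memory.
        raise ValueError("declared decompressed size exceeds cap")
    if len(buf) < total_size:
        return None, 0
    payload = zlib.decompress(buf[HEADER_LEN:total_size])
    if len(payload) != original_size:
        raise ValueError("decompressed size does not match header")
    return payload, total_size


def split_stream(stream: bytes, magic: bytes = MAGIC) -> list:
    """Reassemble every complete packet from a captured TCP byte stream."""
    packets = []
    offset = 0
    while offset < len(stream):
        payload, used = parse_packet(stream[offset:], magic)
        if payload is None:
            break  # trailing partial packet: wait for more bytes
        packets.append(payload)
        offset += used
    return packets


# The first payload byte is the command token. These values are constructed
# for the example; the real numbering is not given on the page.
CMD_HEARTBEAT = 0x00
CMD_SHELL = 0x01
CMD_DOWNLOAD_EXEC = 0x02


def _on_heartbeat(args: bytes) -> str:
    return "heartbeat"


def _on_shell(args: bytes) -> str:
    return "shell: " + args.decode("utf-8", "replace")


def _on_download_exec(args: bytes) -> str:
    return "download+exec: " + args.decode("utf-8", "replace")


# Callback table keyed by token: the dispatch style the later closed-source
# Gh0st builds used in the kernel manager instead of a switch statement.
COMMAND_TABLE = {
    CMD_HEARTBEAT: _on_heartbeat,
    CMD_SHELL: _on_shell,
    CMD_DOWNLOAD_EXEC: _on_download_exec,
}


def dispatch(payload: bytes, table=COMMAND_TABLE) -> str:
    """Route a decompressed payload to its handler by token byte."""
    if not payload:
        raise ValueError("empty payload")
    handler = table.get(payload[0])
    if handler is None:
        return "unknown token 0x%02x" % payload[0]
    return handler(payload[1:])


if __name__ == "__main__":
    # Constructed sample: two panel-to-bot commands back to back in one stream.
    wire = build_packet(bytes([CMD_SHELL]) + b"whoami") + build_packet(bytes([CMD_HEARTBEAT]))
    for p in split_stream(wire):
        print(dispatch(p))
```

For a network sensor, `parse_packet` with the variant's own flag value is the whole detection: a 13-byte header whose total size matches the captured segment and whose body inflates to exactly the declared size is a strong signature, and the size cap keeps the sensor from being taken down by a crafted header.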

Gh0st RAT's features are implemented as separate components called managers, each of which inherits from the CManager class.

Between the latest open-source release and the latest closed-source release there are several major differences, including an overhauled panel user interface and renamed classes.

The researchers collected 22 open-source forks in order to link prominent traits of notable variants to the available open-source releases, giving insight into each variant's origin and its developers' motivations.

The PseudoManuscrypt variant uses several delivery methods, including fake cracked software and install services.

The PseudoManuscrypt infection chain starts with a downloader component, obtained either from a software distribution network or from a malware loader.

The malware configuration is stored in the data section of the core component and includes the primary and fallback protocol, ports, the primary control server and DGA parameters.

PseudoManuscrypt communicates using the open-source HP-Socket C++ framework, which provides high-performance TCP, UDP and HTTP communication.

The variant supports plugins that are requested after the initial check-in, including clipboard monitoring, keylogging and man-in-the-middle plugins.

The variant's developers are likely Chinese-speaking: they use libraries and frameworks written by Chinese developers, and their infrastructure is located in East Asia.

Gh0st RAT is old but still a latent threat, and its advanced variant is currently financially successful and growing.

Transcripts

00:02

thank you very much for

00:04

um thank you everyone and thank you for

00:06

the

00:07

opportunity to be here today we are

00:09

super excited this is our second podcast

00:12

of hopefully many more to come

00:15

and today we wanted to share some

00:18

research we have done on Gh0st RAT and

00:21

PseudoManuscrypt RAT

00:24

first let us introduce ourselves my name

00:28

is Jorge Rodriguez I am the malware

00:29

research team lead in the malware

00:32

intelligence team at Intel 471

00:35

um we are mainly

00:37

tracking malware through automated

00:39

extraction of artifacts which then we

00:42

leverage for botnet emulation

00:48

I'm a senior malware reverse engineer

00:50

with Intel 471 my main duties include

00:53

reverse engineering malware, writing

00:55

comprehensive reports coding extractors

00:58

and emulators to track malware and

00:59

botnet activities

01:02

so the agenda we have for today is

01:05

mainly focused on PseudoManuscrypt we

01:08

are going to do a deep dive later in the

01:10

second part of the talk but before doing

01:13

so we are going to

01:15

set ourselves in a proper context on the

01:19

Gh0st RAT the you know notable variants

01:21

and so on history

01:23

on it

01:26

the

01:28

PseudoManuscrypt RAT was spotted by

01:30

Kaspersky in 2021 it was mainly

01:34

delivered by fake crack websites and

01:36

malware loaders

01:39

later in August 2022

01:42

BitSight telemetry from their sinkholes

01:46

showed that this botnet has around 50k

01:51

bots

01:53

which is now being increased because

01:55

this operation is ongoing as we speak is

01:57

still relevant

01:59

today

02:03

we had to look deeper into it because we

02:06

noticed the operation was rather active

02:09

so that's when Souhail realized this

02:12

PseudoManuscrypt RAT was actually one

02:14

of the latest forks of the infamous

02:17

Gh0st RAT

02:20

which dates back to 2008 so Gh0st

02:24

RAT is still hunting

02:27

it was open sourced that very same year

02:30

and was mainly operated by Chinese

02:33

actors

02:35

many

02:36

threat actor groups both financially

02:39

motivated and based in

02:42

espionage were incorporating these

02:45

modified Forks into their Arsenal and

02:50

it's still relevant 15 years later

02:55

about the original developers of

02:57

Gh0st RAT the C. Rufus Security Team

03:00

also known as Great Wall security team

03:02

or CRST it was mostly active between

03:08

2006 and 2009 they had around 12 plus

03:12

members and they had these romantic ideas

03:16

of themselves they claimed they

03:19

were passionate security professionals

03:21

they encouraged pure technical

03:23

discussions and they wanted to keep the

03:25

internet

03:26

a clean place

03:28

they actively developed Gh0st RAT

03:31

between 2007 and 2009 where multiple

03:35

variants were released some of them to

03:38

the general public if we put this

03:42

information on a timeline it would look

03:44

like something like this on January 2008

03:47

we had the first stable release March

03:50

2008 the first open source release for

03:54

version 2.5

03:57

these releases have some internal

04:00

comments from the developer cooldiyer

04:03

and we could read some comments in the

04:06

fashion after internal discussion with

04:08

the team we have decided to make this

04:10

version open source or then later the

04:13

last known open source release from

04:16

Gh0st RAT

04:17

version 3.6 beta

04:19

they claim, I can't believe it, 3.6 will

04:22

be open source

04:27

only one month later the inevitable

04:30

happens

04:31

GhostNet campaigns are first spotted in

04:34

the wild

04:35

they were targeting government offices in

04:37

more than 100 countries and these

04:39

attacks were attributed to Chinese

04:41

speaking threat actors later that year

04:44

December 2008

04:47

the last official release in a closed

04:51

source format we have Gh0st 1.0 the Alpha

04:55

version

04:57

so Gh0st RAT was becoming a notorious

04:59

threat back in the day Infowar

05:01

Monitor released the investigation

05:03

report in March 2009 and

05:06

the team behind Gh0st RAT was attracting

05:10

lots of attention

05:12

C. Rufus Security Team activity reduced

05:15

by that time but the development

05:18

possibly continued in private beyond

05:20

this version 1.0 Alpha

05:24

um

05:25

actually there were comments in

05:28

subsequent variants from the same

05:32

developer mentioning the changelog

05:36

basically and from here we move into

05:38

some features from the original Gh0st RAT

05:43

thank you

05:44

so both the panel and the bots in Gh0st

05:47

RAT were written in C++ uh

05:49

it's a RAT so it offers full-fledged

05:51

control over the infected host and

05:53

persists as a Windows service DLL that

05:55

runs as part of the Network Services

05:57

Group its protocol is a custom TCP

06:00

communication protocol and the packet

06:02

header starts with a special flag and in

06:05

this case it's Gh0st in other variants

06:06

it can be another value and this is

06:09

followed by the packet size including

06:11

the header, the size of the uncompressed

06:13

packet so that the bots can allocate the

06:15

necessary memory to decompress the

06:17

following zlib-compressed data

06:21

so features are implemented in separate

06:24

components called managers each manager

06:27

would inherit from the CManager class and

06:30

new instances would get a new socket

06:32

that is already connected to the command

06:34

control server so to code a manager

06:37

you basically have to implement an abstract

06:39

OnReceive method, constructor of course

06:41

and this OnReceive method will

06:44

generally implement a switch case

06:46

statement to handle commands

06:49

so the main manager in Gh0st RAT is

06:52

called the kernel manager so its mission

06:54

is to spawn new managers but also to

06:57

handle miscellaneous commands such as

06:58

installing the bot, downloading and

06:59

executing uh follow-up malware but it

07:03

also has other managers like the

07:05

file manager for example the shell

07:07

manager, screen manager to spy on the

07:09

screen, video and audio managers to spy on

07:11

the camera and microphone, keyboard

07:15

manager acts as keylogger and others

07:19

so between the latest open source

07:24

release and the latest closed Source

07:26

release there are a couple major

07:28

differences so first of all the panel

07:30

user interface was overhauled to use a

07:32

more newish

07:35

XTP library for the user interface of

07:38

the panel some class names were also

07:40

changed probably for easier readability

07:43

for example the audio manager turns

07:45

into the voice manager and this is

07:47

actually a nice change because if we

07:49

look at a variant and we find a class

07:51

name that is a camera manager that would

07:54

probably indicate that it was based on

07:56

this newer fork of Gh0st RAT audio and

08:00

video compression also were introduced

08:02

and the kernel manager's OnReceive

08:04

method was changed to handle commands

08:07

using a callback table instead of a

08:09

switch case statement

08:12

so these open source releases coming

08:15

from the Gh0st RAT team uh spawned

08:17

lots of variants in the wild like

08:19

hundreds of them so to investigate this

08:22

a little bit and familiarize ourselves

08:24

with Gh0st we collected 22 open source

08:26

forks from various sources and our main

08:30

goal was to link prominent traits of

08:32

these notable variants like

08:33

PseudoManuscrypt for example to these

08:35

available Forks that are open source so

08:37

this would allow us to gain insight into

08:39

the origins of each variant and its

08:41

developers motivations

08:43

but like any evolutionary story there

08:46

has to be missing links so

08:48

these open source variants in our

08:50

collection that share one or more new

08:51

traits with Gh0st 1.0 Alpha which is

08:54

closed source by the way they all retain

08:57

all traits from 3.6 beta for example the

09:01

old class names are still used and the

09:03

old kernel manager relying on switch

09:05

case statement is also there so this

09:07

could indicate that there were some

09:09

possible leaks that are unknown to us of

09:11

intermediate releases that happen

09:13

between 3.6 and 1.0 which we call

09:16

Gh0st X

09:19

so to get more insight into this and to

09:23

be more on the ground so we conducted

09:25

analysis of some closed Source variants

09:27

that are used by distinct uh threat actor

09:30

groups and we try to establish and

09:31

understand connections with other

09:33

variants in our collection

09:35

so the first one was Gh0st Times which

09:37

was first documented by JPCERT in

09:40

2020 it was seen in attacks by BlackTech

09:43

APT they stripped away most features of

09:45

Gh0st 3.6 beta only left a few managers

09:48

but they improved the communication

09:50

protocol, added authentication,

09:52

RC4 encryption they

09:55

also implemented two new classes

09:58

a manager called the UltraPortMap

10:00

manager which does port forwarding

10:02

basically turning the bot into a gateway

10:04

to connect to internal services and also

10:07

a PortMap manager which is a proxy

10:09

feature

10:11

so these port map managers are

10:13

interesting because they have a similar

10:15

but not the same implementation of an

10:16

open source tool called ZXPortMap

10:19

which is common among Chinese speaking

10:21

threat actors and APT groups so in this

10:24

case uh the transfer 1 mode of this

10:27

tool which implements the port

10:28

forwarding maps to the UltraPortMap

10:30

manager in Gh0st Times and the transfer

10:32

2 and transfer 3 mode which work in

10:34

tandem

10:36

they they correspond to the port map

10:38

manager proxy

10:40

so this same name is seen in other

10:42

variants of Gh0st for example in BBSRAT

10:45

that is operated by the Roaming Tiger

10:47

group and also in PseudoManuscrypt these

10:50

are all similar but distinct

10:52

implementations

10:54

so the second group we saw was Gambling

10:57

Puppet which is a sophisticated APT

10:59

uncovered by Trend Micro in 2022 they're

11:02

targeting online gambling businesses

11:04

operating PlugX, Gh0st RAT and other uh

11:08

malware they use multiple modified Forks

11:11

of Gh0st RAT that all seem to

11:13

originate from that Gh0st X variant we

11:15

talked about

11:16

so we analyzed these samples and we saw

11:20

that they actually share some traits

11:22

with forks in our collection

11:24

so the first trait was a unique chat

11:26

manager called CtexChat which we found

11:28

in only one variant in our collection

11:30

which allows like the operator to

11:33

chat with the victim

11:35

second one is a couple of functions that

11:39

allow to play with the victim a little

11:41

bit like open the CD tray, swap mouse

11:43

buttons and this was found in a variant

11:46

called Terminator Platinum

11:49

in addition this malware has an

11:52

improved version of the Gh0st MBR killer

11:55

which is shared by two variants

11:58

Terminator Platinum mentioned in the

11:59

previous slide another variant called

12:01

Fell VIP 3.0 and it's actually

12:04

interesting because the Gh0st 1.0 Alpha

12:06

version does not have

12:08

um an MBR killer

12:11

so the presence of code overlap with

12:13

multiple variants in these

12:17

samples used by the APT

12:19

indicates a complex origin we saw uh or

12:23

we saw code originated from multiple

12:25

variants and it's really difficult to

12:27

trace it back to a single source so we

12:29

think they probably cherry-picked

12:31

features from various projects as it's

12:33

super easy to do that just take the

12:35

manager class and you're good to go

12:39

and I'm going to hand it over to Jorge

12:41

so now that we have a proper context on

12:44

where this

12:46

latest variant PseudoManuscrypt is

12:48

stemming from

12:49

we have the history of Gh0st RAT already

12:53

present now let's delve into these

12:56

latest fork as we mentioned before it

12:59

was first spotted by Kaspersky July 2021

13:04

they reported some similarities with the

13:06

Manuscrypt malware operated by Lazarus

13:09

but since the malware wasn't really the

13:12

same and they were uncertain whether

13:15

the Developers

13:16

behind both projects were the same or

13:18

not they coined the moniker

13:21

PseudoManuscrypt

13:22

Worth mentioning here we are not

13:24

attributing this one to Lazarus in any

13:27

way

13:28

it was brought to our attention in 2022

13:31

and later that year in October we

13:34

started tracking it and very soon after

13:37

we put our Tools in place we realized

13:40

this

13:41

threat was rather active

13:45

which motivated us to have a proper and

13:48

deeper look to improve our tracking

13:51

collection and

13:54

the data we were collecting from it and

13:58

that's when Souhail realized

14:01

the Gh0st connection

14:03

leading to This research we are

14:04

presenting today

14:06

again this is an ongoing situation the

14:10

group is still active as we speak they

14:13

are trying to grow the botnet and for

14:15

doing so they are mainly using two

14:18

delivery methods the first one of them

14:21

is fake cracked software where you will

14:24

turn to your search engine of choice try

14:27

to look for some activator or some crack

14:30

tool to save a few bucks but in turn you

14:34

are running malware as a volunteer on

14:36

your own

14:38

and the other one is install services

14:40

that's why we claim here they are

14:43

following a spray and pray approach for

14:45

distribution

14:47

we haven't observed any targeted

14:50

campaigns towards any business or sector

14:53

or country or region for that matter

14:58

since

15:00

they are using this spray and pray

15:01

approach inevitably in the back end

15:04

they need to know where certain bots are coming from

15:07

and that's why they have this campaign

15:09

identifier which is composed of four

15:12

numbers like 3003 and they are writing

15:15

this value in the registry in the SEO

15:20

ID key

15:22

so this will allow them ideally in the

15:26

back end to track infections

15:29

moving on into the install services when

15:34

we started tracking this threat they

15:36

were only using one install service the

15:40

one which the actors from PrivateLoader

15:43

offer we are also certain they are not

15:46

targeting any specific region

15:50

when it comes to delivery because they

15:53

are using

15:54

the install service

15:58

of the business which allows them to

16:00

spread the binaries to any country in

16:02

the world for example some of these

16:04

install services offer installs to

16:07

worldwide locations or

16:10

only Europe or only the USA which are

16:13

more expensive than the worldwide and

16:16

this one uses the worldwide option

16:21

we think they are also learning as they

16:25

continue their operation because when we

16:27

started tracking it they were only using

16:29

PrivateLoader for delivery

16:33

my guess here is that at some point they

16:36

realized that using the same install

16:38

service again again and again

16:41

will lead their payloads to be executed

16:44

on the very very same computers again

16:46

again and again

16:47

that's why in late 2022 they started

16:51

diversifying the install service they

16:54

use

16:54

they started with a good one and nowadays they

16:57

are using at least four as far as we can

17:00

see and it's interesting because it

17:02

looks like they tried another install

17:05

service which another actor offers

17:08

through an Amadey botnet also they have

17:11

tested another service which some other

17:14

actor offers through a SmokeLoader

17:15

botnet

17:17

perhaps it didn't pay off very well they

17:19

went back to their reliable

17:21

PrivateLoader but then they found the key