Zeroaccess bitcoin exchange

This is the second part of the Russian APT series. APT29 – The Dukes / Cozy Bear: APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. A Zeroaccess bitcoin exchange In Russian Active Measures And Influence Campaigns.

No Easy Breach: Challenges and Lessons from an Epic Investigation. ‘Cyber War’: Russia’s Use of Strategic Cyber Espionage and Information Operations in Ukraine. Analyze it all to your heart’s content. Prove or disprove Russian hacking in general or DNC hacking in particular, find that “400 lb hacker”, or nail another country altogether. You can also have fun and exercise your malware analysis skills without any political agenda.

The post contains malware samples analyzed in the APT28 reports linked below. I will post APT29 and others later. Email me if you need the password. The transition will take some time, so email me links to what you need. The plugins are downloaded each time the malware starts, since they aren’t stored on the hard drive.

The first is a full plugin whose export function is called Plug; the second is a light plugin with an export function named Scan. Light plugins terminate immediately after returning a buffer with the information they harvested off the victim’s machine. The data sent is encapsulated using the XML-RPC protocol. In the second stage, the malware generates a symmetric AES-256 key.

I get emails from readers asking for specific malware samples and thought I would make a mini post about it. Yes, I often obtain samples from various sources for my own research. If you are looking for a particular sample, feel free to ask. If you ask for a particular family, I might be able to help if I already have it.