Analyzing a Pakistani APT Malware Sample

The video demonstrates the analysis of a malware sample used by a Pakistani Advanced Persistent Threat (APT). Here are the key points covered:

  1. Introduction:
    • The malware sample is an Excel add-in file (.xlam) with malicious macros.
    • The analysis is conducted in a Windows 10 virtual machine with network adapters removed for safety.
  2. Initial Execution:
    • The malware triggers upon enabling macros in the Excel file.
    • It opens a decoy document while executing malicious actions in the background.
  3. Static Analysis:
    • Tools like oletools (running on REMnux) are used to extract and analyze the macros.
    • The Visual Basic for Applications (VBA) code is examined, revealing multiple subroutines that execute upon document events.
  4. Deobfuscation and Code Analysis:
    • The VBA code is deobfuscated to understand its functionality.
    • The malware copies itself, creates directories, and extracts embedded objects.
  5. Payload and Execution:
    • The malware creates a zip archive and extracts its contents, including a .scr (screensaver) file.
    • The screensaver file is identified as a .NET assembly, further analyzed using tools like dnSpy and ILSpy.
  6. Command and Control:
    • The malware establishes command and control (C2) communication, using hardcoded IP addresses and ports.
    • It includes capabilities for remote access and data exfiltration.
  7. Persistence Mechanism:
    • The malware uses the Windows registry to establish persistence, ensuring it runs on system startup.
  8. Detection and Attribution:
    • The malware is detected by multiple antivirus engines, identified as the Crimson RAT (Remote Access Trojan).
    • The sample is linked to the Transparent Tribe APT group, known for using Crimson RAT in their campaigns.
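
A small triage script, added here as an example (not code from the video or the analyst), showing what the static-analysis and deobfuscation steps above look for: it checks an OOXML container for a VBA project and embedded objects, then flags document-event entry points and the described behaviours (self-copy, a dropped .scr, a Run-key write, shelling out) in already-extracted VBA source. The .xlam bytes and the VBA text are constructed stand-ins, and real macro extraction and decompression are left to oletools' olevba.

```python
import io
import re
import zipfile

# Document-event handlers and legacy auto-exec names: VBA in these runs as soon as macros are enabled.
AUTO_EXEC = re.compile(r"\b(Workbook_Open|Workbook_Activate|Auto_Open|Document_Open|Workbook_BeforeClose)\b")
# Behaviours the walkthrough describes: self-copy/directory creation, a dropped .scr, Run-key persistence, shelling out.
SUSPICIOUS = {
    "drops_scr": re.compile(r"\.scr\b", re.I),
    "file_copy": re.compile(r"\b(FileCopy|MkDir|SaveAs)\b"),
    "registry_run": re.compile(r"CurrentVersion\\Run\b", re.I),
    "shell_exec": re.compile(r"\b(Shell|WScript\.Shell|CreateObject)\b"),
}

def triage_ooxml(data: bytes) -> dict:
    """Inspect an OOXML container (.xlam/.xlsm): does it carry a VBA project, and which embedded objects?"""
    report = {"has_vba": False, "embedded": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                report["has_vba"] = True
            elif name.lower().startswith("xl/embeddings/"):
                report["embedded"].append(name)
    return report

def triage_vba(source: str) -> dict:
    """Flag auto-exec entry points and the suspicious behaviours above in already-extracted VBA source."""
    return {
        "auto_exec": sorted({m.group(1) for m in AUTO_EXEC.finditer(source)}),
        "indicators": sorted(k for k, rx in SUSPICIOUS.items() if rx.search(source)),
    }

def build_sample_xlam() -> bytes:
    """Constructed stand-in for the add-in: a zip with a VBA project stream and one embedded object (no real macro)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")  # OLE magic, nothing else
        zf.writestr("xl/embeddings/oleObject1.bin", b"placeholder")
    return buf.getvalue()

# Constructed VBA mirroring the behaviours described (not the sample's real code); paths are placeholders.
SAMPLE_VBA = r'''
Private Sub Workbook_Open()
    FileCopy ThisWorkbook.FullName, "<staging-dir>\copy.xlam"
    Shell "<staging-dir>\payload.scr", vbHide
    CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x", "<staging-dir>\payload.scr"
End Sub
'''
```

In practice, feed `triage_ooxml` the raw .xlam bytes and `triage_vba` the source olevba prints, and treat a hit on `auto_exec` combined with any indicator as grounds for full dynamic analysis in an isolated VM like the one described.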