Looking into Initial Access Payloads by APT Groups
Contents
- Introduction
- Motivation
- Technical Analysis
- Case 1: Sidewinder using a malicious document to drop an RTF payload
- Case 2: Kimsuky using a malicious LNK file to drop a PowerShell payload
- Case 3: Gamaredon using an HTA to drop further malware
- Case 4: Sidecopy using an LNK to drop a malicious MSI file
- YARA Rules
- Detecting the maldoc
- Detecting the LNK of Kimsuky
- Detecting the HTA
- Detecting the LNK of Sidecopy
- IOCs
- Limitations
- References
Introduction
I recently started learning about maldoc analysis as part of my malware analysis journey. During this process, I explored different APT groups, including SideWinder ( 🇮🇳 ), Kimsuky ( 🇰🇵 ), Sidecopy ( 🇵🇰 ), and Gamaredon ( 🇷🇺 ). I analyzed their samples, focusing on how they gain initial access. To conduct my research, I used platforms like VirusTotal, Twitter, and MalwareBazaar to find and study real-world malware samples. This blog post contains my findings from that work.
Motivation
My motivation is …