Reversing PebbleDash’s FakeTLS Protocol
So I was looking through CISA's recent publications regarding three tools named PebbleDash[1], Copperhedge[2] and Taintedscribe[3], which are believed to be used by the state-sponsored North Korean hacking group HiddenCobra/APT 38/Lazarus Group.
I started off with PebbleDash, because there was a functionality mentioned in the report that caught my eye:
I wanted to know how such a FakeTLS mechanism works and how it is implemented. I also want to mention beforehand that I did not check whether the code used by PebbleDash is reused from any GitHub repository or other tools. This blog post focuses mainly on the mentioned functionality.
PebbleDash
PebbleDash is a Remote Access Tool (RAT) and is, in my opinion, built rather simply but effectively. For obfuscation, it implements routines to load libraries during execution and encrypts parts of its content with a custom algorithm. As always with RAT tools, it offers its controllers a variety of options to cause mayhem on a …