lazarusholic


SectorA01 Custom Proxy Utility Tool Analysis

2019-01-23, NSHC
https://redalert.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/
#SectorA01 #Simplii #FASTCash

Overview
SectorA01 is one of the most infamous state-sponsored threat actor groups in the world and is unusual in that it is one of the few state-sponsored groups with a strong interest in financial crime. With the continued interest in SectorA01's financial crime activities following the recent potential misattribution of the Ryuk ransomware [1], we decided to analyze one of the tools used exclusively by SectorA01, a proxy utility executable, which recently caught our attention again.
Interestingly, the Hidden Cobra FASTCash report published by US-CERT [2] in October last year included two versions of a "Themida packed proxy service module" (32-bit and 64-bit). Our analysis of those modules showed that critical functions are reused in the sample analyzed in this post, leading us to think that those samples might be an evolution of …

IoC

IP addresses (both fall in RFC 1918 private ranges):
10.1.1.12
172.16.1.1

SHA-256 hashes:
0d75d429c1cc3550b2961be84af777f8bed287a44a144b7a47988c601e1e9a27
19bba0a7669a0109a6d2184bc0135ea4581449c8f5f0ef8a04af057447635cab
1f2cd2bc23556fb84a51467fedb89cbde7a5883f49e3cfd75a241a6f08a42d6d
9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852
9ddacbcd0700dc4b9babcd09ac1cebe23a0035099cb612e6c85ff4dffd087a26
d4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2
f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de