TTP Tuesday: APT38 CryptoSpy
Replicating TraderTraitor
Theme Overview
We are fresh off the heels of last week’s chain that replicated WannaCry. This week we are looking at APT38’s cryptocurrency attacks. You can replicate many things, but replicating an entire blockchain seemed a little extreme, so this week’s chain concentrates on the way initial access was gained, as described in the advisory on cisa.gov.
Custom Malware
Any time I see an opportunity to write something custom, I like to take advantage of it. So even though this chain might not have a lot of TTPs, that doesn’t mean there isn’t a lot going on in the background. According to CISA, the U.S. government refers to the malware used by APT38 in these attacks as “TraderTraitor”. The malware is an Electron-based Node.js application, like Operator, just minus the malware part😜.
This means I needed to write a piece of malware with a graphical user interface (GUI). Due to my less than …