Previously my colleague Wayne talked about an interesting document exploit targeting CVE-2015-1641. In this post, we will talk about who might be behind the attack.
We start our correlation with the analysis of the exploit payload - a remote administration tool (RAT) with MD5 6bde5462f45a230edc7e7641dd711505 (detected as MSIL/Agent.QOO!tr). This RAT looks new to us; hence we suspected that it may either be a new RAT family or a custom RAT that was developed for a specific attacker (hacker). It is compiled with Microsoft Visual Basic .NET with the following backdoor commands listed in its code:
The Curious Case of the Document Exploiting an Unknown Vulnerability – Part 2: RATs, Hackers and Rihanna | Fortinet Blog
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.