A forum for reverse engineering, OS internals and malware analysis
Upon discovery, the team reverse engineered the code and believes that based on the nature, behavior and sophistication of the malware and the extreme measures it takes to evade detection, it likely points to a nation-state sponsored initiative, potentially originating in Eastern Europe.Nation state rootkits, probably from fuckav.ru/wasm.ru
It exhibits traits seen in previous nation-state Rootkits, and appears to have been designed by multiple developers with high-level skills and access to considerable resources.Use a low level sophisticated stuff.
Use of low-level API (Nt* and Rtl*) and direct system calls (INT 2Eh and CALL ntdll!KiFastSystemCall)Education stuff, yes we are in 2016.
were used to bypass user-space hooks used by antivirus software and sandboxes. This also demonstrates the expertise of the author.
To gain an understanding of these functions, one has to be familiar with the Windows Driver Development Kit (DDK), and also reverse-engineered portions of the Windows operating system.Nope you don't.
Although RC4 isn’t an esoteric stream cipher, the decision by the author to use such a cipher shows a level of sophistication not seen in typical crimeware.What?
