Reversing APT29 Duke Malware скачать в хорошем качестве

Reversing APT29 Duke Malware

I'm looking at three binary files. The first is a legit Microsoft signed exe. The second is a stub DLL that does nothing. The third is APT 29 malware that is DLL side-loaded by the legit executable. I'll show how the DLL opens the decoy document, loads wininet.dll using LdrLoadDll, and then connects to a the Zulip chat service for C2 (including the username and password). This malware comes from HackTheBox's Einladen Sherlock. APT 29 malware post: https://0xdf.gitlab.io/2024/05/08/htb... HackTheBox Einladen Blog post: https://0xdf.gitlab.io/2024/05/02/htb... HackTheBox Einladen: https://app.hackthebox.com/sherlocks/... ☕ Buy Me A Coffee: https://www.buymeacoffee.com/0xdf [00:00] Introduction [01:26] Situation overview [01:55] msoev.exe (legit) [04:30] AppVIsvSubsystems64.dll [07:01] mso.dll start [07:49] Exports, imports, and strings [09:56] ShellExecuteA to show decoy [11:03] String decryption functions [13:14] Decrypting string to show decoy [15:05] Loading wininet.dll [19:05] Getting wininet functions [22:48] C2 activity [27:54] Back to entry point [29:25] Conclusion #pentest #ctf #malware #ghidra #apt29