Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign

by William Gamazo Sanchez and Joseph C. Chen


In November 2019, we published a blog analyzing an exploit kit we named Capesand that exploited Adobe Flash and Microsoft Internet Explorer flaws. During our analysis of the indicators of compromise (IoCs) in the deployed samples that were infecting victims’ machines, we noticed some interesting characteristics: notably, that these samples were making use of obfuscation tools that made them virtually undetectable.


After some data collection, we found more than 300 samples correlating to the mentioned indicators that have recently been very active: our first detections occurred in August, and the campaign itself is still ongoing (with occasional spikes in between). We saw a rising usage of tools that provide fully undetectable obfuscation capabilities – signifying that the authors behind the samples designed their malware variants to be as stealthy as possible. We decided to name the potential campaign associated with these IoCs “KurdishCoder”, based on the property name of an assembly module found in one of the samples.


We took a look at one of the samples captured from Capesand that was used to deploy the njRat malware – notably its main executable, NotepadEx. We found that there were multiple layers of obfuscation using a combination of two tools: the .NET protectors ConfuserEx and Cassandra (CyaX). Both of these tools are used in combination to provide an array of fully undetectable capabilities to the deployed njRat malware variant.


Examining the Capesand samples


The simplified diagram taken from the previous blog shows the combination of ConfuserEx and Cassandra via the second layer of obfuscation protection, which involves the DLL CyaX_Sharp Assembly (both CyaX_Sharp and CyaX are part of the Cassandra protector).


