APT28 is a threat actor group responsible for many recent cyber incidents. Incident response to this Advanced Persistent Threat (APT) and damage limitation rely heavily on network traffic investigation. Nevertheless, such efforts are usually blocked by technical difficulties. Source address information retrieved by flow analysis does not reveal anything useful about the APT's target, because traffic from APT malware is usually relayed through several proxies. Deep packet inspection also often fails to help, because the traffic of advanced malware is usually encrypted. In our research, we reverse engineered and broke the encryption algorithm of one X-Agent malware sample, a rootkit from the APT28 family.
In the course of our reverse engineering, we found that the encrypted traffic contains a persistent field: a semi-unique victim ID derived from system volume information. Since APT28 mainly targets high-ranking officials, state actors can deploy the decryption technique we describe on gateways to reveal the identities of victims.
Moreover, by large-scale Internet scanning for the URL pattern we introduce in this white paper, currently active APT28 servers can be found. Communication with these servers for further investigation can be established by following the encryption/decryption scheme we explain.
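The gateway-side workflow the two paragraphs above describe (decrypt the beacon body, pull out the persistent victim ID, and cluster traffic by that ID instead of by source address) can be sketched as an added example. This is not code from the white paper or from RedSocks: the real X-Agent cipher, message layout and victim-ID derivation are only in the full report, so the block substitutes a hypothetical stand-in for each (repeating-key XOR with a static key, an `<8 hex chars>|<payload>` layout, and CRC32 of the volume serial number). The key `b"redsocks"`, the sample addresses and the sample beacon contents are constructed for the demonstration.

```python
"""Gateway-side victim-ID extraction from X-Agent-style beacon traffic.

Added example, not code from the RedSocks white paper. The real X-Agent
cipher, message layout and URL pattern are only in the full report, so this
block substitutes a HYPOTHETICAL scheme to make the workflow runnable:
  - cipher:     repeating-key XOR with a static key   (assumed stand-in)
  - plaintext:  <8 hex chars victim ID> '|' <payload> (assumed layout)
  - victim ID:  CRC32 of the NTFS volume serial number (assumed derivation)
Swap these three pieces for the recovered ones and the rest stays the same.
"""
import re
import zlib
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

STATIC_KEY = b"redsocks"  # placeholder for the key recovered by reverse engineering

BEACON_RE = re.compile(rb"([0-9a-f]{8})\|(.*)", re.S)


def derive_victim_id(volume_serial: int) -> str:
    """Hypothetical derivation: CRC32 over the 4-byte little-endian volume serial.
    The same host always yields the same ID, so it persists across sessions."""
    return f"{zlib.crc32(volume_serial.to_bytes(4, 'little')) & 0xFFFFFFFF:08x}"


def xor_crypt(data: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Symmetric stand-in cipher: one function both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_beacon(volume_serial: int, payload: bytes) -> bytes:
    """What the implant would put on the wire (used here only to construct samples)."""
    return xor_crypt(derive_victim_id(volume_serial).encode() + b"|" + payload)


def parse_beacon(body: bytes) -> Optional[Tuple[str, bytes]]:
    """Decrypt one HTTP body and return (victim_id, payload); None if it is not a beacon."""
    m = BEACON_RE.fullmatch(xor_crypt(body))
    if not m:
        return None
    return m.group(1).decode("ascii"), m.group(2)


def victims_by_id(flows: List[Tuple[str, bytes]]) -> Dict[str, Set[str]]:
    """Group observed flows by the persistent victim ID rather than by source address."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for src_ip, body in flows:
        parsed = parse_beacon(body)
        if parsed is not None:
            groups[parsed[0]].add(src_ip)
    return dict(groups)


# Constructed sample capture: (source address seen at the gateway, HTTP body).
# The first victim shows up from two different addresses, as it would when its
# traffic is relayed through changing proxies; the last flow is unrelated noise.
SAMPLE_FLOWS: List[Tuple[str, bytes]] = [
    ("203.0.113.5",  build_beacon(0x1A2B3C4D, b"hostname=DESK-01;user=alice")),
    ("198.51.100.7", build_beacon(0x1A2B3C4D, b"screenshot:chunk=3")),
    ("192.0.2.9",    build_beacon(0x7E7E0001, b"hostname=LAPTOP-9;user=bob")),
    ("192.0.2.10",   b"plain text, not a beacon"),
]

if __name__ == "__main__":
    for victim_id, sources in victims_by_id(SAMPLE_FLOWS).items():
        print(f"victim {victim_id}: seen from {sorted(sources)}")
```

The point of the grouping step is the one the abstract makes: the two beacons from the first victim arrive from different source addresses, so flow analysis alone would count them as unrelated, while the decrypted ID ties them to one host. Anything that does not decrypt into the expected layout is dropped rather than guessed at, which is the behaviour you want on a gateway that also carries benign traffic.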
Download the full report here:
Written by Sina Davanian, Malware Researcher at RedSocks Security