Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Introduction, talking about why I think APT-29 successfully phishing is funny 01:10 - Unit42's blog post talking about how the phishing document worked 02:15 - Going to google to show APT29 doing the lnk file in a zip since atleast 2016, Mandiant post. 03:40 - Talking about why phishers put executables or things to click on in zip/iso/compressed folders 04:50 - Talking about why they may use DLL Side Loading to execute the shellcode 06:25 - Showing what the user see's when they open the iso file 07:48 - Talking about why we are starting with shellcode instead of a weaponized document and why red teams like shellcode 09:00 - Using MSFVenom to generate a malicious executable with custom shellcode from BRc4 10:15 - Opening the executable with x64dbg, so we can extract a program from memory. This is great for when the shellcode is obfuscated through like shikata ga nai 11:00 - Setting a breakpoint on LdrLoadDll, showing the memory map is empty 12:15 - Running the program, examining memory on LdrLoadDll breakpoint. Showing a weird Execute-Read Permission, which initially was Read-write (screwed up initially explaining it) 13:10 - The E_MAGIC (MZ Header) is nulled out, talking about why the brute ratel may do that 14:20 - Dumping the memory to a file, copying it to linux where i have ida 15:30 - Using hexedit to set the first two bits to MZ, so ida recognizes it as an executable 16:50 - Talking about ordinal loading 18:05 - Showing the applicaiton uses ror13 hashes to call functions to avoid strings. Using google to find what the hash goes to 20:20 - The coffee string is weird, going into it 21:10 - Looking at a function that looks like it sends strings to the teamserver 22:45 - Showing similarities of the coff loader from trusted sec 24:00 - Converting another ror13 hash in badger to a function 25:25 - Having ida show all strings 25:50 - Looking at the AMSI Patch thing 26:35 - Stumbling across a static encryption key 29:00 - Looking at a likely PSExec functional

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

Related AI Lessons

A Systems-Theory Framework for Managing Burnout in Cybersecurity Teams

Apply systems theory to manage cybersecurity team burnout with targeted interventions, preserving human reliability in high-pressure environments

JWKS Is the Part of OAuth Nobody Explains Until Production Breaks

Learn how JWKS works with OAuth and JWTs to secure your app

Medium · Cybersecurity

HTB Path — AI Defense Walkthrough

Learn how to defend against AI-powered attacks with a walkthrough of the HTB Path AI Defense challenge

Medium · Cybersecurity

I Passed the OSCP on My First Attempt - My Study Plan

Learn how to prepare for the OSCP exam with a focused study plan and methodical thinking under pressure

Medium · Cybersecurity

Chapters (24)

Introduction, talking about why I think APT-29 successfully phishing is funny

1:10 Unit42's blog post talking about how the phishing document worked

2:15 Going to google to show APT29 doing the lnk file in a zip since atleast 2016,

3:40 Talking about why phishers put executables or things to click on in zip/iso/co

4:50 Talking about why they may use DLL Side Loading to execute the shellcode

6:25 Showing what the user see's when they open the iso file

7:48 Talking about why we are starting with shellcode instead of a weaponized docum

9:00 Using MSFVenom to generate a malicious executable with custom shellcode from B

10:15 Opening the executable with x64dbg, so we can extract a program from memory. T

11:00 Setting a breakpoint on LdrLoadDll, showing the memory map is empty

12:15 Running the program, examining memory on LdrLoadDll breakpoint. Showing a wei

13:10 The E_MAGIC (MZ Header) is nulled out, talking about why the brute ratel may d

14:20 Dumping the memory to a file, copying it to linux where i have ida

15:30 Using hexedit to set the first two bits to MZ, so ida recognizes it as an exec

16:50 Talking about ordinal loading

18:05 Showing the applicaiton uses ror13 hashes to call functions to avoid strings.

20:20 The coffee string is weird, going into it

21:10 Looking at a function that looks like it sends strings to the teamserver

22:45 Showing similarities of the coff loader from trusted sec

24:00 Converting another ror13 hash in badger to a function

25:25 Having ida show all strings

25:50 Looking at the AMSI Patch thing

26:35 Stumbling across a static encryption key

29:00 Looking at a likely PSExec functional

Ethical Hacking Career In 60 Seconds | Ethical Hacking Career Roadmap 2026 | #Shorts | #simplilearn