Wait. How does the malware author injecting themselves with their own malware lead to Malwarebytes getting screenshots of the attacker's machine? Did they somehow breach the APT's network or hijack the malware? Is there some context I'm missing behind this blog post?
The malware appears to use a web-based command and control server, so there could be a vulnerability in it, an easily brute-forced password or even open access. For example, Zeus, the first major banking trojan, would store logs for each infected victim in a folder on its web server. If the owner was careless, these would be exposed in an open directory. If this was the case, the very first folder would almost always be a test infection of the owner, and the very first password capture in it would be the owner logging into the control panel to see if it was working. Good fun back in the day.
Strictly speaking, they're wrong about the keyboard layout. "ENG\nIN" means something like "English (India)" - the layout selector only shows the currently active layout (if more than one layout is configured). The other layouts are only shown when clicking on it and might be anything.
Also, when defining a custom keyboard layout you have relative freedom in picking the name and language/region it's classified as. So that "ENG\nIN" could be anything.
Source: I have two layouts installed. The default regional keyboard layout so co-workers using my machine don't go insane (shown as "DEU \nDE" [=Language\nRegion]), and for myself a customized variant of the US layout. I can't recall the exact reason why I configured it as it is (maybe to avoid installing the "ENG" language pack?), but that custom US layout shows as plain "DEU" (no second line).
The logic in the PHP snippet which captures IP addresses is not correct. Any user is able to add an X-Forwarded-For header to mask their real IP from the logs.
I wouldn’t be surprised if the log file can have additional entries spoofed with new lines also ;)
Not necessarily. That code could be written assuming it is running behind a reverse proxy/other infrastructure (that would obviously strip/replace any x-forwarded-for etc. provided by the user). The comments seem to indicate it is running behind a proxy of the author's choosing, but that may just be bad English.
At the very least something has to be providing that HTTP_CLIENT_IP which is given the highest priority. It would be odd to prioritize that over HTTP_X_FORWARDED_FOR if you weren't adding special cases for different upstream proxies.
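The header-priority problem discussed in the comments above, as an added example (not the snippet from the blog post): one function mirrors the described lookup order, where client-supplied headers win over REMOTE_ADDR, beside one that only honours X-Forwarded-For when REMOTE_ADDR is a configured proxy, plus a log writer that neutralises the newline injection mentioned earlier. The proxy addresses and sample requests are constructed for illustration.

```python
import ipaddress

# Constructed example: the lookup order the comments describe (HTTP_CLIENT_IP,
# then HTTP_X_FORWARDED_FOR, then REMOTE_ADDR), versus a trusted-proxy version.

def naive_client_ip(server: dict) -> str:
    """Client-supplied headers are consulted before the socket address,
    so anyone can set HTTP_CLIENT_IP and pick what gets logged."""
    for key in ("HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "REMOTE_ADDR"):
        if server.get(key):
            return server[key].split(",")[0].strip()
    return ""

def trusted_client_ip(server: dict, trusted_proxies: set[str]) -> str:
    """Use REMOTE_ADDR unless it is a known proxy; then walk X-Forwarded-For
    right-to-left and stop at the first hop that is not a trusted proxy.
    Anything the client prepended itself is left of that hop and ignored."""
    addr = server.get("REMOTE_ADDR", "")
    if addr not in trusted_proxies:
        return addr  # direct connection: forwarding headers are untrusted
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if hop not in trusted_proxies:
            return hop
    return addr

def is_valid_ip(value: str) -> bool:
    """Reject anything that is not a bare IPv4/IPv6 literal (no trailing newline, etc.)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def log_line(ip: str, user_agent: str) -> str:
    """Build one log entry; CR/LF in attacker-controlled fields would otherwise
    let a client forge additional entries, so they are escaped."""
    if not is_valid_ip(ip):
        raise ValueError("not an IP address")
    safe_ua = user_agent.replace("\r", "\\r").replace("\n", "\\n")
    return f"{ip} {safe_ua}"
```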
“Occam’s grooming implement” is a riff on Occam’s razor. It caught me way off guard and I had to read it three times, but it was worth it. English is a really strange language, and well timed word play is a real gift.
I think the fact that they were able to use the attacker's own exploit to get onto their dev machine and see the EN/IN keyboard layout was a major flag (along with the targets of the malware).
Having been in this field myself at one time, this is fairly common (self-infection when testing) and why you would never develop or test on an internet facing machine. It's also why you ensure your command and control and all comms are encrypted, keys rotated, expirations, etc.
Most people developing advanced malware don't want someone else sniffing around, finding their drops, using their tools, or worse, discovering what's been exfiled and why the target was specifically selected.
Not true mate. Have setup plenty of machines with this as the choice and have also seen others running with ENG IN as the layout in their off-the-shelf laptops.
Kind of a buzzword, not really applied all that consistently (sounds scary, if you're selling something it gets attention, if you're explaining why you failed to defend it always helps to make the attacker seem sophisticated)