The video demonstrates the analysis of a malware sample used by a Pakistani Advanced Persistent Threat (APT). Here are the key points covered:
- Introduction:
  - The malware sample is an Excel add-in file (.xlam) with malicious macros.
  - The analysis is conducted in a Windows 10 virtual machine with network adapters removed for safety.
- Initial Execution:
  - The malware triggers upon enabling macros in the Excel file.
  - It opens a decoy document while executing malicious actions in the background.
- Static Analysis:
  - Tools like OLE Tools and REMnux are used to extract and analyze the macros.
  - The Visual Basic for Applications (VBA) code is examined, revealing multiple subroutines that execute upon document events.
- Deobfuscation and Code Analysis:
  - The VBA code is deobfuscated to understand its functionality.
  - The malware copies itself, creates directories, and extracts embedded objects.
- Payload and Execution:
  - The malware creates a zip archive and extracts its contents, including a .scr (screensaver) file.
  - The screensaver file is identified as a .NET assembly, further analyzed using tools like dnSpy and ILSpy.
- Command and Control:
  - The malware establishes command and control (C2) communication, using hardcoded IP addresses and ports.
  - It includes capabilities for remote access and data exfiltration.
- Persistence Mechanism:
  - The malware uses the Windows registry to establish persistence, ensuring it runs on system startup.
- Detection and Attribution:
  - The malware is detected by multiple antivirus engines, identified as the Crimson RAT (Remote Access Trojan).
  - The sample is linked to the Transparent Tribe APT group, known for using Crimson RAT in their campaigns.
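The static-analysis, persistence and C2 points above map onto two routine triage steps: an olevba-style keyword pass over the extracted VBA (auto-exec handlers, risky APIs, writes to a `CurrentVersion\Run` key) and a strings-style sweep of the dropped payload for hard-coded IP:port pairs. The script below is an added example written for this summary, not code from the video or from the sample; the VBA module, the byte blob and the keyword tables are constructed stand-ins (modelled on the categories olevba reports), and the IP addresses are documentation ranges, not the real C2.

```python
"""Static triage helpers: olevba-style VBA keyword pass plus hard-coded
IP:port extraction from a binary payload. Added example; all inputs below
are constructed, not taken from the real sample."""
import re

# Constructed VBA mimicking the behaviour summarised above: an auto-executing
# handler builds a drop path, pulls an embedded object out of the workbook,
# launches a .scr hidden and registers it under a Run key.
SAMPLE_VBA = r'''
Private Sub Workbook_Open()
    Dim fso As Object, p As String
    Set fso = CreateObject("Scripting.FileSystemObject")
    p = Environ("APPDATA") & "\svchost\"
    fso.CreateFolder p
    ActiveSheet.OLEObjects(1).Copy
    Shell p & "update.scr", vbHide
    CreateObject("WScript.Shell").RegWrite _
        "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", p & "update.scr"
End Sub
'''

# Heuristic keyword tables (assumed here, modelled on olevba's categories).
AUTOEXEC = ("Workbook_Open", "Auto_Open", "Document_Open", "AutoOpen", "Workbook_Activate")
SUSPICIOUS = {
    "CreateObject": "late-bound COM object creation",
    "Shell": "process execution",
    "Environ": "environment lookup (typical when choosing a drop path)",
    "CreateFolder": "filesystem write",
    "OLEObjects": "access to embedded objects",
    "RegWrite": "registry modification",
    "vbHide": "hidden window",
}
# Any path ending in ...\CurrentVersion\Run or RunOnce is startup persistence.
RUN_KEY = re.compile(r"(?i)HK(?:CU|LM|EY_\w+)\\[^\"']*\\CurrentVersion\\Run(?:Once)?\\")


def triage_vba(vba: str) -> dict:
    """Whole-word scan of a VBA module: auto-exec handlers, suspicious API
    names with a short reason, and whether a Run-key write is present."""
    words = set(re.findall(r"[A-Za-z_]\w*", vba))
    return {
        "autoexec": [k for k in AUTOEXEC if k in words],
        "suspicious": {k: v for k, v in SUSPICIOUS.items() if k in words},
        "run_key_persistence": bool(RUN_KEY.search(vba)),
    }


# Constructed stand-in for a .NET payload. User strings in a .NET assembly sit
# in the #US heap as UTF-16LE, so the scanner checks both encodings and also
# includes two malformed entries that a naive regex would accept.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"192.0.2.10:5000\x00"                    # ASCII string
    + "203.0.113.7:8080".encode("utf-16-le")    # UTF-16LE, as in a #US heap
    + b"\x00\x00" + b"999.1.1.1:80\x00"         # invalid octet, must be rejected
    + b"10.0.0.5:70000\x00"                     # invalid port, must be rejected
)

_ASCII = re.compile(rb"((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})")
_UTF16 = re.compile(rb"((?:(?:\d\x00){1,3}\.\x00){3}(?:\d\x00){1,3}):\x00((?:\d\x00){1,5})")


def extract_c2_candidates(blob: bytes) -> list:
    """Return (ip, port) pairs hard-coded in ASCII or UTF-16LE, dropping
    anything with an octet above 255 or a port outside 1..65535."""
    found = []
    for pattern, enc in ((_ASCII, "ascii"), (_UTF16, "utf-16-le")):
        for m in pattern.finditer(blob):
            ip, port = m.group(1).decode(enc), int(m.group(2).decode(enc))
            if all(int(o) <= 255 for o in ip.split(".")) and 0 < port <= 65535:
                found.append((ip, port))
    return found


if __name__ == "__main__":
    verdict = triage_vba(SAMPLE_VBA)
    print("auto-exec handlers :", verdict["autoexec"])
    for api, why in verdict["suspicious"].items():
        print(f"  suspicious {api:<13} {why}")
    print("Run-key persistence:", verdict["run_key_persistence"])
    print("C2 candidates      :", extract_c2_candidates(SAMPLE_BLOB))
```

On a real case the VBA text would come from `olevba`'s extraction and the blob from the dropped .scr; the candidate list is what you would pivot on in proxy and firewall logs, and the Run-key hit is the value to check under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` on the host.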