APT: a new free tool from Marco Ramilli to help spot them
There is a new free tool to help spot APTs in the wild. It has been developed by Marco Ramilli, founder of Yoroi-Cybaze.
A new tool to help spot Advanced Persistent Threats (APTs) has been introduced by Marco Ramilli, cyber security expert and founder of Yoroi-Cybaze. It is free and based on YARA rules. The researcher started from the observation that there are many ways to spot APTs: during a forensic analysis of a “high rate incident”, by running sandbox systems on critical infrastructures, by working as an incident responder for big companies or in a national CERT, or by building a simple tool that performs analysis on malware streams. So he built his own, on the principle that, “according to static analysis, we might build YARA rules to identify specific sets of binaries,” Ramilli explained on his blog. “If we classify those binaries as ‘related to APT’ we might extract from tons of binaries the ones that match classified YARA rules and that could be related to APTs.”
The cyber security expert: it collects and classifies hashes according to APT rules, but to be accurate it needs a lot of human analysis
The anti-APT tool, in fact, collects and classifies hashes according to Advanced Persistent Threat related rules. In the last 24 hours it analyzed over 200 samples, finding that most of them are related to the Dragonfly group and to the banking trojans SpyEye and Ursnif. Ramilli, however, advised that “we might have false positives for mainly two reasons: it’s only static analysis, if you run those samples on a live sandbox you might discover unattended behaviour. No human analysis, this is the result of mere algorithms, no human interacted and checked those results.” So the cyber security expert underlines that this tool is the easiest way to spot APTs, but it is also one of the most inaccurate: it needs a lot of manual analysis before the sample can be confirmed as belonging to a specific Advanced Persistent Threat.
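The pipeline the article describes (build YARA-style rules from static indicators, run a stream of binaries through them, keep the hashes that match, and accept that static matching alone produces false positives) can be illustrated with a small stand-alone classifier. The following is an added example written for this page; it is not Ramilli's tool or his rules. It does not use the `yara` library, so it runs offline: each rule is a `strings:` block plus an `N of them` threshold, the sample "binaries", the rule names, the indicator strings and the tags are all constructed for illustration, and the last sample shows why a hit still needs human confirmation.

```python
"""Minimal YARA-style static classifier: hashes a stream of binaries and
tags each hash with the rules it matched.  Added example; every rule,
pattern, tag and sample below is constructed, not a real signature."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    tags: tuple          # labels attached to a matching hash (constructed)
    strings: dict        # identifier -> byte pattern, like a YARA `strings:` block
    min_matches: int     # threshold, like a YARA `N of them` condition


# Hypothetical rules.  The patterns are typical static-analysis artefacts
# (a PDB path, a C2 URI fragment, a mutex name), invented for this example.
RULES = [
    Rule("apt_family_x_pdb_and_c2", ("apt", "family_x"),
         {"$pdb": b"D:\\work\\loader\\Release\\loader.pdb",
          "$c2": b"/gate.php?id=",
          "$mtx": b"Global\\fx_mutex_"}, min_matches=2),
    Rule("banker_y_webinject", ("banker", "family_y"),
         {"$inj": b"webinject_config",
          "$grab": b"formgrabber"}, min_matches=1),
]


def sha256_hex(data):
    """Hash used as the sample identifier in the report."""
    return hashlib.sha256(data).hexdigest()


def scan(rule, data):
    """Return the identifiers of the rule's strings found in data when the
    threshold is met, otherwise an empty list (the rule did not fire)."""
    hits = [ident for ident, pattern in rule.strings.items() if pattern in data]
    return hits if len(hits) >= rule.min_matches else []


def classify(samples, rules=RULES):
    """Map the SHA-256 of each sample to the rules it matched.  Samples that
    match nothing are dropped: this is the 'extract from tons of binaries the
    ones that match' step.  Every entry is still a candidate, not a verdict."""
    report = {}
    for data in samples:
        matched = {}
        for rule in rules:
            hits = scan(rule, data)
            if hits:
                matched[rule.name] = {"strings": hits, "tags": rule.tags}
        if matched:
            report[sha256_hex(data)] = matched
    return report


# Constructed stand-ins for a malware stream: an MZ header plus a few
# embedded strings each.
MZ = b"MZ\x90\x00" + b"\x00" * 16
SAMPLES = [
    MZ + b"D:\\work\\loader\\Release\\loader.pdb\x00/gate.php?id=",  # 2 of 3: fires
    MZ + b"webinject_config\x00",                                   # fires banker rule
    MZ + b"hello world\x00",                                        # nothing fires
    MZ + b"/gate.php?id=",                                          # 1 of 3: below threshold
    MZ + b"This scanner detects formgrabber malware\x00",           # benign text, still fires
]


if __name__ == "__main__":
    for digest, matched in classify(SAMPLES).items():
        print(digest[:16], matched)
```

The fourth sample shows the threshold doing its job (a single C2-looking string is not enough), while the fifth shows the limit of static matching the article warns about: a benign binary that merely mentions `formgrabber` is reported with the same confidence as a real banker, and only a sandbox run or an analyst can tell them apart.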