The cybersecurity expert Brian Krebs: The malware has undergone a rebrand. The binary is virtually identical, and employs the same "MZ-as-alternative-entrypoint" trick.
Yoroi-Cybaze analyzed the declassified samples of the latest cyber attack against the Australian Parliament House. The threat actor used an arsenal of cyber weapons to conduct its cyber warfare operation.
The malicious hackers, probably state-sponsored, who attacked the Australian Parliament House in recent days used an arsenal of cyber weapons. This was discovered by Yoroi-Cybaze cyber security experts, who analyzed samples from the cyber offensive. According to the company’s blog, the aggressors chose a multi-modular approach for the development of their arsenal, building a complex implant that leverages an ecosystem of libraries providing the functionality needed to conduct advanced offensive cyber operations. Although these functions and libraries do not appear to contain any zero-day exploit or technique, the detection of these modules within a high-value perimeter such as the Australian Parliament provides important indications about this threat actor’s cyber arsenal development strategy.
The cyber security experts: the malicious actor abused and customized open-source PenTest tools
According to Yoroi-Cybaze, the declassified samples reveal the abuse and customization of open-source PenTest tools. Proof-of-concept code is one of the preferred ways state-sponsored hackers build their arsenal, possibly because it lowers the “time-to-market” and the resources required to write it, without reducing its effectiveness and dangerousness. It also shows how these supposedly “known” techniques and tools can easily be repackaged into evasive and silent implants, capable of bypassing traditional cyber security boundaries. Moreover, none of the modules studied by the experts belong to an open-source post-exploitation framework, like Metasploit or Empire; they appear to have been written from scratch in the high-level language C# on top of the .NET Framework.
Some of the malware used in the cyber warfare operation against the Australian Parliament House: from LazyCat to RottenPotato, passing through Powerkatz and OfficeCommu.dll
The first sample analyzed by Yoroi is the LazyCat malware, mainly derived from the famous Mimikatz pentest tool. Then there is a particular module, named “RottenPotato”. It is a different version of the GitHub source code: the cyber security experts found that some of the functions it includes are not present in the public source code. This indicates that the aggressor further weaponized the code to make it more effective in the cyber attack against the Australian Parliament House. At the same time, the use of publicly available code and open-source tools makes precise attribution of the weapons to a particular threat actor more difficult. The same applies to Powerkatz, which differs from the tool available on GitHub. Like the other samples, it is written in the C# programming language too. The last sample analyzed by the cyber security experts is “OfficeCommu.dll”. It is a sort of utility, used to create a “PowershellAgent”.
Photo Credits: Yoroi-Cybaze