Kurt Baumgartner - Same and Different Sesame Street Level Attribution


What can the basics of code similarity analysis tell us about APT malware and implant families? Lots. For example, the SolarWinds/SUNBURST event was interesting on many levels. Unfortunately, when it was first discussed there were rumors, but there was no data to move forward with attribution. Code similarity analysis gave us the first path toward exploring and understanding connections between SUNBURST and the previously known Kazuar implants. Let's examine in depth the fuzzy similarities between DarkHalo's SUNBURST and Turla's Kazuar, and the strengths and weaknesses of the three similar and unique features embedded in these backdoors. Let's dig into both the technical matter and its implications. Then let's look through precise code similarities from some more recent malware findings, including Operation Dianxun implants, some of the implants delivered via the Exchange 0-days, and more. Technical attribution has both its place and its limits. On the flip side, let's examine limits and traps as embodied in Hades' OlympicDestroyer. Abby and Elmo are the same, but different. It may seem common sense to make characteristic comparisons across artefacts, but the practice and needs on the street can be unexpected and complex.
