ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger
ASERT Threat Intelligence Report – Uncovering the Seven Pointed Dagger
        plain.append(chr(plain_byte))
        key_material_2 = key_material_1
        key_material_1 = xor_key
    fp = open(sys.argv[1] + ".decrypted", "wb")
    fp.write("".join(plain))
    fp.close()
https://github[.]com/5loyd/trochilus/blob/master/client/servant/body/common.cpp contains a routine called XorFibonacciCrypt that matches code observed inside the DLL and inside the NSIS package configuration:
    for (DWORD i = 0; i < dwPlainLen; i++)
    {
        // keystream byte: Fibonacci-style sum of the two previous values, modulo MAXBYTE (0xFF)
        BYTE xorchar = (last1 + last2) % MAXBYTE;
        last2 = last1;
        last1 = xorchar;
        // XOR one input byte with the keystream byte and advance both pointers
        *lpOutput = (*lpSource) ^ xorchar;
        lpOutput++;
        lpSource++;
    }
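The following is an added Python re-implementation of the XorFibonacciCrypt loop quoted above; it is not the Trochilus code and not the report's own decryption script. MAXBYTE is the Windows constant 0xFF, so the modulus is 255. The two seed bytes (last1, last2) are taken as function parameters because this page does not show how the original initialises them; the seed values and the sample blob used below are constructed for the demonstration.

```python
# Added example: Python port of the XorFibonacciCrypt loop from the report.
# Seeds (last1, last2) are parameters here by assumption; the page does not
# show how the original code initialises them.


def xor_fibonacci_keystream(last1: int, last2: int, length: int) -> bytes:
    """Generate `length` keystream bytes exactly as the C loop does.

    Each byte is (last1 + last2) % 255 and then becomes the new last1,
    while the old last1 shifts into last2: a Fibonacci-style recurrence
    that depends only on the two seed bytes, never on the data.
    """
    out = bytearray()
    for _ in range(length):
        xorchar = (last1 + last2) % 255   # MAXBYTE == 0xFF
        last2 = last1
        last1 = xorchar
        out.append(xorchar)
    return bytes(out)


def xor_fibonacci_crypt(data: bytes, last1: int, last2: int) -> bytes:
    """XOR `data` with the keystream. XOR is its own inverse, so one call
    both encrypts and decrypts given the same seeds."""
    ks = xor_fibonacci_keystream(last1, last2, len(data))
    return bytes(b ^ k for b, k in zip(data, ks))


def round_trip_ok(data: bytes, last1: int, last2: int) -> bool:
    """Encrypt then decrypt and confirm the original bytes come back."""
    once = xor_fibonacci_crypt(data, last1, last2)
    return xor_fibonacci_crypt(once, last1, last2) == data


def keystream_never_contains_0xff(last1: int, last2: int, length: int = 4096) -> bool:
    """Because the modulus is 255 rather than 256, the keystream can never
    contain 0xFF. An analyst can use this property as a quick sanity check
    when testing whether a recovered keystream came from this routine."""
    return 0xFF not in xor_fibonacci_keystream(last1, last2, length)


if __name__ == "__main__":
    # Constructed sample: stands in for an encrypted configuration blob.
    sample = b"constructed sample config: c2=example.invalid\x00"
    ct = xor_fibonacci_crypt(sample, 0x12, 0x34)   # constructed seeds
    print(ct.hex())
    print("round trip ok:", xor_fibonacci_crypt(ct, 0x12, 0x34) == sample)
```

Because the keystream depends only on the two seed bytes and not on the data, any sample of known plaintext at a known offset reveals the keystream bytes at that offset directly; combined with the fact that 0xFF never appears in the keystream, this makes the routine easy to recognise during analysis.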
Figure 17: Trochilus RAT readme file describes basic capabilities
Obtaining the source to the malware provided many insights, including the fundamental README that describes the basic functionality of the RAT (observed in Figure 17). Other researchers and analysts who wish to obtain additional insight should download the code for further analysis.
22 Proprietary and Confidential Information of Arbor Networks, Inc.