📃Title: Unmasking the Shadow of PoisonPlug’s Obfuscator
📅Date: 2025-01-29
🔗References:

Description

Since 2022, Mandiant has tracked cyber-espionage operations that deploy POISONPLUG.SHADOW, a variant of the POISONPLUG modular backdoor, protected by a custom obfuscating compiler called ScatterBrain. ScatterBrain is an evolved version of ScatterBee, and the operations using it target entities in Europe and Asia Pacific. The obfuscation is there to hinder analysis and evade detection. The referenced blog post analyses ScatterBrain's modes of operation and its individual protection components, and describes the deobfuscator built against it: control-flow graph (CFG) recovery, import restoration, and reconstruction of a clean binary. The write-up serves as a reference for analysts facing comparable obfuscators.

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer Mandiant
  • fa5af22e-b260-4dc4-90bd-1c8431b680c0="c9d7b877-21aa-4327-8eb2-973b90b259fd"
  • region="142 - Asia"
  • region="150 - Europe"
  • target-information="Australia"
  • target-information="Canada"
  • target-information="India"
  • target-information="Malaysia"
  • target-information="Mexico"
  • target-information="Netherlands"
  • target-information="Philippines"
  • target-information="Saudi Arabia"
  • target-information="South Africa"
  • target-information="South Korea"
  • target-information="Sweden"
  • target-information="Switzerland"
  • target-information="United States"
  • malpedia="ShadowPad"
  • malpedia="poisonplug"
  • ransomware="Scatterbrain"
  • threat-actor APT41
  • mitre-attack-pattern=['T1553.002', 'T1556.002', 'T1140', 'T1558', 'T1555', 'T1552', 'T1555.003', 'T1027.001', 'T1558.001', 'T1552.003', 'T1552.001', 'T1554', 'T1574', 'T1027.005', 'T1027', 'T1553', 'T1027.003', 'T1027.004', 'T1027.002', 'T1556']

MISP event uuid: 36bf37ab-79d9-45b2-901c-6c5b0292f707

Indicator of Compromise (IoCs)

type,value,comment
md5,1f1361a67ce4396c3b9dbc198207ef52,"No sample in VT; last check 08/02/2025"
md5,4bf608e852cb279e61136a895a6912a9,"No sample in VT; last check 08/02/2025"
md5,79313be39679f84f4fcb151a3394b8b3,"No sample in VT; last check 08/02/2025"
md5,eb42ef53761b118efbc75c4d70906fe4,"No sample in VT; last check 08/02/2025"
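The table above is only useful once it is machine-readable and matched against real files. The script below is an added example for this page, not Rectifyq's or Mandiant's code: it parses the IoC rows exactly as the extracted table carries them (including the literal "\r\n" escape inside the comment field and the single-quoted comments), drops malformed hash values instead of silently matching nothing, computes MD5 over candidate files, and emits a hash-only YARA rule. The function names parse_iocs, match_samples and to_yara are assumptions; the four hashes are copied from the page, the rule name is invented.

```python
"""Parse the page's IoC table, match MD5s against local files, emit YARA.

Added example; not the page's or Mandiant's code. The hashes below are
copied from the IoC table above; everything else is assumed/illustrative.
"""
import csv
import hashlib
import io
import sys
from pathlib import Path

# The IoC rows as the extracted page shows them. The r-string keeps the
# literal backslash-r backslash-n that the comment field carries.
SAMPLE_IOC_CSV = r"""type,value,comment
md5, 1f1361a67ce4396c3b9dbc198207ef52, 'No sample in VT\r\nLast check:08/02/2025'
md5, 4bf608e852cb279e61136a895a6912a9, 'No sample in VT\r\nLast check:08/02/2025'
md5, 79313be39679f84f4fcb151a3394b8b3, 'No sample in VT\r\nLast check:08/02/2025'
md5, eb42ef53761b118efbc75c4d70906fe4, 'No sample in VT\r\nLast check:08/02/2025'
"""

# Expected hex length per hash type; rows that do not fit are discarded.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def parse_iocs(text: str) -> list[dict]:
    """Return normalized rows: lower-case hex values and a one-line comment.

    Uses ' as the quote character because that is what the table uses, and
    skipinitialspace so the "md5, <hash>, '...'" spacing is tolerated.
    """
    reader = csv.DictReader(io.StringIO(text), quotechar="'", skipinitialspace=True)
    rows = []
    for row in reader:
        ioc_type = (row.get("type") or "").strip().lower()
        value = (row.get("value") or "").strip().lower()
        comment = row.get("comment") or ""
        # Collapse both the literal "\r\n" artifact and any real line breaks.
        comment = comment.replace("\\r\\n", " ").replace("\r\n", " ").replace("\n", " ").strip()
        expected = HEX_LEN.get(ioc_type)
        if expected is None or len(value) != expected:
            continue  # unknown type or wrong length: never matches, so drop it loudly
        try:
            int(value, 16)
        except ValueError:
            continue
        rows.append({"type": ioc_type, "value": value, "comment": comment})
    return rows


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def match_samples(iocs: list[dict], samples: dict[str, bytes]) -> dict[str, str]:
    """Hash each sample and return {name: md5} for those on the IoC list."""
    wanted = {r["value"] for r in iocs if r["type"] == "md5"}
    hits = {}
    for name, data in samples.items():
        digest = md5_hex(data)
        if digest in wanted:
            hits[name] = digest
    return hits


def to_yara(iocs: list[dict], rule_name: str = "POISONPLUG_SHADOW_md5") -> str:
    """Emit a hash-only YARA rule (needs YARA's "hash" module). Rule name is invented."""
    hashes = sorted(r["value"] for r in iocs if r["type"] == "md5")
    if not hashes:
        raise ValueError("no md5 indicators to build a rule from")
    cond = " or\n        ".join(f'hash.md5(0, filesize) == "{h}"' for h in hashes)
    return (
        'import "hash"\n\n'
        f"rule {rule_name}\n{{\n"
        "    meta:\n"
        '        source = "Rectifyq MISP event 36bf37ab-79d9-45b2-901c-6c5b0292f707"\n'
        "    condition:\n"
        f"        {cond}\n}}\n"
    )


if __name__ == "__main__":
    # Usage: python ioc_check.py <file> [<file> ...]
    indicators = parse_iocs(SAMPLE_IOC_CSV)
    files = {Path(p).name: Path(p).read_bytes() for p in sys.argv[1:]}
    for name, digest in match_samples(indicators, files).items():
        print(f"MATCH {digest} {name}")
    print(to_yara(indicators))
```

Hash-only rules are brittle (any rebuild changes the digest), so treat the YARA output as a retro-hunt aid for these exact samples rather than a detection for the family; the parsed rows are also what you would push into a MISP feed or a SIEM watchlist.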

Full IOCs available in Rectifyq's MISP