The Software License and Service Agreement will be updated. Please follow this link [https://www.activision.com/legal/ap-eula] in order to see these changes.
This report covers the malware analysis process of a third stage Remote Administration payload named “InfoTrust.dll” which was delivered as a result of a target of opportunity attack. We sometimes encounter these types of payloads in the course of our work and are tasked with their analysis and reverse engineering. The initial stage of infection was automated, randomly infecting victims across the web, and then sending back initial telemetry such as the victim’s domain name. Once the attacker notices a compromised machine is in a domain of interest, they manually deliver the Remote Administration payload “InfoTrust.dll” with the purpose of gaining complete remote control of the infected machine.
InfoTrust contains 4 payload stages. The initial stage was identified as Blister malware and was simply used to hide additional payloads in a legitimately looking benign software. The final stage is far from being benign – it is a popular commercial adversary simulation tool called Cobalt Strike that is commonly used by Red Teams to hack corporate networks but was stolen and actively used by a wide range of threat actors from ransomware to espionage focused Advanced Persistent Threats (APTs) groups.
This report will cover the journey to the final payload.
Download the full publication HERE