2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article covers what is currently known about the "passive traffic listeners added to the American CIA network arsenal". Analysts run into this kind of implant in real incidents, so the editor walks through how it works and how it gets at network traffic. Read carefully and you should come away with something useful.
On April 27, 2021, Kaspersky released its summary of APT activity for the first quarter of 2021, which mentions a new member of the Lambert Trojan family. (For background, see the earlier article "US CIA network arsenal update: customized launch in different countries".)
Kaspersky reported that in February 2019 several antivirus companies received a collection of malware samples, most of them tied to various known APT groups. Some of the samples could not be linked to any known activity, and the techniques they used were very advanced.
The samples were compiled in 2014, so they were probably deployed on target devices in 2014 and possibly as late as 2015. Kaspersky found no code shared with any other known malware, but the coding patterns, style and techniques seen in the samples recur across the various Lambert Trojan families.
Kaspersky names members of the Lambert family after colors, so it named this malware Purple Lambert.
Purple Lambert consists of several modules. Its network module passively monitors traffic and wakes up only when it sees a specific packet (a "magic packet"); at that point the Trojan leaves its dormant state and carries out further malicious actions. Because the module reads traffic passively instead of opening a port of its own, neither a port scan nor a listing of listening sockets on the host reveals it.
The Trojan can provide the attacker with basic information about the infected system and execute a payload received from the attacker for the next stage of the attack.
Kaspersky notes that the Trojan's functionality closely resembles that of Gray Lambert, another user-mode passive listener.
Gray Lambert had in turn replaced the kernel-mode passive listener White Lambert in many incidents. Purple Lambert implements the same functionality (listening for traffic) as Gray Lambert and White Lambert, but in a different way.
Regarding Gray Lambert, Blackbird's analysis found that the Trojan starts as a service and, after a series of persistence steps, begins passively monitoring traffic. It first drops and loads a network traffic monitoring and filtering module from its resources and tries to obtain filtered traffic through a driver.
The driver's name is read from the System\CurrentControlSet\Services\Null registry key, where the file name of the registered driver is stored, and that name is used to communicate with the driver. If no such driver is present, the Trojan falls back to Windows's ETW mechanism to filter network traffic.
(ETW, Event Tracing for Windows, is a Microsoft mechanism for tracing and logging events raised by applications and kernel components.)
Regarding White Lambert, after a series of steps the Trojan finally loads a malicious driver: a rootkit that filters traffic through NDIS. The Trojan registers a custom protocol with NDIS, filters the traffic passing through the corresponding network adapter via that protocol, and implements its functions (remote-control commands) on top of it.
(NDIS: Network Driver Interface Specification.)
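The three traffic-access paths described above (a helper driver named under Services\Null, an ETW fallback, and a custom NDIS protocol) are each visible to a defender who knows where to look. The following hunting script is an added example written for this article; it is not code from the article, from Kaspersky, or from any Lambert sample. It assumes Windows 8 / Server 2012 or later with PowerShell 5.1 or newer in an elevated shell; the list of "expected" values under Services\Null and the set of network ETW provider names it flags are the editor's assumptions, not something the article states.

```powershell
#Requires -RunAsAdministrator
# Added hunting script: not code from the article, Kaspersky or any Lambert sample.
# It audits the three traffic-access paths the article attributes to the
# Lambert passive listeners. Assumes Windows 8 / Server 2012 or later and
# PowerShell 5.1+. Every hit is a lead to review, not a verdict.

# --- 1. Services\Null -------------------------------------------------------
# Gray Lambert reads the name of its helper driver from this key. On a clean
# system the key describes the stock null device driver (Null.SYS) and carries
# only the standard service values listed below (assumed baseline; extend it
# if your build differs).
$nullKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Null'
$nullSvc = Get-ItemProperty -Path $nullKey
"Services\Null ImagePath: $($nullSvc.ImagePath)"
if ($nullSvc.ImagePath -notmatch '\\drivers\\null\.sys$') {
    Write-Warning "Services\Null ImagePath does not point at the stock Null.SYS: $($nullSvc.ImagePath)"
}
$expectedValues = @('Type', 'Start', 'ErrorControl', 'ImagePath', 'Group',
                    'DisplayName', 'Description', 'Tag', 'Owners')
(Get-Item -Path $nullKey).Property |
    Where-Object { $expectedValues -notcontains $_ } |
    ForEach-Object { Write-Warning "Extra value under Services\Null: $_ = $($nullSvc.$_)" }

# --- 2. ETW trace sessions --------------------------------------------------
# Without its driver, Gray Lambert falls back to ETW, which requires a live
# trace session that consumes network providers. Enumerate running sessions
# with logman and flag any whose provider list names the NDIS packet-capture,
# TCP/IP or WFP providers. netsh trace and monitoring agents create such
# sessions legitimately, so match each hit to a product you know is installed.
$netProviders = 'Microsoft-Windows-NDIS-PacketCapture|Microsoft-Windows-TCPIP|Microsoft-Windows-WFP'
$sessionNames = logman query -ets |
    Select-String -Pattern '^(.+?)\s{2,}Trace\s+Running\s*$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
foreach ($session in $sessionNames) {
    $detail = logman query "$session" -ets
    $hits = $detail | Select-String -Pattern $netProviders
    if ($hits) {
        Write-Warning "ETW session '$session' consumes network providers:"
        $hits | ForEach-Object { "    $($_.Line.Trim())" }
    }
}

# --- 3. NDIS protocol bindings ---------------------------------------------
# White Lambert registers its own NDIS protocol and pulls packets from the
# adapter through it, so it appears as a binding on that adapter. Microsoft's
# own components use ComponentIDs starting with ms_; anything else should map
# to software you recognise (VPN clients, capture drivers, endpoint agents).
Get-NetAdapterBinding -AllBindings |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        $line = '{0,-28} {1,-48} {2}' -f $_.Name, $_.DisplayName, $_.ComponentID
        if ($_.ComponentID -notmatch '^ms_') {
            Write-Warning "Non-Microsoft binding: $line"
        } else {
            $line
        }
    }
```

Run it from an elevated PowerShell prompt and compare the output against a known-clean machine of the same build: the useful signal is a difference from baseline (an ImagePath under Services\Null that is not Null.SYS, an extra value stored there, a running trace session consuming the TCP/IP or packet-capture providers that no installed product explains, or an enabled protocol binding whose ComponentID you cannot attribute), not any single line on its own.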
That concludes this introduction to the "passive traffic listeners added to the CIA network arsenal". Thank you for reading. To learn more about the industry, follow the site; the editor will keep publishing practical articles.
© 2024 shulou.com SLNews company. All rights reserved.