TR-24 analysis - Destory RAT family

From Botnets.fr


Botnet: Destory, PlugX, Gulpix, Korplug, Thoper, Sogu, TVT
Malware:
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
CCProtocol:
Date: 2014 / 2014-06-03
Editor/Conference: CIRCL
Link: http://www.circl.lu/pub/tr-24/
Author:
Type: Blogpost

Abstract

The malware has been used since 2007 by a specific group of attackers specialised in industrial espionage (Command Five). CIRCL published this report on the Destory RAT family because it is regularly confused with the PlugX malware family. PlugX and Destory RAT differ technically in their respective initialization phases, in the obfuscation techniques they use and in other parts outlined in this document, yet both families follow the same internal and network communication protocols and share the vast majority of their code, showing that they originally come from the same malware writers.

All known members of the malware family (PlugX, Gulpix, Korplug, Destory, Thoper, Sogu, TVT) are briefly discussed in this document; the differences and similarities shown suggest that an initial code base was shared among different teams and used or enhanced for different purposes.

Bibtex

 @misc{2014BFR1386,
   editor = {CIRCL},
   author = {},
   title = {TR-24 analysis - Destory RAT family},
   date = {03},
   month = Jun,
   year = {2014},
   howpublished = {\url{http://www.circl.lu/pub/tr-24/}},
 }