Hunting and Decrypting Communications of Gh0st RAT in Memory

This blog post details how to detect encrypted Gh0st RAT communication in memory, decrypt it, and locate the malicious Gh0st RAT artifacts (process, network connections and DLL). I also present a Volatility (Advanced Memory Forensics Framework) plugin (ghostrat) which detects the encrypted Gh0st RAT communication, decrypts it and also automatically identifies the malicious […]

Hunting APT RAT 9002 In Memory Using Volatility Plugin

On Nov 10, 2013, FireEye published a blog post about how the latest IE zero-day exploit was used in the wild by APT actors to serve the 9002 RAT (aka Hydraq/McRat/Mdmbot). The FireEye post also noted that the threat actors injected the 9002 RAT payload directly into memory without writing it to disk. This technique […]