Linux Memory Diff Analysis using Volatility

This blog post contains details of the Linux Mem Diff Tool. The tool uses the Volatility advanced memory forensics framework to run various plugins against a clean and an infected Linux memory image and reports the changes. A similar tool for performing diff analysis on Windows memory images can be found here. Why this tool? Many times while […]


Hunting and Decrypting Communications of Gh0st RAT in Memory

This blog post contains the details of detecting encrypted Gh0st RAT communication, decrypting it, and finding malicious Gh0st RAT artifacts (such as the process, network connections and DLL) in memory. I also present a Volatility (Advanced Memory Forensics Framework) plugin (ghostrat) which detects the encrypted Gh0st RAT communication, decrypts it, and also automatically identifies the malicious […]


Hunting APT RAT 9002 In Memory Using Volatility Plugin

On Nov 10, 2013, FireEye published a blog about how the latest IE zero-day exploit was used in the wild by APT actors to serve the 9002 RAT (aka Hydraq/McRat/Mdmbot). The FireEye blog also mentioned that the threat actors injected the 9002 RAT payload directly into memory without writing it to disk. This technique […]