APT28, also known as Sofacy Group is an (in)famous threat actor. It is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations and it has been characterized as an advanced persistent threat over the past years from many security organizations. In this post I share my cheat sheet on one of their last backdoors named SkinnyBoy (report Cluster25 here).
The intent of such a sheet is to offer the main SkinnyBoy functionalities mapped by API call blocks. It might help you in the following ways:
- To learn how the current CONTI ransomware works (if you had no chance to reverse it)
- To extract behavioural models for your Manchine Learning engine
- To synthetize API call signatures for your dynamic detection engine
- Extract behavioural patterns for your SIEM (for example if you use WinAPIOverride to log specific API calls into a syslog-flow to filluP your SIEM)
The Execution flow is represented by the long up-to-down raws and it runs from left to right. The main API calls are included into rectangles while the conditional jumps are mapped into diamonds. Next to specific rectangles (API Calls) a little note is giving further details on the analyzed step. Square brackets wraps API calls into blocks so that you might easily read the six logic CONTI steps, that are: Preparation, System Information, Find and Delete Shadow Copies, Looking for External Targets (shared folders), Encryption Preparation (ransom note included) and Encryption Execution.
If you think this content is helpful, please consider to give a little contribution.
Make a one-time donation
Make a monthly donation
Choose an amount
If you think this content is helpful, please consider to make a little donation. It would help me in building and writing additional contributions to community. By donation you will contribute to community as well. Thank you !
If you think this content is helpful, please consider to make a little donation. It would help me in building and writing additional contributions to community. By donation you will contribute to community as well. Thank you !
I hope you might enjoy it !