The Fidelis Threat Research team is comprised of expert security researchers whose sole focus is generating accurate and actionable intelligence to better secure customers. Together, they represent over...
Last month, CrowdStrike published a blog on malware campaigns attributed to Sakula. We took a look at the malware specifically in the INOCNATION campaign to analyze what was new and different about the techniques used by the threat actor. It appears the entity behind this campaign took steps to make reverse engineering more difficult and chose the use of Cisco’s AnyConnect Client as a lure to trick victims into installing the malware.
The RAT delivered by this campaign was not particularly interesting and had all the features you would expect in such a tool. The obfuscation techniques it used, however, were novel, and this advisory discusses them in detail, along with how we detected them.
To see the full report and findings, visit Fidelis Threat Advisory #1020.
Fidelis Cybersecurity’s products detect the activity documented in this paper. Additional technical indicators are published in the appendices of this paper and on the Fidelis Cybersecurity GitHub at https://github.com/fideliscyber.
We want to thank our fellow security researchers at CrowdStrike for sharing hashes of the malware samples analyzed in this report.