Unmasking the Shadow of PoisonPlug's Obfuscator

Jan. 29, 2025, 12:02 p.m.

Description

Since 2022, cyber espionage operations utilizing POISONPLUG.SHADOW have been tracked, employing a custom obfuscating compiler called ScatterBrain. This evolved version of ScatterBee targets entities in Europe and Asia Pacific. POISONPLUG.SHADOW, a variant of the POISONPLUG modular backdoor, uses advanced obfuscation techniques to evade detection. The blog post details the analysis of ScatterBrain, including its modes of operation, protection components, and the development of a deobfuscator. It explains the process of CFG recovery, import restoration, and binary reconstruction. The research provides insights into combating sophisticated obfuscation techniques and contributes to enhancing cybersecurity defenses against evolving threats.

External References

https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator
https://otx.alienvault.com/pulse/67998792edfe54ed19f2a439
Tags
cyber espionage
poisonplug.shadow
2025-01-29
poisonplug
poisonplug.deed
scatterbee
scatterbrain

Date

  • Created: Jan. 29, 2025, 1:42 a.m.
  • Published: Jan. 29, 2025, 1:42 a.m.
  • Modified: Jan. 29, 2025, 12:02 p.m.

Indicators

  • 60678e352f3c849e36413f5de51b5eeca1180840c818f9ece0a0da803eb205a5
  • d484b9b8c44558c18ef6147c6ca8276a462fccf2acb2863be4ee9bf37942f11e
Download all indicators here!

Attack Patterns

  • ScatterBrain
  • POISONPLUG.SHADOW
  • APT41
  • T1552.003
  • T1558.001
  • T1027.003
  • T1027.004
  • T1556.002
  • T1027.001
  • T1552.001
  • T1553.002
  • T1556
  • T1555.003
  • T1027.002
  • T1027.005
  • T1552
  • T1555
  • T1554
  • T1574
  • T1140
  • T1027
  • T1553
  • T1558