[1/n] Earlier today Lab Dookhtegan leaked an interesting document linking the ViceLeaker threat group to a private company in Iran, allegedly operating as a contractor for the government. A thread on the document (Disclaimer: I don't read or speak Farsi; I do use OCR).
[2/n] I can't corroborate the link between the two, but the attached document is interesting. It describes a malware provided as a product, with features like low performance impact, functional design (?), and support for user and kernel mode, though it's not clear for which OS.
[3/n] It goes on describing how computer worms work, suggesting that this piece of malware has capabilities to self-replicate and propagate independently of a human operator.
[4/n] Some features and modules are described, namely a network share scanner which would be one way to move laterally, but it also indicates physical drive detection and its use as a propagation vector. Could this serve to overcome air gaps or be used for domestic espionage?
[5/n] Other worm-like capabilities are implemented in features like the 'Extractor' and 'Binder', which are not very self-explanatory, but from what I can tell are probably mechanisms to infect other files and have the malware initiate when they are launched.
[6/n] Other architectural notes specify a 0.2 KB payload used to infect files, thus making the worm "less detectable". It's not clear, but I suppose it means some position-independent code is used to divert control from the entry point and fetch a core module from another source.
[7/n] Last but not least, this malware has the capability to elevate privileges and run in 'system mode'. Does this mean operating from kernel space? Is it in Windows? Is a driver involved? Is it signed? By whom?
[8/8] This brochure suggests ViceLeaker develops malware for different platforms, yet I'm under the impression that the same subpar standards in OPSEC and technical level remain. I'm waiting for more details from Lab Dookhtegan down the road to see how this story unravels.
Thread by Mark Lechtik