How the NSA (Equation Group) allegedly hacked into China's Polytechnical University 👀

I analysed intelligence reports from Chinese cyber firms (360, Pangu, CVERC) to aggregate TTPs attributed to Equation Group.

🔗inversecos.com/2025/02/an-ins… 2\ In a joint report, Qihoo 360 and CVERC accused the NSA’s TAO unit of breaching China's Northwestern Polytechnical University in 2022 (a key institution in aerospace and defense research).

Chinese firms track NSA TAO unit as APT-C-40. Their reports allege APT-C-40 deployed over 40 malware strains to conduct cyber espionage and steal sensitive information.

1\ My thoughts on the Chinese APT contractor leak 🇨🇳

Specifically, I want to talk about the leaked
- iOS Spyware
- Physical implantable devices
- Email surveillance system

Let's consider detection and how these would be installed.

https://twitter.com/AzakaSekai_/status/1759326049262019025

2\ The iOS spyware requires no jailbreak.

This should not "scare" you at all.

The capabilities of the leaked Chinese APT contractor "iOS Spyware" are accessing:

- basic mobile phone data
- GPS location
- Contacts
- Photos / multimedia files
- Recording sounds

If this sounds familiar, it should. These are settings accessible...Accessible ANY application requesting these permissions on a phone :)

This means, the delivery for the "spyware" would likely (my guess) be in the form of an application that the user installs on their device and must approve these permissions. If you've ever done mobile forensics, this is almost one of the first things you would check.

1\ #DFIR: Chrome Forensics - How to Recover CLEARED History

If a user just cleared their browser history, you can still recover everything they were just looking at from the session files:

%appdata%\Local\Google\Chrome\User Data\Default\Sessions

inversecos.com/2022/10/recove… 2\ In some instances (more on this) the session and tab files inside that folder show the webkit/chrome date for when the session was exited.

This allowed me to put together a full timeline of what this naughty boy was doing *BONK*

1\ #DFIR: How to investigate insider threats

Sharing the forensic methodology I follow when I'm investigating insiders 😍

This is where an employee sells creds/changes configs/runs malware leading to full DA compromise and then say they didn't do it O_o

inversecos.com/2022/10/how-to… 2\ The questions that I use to guide the analysis and prioritisation of analysis are:

1. How was the device accessed around the suspected behaviour?

2. Where was the user/device when this occurred?

3. Was the insider active on their system?

4. What did the user do?

1\ #ThreatHunting: Detecting OAuth Token Theft in Azure / M365

This technique is STILL being abused by Chinese APT groups. This blog covers several methods of detecting this technique😈.

It's also a good reminder to always perform browser forensics ;)

inversecos.com/2022/08/how-to… 2\ METHOD 1: Look for the OAuth redirect consent link in browser history and/or proxy logs.

Take note of the following fields:
- client_id (malicious app id)
- redirect_uri (malicious domain)
- scope (API permissions requested)

1\ #DFIR: How to detect Linux Timestomping

Analyse the entries in these two files:
> filesystem.db
> filesystem.db-wal

Most writeups focus on detecting the use of "touch". But you can timestomp without using "touch". 😈

Check out my blog below 👇
inversecos.com/2022/08/detect… 2\ The file "filesystem.db" (enabled by default) tracks:
> fileCreated time
> fileLastAccessed time

Look for discrepancies in the fileCreated time in this DB file vs the times that "stat" show on a file.

There's also a correlating WAL that contains uncommitted data :3

1\ #ThreatHunting for APT abuse of Exchange

APT Exchange abuse has been a common theme with techniques ranging from:
> Compiled DLL OWA backdoors
> .req webshells
> EWS / Legacy auth abuse
> Log / File deletion

TL;DR below or check out the full blog 👇👇
inversecos.com/2022/07/huntin… 2\ EWS and other legacy auth is commonly abused by APT groups (when enabled).

Check MSExchange Management.evtx log for EWS abuse.

Look for cmdlets like (more cmdlets in blog)
> New-MailboxExportRequest
> Remove-MailboxExportRequest
> Search-Mailbox
> Set-Mailbox

1\ #ThreatHunting: How to detect Linux anti-forensics log tampering

Attackers can alter the utmp, wtmp, btmp files to hide malicious logon attempts by:

> Zeroing entries out in hex
> Overwriting the files with a malicious copy

BLOG POST BELOW 👇 UwU
inversecos.com/2022/06/detect… 2\ Method 1: Zeroing entries in hex

This leaves OBVIOUS AF traces. Look for entries with zeros, and datetime defaulting to 1970. You can also review timestamps (covered in thread 4).

I highlighted in purple where you zero out the data in hex.

1\ #ThreatHunting: How to detect fileless Linux malware

Look for processes in /proc/<PID>/exe where the path shows "(deleted)"

Here are two examples👇
1. BPFDoor deleted binary
2. An attacker abusing memfd_create() to exec their malware in RAM w/o dropping files to disk. 2\ To recover/extract these binaries running in memory - you can copying them out from this location:

/proc/<PID>/exe

Also as an FYI for memfd_create() abuse detection you can hunt for the "memfd: (deleted)" string directly.

1\ How to detect file timestomping 👀

APT28, APT29, APT32, APT38 have all used this defence evasion technique to modify malicious file creation times. 😈

Did you also know it's possible to timestomp $FN time?

👇👇 BLOG & TL;DR BELOW 👇👇

bit.ly/3KsX1ua 2\ Most IR analysts are taught to detect timestomping using two methods:

> Compare $FI vs $SI times in the MFT
> Look for 0s in timestamp nanoseconds

These two detections are NOT foolproof - they will catch simple cases. Attackers can set nanoseconds and modify $FN time!

1\ #DefenceEvasion Technique: Maliciously Modifying Registry Timestamps 👿👀

This technique doesn't log events in the Security.evtx and is almost trivial to perform as a defence evasion technique...

Read my blog for technique + detection:
bit.ly/3r7jfuO

TL;DR 👇👇 2\ Why should you care?

During an IR, registry timestamps are important evidence items for timelining & triaging an incident. They answer questions like...

> What files did the TAs open?
> When was a security tool disabled?
> What folders were the TAs looking at?
> etc...

1\ Windows Event Log Evasion via Native APIs 👀🧠

Some native Windows API calls can be used to install services WITHOUT generating correlating entries in the event log. This was seen in Stuxnet.

This blog covers the technique + detection.

bit.ly/3D7KI4n

TL;DR 👇👇 2\ High level of how the technique works.....

Services are normally created through standard API calls to “CreateServiceA” using sc.exe/at.exe. This API is what EDR usually detects on.

Note that using svcscan.. Stuxnet isnt showing any of the malicious services ...why is that?

1\ How to detect what command line spawned a process with no EDR/AV? 👀 #DFIR

If you have a memory sample, this is how you can figure out what cmd spawned the processes by using volshell and memory forensics.

STEP BY STEP GUIDE BELOW

👇 👇 👇 👇 

#MemoryForensics 2\ Each process in Windows is represented by an "EPROCESS" structure.

These EPROCESS blocks are joined in a doubly linked list structure. The flink (forward link) tells you the next process running and blink (backwards link) tells you the previous process.

1\ How to prove malicious macro was enabled & clicked? 👀 #DFIR

HKEY_LOCAL_MACHINE\USERDAT\Software\Microsoft\Office\<VERS>\<PROGRAM>\Security\Trusted Documents\TrustRecords

Look ONLY for values where last four bytes are "FF FF FF 7F".

These files had macros enabled

👇👇👇 2\ In light of the recent Emotet campaigns, make sure you check INetCache Outlook folder as it stores the attachments that were opened in Outlook.

If AV quarantines the file this wont exist.

C:\Users\<name>\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\<Folder>\

1\ #MalwareAnalysis: Detecting Process Hollowing
The first pattern to look for are any calls to create processes in a suspended state:

> CreateProcessA
"dwCreationFlags" set 0x04 CREATE_SUSPENDED

Purpose is to disguise malicious code in a legit exe by replacing the contents. 2\ Following the process being started in a suspended state... (usually svchost.exe but who's counting). Then there are API calls to native/non native APIs:

> ZwUnmapviewofsection
> virtualallocex
> writeprocessmemory
> setthreadcontext
> NTgetcontextthread
> ntreadvirtualmemory

1\ #MobileForensics Tip: Did you know iOS, by default, tracks all locations that you visit to build a map of your life.

Artefacts:
> cache.sqlite
> cloud.sqlite
> local.sqlite

Tracked by IoS:
> When you arrived
> When you left
> Long/Lat

😝Photo is a parsed local.sqlite file 2\ In your iPhone the local.sqlite will render like this - as you can see I went to a grocery store 13 times. I was in lockdown don’t judge me.