According to recent industry reports, Linux-focused malware has grown by over 30% in the past year. With the rise of cloud computing it's no surprise that attackers are looking beyond traditional Windows environments to profit from illicit access. This course was given at BSides Roc 2022 to provide students with broad exposure to techniques and tools for identifying, triaging and analyzing a faux incident in a CTF-style event.
- A Vagrant file is included in the course; it covers modules 01 and 02. Modules 03 and 04 require a GUI, and installing XFCE within the VM caused issues when testing.
- If you have a Linux VM, simply install Ghidra and Cutter and you'll be good to go.
Note: all files are now included in the git repo itself, and you do not need to obtain the malware from the servers listed in the repos.
These are real modified malware samples! Do NOT run them unless you are absolutely sure of what you are doing! Arch Cloud Labs is not responsible for any damages.
Threat actor APT-585 leverages known exploits and modified offensive security tools to obtain access to victims' environments for cryptocurrency mining and ransomware attacks, specifically targeting web servers and vulnerable web applications.
APT-585 leverages leased infrastructure from popular cloud providers to stage the capabilities it brings into victims' environments. Their leader is unknown, but historically poor opsec has led to the takedown of their domains. It's likely their sloppy tactics will eventually reveal who they are.
Thank you to the Digital Corpora project for hosting forensic images for forensic education!
Garfinkel, S., Farrell, P., Roussev, V. and Dinolt, G., "Bringing Science to Digital Forensics with Standardized Forensic Corpora", DFRWS 2009, Montreal, Canada.