Hackers of India

Hunting and Decrypting Ghost communications using Memory Forensics

By Monnappa K A on 06 Feb 2015 @ Nullcon

Abstract

The number of advanced persistent threat (APT) attacks targeting government, military, corporate, educational, and civil society networks is undoubtedly on the rise. These advanced and sophisticated attacks focus on individual organizations in an effort to extract valuable information. Sometimes these attacks are allegedly linked to state-sponsored activity, but they may also be carried out by independent groups with their own goals. APT actors (attackers) use advanced malware to infect target systems. This presentation discusses one such malware used by APT actors, Ghost RAT. It showcases sandbox analysis of the malware, its encrypted traffic pattern, and the decryption of Ghost RAT communications from a packet capture. The presentation also demonstrates both manual and automated methods of detecting and decrypting Ghost RAT communications using memory forensics.