
Recently, I was targeted by a credential stealer disguised as a take-home coding assessment for a job interview. Instead of running it on my host machine, I audited the repository inside an isolated Debian VM and reverse engineered the attack chain.
I wrote a detailed, step-by-step breakdown of my methodology, the OPSEC measures I used, and the exact deobfuscation techniques. You can read the full deep dive on my website:
Part 1: https://roynrishingha.com/blog/interview-trojan-horse/
Part 2: https://roynrishingha.com/blog/reverse-engineering-multi-stage-malware/
This was a massive learning experience for me, and I am looking to improve my analysis process. For the experienced analysts here:
- Are there better or safer ways to handle and isolate these initial phase 1 droppers?
- I extracted the C2 IPs and mapped their exact TTPs. What is the standard methodology for pinpointing or attributing these attacks to specific threat actors or groups?
- I do not know binary reverse engineering, so I have not touched the final Cython-compiled payloads. If you have any advice on safely dissecting these binaries, or on safer ways to learn, please let me know!
EDIT: This post may look like it does not have anything to do with Rust. But "the HR" mentioned in the blog post reached out to me for a Senior Rust role. My last role primarily involved Rust, and I am now looking for Rust-related roles. The primary reason for posting here is to raise awareness of such attacks, so that fellow Rustaceans are aware of such notorious schemes. Stay safe. Keep coding.