ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool BrutishCommand

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: BrutishCommand

NamesBrutishCommand
CategoryMalware
TypeDropper
Description(Palo Alto) The BrutishCommand loader uses a very interesting method to decrypt the FakeM functional code. The main function in this loader checks the command line arguments passed to it, and if there are none present it will obtain a random number between 0-9 and create a new process using the same executable with this random number as a command line argument.

If the executable has a command line argument, the Trojan subjects the value to a hashing algorithm and compares the hash to 0x20E3EEBA. If the value matches the static hash, the executable will subject the command line argument to a second algorithm that will produce a value that the Trojan will use as the decryption key to decrypt the embedded FakeM shellcode. It essentially brute forces its own decryption key by rerunning itself over and over until it runs with the correct value is provided on the command line. Unit 42 had not seen this technique used by other malware families and it introduces a challenging hurdle when attempting to analyze or debug the loader Trojan.
Information<https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:BrutishCommand>

Last change to this tool card: 13 June 2020

Download this tool card in JSON format

All groups using tool BrutishCommand

ChangedNameCountryObserved

APT groups

 Scarlet MimicChina2015 

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key