Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign

In November 2019, Trend Micro published a blog analyzing an exploit kit we named Capesand, which exploited Adobe Flash and Microsoft Internet Explorer flaws. While analyzing the indicators of compromise (IoCs) in the deployed samples infecting victims’ machines, we noticed some interesting characteristics: notably, these samples were using obfuscation tools that made them virtually undetectable.

After some data collection, we found more than 300 samples that correlate to the mentioned indicators and that have recently been very active: our first detections occurred in August, and the campaign itself is still ongoing, with occasional spikes in between. We saw rising usage of tools that provide fully undetectable obfuscation capabilities, signifying that the authors behind the samples designed their malware variants to be as stealthy as possible. We decided to name the potential campaign associated with these IoCs “KurdishCoder”, based on the property name of an assembly module found in one of the samples.

Source: Trend Micro