malware.lu
After Mandiant published their report on the APT1 group, malware.lu upstaged them by owning APT1's C&C infrastructure. They scanned for Poison Ivy C&Cs, developed a custom John the Ripper extension specifically for Poison Ivy’s encryption algorithm, exploited a (known) buffer overflow in the C&C to gain access to all the C&Cs they found, revised the Metasploit module for it, improving the remote exploit so that it could accept a non-default connectback password, wrote a great deal of custom shellcode from scratch to properly hide their presence, discovered a brand new homemade RAT on one of the servers, reversed it to brute-force its password, wrote a scanner to find C&C servers running it, discovered and wrote an exploit for an RCE buffer overflow vulnerability they found in that, and wrote a Metasploit module for it…