1 min read

EHDevel – The story of a continuously improving advanced threat creation toolkit

Alexandru MAXIMCIUC

September 01, 2017

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
EHDevel – The story of a continuously improving advanced threat creation toolkit

More than a year ago, on July 26th 2016, the Bitdefender Threat Intelligence Team came across a suspicious document called News.doc.  However, unlike most potentially malicious documents that get processed in our labs, this file displayed similarities with a set of files known to have been used in separate attacks targeted at different institutions.

Our technical dive into the file lead us to a sophisticated malware framework that uses a handful of novel techniques for command and control identification and communications, as well as a plugin-based architecture, a design choice increasingly being adopted among threat actor groups in the past few years.

Dubbed EHDevel, this operation continues to this date, the latest known victims reportedly being several Pakistani individuals. In their case, the threat actors have chosen different lures than the ones presented in this paper, but the modus operandi is identical. Another important discovery lies in the fact that this  specialized framework that has been used to gather field intelligence for years in different shapes and forms, and our threat intelligence suggests a connection with the 2013 Operation Hangover APT as well. Our technical dive into the framework revealed an intricate mix of transitions from one programming language to another, code under active development and bugs that were not spotted during the QA process (if there were any).

Midway through our research, additional technical information and news of EHDevel framework have emerged. You can find a partial technical description of EHDevel over at 4HOU (warning: Chinese), as well as news on the India/Pakistan cyberattack in a Reuters report.

Download the whitepaper

tags


Author



Right now

Top posts

A Red Team Perspective on the Device42 Asset Management Appliance

A Red Team Perspective on the Device42 Asset Management Appliance

August 10, 2022

1 min read
Vulnerabilities Identified in Wyze Cam IoT Device

Vulnerabilities Identified in Wyze Cam IoT Device

March 29, 2022

1 min read
New FluBot and TeaBot Global Malware Campaigns Discovered

New FluBot and TeaBot Global Malware Campaigns Discovered

January 26, 2022

10 min read
Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately

Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately

December 10, 2021

2 min read
Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand

Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand

November 08, 2021

2 min read
Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware

Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware

September 16, 2021

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Under Siege for Months: the Anatomy of an Industrial Espionage Operation Under Siege for Months: the Anatomy of an Industrial Espionage Operation
Alexandru MAXIMCIUCVictor VRABIE
1 min read
New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike
Filip TRUȚĂRăzvan GOSAAdrian Mihai GOZOB
4 min read
New FluBot and TeaBot Global Malware Campaigns Discovered New FluBot and TeaBot Global Malware Campaigns Discovered
Bitdefender

January 26, 2022

10 min read