The Pentagon has started uploading malware samples from APTs & nation states

DeepWeb (thread author)
The Pentagon has suddenly started uploading malware samples from APTs and other nation-state sources to the website VirusTotal

“Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity,” CNMF said in a statement.

The first two samples are files called rpcnetp.dll and rpcnetp.exe, which are both detected as dropper mechanisms for what was formerly known as the Computrace backdoor trojan, often associated with the Russia-based APT28/Fancy Bear group.
“The particular pair of samples, Computrace/LoJack/Lojax, is actually a trojanized version of the legitimate software ‘LoJack,’ from a company formerly called Computrace (now called Absolute). The trojanized version of the legitimate LoJack software is called LoJax or DoubleAgent,” a spokesperson from Chronicle told Threatpost.

Announcement: "New CNMF initiative shares malware samples with cybersecurity industry" (U.S. Cyber Command news)
VirusTotal account of Cybercom: VirusTotal Community profile for CYBERCOM_Malware_Alert
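The post names the two files CNMF uploaded, rpcnetp.dll and rpcnetp.exe. The script below is an added example, not code from the original post, from CNMF or from VirusTotal: it walks a directory tree for files with those names, hashes them, and scores a VirusTotal API v3 file report by its detection ratio. The endpoint `GET /api/v3/files/{sha256}` and the `x-apikey` header are VirusTotal's documented v3 API; the `last_analysis_stats` layout used by the parser, the sample file content and the JSON report are constructed here and labelled as such. Because the trojanized LoJax uses the same file names as the legitimate Absolute/Computrace agent, a name hit only tells you which hash to look up, which is why the hash and the report score are kept separate.

```python
"""Added example (not from the original post, CNMF or VirusTotal):
locate files named like the CNMF-shared samples, hash them, and rate a
VirusTotal v3 file report. Network lookup is isolated in vt_file_report();
everything else runs offline against constructed data."""
import hashlib
import json
import os
import tempfile
import urllib.request

# File names taken from the CNMF upload described in the post.
SAMPLE_NAMES = {"rpcnetp.dll", "rpcnetp.exe"}

# Constructed stand-in content; NOT a real sample.
CONSTRUCTED_CONTENT = b"MZ\x90\x00 constructed stand-in for rpcnetp.dll, not a real sample\n"

# Constructed report; the field layout is an assumption about the
# VirusTotal API v3 file object ("last_analysis_stats").
CONSTRUCTED_REPORT = {
    "data": {"attributes": {"last_analysis_stats": {
        "malicious": 52, "suspicious": 0, "undetected": 18,
        "harmless": 0, "timeout": 2}}}}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_named_samples(root, names=SAMPLE_NAMES):
    """Return {path: sha256} for every file under root whose name is in names.
    A hit is NOT a verdict: the legitimate LoJack agent uses the same names."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() in names:
                p = os.path.join(dirpath, fn)
                hits[p] = sha256_file(p)
    return hits


def vt_file_report(sha256, api_key):
    """Live VirusTotal API v3 lookup (network; needs an API key). Not called offline."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def detection_ratio(report):
    """Return (malicious, engines_with_a_result) from a v3 file object,
    or None when the report carries no analysis (e.g. a NotFoundError body).
    Engines that timed out are excluded from the denominator (assumption)."""
    stats = report.get("data", {}).get("attributes", {}).get("last_analysis_stats")
    if not stats:
        return None
    counted = ("malicious", "suspicious", "undetected", "harmless")
    total = sum(stats.get(k, 0) for k in counted)
    return stats.get("malicious", 0), total


def demo():
    """Offline walk-through: plant the constructed file under a fake
    System32, find it by name, hash it, and score the constructed report."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "Windows", "System32")
        os.makedirs(target)
        with open(os.path.join(target, "rpcnetp.dll"), "wb") as f:
            f.write(CONSTRUCTED_CONTENT)
        hits = find_named_samples(root)
        found = {os.path.basename(p): h for p, h in hits.items()}
    return {
        "found": found,
        "expected_sha256": hashlib.sha256(CONSTRUCTED_CONTENT).hexdigest(),
        "ratio": detection_ratio(CONSTRUCTED_REPORT),
    }


if __name__ == "__main__":
    result = demo()
    for name, digest in result["found"].items():
        print(f"{name}: sha256={digest}")
    print("constructed report detection ratio: %d/%d" % result["ratio"])
```

To use it on a live host, call `find_named_samples(r"C:\Windows")` and feed each hash to `vt_file_report()` with your own key; only then does `detection_ratio()` tell you whether the copy you found is the trojanized build or the vendor's agent.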
 

Burrito
Good news. They have samples of rather exotic malware; for example, the first thing they submitted was LoJax, which is the first UEFI malware known. AV vendors will be able to study and learn from those to improve their products, and you will be able to detect it if it made it onto your computer.

Yeah, that's the way I take it.

Some people apply conspiracy theories to everything...
 

SHvFl
All the malware they posted is probably well known, judging from the detection rate. They didn't post anything exotic this time, and I doubt they will in the future either.
 
Deleted member 178

Those shared are probably obsolete and already public; the time and resources needed to create new nation-state malware are too high to share it.

Same logic as with chemical weapons: you don't spend time creating one and then release the antidote...

Note that some are DLLs; good luck stopping those if you use a simple anti-exe.
 

Burrito
Almost always... that stuff is useless to the US DoD.

That organization has multiple elements that design and implement offensive cyber capabilities. It would be like picking up the adversary's weapons on the battlefield... it generally does not happen.

Additionally, DoD cyber capabilities are aimed at very specific things... not generalized malware.
 

DeepWeb (thread author)
SHvFl said: All the malware they posted is probably well known, judging from the detection rate. They didn't post anything exotic this time, and I doubt they will in the future either.

Well, that's not really a fair assessment. Yes, LoJax was well known... to Bitdefender and Kaspersky, who are on top of it all the time and even get their hands on nation-state malware somehow. So anything based on Kaspersky's and Bitdefender's signatures will see it too, which is like 90% of the market, I guess? But the rest have zero clue.
 
509322

SHvFl said: All the malware they posted is probably well known, judging from the detection rate. They didn't post anything exotic this time, and I doubt they will in the future either.

They would only report something because they had intent behind reporting it or they just don't care about it any longer.

The smart thing to do is to reverse-engineer it, not only to learn what it does and how it does it, but also to see if you can exploit it. Which they most certainly do. And it is almost equally certain that they do not report stuff they have discovered as a matter of routine. Clobbering your adversaries over the head with a malware signature is not what they do. If you do that, then you've wasted the opportunity to gather intelligence. They surveil to gather intelligence (the same thing is done at enterprises, which don't go immediately running to report something to have a signature created). The intel on the networking and data collection is far more valuable than the malicious code itself, a point lost on almost any home user. The whole point is to reveal as much about the threat actors as possible, and not simply block them. That's what any smart organization does: it bides its time and surveils, and does not run to report something to have a signature made. It's the difference between uninformed home-user thinking and clandestine/front-line cyberwarfare thinking.

The DoD might have uploaded it to VT, but the source of the sample could have come from any of the services or agencies.

Most of what is on this thread is just rife speculation and nonsense.
 