Categories
Uncategorized

Rats of a different ilk

Yesterday, I pushed the publish button on some additional research on RATicate that I assisted Markel Picado with. RATicate is an actor that had been sending tailored malicious emails, loaded with malware installers, to its victims; they appear to be a malware-as-a-service operation.

The interesting thing is that they appear to have been using the same commercial crypting/packing tool as the actors behind the GuLoader malware tracked by Check Point: a product called CloudEyE Protector, the successor to DarkEyE Protector. The operators of that crypter-as-a-service shut it all down when people came asking about their role in malware distribution, and swore they would ban the bad actors.

Welp, they're back in business, and they're following some very rigorous (lol) vetting of customers. Sebastiano and Ivano pinky promise to very closely monitor usage and look out for shenanigans. The problem is that grey tools like this, which have a legitimate use as obfuscators and license-protection schemes, are always going to have abusers. The only way to tell the bad from the good is behavior-based detection.

Ironically, one of the features they instituted to lock down their tools was a “hardware ID grabber” app they built with their own tool. And Windows Defender (and 16 others, including Sophos) detect it as malware.


Sextortion still happens, apparently

I collaborated with Tamas Kocsir and the folks at CipherTrace on a report on the economics of sextortion spam.



Rebooting.

A lot of things have happened since I first took up the nom de plume “The Packet Rat” in 1994. For 15 years, I wrote a rumors/thinly-veiled-autobiography/surrealist tech column under the byline “R. Fink” for Government Computer News, before a redesign (and some significant corporate consolidation at 1105 Media) ended that run. In the meantime, my actual packet hunting (and other information security) exploits had continued in research and lab ops at InformationWeek, Ziff Davis, a fever-dream of a year at Tech Target, and various other exploits before landing at 1105 to run Defense Systems (and having to give up the freelance check for The Rat).

Since then, I’ve been doing cyber shit at Ars Technica. But now I’m fully down the infosec rabbit hole in a threat research role, and embarking on a book about deep packet inspection with Dave Porcello, late of Pwnie Express and other ventures.