Behind a Malware Lifecycle and Infection Chain
"Malware infection chains and lifecycles are often talked about in the advanced threat discussions in a generic way - addressing droppers, payloads, command-and-control communications and missions without any specific details of different players in the lifecycle, roles or specific functions they serve. While looking into the Rerdom malware, we had a unique opportunity to link different malware families and an operator, following the infection chain back to its origin. In doing so, we’re able to illuminate the process, which we hope will inform others about the intricacies of advanced threats. While investigating some click-fraud activity, Core found that there is a connection between Asprox, Zemot, Rovnix and Rerdom.
Though this connection is complicated, we were able to decrypt sensitive command and control (C&C) data, thus exposing one of the least understood aspects of this infection chain. Now that we have a good understanding of what the relationship looks like and how the process works, we decided it was time to share this information with the community."