Advanced Persistent Threats are designed to be just that: advanced and persistent. These threats come from nation states and governments with sophisticated teams and high-end techniques that are stealthy and often discreet. For this reason, detecting this kind of threat can often be like spotting a unicorn - they come few and far between.
Fortunately there are many antivirus companies and security vendors who produce regular reports on various topics including malware campaigns that are operated by various governments and advanced criminal gangs. This malware can often be difficult to reverse engineer due to its complexity on various levels.
Industry Security Research and Reports
One complaint we regularly have is that the reports produced by industry do not follow a common template or standard. The security reports are written in many languages. Although English is usually preferred to reach the widest audience, it's not uncommon to see reports written in Chinese, for instance. Because there is no standardization in how these reports are written, there is also no consistent formatting that makes it easy for the reader to quickly collect things like IOCs related to the malware, network elements (IPs, domains), or the YARA rulesets designed to detect the threats in the first place.
In short: the reports produced by industry are great for marketing and great for manual research when reviewing a specific malware campaign, but they are not really great for the security researcher who is actually in charge of protecting a network's assets in the first place! Likewise, none of the reports provide the malware binaries; they expect the reader to collect the samples on their own in order to do further study.
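Because the indicators sit in free-form prose rather than a fixed format, collecting them usually means scraping the report text. The following is an added example (not code from the feed or from any vendor) that pulls file hashes and network indicators out of a constructed, defanged report snippet; the `SAMPLE_REPORT` text, the `hxxp`/`[.]` defanging conventions it undoes, and the regexes are assumptions about typical report style, not a parser for any specific vendor's format.

```python
import re
from typing import Dict, List

# Constructed sample in the loose prose style the post complains about; the
# indicators are defanged the way many vendor reports present them. The hashes
# are the well-known empty-input SHA-256/MD5 values and the addresses come from
# the RFC 5737 documentation ranges, so nothing here is a real campaign IOC.
SAMPLE_REPORT = """
The dropper (SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855)
beacons to hxxp://update[.]example[.]net/check and 203[.]0[.]113[.]45 on port 8080.
A second stage was pulled from 198.51.100.7; its MD5 is d41d8cd98f00b204e9800998ecf8427e.
"""

# Patterns for the indicator types the post mentions: file hashes and network elements.
PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def refang(text: str) -> str:
    """Undo common defanging ('[.]', '(.)', '{.}', 'hxxp') so the regexes see real values."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"hxxp(s?)://", r"http\1://", text)
    return text


def _valid_ipv4(addr: str) -> bool:
    # The regex accepts any 1-3 digit octets; reject out-of-range ones like 999.1.1.1.
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def extract_iocs(report_text: str) -> Dict[str, List[str]]:
    """Return de-duplicated, sorted, lower-cased indicators grouped by type."""
    text = refang(report_text)
    found: Dict[str, List[str]] = {}
    for kind, pattern in PATTERNS.items():
        values = {m.group(0).lower() for m in pattern.finditer(text)}
        if kind == "ipv4":
            values = {v for v in values if _valid_ipv4(v)}
        found[kind] = sorted(values)
    return found


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind}: {values}")
```

The 32-hex MD5 pattern does not fire inside a 64-hex SHA-256 because of the word boundaries, so each hash is classified once.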
That is where we come in. We've been aiming to help bridge that gap by making the malware from these deep studies and industry reports more accessible to the masses. We don't believe that the malware should be hidden because the bad guys already have access to it and they already have the techniques. What we need is to make the files available to the good guys to better study it and prevent it from being distributed in the first place.
Advanced Persistent Threats Feed
We have created an APT malware feed to address this problem, and we are posting it freely on GitHub. Some of the sources of the reports we have provided samples from include the following:
* FBI Flash Reports
* CISA Alerts
* Kaspersky, Checkpoint, ESET, TrendMicro, etc.
* Various CyberSecurity Companies
* Various AntiVirus Companies
The feed is available at the following URL:
The files come from campaigns tied to many governments and criminal organizations such as:
* North Korea
* Many more!
The reports are centered around a theme or alert and we include the reference or source URL for each one along with all the malware we have been able to find.
Assembling these files is a very tedious task, and it can take hours to read the reports and categorize the malware binaries into their respective folders. If you have found this information useful, we'd love to hear from you, along with any suggestions you might have for making it better.