Wait. How does the malware author injecting themselves with their own malware lead to Malwarebytes getting screenshots of the attacker's machine? Did they somehow breach the APT's network or hijack the malware? Is there some context I'm missing behind this blog post?
Strictly speaking, they're wrong about the keyboard layout. "ENG\nIN" means something like "English (India)"; the layout selector only shows the currently active layout (if more than one layout is configured). The other layouts are only shown when clicking on it and might be anything.

Also, when defining a custom keyboard layout you have relative freedom in picking the name and language/region it's classified as. So that "ENG\nIN" could be anything.

Source: I have two layouts installed. The default regional keyboard layout so co-workers using my machine don't go insane (shown as "DEU\nDE" [=Language\nRegion]), and for myself a customized variant of the US layout. I can't recall the exact reason why I configured it as it is (maybe to avoid installing the "ENG" language pack?), but that custom US layout shows as plain "DEU" (no second line).
The logic in the PHP snippet which captures IP addresses is not correct. Any user is able to add an X-Forwarded-For header to mask their real IP from the logs.

I wouldn't be surprised if the log file can have additional entries spoofed with new lines also ;)
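The two problems raised in the comment above (trusting X-Forwarded-For from any client, and writing raw header values into a log) in working form. This is an added example, not the PHP snippet from the blog post nor code from the thread; the request data and the trusted-proxy address 10.0.0.5 are constructed for illustration.

```python
"""
Added example (not the blog post's PHP or any commenter's code): a client that
talks to the app directly can put anything in X-Forwarded-For, so reading that
header blindly lets it choose the IP that gets logged. Only a value appended by
a proxy we control is worth trusting, and whatever ends up in the log line must
have CR/LF escaped or the header can forge a second record.
"""
import ipaddress
import re

# Assumed deployment: the only reverse proxy in front of the app is 10.0.0.5.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def naive_client_ip(remote_addr, headers):
    """The pattern the commenter objects to: use X-Forwarded-For if present."""
    return headers.get("X-Forwarded-For", remote_addr)


def client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy.

    The proxy appends the address it saw to the end of the chain, so walk the
    chain right to left, skip our own proxies, and return the first address
    that is not ours. Anything unparsable ends the walk; fall back to the peer.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies:
        # Direct connection: the header is attacker-controlled, ignore it.
        return str(peer)
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # junk in the chain: stop trusting it
        if addr not in trusted_proxies:
            return str(addr)
    return str(peer)


def log_line(ip, user_agent):
    """One log record with control characters (CR, LF, NUL, DEL, ...) escaped
    so a header value cannot terminate the line and inject a fake entry."""
    def esc(s):
        return re.sub(r"[\x00-\x1f\x7f]",
                      lambda m: "\\x%02x" % ord(m.group()), s)
    return "%s %s" % (esc(ip), esc(user_agent))


if __name__ == "__main__":
    # Constructed requests: an attacker connecting directly and spoofing the
    # header, and a real client arriving through the trusted proxy.
    spoofed = {"X-Forwarded-For": "1.2.3.4\n9.9.9.9 forged-entry"}
    print("naive   :", repr(naive_client_ip("203.0.113.7", spoofed)))
    print("hardened:", client_ip("203.0.113.7", spoofed))
    print("via proxy:", client_ip("10.0.0.5",
                                  {"X-Forwarded-For": "1.2.3.4, 203.0.113.7"}))
    print("log     :", log_line(naive_client_ip("203.0.113.7", spoofed), "ua"))
```

The hardened version keys the decision on the socket peer address, which the client cannot forge, rather than on the header's presence; the newline escaping closes the second hole regardless of which IP function feeds the log.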
Yeesh. OLE objects.

I thought it was a bad idea, back then, and I think most folks were of the same mind. I'm actually shocked that OLE is still a thing.
> That file contains an exploit (Microsoft Equation Editor) which is meant to compromise the victim's computer and execute the final payload (RAT).

When your attempt to copy the Equation Group is a little too literal.