Conclusion

Now let's recap what we've explored in this room.

Firstly, we worked on a trojanized build of the Wire application that is linked to the threat actor FinSpy. At the time this room was created, little public information was available about where this trojanized application had been deployed or how many victims had been affected. Nonetheless, we gathered preliminary knowledge of the application's behaviour that could speed up a future in-depth code analysis, and we identified the network communication classes that could serve as useful pivot points should you continue analyzing this sample on your own.

Then, we looked into how to find similar APKs based on our analysis and on what was fingerprinted from the sample. As we saw, it was possible to gather other implants uploaded to Pithus that matched our first APK. Gathering other samples is an important step in your analysis: with more samples, we may better understand the tactics, techniques and procedures of the group and/or the malware. This might answer questions such as "Why was that application trojanized?" or "Who are the victims of this malware?".

Finally, we played with some of the search features of Pithus, which will allow you to look for more samples based on atomic indicators of compromise.

It's time for our journey to come to an end. We hope that you enjoyed this walkthrough, and remember that Pithus is an open-source tool.