{ "id": "a7b5df97-c69e-442d-a6a6-8f097d32ee6e", "created_at": "2026-04-06T00:19:25.970386Z", "updated_at": "2026-04-10T13:12:18.081559Z", "deleted_at": null, "sha1_hash": "ad154f323769a33b99f10cd08e3762abe747c108", "title": "securitykitten.github.io/_posts/2017-02-15-the-rambo-backdoor.md at master · malware-kitten/securitykitten.github.io", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 752649, "plain_text": "securitykitten.github.io/_posts/2017-02-15-the-rambo-backdoor.md\r\nat master · malware-kitten/securitykitten.github.io\r\nBy securitykitten\r\nArchived: 2026-04-05 15:42:14 UTC\r\nlayout category-post\r\ntitle The Rambo Backdoor\r\ndate 2017-02-15 00:00:00 -0500\r\nSummary:\r\nRecent new reporting was released on the DragonOK group which unveiled the many versions of the Sysget\r\nbackdoor as well as the IsSpace backdoor. One of the samples we looked at\r\nSHA256:e154e62c1936f62aeaf55a41a386dbc293050acec8c4616d16f75395884c9090 contained a family of backdoors\r\nthat hasn’t been referenced in public documents. In this post, we will be pulling apart and dissecting the Rambo\r\nbackdoor and discussing several of its evasion techniques. This backdoor has several aliases in the community;\r\nSophos calls the embedded components “Brebsd-A” and several others reference the code as simply “Rambo”.\r\nRTF Dropper\r\nThe initial dropper for this malware is a malicious RTF file containing many unique shellcode techniques.\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 1 of 21\n\nBoth the api hashing (ROR 7) and the save path section of code are identical. The code is also using the same\r\npayload marker of 0xbabababa.\r\nShellcode hashing routine\r\nThe save path shellcode that is also unique to the weaponizer used in previous blogs:\r\nAnd the payload marker searching:\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 2 of 21\n\nWithout diving into all the intricacies of how this shellcode works it will eventually decode a payload and exec it.\r\nThe parser that PAN provided will also work when extracting the payload from this document.\r\nQuickly after starting up, Rambo proceeds to enter a busy-loop making 2 million small malloc calls and then freeing\r\neach allocation. This ties up the malware for a couple minutes in order to throw off AV emulators (which will only\r\nemulate so many instructions). This also helps evade most sandboxes. Now that many sandbox systems short-circuit\r\nthe sleep call, more malware is moving from sleeping to busy loops in order to use up the short time slice that a\r\nsandbox can devote to each sample.\r\nRambo contains several different components working in tandem to achieve full execution on the victim machine.\r\nThe initial binary SHA256: 7571642ec340c4833950bb86d3ded4d4b7c2068347e8125a072c5a062a5d6b68 is a dropper\r\nthat unpacks the 3 different parts, achieves persistence and starts execution. The dropper is also copied as the method\r\nof persistence.\r\nThe key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\FaultCheck is established at the\r\npersistence key with the key value pointing at C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\\u003cfilename\u003e\r\nRambo will then fetch its configuration by reading in the last 260 bytes of itself.\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 3 of 21\n\nThe key “sdflpopdfjkaweriopasdfnkl” is loaded, which is eventually used to decrypt the buffer using tiny encryption\r\nalgorithm (TEA).\r\nEven though the whole string is referenced as a string, only the first 16 characters are used as the functional key.\r\nPerhaps this is a misunderstanding of the author, or an attempt to throw off analysts. The steps of the TEA decryption\r\ncan be seen below.\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 4 of 21\n\nThe decryption of the code can be translated to python with the following snippet. (To get the decryption working,\r\nwe had to make some patches to the opensource PyTea implementation, a modified copy of the script that is used is\r\nposted at the end of this blogpost)\r\n#!/usr/bin/env python\r\nfrom ctypes import *\r\nfrom pprint import pprint\r\nimport sys\r\nimport tea\r\nimport re\r\nimport struct\r\ndef ascii_strings(data):\r\n strings = []\r\n for match in re.finditer(r'[\\x20-\\x80\\n\\r\\t]{16,64}',data):\r\n strings.append(match.group()[:16])\r\n return strings\r\ndef to_c_array(data):\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 5 of 21\n\n''' Converts a string to a list of c_uint32s '''\r\n c_array = []\r\n char_array = [hex(ord(char))[2:] for char in data]\r\n for index in range(0, len(char_array), 4):\r\n block = char_array[index:index + 4]\r\n hex_value = '0x' + ''.join(block)\r\n c_array.append(c_uint32(int(hex_value, 16)))\r\n return c_array\r\nwith open(sys.argv[1], 'rb') as fp:\r\n data = fp.read()\r\nciphertext = data[-260:]\r\npadding = len(ciphertext)%8\r\nciphertext += '\\x00'*padding\r\nfor key in ascii_strings(data):\r\n #print 'trying key %s' % (key)\r\n try:\r\n plaintext = tea.decrypt(ciphertext, key,verbose=False)\r\n if \".dll\" in plaintext.lower() or '.exe' in plaintext.lower():\r\n break\r\n except:\r\n pass\r\nplaintext = plaintext[:-padding]\r\nprint '[*]\\tDecrypted with key \"%s\"\\nConfig:' % (key)\r\nconfig = {}\r\nconfig['loader'] = {'name': plaintext[:0x20].rstrip('\\x00'),\r\n 'offset': struct.unpack('\u003cL', plaintext[0xc8:0xcc])[0]}\r\nconfig['sideloader'] = {'name': plaintext[0x20:0x40].rstrip('\\x00'),\r\n 'offset': struct.unpack('\u003cL', plaintext[0xd0:0xd4])[0]}\r\nconfig['backdoor'] = {'name': plaintext[0x40:0x60].rstrip('\\x00'),\r\n 'offset': struct.unpack('\u003cL', plaintext[0xd8:0xdc])[0]}\r\nconfig['loader']['length'] = config['sideloader']['offset'] - config['loader']['offset']\r\nconfig['sideloader']['length'] = config['backdoor']['offset'] - config['sideloader']['offset']\r\nconfig['backdoor']['length'] = len(data) - config['backdoor']['offset'] - 260\r\npprint(config)\r\nprint\r\nfor key, component in config.items():\r\n with open(component['name'], 'wb') as fp:\r\n print '[*]\\tDropping %s' % (component['name'])\r\n fp.write(data[component['offset']:component['offset']+component['length']])\r\nRunning the above script will yield in the following information and drop the 3 components:\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 6 of 21\n\n[*] Decrypted with key \"sdflpopdfjkaweri\"\r\nConfig:\r\n{'backdoor': {'length': 14336, 'name': 'vmwarebase.dll', 'offset': 37056},\r\n 'loader': {'length': 5120, 'name': 'HeartDll.dll', 'offset': 12800},\r\n 'sideloader': {'length': 19136, 'name': 'vprintproxy.exe', 'offset': 17920}}\r\n[*] Dropping vmwarebase.dll\r\n[*] Dropping vprintproxy.exe\r\n[*] Dropping HeartDll.dll\r\nThe configuration contains the names of the dropped files and the offsets of each file. Marked up, the configuration\r\nwill resemble the following.\r\nOnce the configuration is decoded the malware will carve each file out and write them to disk.\r\nRambo (and the embedded components) make heavy use of stack strings to evade basic triage (ie, strings) from\r\nrevealing a lot of information.\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 7 of 21\n\nThe mutex is created with the value of {63SP948C-C21F-2R56-8176-2G0AC5OE03F4} . Once the mutex is created,\r\nWinExec is called starting HeartDll.dll with the DllRegisterServer argument.\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 8 of 21\n\nHeartDll.dll\r\nHeartDll.dll (SHA256: 11668a0666636b3c40b61986bf132a8ca6ab448fddcaa9e4ed22f6ca7f7b8a50 ) is a small\r\nexecutable (roughly 5k in size). This is responsible to starting vprintproxy (which ultimately sideloads\r\nvmwarebase.dll).\r\nUpon initial execution, HeartDll.dll will create a mutex (statically configured) of {53A7Y6CC-C8EF-W089-CN21-\r\n220AQCD303F3}\r\nAt the startup of HeartDll.dll it’ll load 4 different commands into a buffer.\r\nbsd -1\r\nbre -1\r\nesd +2\r\nere +2\r\nHeartDll.dll will write “bsd -1” to file 1.txt which will seed a command for the backdoor when it starts executing.\r\nFirst the dll will locate the current working directory and manually build the string “vprintproxy.exe”\r\nHeart will write the contents of 1.txt into a file named 222.txt. Once this is done then heart will call WinExec on\r\nvprintproxy.exe which will in turn sideload the malicious vmwarebase.dll.\r\nAt this point, it’ll enter an infinite loop of sleeping and attempting to read the file 3.txt. Which contains startup\r\ninformation from vmwarebase.dll. It’ll loop through the various expect log messages and then exit.\r\nvprintproxy.exe\r\nThis is legit executable that is signed by VMWare that the authors use to sideload vmwarebase.dll\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 9 of 21\n\nThe imports directly load vmwarebase.dll\r\nvmwarebase.dll\r\nVmwarebase.dll is loaded up via vprintproxy.exe and contains much of the functionality of this family.\r\nWhen loading up, it’ll decode its configuration via a simple xor loop.\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 10 of 21\n\nIn this case the decoded c2 is busserh.mancely.com.\r\nDuring its execution, the malware will use the same loop to decode its port information (443 \u0026 80) and other\r\nconfiguration information.\r\nOnce the configuration information is parsed, the malware will load up the same debug messages as HeartDll.dll (bre\r\n-1, bsd -1, ere +2, and esd +2), these are used primary as communication between HeartDll.dll\r\nIt’ll attempt to read 1.txt, and if the information in 1.txt matches “bsd -1”, the malware will recon information off the\r\nhost and send it to the c2 controller.\r\nHost Recon\r\nIn the main reconnaissance function, the malware will grab the system proxy settings from the registry key\r\n“Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer”. By pulling this information, this may\r\nensure a slightly higher success rate of communicating out in a corporate environment. As the case with all these\r\nbinaries, it makes heavy use of manually building stack strings to evade the simple strings tool.\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 11 of 21\n\nRambo will continue to gather the hostname and IP of the system. Gather a list of processes (with a PID of greater\r\nthan 10) by calling CreateToolhelp32Snapshot. It’ll also grab the Windows version and CPU arch.\r\nPrior to encryption, the contents of the buffer before it’s sent out to the C2 contains the following information:\r\n10.152.X.X|##HOSTNAME##d##OPOP\u003c*\u003csmss.exe\u003e\u003ecsrss.exe\u003e\u003ewininit.exe\u003e\u003ecsrss.exe\u003e\u003ewinlogon.exe\u003e\u003eservices.exe\u003e\u003elsass.e\r\nC2 communications\r\nThe data that is harvested from the host is sent to the C2 controller and encrypted using an AES key of\r\n\\x12\\x44\\x56\\x38\\x55\\x82\\x56\\x85\\x23\\x25\\x56\\x45\\x52\\x47\\x45\\x86. In ascii, (while not all characters are\r\nprintable), the string will be “\\x12DV8U\\x82V\\x85#%VERGE\\x86”.\r\nOnce the function is finished, it’ll write “esd +2” to the file 222.txt.\r\nDownload and Execute\r\nIf the file 1.txt contains the command “bre -1” the malware will continue down a different path of execution.\r\nThe malware will generate a random filename (8 characters long), by using a lookup table. It’ll generate indexes into\r\nthe string “123456789abcdefehijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ” and simply concat\r\nthem together.\r\nThe proxy settings are read again and a simple connect is performed. If the connect succeeds “ok” is sent.\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 12 of 21\n\nThe recv call is performed and a file is downloaded, written to the temporary file name and exec’d using the\r\nfollowing hardcoded command.\r\ncmd.exe /c rundll32.exe \u003cfilename\u003e,FSSync_ScreeActive\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 13 of 21\n\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 14 of 21\n\nDuring the course of research, we didn’t identify the secondary file that is pushed to the host, although some\r\ninformation can be gained from static analysis. The file would need to be PE DLL with an exported function of\r\nFSSync_ScreeActive. This is most likely the function in which the authors will load a more robust stage 2 backdoor.\r\nWhen the command is completed, “ere +2” is written to 222.txt\r\nSummary\r\nRambo is a unique backdoor with features that are the result of some odd design decisions. In the initial dropper the\r\nconfiguration containing offsets and filenames are encoded with TEA, however the binaries are not encoded at all. It\r\nuses AES to encode the host information that is sent out over the network, however the C2 is hidden with a single\r\nbyte XOR. While they may not make much sense to a reverse engineer, it gives some idea to the information that the\r\nauthor doesn’t want to be easily recovered. By writing commands to temporary files and trying to communicate\r\nbetween multiple processes, the authors turn a simple stage 1 implant into something that is confusing and more\r\ndifficult to study.\r\nMature security programs research edge cases and newly discovered code in order to understand tools, tactics and\r\nprocedures of successful advanced groups that will inevitably become more common in the future.\r\nIndicators of Compromise:\r\nIndicator Type Description\r\nbusserh.mancely.com Domain\r\nCommand and\r\nControl\r\ngosuper@excite.co.jp\r\nEmail\r\nAddress\r\nRegistrant of\r\nbusserh.mancely.com\r\n108.61.117.31 IP\r\nResolution of\r\nbusserh.mancely.com\r\nC:\\Users\u003cuser\u003e\\AppData\\Local\\Temp\\HeartDll.dll Filename\r\nC:\\Users\u003cuser\u003e\\AppData\\Local\\Temp\\vprintproxy.exe Filename\r\nC:\\Users\u003cuser\u003e\\AppData\\Local\\Temp\\vmwarebase.dll Filename\r\nC:\\Users\u003cuser\u003e\\AppData\\Local\\Temp\\222.txt Filename\r\nC:\\Users\u003cuser\u003e\\AppData\\Local\\Temp\\3.txt Filename\r\ne154e62c1936f62aeaf55a41a386dbc293050acec8c4616d16f75395884c9090 Hash RTF Dropper\r\n7571642ec340c4833950bb86d3ded4d4b7c2068347e8125a072c5a062a5d6b68 Hash Main Dropper\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 15 of 21\n\nIndicator Type Description\r\n5bfcd2cc01a5b930fc704a695f0fe38f1bca8bdfafd8b7d931a37428b5e86f35 Hash\r\nHash of\r\nvmwarebase.dll\r\n76405617acc7fa6c51882fe49d9b059900c10fc077840df9f6a604bf4fab85ba Hash\r\nHash of\r\nvprintproxy.exe\r\n(legit executable)\r\n11668a0666636b3c40b61986bf132a8ca6ab448fddcaa9e4ed22f6ca7f7b8a50 Hash Hash of HeartDll.dll\r\nAdditional Notes\r\nIn the symbol table for Rambo (vmwarebase.dll) it appears that the authors left in the original compiled name of the\r\nexecutable (FirstBlood.tmp) which accounts for the naming convention.\r\nThe functions that contain the name are the functions that were overwritten from the legit vmwarebase.dll as to not\r\nbreak the functionality of vprintproxy.exe.\r\nvaddr=0x10001431 paddr=0x00000831 ord=000 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_Err_Errno2Strin\r\nvaddr=0x10001431 paddr=0x00000831 ord=001 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_Log\r\nvaddr=0x10001431 paddr=0x00000831 ord=002 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_Log_CfgInterface\r\nvaddr=0x10001431 paddr=0x00000831 ord=003 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_Log_InitWithFile\r\nvaddr=0x10001431 paddr=0x00000831 ord=004 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_Log_SetProductIn\r\nvaddr=0x10001431 paddr=0x00000831 ord=005 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_Preference_Init\r\nvaddr=0x10001431 paddr=0x00000831 ord=006 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_ProductState_Get\r\nvaddr=0x10001431 paddr=0x00000831 ord=007 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_ProductState_Get\r\nvaddr=0x10001431 paddr=0x00000831 ord=008 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_ProductState_Get\r\nvaddr=0x10001431 paddr=0x00000831 ord=009 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_ProductState_Get\r\nvaddr=0x10001431 paddr=0x00000831 ord=010 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_W32Util_AsciiStr\r\nvaddr=0x10001431 paddr=0x00000831 ord=011 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_W32Util_GetInsta\r\nvaddr=0x10001431 paddr=0x00000831 ord=012 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_Warning\r\nvaddr=0x10001431 paddr=0x00000831 ord=013 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_Win32U_LoadLibra\r\nvaddr=0x10001431 paddr=0x00000831 ord=014 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_Win32U_RegCreate\r\nvaddr=0x10001431 paddr=0x00000831 ord=015 fwd=NONE sz=0 bind=GLOBAL type=FUNC name=FirstBlood.tmp_Win32U_RegOpenKe\r\nModified PyTEA\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 16 of 21\n\n#!/usr/bin/env python\r\n#################################################################################\r\n# Python implementation of the Tiny Encryption Algorithm (TEA)\r\n# By Moloch\r\n#\r\n# About: TEA has a few weaknesses. Most notably, it suffers from\r\n# equivalent keys each key is equivalent to three others,\r\n# which means that the effective key size is only 126 bits.\r\n# As a result, TEA is especially bad as a cryptographic hash\r\n# function. This weakness led to a method for hacking Microsoft's\r\n# Xbox game console (where I first encountered it), where the\r\n# cipher was used as a hash function. TEA is also susceptible\r\n# to a related-key attack which requires 2^23 chosen plaintexts\r\n# under a related-key pair, with 2^32 time complexity.\r\n#\r\n# Block size: 64bits\r\n# Key size: 128bits\r\n#\r\n##################################################################################\r\nimport os\r\nimport getpass\r\nimport platform\r\nimport struct\r\nfrom random import choice\r\nfrom hashlib import sha256\r\nfrom ctypes import c_uint32\r\nfrom string import ascii_letters, digits\r\nif platform.system().lower() in ['linux', 'darwin']:\r\n INFO = \"\\033[1m\\033[36m[*]\\033[0m \"\r\n WARN = \"\\033[1m\\033[31m[!]\\033[0m \"\r\nelse:\r\n INFO = \"[*] \"\r\n WARN = \"[!] \"\r\n### Magical Constants\r\nDELTA = 0x9e3779b9\r\nSUMATION = 0xc6ef3720\r\nROUNDS = 32\r\nBLOCK_SIZE = 2 # number of 32-bit ints\r\nKEY_SIZE = 4\r\n### Functions ###\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 17 of 21\n\ndef encrypt_block(block, key, verbose=False):\r\n '''\r\n Encrypt a single 64-bit block using a given key\r\n @param block: list of two c_uint32s\r\n @param key: list of four c_uint32s\r\n '''\r\n assert len(block) == BLOCK_SIZE\r\n assert len(key) == KEY_SIZE\r\n sumation = c_uint32(0)\r\n delta = c_uint32(DELTA)\r\n for index in range(0, ROUNDS):\r\n sumation.value += delta.value\r\n block[0].value += ((block[1].value \u003c\u003c 4) + key[0].value) ^ (block[1].value + sumation.value) ^ ((block[1].\r\n block[1].value += ((block[0].value \u003c\u003c 4) + key[2].value) ^ (block[0].value + sumation.value) ^ ((block[0].\r\n if verbose: print(\"\\t--\u003e Encrypting block round %d of %d\" % (index + 1, ROUNDS))\r\n return block\r\ndef decrypt_block(block, key, verbose=False):\r\n '''\r\n Decrypt a single 64-bit block using a given key\r\n @param block: list of two c_uint32s\r\n @param key: list of four c_uint32s\r\n '''\r\n assert len(block) == BLOCK_SIZE\r\n assert len(key) == KEY_SIZE\r\n sumation = c_uint32(SUMATION)\r\n delta = c_uint32(DELTA)\r\n for index in range(0, ROUNDS):\r\n block[1].value -= ((block[0].value \u003c\u003c 4) + key[2].value) ^ (block[0].value + sumation.value) ^ ((block[0].\r\n block[0].value -= ((block[1].value \u003c\u003c 4) + key[0].value) ^ (block[1].value + sumation.value) ^ ((block[1].\r\n sumation.value -= delta.value\r\n if verbose: print(\"\\t\u003c-- Decrypting block round %d of %d\" % (index + 1, ROUNDS))\r\n return block\r\ndef to_c_array(data):\r\n ''' Converts a string to a list of c_uint32s '''\r\n c_array = []\r\n for index in range(0, len(data)/4):\r\n chunk = data[index*4:index*4+4]\r\n packed = struct.unpack(\"\u003eL\", chunk)[0]\r\n c_array.append(c_uint32(packed))\r\n return c_array\r\ndef to_string(c_array):\r\n ''' Converts a list of c_uint32s to a Python (ascii) string '''\r\n output = ''\r\n for block in c_array:\r\n output += struct.pack(\"\u003eL\", block.value)\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 18 of 21\n\nreturn output\r\ndef random_chars(nchars):\r\n chars = ''\r\n for n in range(0, nchars):\r\n chars += choice(ascii_letters + digits)\r\n return chars\r\ndef add_padding(data, verbose=False):\r\n pad_delta = 4 - (len(data) % 4)\r\n if verbose:\r\n print(INFO + \"Padding delta: %d\" % pad_delta)\r\n data += random_chars(pad_delta)\r\n data += \"%s%d\" % (random_chars(3), pad_delta)\r\n return data\r\ndef encrypt(data, key, verbose=False):\r\n '''\r\n Encrypt string using TEA algorithm with a given key\r\n '''\r\n data = add_padding(data, verbose)\r\n data = to_c_array(data)\r\n key = to_c_array(key.encode('ascii', 'ignore'))\r\n cipher_text = []\r\n for index in range(0, len(data), 2):\r\n if verbose:\r\n print(INFO + \"Encrypting block %d\" % index)\r\n block = data[index:index + 2]\r\n block = encrypt_block(block, key, verbose)\r\n for uint in block:\r\n cipher_text.append(uint)\r\n if verbose:\r\n print(INFO + \"Encryption completed successfully\")\r\n return to_string(cipher_text)\r\ndef decrypt(data, key, verbose=False):\r\n data = to_c_array(data)\r\n key = to_c_array(key.encode('ascii', 'ignore'))\r\n plain_text = []\r\n for index in range(0, len(data), 2):\r\n if verbose:\r\n print(INFO + \"Encrypting block %d\" % index)\r\n block = data[index:index + 2]\r\n decrypted_block = decrypt_block(block, key, verbose)\r\n for uint in decrypted_block:\r\n plain_text.append(uint)\r\n data = to_string(plain_text)\r\n if verbose:\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 19 of 21\n\nprint(INFO + \"Decryption compelted successfully\")\r\n return data\r\ndef get_key(password=''):\r\n ''' Generate a key based on user password '''\r\n if 0 == len(password):\r\n password = getpass.getpass(INFO + \"Password: \")\r\n sha = sha256()\r\n sha.update(password + \"Magic Static Salt\")\r\n sha.update(sha.hexdigest())\r\n return ''.join([char for char in sha.hexdigest()[::4]])\r\ndef encrypt_file(fpath, key, verbose=False):\r\n with open(fpath, 'rb+') as fp:\r\n data = fp.read()\r\n cipher_text = encrypt(data, key, verbose)\r\n fp.seek(0)\r\n fp.write(cipher_text)\r\n fp.close()\r\ndef decrypt_file(fpath, key, verbose=False):\r\n with open(fpath, 'rb+') as fp:\r\n data = fp.read()\r\n plain_text = decrypt(data, key, verbose)\r\n fp.close()\r\n fp = open(fpath, 'w')\r\n fp.write(plain_text)\r\n fp.close()\r\n### UI Code ###\r\nif __name__ == '__main__':\r\n from argparse import ArgumentParser\r\n parser = ArgumentParser(\r\n description='Python implementation of the TEA cipher',\r\n )\r\n parser.add_argument('-e', '--encrypt',\r\n help='encrypt a file',\r\n dest='epath',\r\n default=None\r\n )\r\n parser.add_argument('-d', '--decrypt',\r\n help='decrypt a file',\r\n dest='dpath',\r\n default=None\r\n )\r\n parser.add_argument('--verbose',\r\n help='display verbose output',\r\n default=False,\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 20 of 21\n\naction='store_true',\r\n dest='verbose'\r\n )\r\n args = parser.parse_args()\r\n if args.epath is None and args.dpath is None:\r\n print('Error: Must use --encrypt or --decrypt')\r\n elif args.epath is not None:\r\n print(WARN + 'Encrypt Mode: The file will be overwritten')\r\n if os.path.exists(args.epath) and os.path.isfile(args.epath):\r\n key = get_key()\r\n encrypt_file(args.epath, key, args.verbose)\r\n else:\r\n print(WARN + 'Error: target does not exist, or is not a file')\r\n elif args.dpath is not None:\r\n print(WARN + 'Decrypt Mode: The file will be overwritten')\r\n if os.path.exists(args.dpath) and os.path.isfile(args.dpath):\r\n key = get_key()\r\n decrypt_file(args.dpath, key, args.verbose)\r\n else:\r\n print(WARN + 'Error: target does not exist, or is not a file')\r\nSource: https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nhttps://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md\r\nPage 21 of 21", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md" ], "report_names": [ "2017-02-15-the-rambo-backdoor.md" ], "threat_actors": [ { "id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0", "created_at": "2023-01-06T13:46:38.469688Z", "updated_at": "2026-04-10T02:00:02.987949Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "Moafee", "BRONZE OVERBROOK", "G0017", "G0002", "Shallow Taurus" ], "source_name": "MISPGALAXY:DragonOK", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28", "created_at": "2022-10-25T15:50:23.78829Z", "updated_at": "2026-04-10T02:00:05.415039Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "DragonOK" ], "source_name": "MITRE:DragonOK", "tools": [ "PoisonIvy", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "593dd07d-853c-46cd-8117-e24061034bbf", "created_at": "2025-08-07T02:03:24.648074Z", "updated_at": "2026-04-10T02:00:03.625859Z", "deleted_at": null, "main_name": "BRONZE OVERBROOK", "aliases": [ "Danti ", "DragonOK ", "Samurai Panda ", "Shallow Taurus ", "Temp.DragonOK " ], "source_name": "Secureworks:BRONZE OVERBROOK", "tools": [ "Aveo", "DDKONG", "Godzilla Webshell", "HelloBridge", "IsSpace", "NFLog Trojan", "PLAINTEE", "PlugX", "Rambo" ], "source_id": "Secureworks", "reports": null }, { "id": "340d1673-0678-4e1f-8b75-30da2f65cc80", "created_at": "2022-10-25T16:07:23.552036Z", "updated_at": "2026-04-10T02:00:04.653109Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "Bronze Overbrook", "G0017", "Shallow Taurus" ], "source_name": "ETDA:DragonOK", "tools": [ "Agent.dhwf", "CT", "Chymine", "Darkmoon", "Destroy RAT", "DestroyRAT", "FF-RAT", "FormerFirstRAT", "Gen:Trojan.Heur.PT", "HTran", "HUC Packet Transmit Tool", "HelloBridge", "IsSpace", "KHRAT", "Kaba", "Korplug", "Mongall", "NFlog", "NewCT", "NfLog RAT", "PlugX", "Poison Ivy", "Rambo", "RedDelta", "SPIVY", "Sogu", "SysGet", "TIGERPLUG", "TVT", "Thoper", "TidePool", "Xamtrav", "brebsd", "ffrat", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434765, "ts_updated_at": 1775826738, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ad154f323769a33b99f10cd08e3762abe747c108.pdf", "text": "https://archive.orkl.eu/ad154f323769a33b99f10cd08e3762abe747c108.txt", "img": "https://archive.orkl.eu/ad154f323769a33b99f10cd08e3762abe747c108.jpg" } }