Apt Encounters of the Third Kind

9 hours ago (igor-blue.github.io)

“To be continued.”

This was published in 2021 but apparently never continued.

  • Cue spooky music.

    • 1. power off using switch

      2. boot from immutable live system

      3. sudo mkdir -p /mnt/sus/infected

      4. sudo ddrescue -d -f /dev/sda /mnt/sus/sus.img /mnt/sus/sus.log

      5. sudo kpartx -l /mnt/sus/sus.img

      6. sudo kpartx -av /mnt/sus/sus.img

      7. sudo mount -o loop /dev/mapper/loop0p2 /mnt/sus/infected

      8. sudo debsums -sac -r /mnt/sus/infected

      9. sudo umount /dev/mapper/loop0p2

      10. sudo kpartx -d /mnt/sus/sus.img

      11. Submit infected binaries in zip.vir file for forensic de-compilation, and ascertain how payload was dropped.

      Every once in a while these things happen. Better to redeploy a new clean OS container on the host, and dump the traffic with a remote live packet capture.

      Repeat as necessary. =3
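Step 8 of the procedure above (`debsums -sac -r /mnt/sus/infected`) is the one that actually decides which binaries are "infected": debsums reads each package's `.md5sums` manifest under `var/lib/dpkg/info/` on the mounted image and compares it with the files present. The following is an added example, not code from the thread or from the debsums project: it reimplements that comparison in Python so the check can be run against any mounted root (the thread's `/mnt/sus/infected` is assumed as the root path) and returns the changed and missing files as data rather than printed lines. The sample root it builds is constructed data, not a real image.

```python
"""Offline integrity check of a mounted root against dpkg .md5sums manifests.

Added example (not from the thread): mirrors what `debsums -sac -r <root>`
does so the result can be consumed programmatically. The mounted image root
is assumed to be a path such as /mnt/sus/infected from the thread.
"""
import hashlib
import tempfile
from pathlib import Path


def _md5_of(path: Path) -> str:
    # Stream the file so large binaries don't need to fit in memory.
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sums(text: str) -> dict:
    """Parse one dpkg .md5sums manifest: '<md5>  <path relative to />' per line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.partition("  ")  # dpkg uses two spaces as separator
        entries[rel] = digest.lower()
    return entries


def verify_root(root) -> dict:
    """Compare every file listed in <root>/var/lib/dpkg/info/*.md5sums with the
    file actually present under <root>.

    Returns {'changed': [...], 'missing': [...]} with root-relative paths,
    sorted so the output is easy to triage or diff between runs."""
    root = Path(root)
    info = root / "var" / "lib" / "dpkg" / "info"
    changed, missing = [], []
    for manifest in sorted(info.glob("*.md5sums")):
        for rel, expected in parse_md5sums(manifest.read_text()).items():
            target = root / rel
            if not target.is_file():
                missing.append(rel)
            elif _md5_of(target) != expected:
                changed.append(rel)
    return {"changed": sorted(changed), "missing": sorted(missing)}


def build_sample_root() -> str:
    """Construct a tiny fake mounted root (constructed data, not a real image):
    one intact packaged file, one altered on disk, and one missing entirely."""
    root = Path(tempfile.mkdtemp(prefix="sus-root-"))
    (root / "var/lib/dpkg/info").mkdir(parents=True)
    (root / "usr/bin").mkdir(parents=True)
    good = b"#!/bin/sh\necho hello\n"
    (root / "usr/bin/hello").write_bytes(good)
    # Manifest records the original content; the on-disk copy differs.
    (root / "usr/bin/ls").write_bytes(b"#!/bin/sh\necho tampered\n")
    manifest = (
        f"{hashlib.md5(good).hexdigest()}  usr/bin/hello\n"
        f"{hashlib.md5(b'original ls').hexdigest()}  usr/bin/ls\n"
        f"{hashlib.md5(b'cat').hexdigest()}  usr/bin/cat\n"
    )
    (root / "var/lib/dpkg/info/coreutils.md5sums").write_text(manifest)
    return str(root)


if __name__ == "__main__":
    # Replace build_sample_root() with the real mount point, e.g. /mnt/sus/infected.
    report = verify_root(build_sample_root())
    for kind in ("changed", "missing"):
        for rel in report[kind]:
            print(f"{kind}: {rel}")
```

One caveat worth keeping in mind when reading the result: the `.md5sums` manifests live on the same suspect disk as the binaries, so an intruder who rewrites both the file and its manifest entry produces a clean report. That is why the thread's step 11 still sends the flagged binaries off for decompilation rather than treating the checksum list as the final word; re-fetching the original `.deb` packages from a trusted mirror and hashing those is the stronger comparison.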