by cyberlab 1877 days ago
> the malware samples appear to have been compiled seven years ago, in 2014

So it was possible then to analyze the metadata of the files and determine when the malware was made/compiled? That seems like bad OPSEC. If I was CIA I would be rigorous in modifying and faking when certain files were last modified or created, and possibly stripping other damaging metadata (if it's incriminating enough). This is basic metadata hygiene employed by journalists, whistleblowers etc
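For Windows executables, the "when was it compiled" metadata the comment above refers to is normally read from the TimeDateStamp field of the PE/COFF file header. The following is an added example and not code from this thread: it constructs a minimal PE-shaped byte string (a constructed sample, not a real binary), extracts that field the way a triage script would, and applies the plausibility checks an analyst runs before treating the value as evidence. Function names and the 1990 lower bound are my own choices.

```python
import struct
from datetime import datetime, timezone

# Constructed minimal PE layout: DOS header (e_lfanew at 0x3C), then "PE\0\0",
# then the 20-byte COFF file header whose third field is TimeDateStamp.
def build_minimal_pe(timestamp: int) -> bytes:
    """Build a constructed PE-shaped sample carrying the given TimeDateStamp."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=0x14C (i386), NumberOfSections=0, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE|32BIT)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_timestamp(data: bytes) -> int:
    """Return the raw TimeDateStamp (seconds since 1970-01-01 UTC) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header starts right after "PE\0\0"; TimeDateStamp is at offset 8 within it.
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


# Heuristic lower bound (assumption): PE binaries did not exist before the early 1990s.
_EARLIEST_PLAUSIBLE = int(datetime(1990, 1, 1, tzinfo=timezone.utc).timestamp())


def assess_timestamp(ts: int, observed_at: int) -> dict:
    """Classify a compile timestamp relative to when the sample was first observed.

    A value that is zero, before 1990, or later than the first sighting cannot be a
    genuine build time and is a sign the field was cleared, replaced or corrupted.
    """
    if ts == 0:
        verdict = "zero_or_cleared"
    elif ts < _EARLIEST_PLAUSIBLE:
        verdict = "implausibly_old"
    elif ts > observed_at:
        verdict = "future_relative_to_observation"
    else:
        verdict = "plausible"
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {"verdict": verdict, "year": when.year, "iso": when.isoformat()}


def date_sample(data: bytes, observed_at: int) -> dict:
    """Full path: parse the header and judge the timestamp it carries."""
    return assess_timestamp(pe_compile_timestamp(data), observed_at)


if __name__ == "__main__":
    # Constructed scenario: a sample that claims a mid-2014 build, first seen in 2021.
    sample = build_minimal_pe(1401580800)  # 2014-06-01T00:00:00+00:00
    first_seen = 1609459200               # 2021-01-01T00:00:00+00:00
    print(date_sample(sample, first_seen))
```

Even a "plausible" verdict is weak evidence on its own: the field is a plain 32-bit integer that any linker option or post-build tool can set, and compilers with deterministic-build modes (MSVC's /Brepro, for instance) store a content hash there rather than a clock value. Analysts therefore corroborate it against other dates the file carries (debug directory, resource version info, Authenticode signing time) and against first-seen telemetry, which is the kind of cross-check the rest of this thread is circling around.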

3 comments

Don't overestimate government coders skills...

Often it's a massive team with people of very varied programming skills. The core exploit might be some super high tech, hand coded in assembly rootkit, but then the remote control stuff might end up being some badly written powershell script or multi-megabyte dot-net, java or python binary pulling in every library under the sun.

There's a fantastic example of this from fall of 2019. China was using an iPhone 0day which was extremely complicated to do internal surveillance, and the C2 for it was happening over http.
What is a C2?
Command and control
Command and control, I think
It seems like this is simply the approach of any coder who's just trying to get X done without worrying about maintaining stuff. Academic code is often "crap" and it's written by smart people but smart people only concerned about getting the algorithm implemented.

Which is to say, no one has yet come up with an approach that combines "fast to write, fast to run, and easy to maintain".

Maybe it's less suspicious to have benign metadata than no metadata.
Yeah, which is why I suggest faking metadata rather than simply stripping it. There are anti-forensic tools for doing that.
Honest question, how do we know that this wasn't faked? What makes the 2014 date more problematic, and what would it be faked to be?
I think it was based more on when the samples were found
Yet the samples retain their original creation date?
The year was given. Suppose it was found as early as 2014 on a device that had since been retired. That's one way to ballpark its creation year.