APT Malware Crossword Puzzle by @MalwareRE

Across
  3. I replaced wermgr.exe for persistence and used Twitter for DDR, I am not to be tossed around
  4. Developed in .NET, my name translates to Cassowary in English
  7. I am only 1 away from being a perfect PHP webshell
  9. They say I targeted electric grid systems in UA, featured a modular design with multiple custom ICS payloads each speaking different ICS communication protocols (IEC and OPC), sported wiper, network discovery and Denial-of-Service modules
  10. I was a multi-purpose espionage framework, I was named after the name of one of my main modules, what do Flamin’ Hot Cheetos and I share in common?
  13. I, the DLL, live on Exchange Servers, they say MFAs and diplomatic missions/orgs are my favorite targets, I leverage SMTP events to read, modify, compose and block emails
  14. Some people know me as Pirpi, others confuse me with a power supply
  17. I’m so happy I wanna…cry
  19. Chop chop, who’s there? webshell
  23. Last name's Duke, I was born in Python
  24. Some call me malware, others say I am just a proxy tool, how about we ask my author, the “lion” of HUC
  25. Listen, like any good bootkit, when they go high, you go low, Jack
  26. We told you not to release The Interview, got wiper?
  28. I, the reptile rootkit, use two CAST-128 encrypted Virtual File Systems to store data, INT C3 is my favorite Interrupt
Down
  1. My Twitter handle
  2. They say I was born in Russia but rumor has it that I was named after an R-rated bar in San Francisco
  5. They claim I was the first member of the “~D Platform”, I got my name from a prefix I commonly used in the names of files I created
  6. My network traffic is encrypted with Camellia, stay away or else you might develop a rash
  8. Rumint has it that I was born in a western country but I have never been (publicly) attributed to a country, lots of Lua modules, some know me by my “all-seeing eye” project name
  11. My name may sound cute but I’m neither mimi nor a cat
  12. I targeted SCADA systems…Summer 2010, it was raining 0days when a rebellious worm infected PLC systems with rootkits...oh you still need a hint? Drops mic
  15. I used to be an Agent, my cousin used to be a Tunnel
  16. One of the most sophisticated malware suites to date, they say my name has something to do with being "In Reg" and originated from the submission name of a sample that was uploaded to VirusTotal, I'd say ask my father, Hreiðmarr
  18. Some said I was more sophisticated than Duqu while others dissed me, I got caught while trying to exploit a vulnerability in an AV product to hide what they called my “ugly face”, my creators and I share the same Spanish name
  20. They say I targeted Industrial Control Systems (ICS) in EU and NA, mapped industrial networks using an OPC protocol scanning module, I propagated via trojanized legitimate ICS/SCADA software and watering-hole attacks that leveraged exploit kits
  21. I was distributed via a malicious Tor exit node and infected torrent files, C2 analysis linked me to The Dukes
  22. Beloved by East Asian APT actors, most know me for my “X-” HTTP header fields
  27. They say my authors were inspired (in retaliation) by Flame, just like Flame I was used to target national oil companies, wiped hard drives and featured a logic bomb