Related groups of threat actors often reuse bits and pieces of code across separate pieces of malware, and that reuse can serve as an attribution method. If a function, class, method, constant, or any such piece of data that is novel to one malware family turns up in a new sample, there is a high likelihood that the disparate samples are related in one way or another. Perhaps the two strains were authored by the same person? Maybe they are colleagues?
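An added example, not code from the original post, of what the idea looks like in practice: each function is fingerprinted so that a relocated copy still matches, and fingerprints that also occur in a constructed corpus of common library code are dropped before scoring, since shared CRT or statically linked routines would otherwise produce false attributions. All disassembly, samples and addresses below are constructed toys.

```python
import hashlib
import re
from typing import Dict, List, Set

# Mask addresses (4+ hex digits) so relocated copies of a function hash the
# same, but keep short immediates such as XOR keys, which are often the
# family-specific constants that make a fingerprint novel.
ADDR_RE = re.compile(r"0x[0-9a-fA-F]{4,}")

def fingerprint(instructions: List[str]) -> str:
    """Hash one function's disassembly after masking addresses."""
    normalized = "\n".join(ADDR_RE.sub("ADDR", line.strip()) for line in instructions)
    return hashlib.sha256(normalized.encode()).hexdigest()[:16]

def sample_features(sample: Dict[str, List[str]]) -> Set[str]:
    """All function fingerprints in a sample (function names are ignored)."""
    return {fingerprint(body) for body in sample.values()}

def family_signature(family: List[Dict[str, List[str]]], common: Set[str]) -> Set[str]:
    """Fingerprints seen in the family minus those found in common library code."""
    feats: Set[str] = set()
    for sample in family:
        feats |= sample_features(sample)
    return feats - common

def attribution_score(new_sample: Dict[str, List[str]], signature: Set[str]) -> float:
    """Fraction of the family's novel functions that the new sample reuses."""
    shared = sample_features(new_sample) & signature
    return len(shared) / len(signature) if signature else 0.0

# Constructed toy disassembly. Library code that unrelated binaries also carry:
MEMCPY = ["mov rcx, rdx", "rep movsb", "ret"]
STRLEN = ["xor eax, eax", "cmp byte [rdi+rax], 0", "je 0x401020", "inc rax", "jmp 0x401008", "ret"]
COMMON = {fingerprint(MEMCPY), fingerprint(STRLEN)}

# Family-specific string decoder (note the 0x5A key) and beacon builder,
# plus the same decoder relocated to another address in a second sample.
DECODE = ["mov al, [rsi]", "xor al, 0x5A", "mov [rdi], al", "inc rsi", "inc rdi", "loop 0x402000", "ret"]
DECODE_RELOC = [i.replace("0x402000", "0x7ff010") for i in DECODE]
BEACON = ["lea rdi, [0x405000]", "call 0x403100", "mov edx, 0x1F4", "ret"]

FAMILY = [{"memcpy": MEMCPY, "dec": DECODE, "beacon": BEACON},
          {"memcpy": MEMCPY, "strlen": STRLEN, "dec": DECODE_RELOC}]
SIGNATURE = family_signature(FAMILY, COMMON)

NEW_SAMPLE = {"memcpy": MEMCPY, "strlen": STRLEN, "sub_1": DECODE_RELOC,
              "sub_2": ["push rbp", "call 0x404000", "pop rbp", "ret"]}
UNRELATED = {"memcpy": MEMCPY, "strlen": STRLEN, "init": ["xor eax, eax", "ret"]}

if __name__ == "__main__":
    print(f"new sample: {attribution_score(NEW_SAMPLE, SIGNATURE):.2f}")  # 0.50
    print(f"unrelated : {attribution_score(UNRELATED, SIGNATURE):.2f}")   # 0.00
```

The unrelated sample scores zero even though it shares memcpy and strlen with the family, which is the point of the common-code filter; the new sample scores 0.5 because it carries the family's custom decoder but not its beacon builder.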
code reuse as attribution