> I believe the use of open source tools to accomplish their tasks is interesting. Using "living off the land" open source tools also hinders researchers when trying to attribute an attack to a certain country.
That is one conclusion. But, given that there seems to be a significant amount of code that's custom (the filesystem module), I'm not sure what that would accomplish. If that too was open source and there was a tiny amount of glue code, then it would make some sense. Leave the most suspicious hooks (like all input device monitoring) to well known tools.
Based on the report, it is more likely that whichever group created it didn't have much knowledge. Using the Shutdown Alarm and pissing all over the system just to accomplish such a tiny task is difficult to justify, and that's what drew undue attention.