File size: 56,238 Bytes
038e086
{"text": "Uses RijndaelManaged instead of AES for encryption . ( with ECB mode , which is considered weak ) .", "spans": {}, "info": {"id": "aptner_dev_000000", "source": "aptner_dev"}}
{"text": "There are more indications as well , such as names of objects , files etc .", "spans": {}, "info": {"id": "aptner_dev_000010", "source": "aptner_dev"}}
{"text": "Serialize the client object ( which will be later encrypted and sent ) .", "spans": {}, "info": {"id": "aptner_dev_000025", "source": "aptner_dev"}}
{"text": "Get file system .", "spans": {}, "info": {"id": "aptner_dev_000044", "source": "aptner_dev"}}
{"text": "Upload / download / execute files .", "spans": {}, "info": {"id": "aptner_dev_000045", "source": "aptner_dev"}}
{"text": "Startup manager .", "spans": {}, "info": {"id": "aptner_dev_000046", "source": "aptner_dev"}}
{"text": "Open task manager .", "spans": {}, "info": {"id": "aptner_dev_000047", "source": "aptner_dev"}}
{"text": "Edit registry .", "spans": {}, "info": {"id": "aptner_dev_000049", "source": "aptner_dev"}}
{"text": "Reverse Proxy .", "spans": {}, "info": {"id": "aptner_dev_000050", "source": "aptner_dev"}}
{"text": "Open remote desktop connection .", "spans": {}, "info": {"id": "aptner_dev_000052", "source": "aptner_dev"}}
{"text": "Observe the desktop and actions of active user .", "spans": {}, "info": {"id": "aptner_dev_000053", "source": "aptner_dev"}}
{"text": "Password stealing .", "spans": {}, "info": {"id": "aptner_dev_000055", "source": "aptner_dev"}}
{"text": "Visit website .", "spans": {}, "info": {"id": "aptner_dev_000057", "source": "aptner_dev"}}
{"text": "We refer to this ( somewhat ironic ) technique as a “ Double Edged Sword Attack ” .", "spans": {}, "info": {"id": "aptner_dev_000062", "source": "aptner_dev"}}
{"text": "Quasar serve includes a File Manager window , allowing the attacker to select victim files , and trigger file operations – for example , uploading a file from victim machine to server .", "spans": {"Malware: Quasar": [[0, 6]], "System: File Manager window": [[24, 43]]}, "info": {"id": "aptner_dev_000067", "source": "aptner_dev"}}
{"text": "will result in writing our file instead to the same directory as the Quasar serve code .", "spans": {"Malware: Quasar": [[69, 75]]}, "info": {"id": "aptner_dev_000073", "source": "aptner_dev"}}
{"text": "The C2 server responds using the same format and serialization/encryption/encoding .", "spans": {"System: C2": [[4, 6]]}, "info": {"id": "aptner_dev_000104", "source": "aptner_dev"}}
{"text": "Unfortunately , we were unable to get any C2 servers to issue download commands to any samples that we tested in our lab .", "spans": {"System: C2": [[42, 44]]}, "info": {"id": "aptner_dev_000106", "source": "aptner_dev"}}
{"text": "After successful execution , Downeks returns the results to the C2 server .", "spans": {"Malware: Downeks": [[29, 36]], "System: C2": [[64, 66]]}, "info": {"id": "aptner_dev_000109", "source": "aptner_dev"}}
{"text": "Downeks enumerates any antivirus products installed on the victim machine and transmits the list to the C2 .", "spans": {"Malware: Downeks": [[0, 7]], "System: C2": [[104, 106]]}, "info": {"id": "aptner_dev_000120", "source": "aptner_dev"}}
{"text": "In another similarity between both variants , Dowenks assesses the victim ’s external IP using an HTTP request to http://www.myexternalIP .", "spans": {"Malware: Dowenks": [[46, 53]], "System: HTTP request": [[98, 110]]}, "info": {"id": "aptner_dev_000123", "source": "aptner_dev"}}
{"text": "com/raw .", "spans": {"Indicator: com/raw": [[0, 7]]}, "info": {"id": "aptner_dev_000124", "source": "aptner_dev"}}
{"text": "Downeks has static encryption keys hardcoded in the code .", "spans": {"Malware: Downeks": [[0, 7]]}, "info": {"id": "aptner_dev_000128", "source": "aptner_dev"}}
{"text": "The email purported to have been sent from legitimate email ids .", "spans": {"System: email": [[4, 9], [54, 59]]}, "info": {"id": "aptner_dev_000137", "source": "aptner_dev"}}
{"text": "The attackers spoofed the email ids associated with Indian Ministry of Home Affairs to send out email to the victims .", "spans": {"System: email": [[26, 31], [96, 101]], "Organization: Indian Ministry of Home Affairs": [[52, 83]]}, "info": {"id": "aptner_dev_000138", "source": "aptner_dev"}}
{"text": "This email was later forwarded on Oct 24th,2016 from a spoofed email id which is associated with Thailand Indian embassy to various email recipients connected to the Indian Ministry of External Affairs as shown in the below screen shot .", "spans": {"System: email": [[5, 10], [63, 68], [132, 137]], "Organization: Indian embassy": [[106, 120]], "Organization: Indian Ministry of External Affairs": [[166, 201]]}, "info": {"id": "aptner_dev_000143", "source": "aptner_dev"}}
{"text": "Once the dropped file ( officeupdate.exe ) is executed the malware drops additional files ( googleupdate.exe , malib.dll and msccvs.dll ) into the %AllUsersProfile%\\Google directory and then executes the dropped googleupdate.exe Upon execution malware makes a connection to the c2 server on port 5555 and sends the system & operating system information along with some base64 encoded strings to the attacker as shown below .", "spans": {"Indicator: officeupdate.exe": [[24, 40]], "Malware: the malware": [[55, 66]], "Indicator: googleupdate.exe": [[92, 108], [212, 228]], "Indicator: malib.dll": [[111, 120]], "Indicator: msccvs.dll": [[125, 135]], "Organization: %AllUsersProfile%\\Google": [[147, 171]], "Malware: malware": [[244, 251]], "System: c2": [[278, 280]]}, "info": {"id": "aptner_dev_000161", "source": "aptner_dev"}}
{"text": "Based on the base64 encoded content posted in the Pastebin , userid associated with the Pastebin post was determined .", "spans": {"System: base64 encoded content": [[13, 35]], "System: Pastebin": [[50, 58], [88, 96]]}, "info": {"id": "aptner_dev_000167", "source": "aptner_dev"}}
{"text": "The Pastebin userid matched with the email ID mentioned by this individual in the YouTube video description section .", "spans": {"System: Pastebin": [[4, 12]], "System: email": [[37, 42]], "Organization: YouTube": [[82, 89]]}, "info": {"id": "aptner_dev_000171", "source": "aptner_dev"}}
{"text": "The indicators are provided below , these indicators can be used by the organizations ( Government , Public and Private organizations ) to detect and investigate this attack campaign . 14b9d54f07f3facf1240c5ba89aa2410 ( googleupdate.exe ) . 2b0bd7e43c1f98f9db804011a54c11d6 ( malib.dll ) . feec4b571756e8c015c884cb5441166b ( msccvs.dll ) . 84d9d0524e14d9ab5f88bbce6d2d2582 ( officeupdate.exe ) . khanji.ddns.net 139.190.6.180 39.40.141.25 175.110.165.110 39.40.44.245 39.40.67.219 . http://pastebin.com/raw/5j4hc8gT http://pastebin.com/raw/6bwniBtB . 028caf3b1f5174ae092ecf435c1fccc2 7732d5349a0cfa1c3e4bcfa0c06949e4 9909f8558209449348a817f297429a48 63698ddbdff5be7d5a7ba7f31d0d592c 7c4e60685203b229a41ae65eba1a0e10 e2112439121f8ba9164668f54ca1c6af .", "spans": {"Indicator: 14b9d54f07f3facf1240c5ba89aa2410": [[185, 217]], "Indicator: googleupdate.exe": [[220, 236]], "Indicator: 2b0bd7e43c1f98f9db804011a54c11d6": [[241, 273]], "Indicator: malib.dll": [[276, 285]], "Indicator: feec4b571756e8c015c884cb5441166b": [[290, 322]], "Indicator: msccvs.dll": [[325, 335]], "Indicator: 84d9d0524e14d9ab5f88bbce6d2d2582": [[340, 372]], "Indicator: officeupdate.exe": [[375, 391]], "Indicator: khanji.ddns.net": [[396, 411]], "Indicator: 139.190.6.180": [[412, 425]], "Indicator: 39.40.141.25": [[426, 438]], "Indicator: 175.110.165.110": [[439, 454]], "Indicator: 39.40.44.245": [[455, 467]], "Indicator: 39.40.67.219": [[468, 480]], "Indicator: http://pastebin.com/raw/5j4hc8gT": [[483, 515]], "Indicator: http://pastebin.com/raw/6bwniBtB": [[516, 548]], "Indicator: 028caf3b1f5174ae092ecf435c1fccc2": [[551, 583]], "Indicator: 7732d5349a0cfa1c3e4bcfa0c06949e4": [[584, 616]], "Indicator: 9909f8558209449348a817f297429a48": [[617, 649]], "Indicator: 63698ddbdff5be7d5a7ba7f31d0d592c": [[650, 682]], "Indicator: 7c4e60685203b229a41ae65eba1a0e10": [[683, 715]], "Indicator: e2112439121f8ba9164668f54ca1c6af": [[716, 748]]}, "info": {"id": "aptner_dev_000179", "source": "aptner_dev"}}
{"text": "Location of the c2 infrastructure .", "spans": {"System: c2": [[16, 18]]}, "info": {"id": "aptner_dev_000185", "source": "aptner_dev"}}
{"text": "The following factors show the level of sophistication and reveals the attackers intention to remain stealthy and to gain long-term access by evading anti-virus , sandbox and security monitoring at both the desktop and network levels .", "spans": {}, "info": {"id": "aptner_dev_000187", "source": "aptner_dev"}}
{"text": "This posting is a follow-up of my previous work on this subject in", "spans": {}, "info": {"id": "aptner_dev_000194", "source": "aptner_dev"}}
{"text": "Looking under the hood we see the VBA code that builds the PowerShell command and launches it but something seemed off .", "spans": {"System: VBA": [[34, 37]], "Indicator: PowerShell command": [[59, 77]]}, "info": {"id": "aptner_dev_000206", "source": "aptner_dev"}}
{"text": "http://ditetec.com http://ditetec.com http://domass.com.ua http://firop.com http://unoset.com http://unoset.com https://doci.download https://farhenzel.co https://farsonka.co https://formsonat.co https://fortuma.co https://iilliiill.bid https://iilliiill.bid https://iilliiill.bid https://lom.party https://naiillad.date https://naiillad.date https://naiillad.date https://naiillad.date https://notepad-plus-plus.org/repository https://prof.cricket https://tvavi.win .", "spans": {"Indicator: http://ditetec.com": [[0, 18], [19, 37]], "Indicator: http://domass.com.ua": [[38, 58]], "Indicator: http://firop.com": [[59, 75]], "Indicator: http://unoset.com": [[76, 93], [94, 111]], "Indicator: https://doci.download": [[112, 133]], "Indicator: https://farhenzel.co": [[134, 154]], "Indicator: https://farsonka.co": [[155, 174]], "Indicator: https://formsonat.co": [[175, 195]], "Indicator: https://fortuma.co": [[196, 214]], "Indicator: https://iilliiill.bid": [[215, 236], [237, 258], [259, 280]], "Indicator: https://lom.party": [[281, 298]], "Indicator: https://naiillad.date": [[299, 320], [321, 342], [343, 364], [365, 386]], "Indicator: https://notepad-plus-plus.org/repository": [[387, 427]], "Indicator: https://prof.cricket": [[428, 448]], "Indicator: https://tvavi.win": [[449, 466]]}, "info": {"id": "aptner_dev_000218", "source": "aptner_dev"}}
{"text": "Note that there are fewer payloads than there are samples , indicating many of the documents download the same payload .", "spans": {}, "info": {"id": "aptner_dev_000220", "source": "aptner_dev"}}
{"text": "This pattern is shared across the original samples .", "spans": {}, "info": {"id": "aptner_dev_000226", "source": "aptner_dev"}}
{"text": "A quick search with the AutoFocus transform to pull tag information shows these are specifically related to Nymaim , most likely for the DGA seed ; however , looking at domains with less links , other malware families begin to emerge .", "spans": {"Malware: Nymaim": [[108, 114]], "Malware: other malware families": [[195, 217]]}, "info": {"id": "aptner_dev_000246", "source": "aptner_dev"}}
{"text": ".", "spans": {}, "info": {"id": "aptner_dev_000255", "source": "aptner_dev"}}
{"text": "Their findings pointed to what appears to be the initial point of compromise the attackers used : a document containing a malicious macro that , when approved to execute , enabled C2 communications to the attacker ’s server and remote shell via PowerShell .", "spans": {"System: PowerShell": [[245, 255]]}, "info": {"id": "aptner_dev_000262", "source": "aptner_dev"}}
{"text": "The attackers use their access to deploy additional tools and malware to other endpoints or escalate privileges in the network .", "spans": {}, "info": {"id": "aptner_dev_000273", "source": "aptner_dev"}}
{"text": "Attackers study the network by connecting to additional systems and locating critical servers .", "spans": {}, "info": {"id": "aptner_dev_000274", "source": "aptner_dev"}}
{"text": "X-Force IRIS identified the below malicious document .", "spans": {"Organization: X-Force IRIS": [[0, 12]]}, "info": {"id": "aptner_dev_000277", "source": "aptner_dev"}}
{"text": "X-Force IRIS SHA256 : 528714aaaa4a083e72599c32c18aa146db503eee80da236b20aea11aa43bdf62 .", "spans": {"Indicator: 528714aaaa4a083e72599c32c18aa146db503eee80da236b20aea11aa43bdf62": [[22, 86]]}, "info": {"id": "aptner_dev_000280", "source": "aptner_dev"}}
{"text": "MD5 : 43fad2d62bc23ffdc6d301571135222c .", "spans": {"Indicator: 43fad2d62bc23ffdc6d301571135222c": [[6, 38]]}, "info": {"id": "aptner_dev_000296", "source": "aptner_dev"}}
{"text": "Hosting URL : http://briefl.ink/qhtma .", "spans": {"Indicator: http://briefl.ink/qhtma": [[14, 37]]}, "info": {"id": "aptner_dev_000298", "source": "aptner_dev"}}
{"text": "Additional Insights on Shamoon2 .", "spans": {"Malware: Shamoon2": [[23, 31]]}, "info": {"id": "aptner_dev_000317", "source": "aptner_dev"}}
{"text": "While researching elements in the IBM report , ASERT discovered additional malicious domains , IP addresses , and artifacts .", "spans": {"Organization: IBM": [[34, 37]], "System: IP": [[95, 97]]}, "info": {"id": "aptner_dev_000321", "source": "aptner_dev"}}
{"text": "spear phishing : 69.87.223.26:8080/p .", "spans": {"Indicator: 69.87.223.26:8080/p": [[17, 36]]}, "info": {"id": "aptner_dev_000333", "source": "aptner_dev"}}
{"text": "Unlike newer samples , this one created a unique file O sloo.exe .", "spans": {"Indicator: sloo.exe": [[56, 64]]}, "info": {"id": "aptner_dev_000346", "source": "aptner_dev"}}
{"text": "Shamoon2 : 07d6406036d6e06dc8019e3ade6ee7de .", "spans": {"Malware: Shamoon2": [[0, 8]], "Indicator: 07d6406036d6e06dc8019e3ade6ee7de": [[11, 43]]}, "info": {"id": "aptner_dev_000354", "source": "aptner_dev"}}
{"text": "Shamoon2 : analytics-google.org : 69/checkFile.aspx .", "spans": {"Malware: Shamoon2": [[0, 8]], "Indicator: analytics-google.org : 69/checkFile.aspx": [[11, 51]]}, "info": {"id": "aptner_dev_000357", "source": "aptner_dev"}}
{"text": "Shamoon2 : 07d6406036d6e06dc8019e3ade6ee7de .", "spans": {"Malware: Shamoon2": [[0, 8]], "Indicator: 07d6406036d6e06dc8019e3ade6ee7de": [[11, 43]]}, "info": {"id": "aptner_dev_000365", "source": "aptner_dev"}}
{"text": "Shamoon2 : analytics-google.org : 69/checkFile.aspx .", "spans": {"Malware: Shamoon2": [[0, 8]], "Indicator: analytics-google.org : 69/checkFile.aspx": [[11, 51]]}, "info": {"id": "aptner_dev_000371", "source": "aptner_dev"}}
{"text": "Shamoon2 : go-microstf.com .", "spans": {"Malware: Shamoon2": [[0, 8]], "Indicator: go-microstf.com": [[11, 26]]}, "info": {"id": "aptner_dev_000374", "source": "aptner_dev"}}
{"text": "In April 2016 , a security researcher demonstrated a way to bypass this using regsvr32.exe , a legitimate Microsoft executable permitted to execute in many AppLocker policies .", "spans": {"Indicator: regsvr32.exe": [[78, 90]], "System: legitimate Microsoft executable": [[95, 126]]}, "info": {"id": "aptner_dev_000390", "source": "aptner_dev"}}
{"text": "Active setup : StubPath .", "spans": {}, "info": {"id": "aptner_dev_000395", "source": "aptner_dev"}}
{"text": "Encryption/Decryption key : version2013 .", "spans": {}, "info": {"id": "aptner_dev_000396", "source": "aptner_dev"}}
{"text": "Through the use of PowerShell and publicly available security control bypasses and scripts , most steps in the attack are performed exclusively in memory and leave few forensic artifacts on a compromised host .", "spans": {"System: PowerShell": [[19, 29]], "System: publicly available security control bypasses and scripts": [[34, 90]]}, "info": {"id": "aptner_dev_000399", "source": "aptner_dev"}}
{"text": "Alert : HIDDEN COBRA - North Korea 's DDoS Botnet Infrastructure .", "spans": {"Organization: HIDDEN COBRA": [[8, 20]], "System: DDoS Botnet Infrastructure": [[38, 64]]}, "info": {"id": "aptner_dev_000402", "source": "aptner_dev"}}
{"text": "This alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media , aerospace , financial , and critical infrastructure sectors in the United States and globally .", "spans": {}, "info": {"id": "aptner_dev_000404", "source": "aptner_dev"}}
{"text": "This alert identifies IP addresses linked to systems infected with DeltaCharlie malware and provides descriptions of the malware and associated malware signatures .", "spans": {"Malware: DeltaCharlie": [[67, 79]]}, "info": {"id": "aptner_dev_000410", "source": "aptner_dev"}}
{"text": "DHS and FBI are distributing these IP addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network .", "spans": {"Organization: DHS": [[0, 3]], "Organization: FBI": [[8, 11]]}, "info": {"id": "aptner_dev_000411", "source": "aptner_dev"}}
{"text": "FBI has high confidence that HIDDEN COBRA actors are using the IP addresses for further network exploitation .", "spans": {"Organization: FBI": [[0, 3]], "Organization: HIDDEN COBRA": [[29, 41]]}, "info": {"id": "aptner_dev_000412", "source": "aptner_dev"}}
{"text": "Tools and capabilities used by HIDDEN COBRA actors include DDoS botnet , keyloggers , remote access tools ( RATs ) , and wiper malware .", "spans": {"Organization: HIDDEN COBRA": [[31, 43]], "System: DDoS": [[59, 63]], "System: keyloggers": [[73, 83]], "System: remote access tools": [[86, 105]], "System: RATs": [[108, 112]], "Malware: wiper": [[121, 126]]}, "info": {"id": "aptner_dev_000419", "source": "aptner_dev"}}
{"text": "HIDDEN COBRA is known to use vulnerabilities affecting various applications .", "spans": {"Organization: HIDDEN COBRA": [[0, 12]]}, "info": {"id": "aptner_dev_000427", "source": "aptner_dev"}}
{"text": "CVE-2016-1019 : Adobe Flash Player 21.0.0.197 Vulnerability .", "spans": {"Vulnerability: CVE-2016-1019": [[0, 13]], "System: Adobe Flash Player": [[16, 34]]}, "info": {"id": "aptner_dev_000432", "source": "aptner_dev"}}
{"text": "CVE-2016-4117 : Adobe Flash Player 21.0.0.226 Vulnerability .", "spans": {"Vulnerability: CVE-2016-4117": [[0, 13]], "System: Adobe Flash Player": [[16, 34]]}, "info": {"id": "aptner_dev_000433", "source": "aptner_dev"}}
{"text": "DHS recommends that organizations upgrade these applications to the latest version and patch level .", "spans": {"Organization: DHS": [[0, 3]]}, "info": {"id": "aptner_dev_000434", "source": "aptner_dev"}}
{"text": "The IOCs provided with this alert include IP addresses determined to be part of the HIDDEN COBRA botnet infrastructure , identified as DeltaCharlie .", "spans": {"System: IOCs": [[4, 8]], "Organization: HIDDEN COBRA": [[84, 96]], "System: botnet": [[97, 103]], "Malware: DeltaCharlie": [[135, 147]]}, "info": {"id": "aptner_dev_000436", "source": "aptner_dev"}}
{"text": "This malware has used the IP addresses identified in the accompanying .csv and .stix files as both source and destination IPs .", "spans": {"Indicator: .csv": [[70, 74]], "Indicator: .stix": [[79, 84]], "System: IPs": [[122, 125]]}, "info": {"id": "aptner_dev_000438", "source": "aptner_dev"}}
{"text": "DHS and FBI recommend that network administrators review the IP addresses , file hashes , network signatures , and YARA rules provided , and add the IPs to their watchlist to determine whether malicious activity has been observed within their organization .", "spans": {"Organization: DHS": [[0, 3]], "Organization: FBI": [[8, 11]], "System: file hashes": [[76, 87]], "System: network signatures": [[90, 108]], "System: YARA": [[115, 119]], "System: IPs": [[149, 152]]}, "info": {"id": "aptner_dev_000445", "source": "aptner_dev"}}
{"text": "When reviewing network perimeter logs for the IP addresses , organizations may find numerous instances of these IP addresses attempting to connect to their systems .", "spans": {}, "info": {"id": "aptner_dev_000446", "source": "aptner_dev"}}
{"text": "Upon reviewing the traffic from these IP addresses , system owners may find that some traffic corresponds to malicious activity and some to legitimate activity .", "spans": {"System: system": [[53, 59]]}, "info": {"id": "aptner_dev_000447", "source": "aptner_dev"}}
{"text": "Although created using a comprehensive vetting process , the possibility of false positives always remains .", "spans": {}, "info": {"id": "aptner_dev_000450", "source": "aptner_dev"}}
{"text": "Use application whitelisting .", "spans": {}, "info": {"id": "aptner_dev_000461", "source": "aptner_dev"}}
{"text": "Segment networks into logical enclaves and restrict host-to-host communications paths .", "spans": {}, "info": {"id": "aptner_dev_000468", "source": "aptner_dev"}}
{"text": "Validate input .", "spans": {}, "info": {"id": "aptner_dev_000470", "source": "aptner_dev"}}
{"text": "Input validation is a method of sanitizing untrusted input provided by users of a web application .", "spans": {}, "info": {"id": "aptner_dev_000471", "source": "aptner_dev"}}
{"text": "Consider using type-safe stored procedures and prepared statements .", "spans": {}, "info": {"id": "aptner_dev_000493", "source": "aptner_dev"}}
{"text": "Audit transaction logs regularly for suspicious activity .", "spans": {}, "info": {"id": "aptner_dev_000494", "source": "aptner_dev"}}
{"text": "System operators should take the following steps to limit permissions , privileges , and access controls .", "spans": {}, "info": {"id": "aptner_dev_000497", "source": "aptner_dev"}}
{"text": "Restrict users' ability ( permissions ) to install and run unwanted software applications , and apply the principle of Least Privilege to all systems and services .", "spans": {"System: Least Privilege": [[119, 134]]}, "info": {"id": "aptner_dev_000499", "source": "aptner_dev"}}
{"text": "Restricting these privileges may prevent malware from running or limit its capability to spread through the network .", "spans": {}, "info": {"id": "aptner_dev_000500", "source": "aptner_dev"}}
{"text": "Segment networks into logical enclaves and restrict host-to-host communication paths .", "spans": {}, "info": {"id": "aptner_dev_000506", "source": "aptner_dev"}}
{"text": "Configure firewalls to disallow Remote Desktop Protocol ( RDP ) traffic coming from outside of the network boundary , except for in specific configurations such as when tunneled through a secondary virtual private network ( VPN ) with lower privileges .", "spans": {"System: virtual private network": [[198, 221]], "System: VPN": [[224, 227]]}, "info": {"id": "aptner_dev_000508", "source": "aptner_dev"}}
{"text": "System operators should follow these secure logging practices .", "spans": {}, "info": {"id": "aptner_dev_000515", "source": "aptner_dev"}}
{"text": "Although we do not know who is behind the campaign , the decoy documents ’ content focuses on timely political issues in Gaza and the IP address hosting the campaign ’s command and control node hosts several other domains with Gaza registrants .", "spans": {}, "info": {"id": "aptner_dev_000524", "source": "aptner_dev"}}
{"text": "– browser .", "spans": {}, "info": {"id": "aptner_dev_000543", "source": "aptner_dev"}}
{"text": "Shared import hashes across multiple files would likely identify files that are part of the same malware family .", "spans": {}, "info": {"id": "aptner_dev_000560", "source": "aptner_dev"}}
{"text": "Additionally , most of the decoy files are publicly available on news websites or social media .", "spans": {}, "info": {"id": "aptner_dev_000571", "source": "aptner_dev"}}
{"text": "Elections were not held in Gaza .", "spans": {}, "info": {"id": "aptner_dev_000597", "source": "aptner_dev"}}
{"text": "Beginning in the Spring of 2016 , APT28 sent spear-phishing emails to political targets including members of the Democratic National Committee ( DNC ) .", "spans": {"Organization: APT28": [[34, 39]], "System: emails": [[60, 66]], "Organization: Democratic National Committee": [[113, 142]], "Organization: DNC": [[145, 148]]}, "info": {"id": "aptner_dev_000605", "source": "aptner_dev"}}
{"text": "The organizations targeted by APT28 during 2017 and 2018 include :", "spans": {"Organization: APT28": [[30, 35]]}, "info": {"id": "aptner_dev_000614", "source": "aptner_dev"}}
{"text": "Earworm uses two malware tools .", "spans": {"Organization: Earworm": [[0, 7]]}, "info": {"id": "aptner_dev_000628", "source": "aptner_dev"}}
{"text": "This ongoing activity and the fact that APT28 continues to refine its toolset means that the group will likely continue to pose a significant threat to nation state targets .", "spans": {"Organization: APT28": [[40, 45]]}, "info": {"id": "aptner_dev_000636", "source": "aptner_dev"}}
{"text": "Trojan.Zekapab Backdoor.Zekapab .", "spans": {"Malware: Trojan.Zekapab": [[0, 14]], "Malware: Backdoor.Zekapab": [[15, 31]]}, "info": {"id": "aptner_dev_000640", "source": "aptner_dev"}}
{"text": "This report provides a technical overview of a BREXIT-themed lure Microsoft Office document that is used to drop a Delphi version of the Zekapab first-stage malware which has been previously reported by iDefense analysts .", "spans": {"Organization: Microsoft": [[66, 75]], "Organization: Office": [[76, 82]], "System: Delphi": [[115, 121]], "Malware: Zekapab": [[137, 144]], "Organization: iDefense": [[203, 211]]}, "info": {"id": "aptner_dev_000652", "source": "aptner_dev"}}
{"text": "As shown , the delivery of the next-stage malware is dependent on the information collected .", "spans": {}, "info": {"id": "aptner_dev_000683", "source": "aptner_dev"}}
{"text": "System : Presence of the following artifacts .", "spans": {}, "info": {"id": "aptner_dev_000688", "source": "aptner_dev"}}
{"text": "Persistence mechanism Registry Key :", "spans": {}, "info": {"id": "aptner_dev_000689", "source": "aptner_dev"}}
{"text": "The Office document contains a VBA script .", "spans": {"System: Office": [[4, 10]], "System: VBA": [[31, 34]]}, "info": {"id": "aptner_dev_000704", "source": "aptner_dev"}}
{"text": "Some of this information can be directly extracted from the Windows explorer by looking at the properties of the file .", "spans": {"System: Windows": [[60, 67]]}, "info": {"id": "aptner_dev_000706", "source": "aptner_dev"}}
{"text": "This extracted information is concatenated together to make a single variable .", "spans": {}, "info": {"id": "aptner_dev_000709", "source": "aptner_dev"}}
{"text": "We can also see 2 VBA variable names : PathPld , probably for Path Payload , and PathPldBt , for Path Payload Batch .", "spans": {"System: VBA": [[18, 21]]}, "info": {"id": "aptner_dev_000715", "source": "aptner_dev"}}
{"text": "As opposed to previous campaigns performed by this actor , this latest version does not contain privilege escalation and it simply executes the payload and configures persistence mechanisms .", "spans": {}, "info": {"id": "aptner_dev_000716", "source": "aptner_dev"}}
{"text": "netwf.bat :", "spans": {"Indicator: netwf.bat": [[0, 9]]}, "info": {"id": "aptner_dev_000718", "source": "aptner_dev"}}
{"text": "the payload .", "spans": {}, "info": {"id": "aptner_dev_000720", "source": "aptner_dev"}}
{"text": "The key in our version is : key=b\"\\x08\\x7A\\x05\\x04\\x60\\x7c\\x3e\\x3c\\x5d\\x0b\\x18\\x3c\\x55\\x64\" .", "spans": {}, "info": {"id": "aptner_dev_000733", "source": "aptner_dev"}}
{"text": "Execution of code ;", "spans": {}, "info": {"id": "aptner_dev_000738", "source": "aptner_dev"}}
{"text": "File downloading ;", "spans": {}, "info": {"id": "aptner_dev_000739", "source": "aptner_dev"}}
{"text": "During the investigation , the server did not provide any configuration to the infected machines .", "spans": {}, "info": {"id": "aptner_dev_000741", "source": "aptner_dev"}}
{"text": "Due to this change , the fundamental compromise mechanism is different as the payload is executed in a standalone mode .", "spans": {}, "info": {"id": "aptner_dev_000746", "source": "aptner_dev"}}
{"text": "To date these have included the conflict in Syria , NATO-Ukraine relations , the European Union refugee and migrant crisis , the 2016 Olympics and Paralympics Russian athlete doping scandal , public accusations regarding Russian state-sponsored hacking , and the 2016 U.S. presidential election .", "spans": {"Organization: European Union": [[81, 95]], "Organization: Olympics": [[134, 142]], "Organization: Paralympics": [[147, 158]]}, "info": {"id": "aptner_dev_000763", "source": "aptner_dev"}}
{"text": "OSCE :", "spans": {"Organization: OSCE": [[0, 4]]}, "info": {"id": "aptner_dev_000769", "source": "aptner_dev"}}
{"text": "APRIL - MAY 2016 , Researchers at Trend Micro observed APT28 establish a fake CDU email server and launch phishing emails against CDU members in an attempt to obtain their email credentials and access their accounts .", "spans": {"Organization: APT28": [[55, 60]], "Organization: CDU": [[78, 81], [130, 133]], "System: email": [[82, 87], [172, 177]], "System: emails": [[115, 121]]}, "info": {"id": "aptner_dev_000772", "source": "aptner_dev"}}
{"text": "Pussy Riot AUGUST :", "spans": {}, "info": {"id": "aptner_dev_000773", "source": "aptner_dev"}}
{"text": "Polish Government & Power Exchange websites :", "spans": {}, "info": {"id": "aptner_dev_000782", "source": "aptner_dev"}}
{"text": "FireEye analyzed the malware found on DNC networks and determined that it was consistent with our previous observations of APT28 tools .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: DNC": [[38, 41]], "Organization: APT28": [[123, 128]]}, "info": {"id": "aptner_dev_000787", "source": "aptner_dev"}}
{"text": "In August , the Guccifer 2.0 persona contacted reporters covering U.S. House of Representative races to announce newly leaked documents from the DCCC pertaining to Democratic candidates .", "spans": {"Organization: Guccifer": [[16, 24]], "Organization: House of Representative": [[71, 94]], "Organization: DCCC": [[145, 149]]}, "info": {"id": "aptner_dev_000796", "source": "aptner_dev"}}
{"text": "We came to this conclusion in part based on forensic details left in the malware that APT28 had employed since at least 2007 .", "spans": {"Organization: APT28": [[86, 91]]}, "info": {"id": "aptner_dev_000815", "source": "aptner_dev"}}
{"text": "CHOPSTICK :", "spans": {"Malware: CHOPSTICK": [[0, 9]]}, "info": {"id": "aptner_dev_000818", "source": "aptner_dev"}}
{"text": "backdoor , Xagent , webhp , SPLM .", "spans": {"Malware: Xagent": [[11, 17]], "Malware: webhp": [[20, 25]], "Malware: SPLM": [[28, 32]]}, "info": {"id": "aptner_dev_000819", "source": "aptner_dev"}}
{"text": "EVILTOSS :", "spans": {"Malware: EVILTOSS": [[0, 8]]}, "info": {"id": "aptner_dev_000820", "source": "aptner_dev"}}
{"text": "GAMEFISH :", "spans": {"Malware: GAMEFISH": [[0, 8]]}, "info": {"id": "aptner_dev_000822", "source": "aptner_dev"}}
{"text": "SOURFACE :", "spans": {"Malware: SOURFACE": [[0, 8]]}, "info": {"id": "aptner_dev_000824", "source": "aptner_dev"}}
{"text": "OLDBAIT :", "spans": {"Malware: OLDBAIT": [[0, 7]]}, "info": {"id": "aptner_dev_000826", "source": "aptner_dev"}}
{"text": "CORESHELL :", "spans": {"Malware: CORESHELL": [[0, 9]]}, "info": {"id": "aptner_dev_000828", "source": "aptner_dev"}}
{"text": "Obtaining credentials through fabricated Google App authorization and Oauth access requests that allow the group to bypass two-factor authentication and other security measures .", "spans": {"Organization: Google": [[41, 47]]}, "info": {"id": "aptner_dev_000834", "source": "aptner_dev"}}
{"text": "Between mid-March and mid-April 2016 , TG-4127 created 16 short links targeting nine dnc.org email accounts .", "spans": {"Organization: TG-4127": [[39, 46]], "Indicator: dnc.org": [[85, 92]], "System: email": [[93, 98]]}, "info": {"id": "aptner_dev_000866", "source": "aptner_dev"}}
{"text": "CTU researchers identified the owners of three of these accounts ; two belonged to the DNC 's secretary emeritus , and one belonged to the communications director .", "spans": {"Organization: CTU": [[0, 3]], "Organization: DNC": [[87, 90]]}, "info": {"id": "aptner_dev_000867", "source": "aptner_dev"}}
{"text": "Four of the 16 short links were clicked , three by the senior staff members .", "spans": {}, "info": {"id": "aptner_dev_000868", "source": "aptner_dev"}}
{"text": "CTU researchers do not have evidence that these spearphishing emails are connected to the DNC network compromise that was revealed on June 14 .", "spans": {"Organization: CTU": [[0, 3]], "System: emails": [[62, 68]], "Organization: DNC": [[90, 93]]}, "info": {"id": "aptner_dev_000871", "source": "aptner_dev"}}
{"text": "CTU researchers identified TG-4127 targeting 26 personal gmail.com accounts belonging to individuals linked to the Hillary for America campaign , the DNC , or other aspects of U.S. national politics .", "spans": {"Organization: CTU": [[0, 3]], "Organization: TG-4127": [[27, 34]], "Organization: DNC": [[150, 153]]}, "info": {"id": "aptner_dev_000873", "source": "aptner_dev"}}
{"text": "Five of the individuals also had a hillaryclinton.com email account that was targeted by TG-4127 .", "spans": {"Indicator: hillaryclinton.com": [[35, 53]], "System: email": [[54, 59]], "Organization: TG-4127": [[89, 96]]}, "info": {"id": "aptner_dev_000874", "source": "aptner_dev"}}
{"text": "Long-term access to email accounts of senior campaign advisors , who may be appointed to staff positions in a Clinton administration , could provide TG-4127 and the Russian government with access to those individuals' accounts .", "spans": {"System: email": [[20, 25]], "Organization: TG-4127": [[149, 156]]}, "info": {"id": "aptner_dev_000888", "source": "aptner_dev"}}
{"text": "Sofacy APT hits high profile targets with updated toolset .", "spans": {"Organization: Sofacy": [[0, 6]]}, "info": {"id": "aptner_dev_000900", "source": "aptner_dev"}}
{"text": "At some point during 2013 , the Sofacy group expanded its arsenal and added more backdoors and tools , including CORESHELL , SPLM ( aka Xagent , aka CHOPSTICK ) , JHUHUGIT ( which is built with code from the Carberp sources ) , AZZY ( aka ADVSTORESHELL , NETUI , EVILTOSS , and spans across four to five generations ) and a few others .", "spans": {"Organization: Sofacy": [[32, 38]], "System: CORESHELL": [[113, 122]], "Malware: SPLM": [[125, 129]], "Malware: Xagent": [[136, 142]], "Malware: CHOPSTICK": [[149, 158]], "Malware: JHUHUGIT": [[163, 171]], "Malware: Carberp": [[208, 215]], "Malware: AZZY": [[228, 232]], "Malware: ADVSTORESHELL": [[239, 252]], "Malware: NETUI": [[255, 260]], "Malware: EVILTOSS": [[263, 271]]}, "info": {"id": "aptner_dev_000906", "source": "aptner_dev"}}
{"text": "While the JHUHUGIT ( and more recently , “ JKEYSKW ” ) implant is used in most of the Sofacy attacks , high profile victims are being targeted with another first level implant , representing the latest evolution of their AZZY Trojan .", "spans": {"Malware: JHUHUGIT": [[10, 18]], "Malware: JKEYSKW": [[43, 50]], "Organization: Sofacy": [[86, 92]], "Malware: AZZY": [[221, 225]]}, "info": {"id": "aptner_dev_000912", "source": "aptner_dev"}}
{"text": "It has been modified to drop a separate C&C helper , ( md5: 8C4D896957C36EC4ABEB07B2802268B9 ) as “ tf394kv.dll “ .", "spans": {"System: C&C": [[40, 43]], "Indicator: 8C4D896957C36EC4ABEB07B2802268B9": [[60, 92]], "Indicator: tf394kv.dll": [[100, 111]]}, "info": {"id": "aptner_dev_000923", "source": "aptner_dev"}}
{"text": "This data theft module appears to have been compiled in May 2015 and is designed to watch removable drives and collect files from them , depending on a set of rules defined by the attackers .", "spans": {}, "info": {"id": "aptner_dev_000934", "source": "aptner_dev"}}
{"text": "If one of them was detected , the other one provided the attacker with continued access .", "spans": {}, "info": {"id": "aptner_dev_000945", "source": "aptner_dev"}}
{"text": "The library starts its main worker thread from the DllMain function .", "spans": {}, "info": {"id": "aptner_dev_000947", "source": "aptner_dev"}}
{"text": "The main thread also spawns a separate thread for receiving new commands from the C2 servers .", "spans": {"System: C2": [[82, 84]]}, "info": {"id": "aptner_dev_000954", "source": "aptner_dev"}}
{"text": "Every 10 minutes , it sends a new request to the server .", "spans": {}, "info": {"id": "aptner_dev_000955", "source": "aptner_dev"}}
{"text": "The module aborts the thread receiving C2 commands after it fails to correctly execute commands more than six times in a row , i.e. if file or process creation fails .", "spans": {"System: C2": [[39, 41]]}, "info": {"id": "aptner_dev_000960", "source": "aptner_dev"}}
{"text": "The names of the C2 servers are hardcoded .", "spans": {"System: C2": [[17, 19]]}, "info": {"id": "aptner_dev_000963", "source": "aptner_dev"}}
{"text": "It then terminates the main thread .", "spans": {}, "info": {"id": "aptner_dev_000966", "source": "aptner_dev"}}
{"text": "Sofacy APT hits high profile targets with updated toolset .", "spans": {"Organization: Sofacy": [[0, 6]]}, "info": {"id": "aptner_dev_000991", "source": "aptner_dev"}}
{"text": "Then , it traverses the filesystem of the volume looking for files .", "spans": {}, "info": {"id": "aptner_dev_000999", "source": "aptner_dev"}}
{"text": "It is a text file that may contain the following configuration parameters :", "spans": {}, "info": {"id": "aptner_dev_001004", "source": "aptner_dev"}}
{"text": "There are two known variants of this module ; they only differ in timestamp values and version information in the resource section .", "spans": {}, "info": {"id": "aptner_dev_001007", "source": "aptner_dev"}}
{"text": "The DllMain function only decrypts the data structures and initializes Windows API pointers .", "spans": {"System: Windows": [[71, 78]]}, "info": {"id": "aptner_dev_001008", "source": "aptner_dev"}}
{"text": "How they did it : GRU hackers vs .", "spans": {}, "info": {"id": "aptner_dev_001013", "source": "aptner_dev"}}
{"text": "US elections .", "spans": {}, "info": {"id": "aptner_dev_001014", "source": "aptner_dev"}}
{"text": "There is rarely a dull day at CrowdStrike where we are not detecting or responding to a breach at a company somewhere around the globe .", "spans": {"Organization: CrowdStrike": [[30, 41]]}, "info": {"id": "aptner_dev_001032", "source": "aptner_dev"}}
{"text": "In fact , our team considers them some of the best threat actors out of all the numerous nation-state , criminal and hacktivist/terrorist groups we encounter on a daily basis .", "spans": {}, "info": {"id": "aptner_dev_001039", "source": "aptner_dev"}}
{"text": "Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government ’s powerful and highly capable intelligence services .", "spans": {}, "info": {"id": "aptner_dev_001042", "source": "aptner_dev"}}
{"text": "Their victims have been identified in the United States , Western Europe , Brazil , Canada , China , Georgia , Iran , Japan , Malaysia and South Korea .", "spans": {}, "info": {"id": "aptner_dev_001055", "source": "aptner_dev"}}
{"text": "Not only do they have overlapping areas of responsibility , but they also rarely share intelligence and even occasionally steal sources from each other and compromise operations .", "spans": {}, "info": {"id": "aptner_dev_001066", "source": "aptner_dev"}}
{"text": "The Powershell backdoor is ingenious in its simplicity and power .", "spans": {"System: Powershell": [[4, 14]]}, "info": {"id": "aptner_dev_001069", "source": "aptner_dev"}}
{"text": "Several sources estimate that by the year 2020 some 50 billion IoT devices will be deployed worldwide .", "spans": {"System: IoT": [[63, 66]]}, "info": {"id": "aptner_dev_001082", "source": "aptner_dev"}}
{"text": "As the actor moved from one device to another , they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting .", "spans": {}, "info": {"id": "aptner_dev_001098", "source": "aptner_dev"}}
{"text": "167.114.153.55 94.237.37.28 82.118.242.171 31.220.61.251 128.199.199.187 .", "spans": {"Indicator: 167.114.153.55": [[0, 14]], "Indicator: 94.237.37.28": [[15, 27]], "Indicator: 82.118.242.171": [[28, 42]], "Indicator: 31.220.61.251": [[43, 56]], "Indicator: 128.199.199.187": [[57, 72]]}, "info": {"id": "aptner_dev_001101", "source": "aptner_dev"}}
{"text": "Since we identified these attacks in the early stages , we have not been able to conclusively determine what STRONTIUM ’s ultimate objectives were in these intrusions .", "spans": {"Organization: STRONTIUM": [[109, 118]]}, "info": {"id": "aptner_dev_001103", "source": "aptner_dev"}}
{"text": "Over the last twelve months , Microsoft has delivered nearly 1400 nation-state notifications to those who have been targeted or compromised by STRONTIUM .", "spans": {"Organization: Microsoft": [[30, 39]], "Organization: STRONTIUM": [[143, 152]]}, "info": {"id": "aptner_dev_001104", "source": "aptner_dev"}}
{"text": "This finding indicates the group's effectiveness at maintaining long-term access to a targeted network .", "spans": {}, "info": {"id": "aptner_dev_001141", "source": "aptner_dev"}}
{"text": "RCSession connects to its C2 server via a custom protocol , can remotely execute commands , and can launch additional tools .", "spans": {"Malware: RCSession": [[0, 9]], "System: C2": [[26, 28]]}, "info": {"id": "aptner_dev_001160", "source": "aptner_dev"}}
{"text": "AdFind — This command-line tool conducts AD queries .", "spans": {"System: AdFind": [[0, 6]], "System: AD": [[41, 43]]}, "info": {"id": "aptner_dev_001176", "source": "aptner_dev"}}
{"text": "For example , they used Nmap to scan various internal IP address ranges and SMB ports .", "spans": {"System: Nmap": [[24, 28]]}, "info": {"id": "aptner_dev_001188", "source": "aptner_dev"}}
{"text": "BRONZE PRESIDENT regularly leverages Wmiexec to move laterally .", "spans": {"Organization: BRONZE PRESIDENT": [[0, 16]], "System: Wmiexec": [[37, 44]]}, "info": {"id": "aptner_dev_001190", "source": "aptner_dev"}}
{"text": "Extracting hashes from the NTDS.dit file requires access to the SYSTEM file in the system registry .", "spans": {"Indicator: NTDS.dit": [[27, 35]]}, "info": {"id": "aptner_dev_001194", "source": "aptner_dev"}}
{"text": "These files were likely exfiltrated and exploited offline to retrieve user password hashes , which could then be cracked or used to perform pass-the-hash attacks .", "spans": {}, "info": {"id": "aptner_dev_001196", "source": "aptner_dev"}}
{"text": "For example , ORat uses a WMI event consumer to maintain its presence on a compromised host .", "spans": {"Malware: ORat": [[14, 18]], "System: WMI": [[26, 29]]}, "info": {"id": "aptner_dev_001208", "source": "aptner_dev"}}
{"text": "The threat actors tend to install malware on a large proportion of hosts during their intrusions .", "spans": {}, "info": {"id": "aptner_dev_001211", "source": "aptner_dev"}}
{"text": "The group also uses the all.bat batch script to collect all files stored on a specific user's desktop .", "spans": {"Indicator: all.bat": [[24, 31]]}, "info": {"id": "aptner_dev_001217", "source": "aptner_dev"}}
{"text": "Cobalt Strike download location : 116.93.154.250 .", "spans": {"System: Cobalt Strike": [[0, 13]], "Indicator: 116.93.154.250": [[34, 48]]}, "info": {"id": "aptner_dev_001228", "source": "aptner_dev"}}
{"text": "The malware authors used QtBitcoinTrader developed by Centrabit .", "spans": {"System: QtBitcoinTrader": [[25, 40]], "Organization: Centrabit": [[54, 63]]}, "info": {"id": "aptner_dev_001243", "source": "aptner_dev"}}
{"text": "During our ongoing tracking of this campaign , we found that one victim was compromised by Windows AppleJeus malware in March 2019 .", "spans": {"System: Windows": [[91, 98]]}, "info": {"id": "aptner_dev_001249", "source": "aptner_dev"}}
{"text": "Upon execution , this .NET executable checks whether the command line argument is “ /Embedding ” or not .", "spans": {"Indicator: .NET": [[22, 26]]}, "info": {"id": "aptner_dev_001254", "source": "aptner_dev"}}
{"text": "They used the RasMan ( Remote Access Connection Manager ) Windows service to register the next payload with a persistence mechanism .", "spans": {"System: RasMan": [[14, 20]], "System: Remote Access Connection Manager": [[23, 55]], "System: Windows": [[58, 65]]}, "info": {"id": "aptner_dev_001259", "source": "aptner_dev"}}
{"text": "After fundamental reconnaissance , the malware operator implanted the delivered payload by manually using the following commands :", "spans": {}, "info": {"id": "aptner_dev_001260", "source": "aptner_dev"}}
{"text": "Upon launch , the malware retrieves the victim ’s basic system information , sending it in the following HTTP POST format , as is the case with the macOS malware .", "spans": {"System: macOS": [[148, 153]]}, "info": {"id": "aptner_dev_001277", "source": "aptner_dev"}}
{"text": "The malware checks the infected system ’s information and compares it to a given value .", "spans": {}, "info": {"id": "aptner_dev_001286", "source": "aptner_dev"}}
{"text": "Moreover , we were able to confirm that several of the victims are linked to cryptocurrency business entities .", "spans": {}, "info": {"id": "aptner_dev_001296", "source": "aptner_dev"}}
{"text": "The actor altered their macOS and Windows malware considerably , adding an authentication mechanism in the macOS downloader and changing the macOS development framework .", "spans": {"System: macOS": [[24, 29], [107, 112], [141, 146]], "System: Windows": [[34, 41]]}, "info": {"id": "aptner_dev_001297", "source": "aptner_dev"}}
{"text": "This backdoor first emerged in December 2019 , and was discovered by Cybereason .", "spans": {"Organization: Cybereason": [[69, 79]]}, "info": {"id": "aptner_dev_001311", "source": "aptner_dev"}}
{"text": "In this attack , the targets are lured to open a document or a link attached to an email .", "spans": {"System: email": [[83, 88]]}, "info": {"id": "aptner_dev_001340", "source": "aptner_dev"}}
{"text": "Since 2006 , Hamas has controlled the Gaza strip and Fatah has controlled the West Bank .", "spans": {"Organization: Hamas": [[13, 18]], "Organization: Gaza": [[38, 42]], "Organization: Fatah": [[53, 58]]}, "info": {"id": "aptner_dev_001345", "source": "aptner_dev"}}
{"text": "One example of a lure document used in the Spark campaign is a PDF file that is used to deliver the Spark backdoor to the victim .", "spans": {"Malware: Spark": [[43, 48]], "System: PDF": [[63, 66]], "Malware: Spark backdoor": [[100, 114]]}, "info": {"id": "aptner_dev_001353", "source": "aptner_dev"}}
{"text": "The document includes a special report allegedly quoted from the Egyptian newspaper Al-Ahram .", "spans": {"Organization: Al-Ahram": [[84, 92]]}, "info": {"id": "aptner_dev_001354", "source": "aptner_dev"}}
{"text": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\runawy.exe .", "spans": {"Indicator: C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\runawy.exe": [[0, 86]]}, "info": {"id": "aptner_dev_001370", "source": "aptner_dev"}}
{"text": "In addition , the Autoit code also creates the following scheduled task for persistence :", "spans": {}, "info": {"id": "aptner_dev_001372", "source": "aptner_dev"}}
{"text": "Log keystrokes .", "spans": {}, "info": {"id": "aptner_dev_001393", "source": "aptner_dev"}}
{"text": "Prior to sending the data to the server , the data is encrypted and staged in an array like this :", "spans": {}, "info": {"id": "aptner_dev_001420", "source": "aptner_dev"}}
{"text": "The data is then encoded with Base64 :", "spans": {}, "info": {"id": "aptner_dev_001422", "source": "aptner_dev"}}
{"text": "The Spark campaign detailed in this blog demonstrates how the tense geopolitical climate in the Middle East is used by threat actors to lure victims and infect them with the Spark backdoor for cyber espionage purposes .", "spans": {"Malware: Spark": [[4, 9]], "Malware: Spark backdoor": [[174, 188]]}, "info": {"id": "aptner_dev_001434", "source": "aptner_dev"}}
{"text": "It uses threading so many agents can connect and be controlled at the same time . The agent must collect information about the system when it first starts , then report it to the C2 . There is a template for the agent which will be filled with IP and port when the C2 runs . It includes functions , but not all are implemented in the initial POC :", "spans": {"System: C2": [[179, 181], [265, 267]], "System: POC": [[342, 345]]}, "info": {"id": "aptner_dev_001454", "source": "aptner_dev"}}
{"text": "The initial powershell agent POC I created can bypass the AV including Kaspersky , Trendmicro .", "spans": {"System: powershell": [[12, 22]], "System: POC": [[29, 32]], "System: AV": [[58, 60]], "System: Kaspersky": [[71, 80]], "System: Trendmicro": [[83, 93]]}, "info": {"id": "aptner_dev_001456", "source": "aptner_dev"}}
{"text": "C2 interface", "spans": {"System: C2": [[0, 2]]}, "info": {"id": "aptner_dev_001458", "source": "aptner_dev"}}
{"text": ":", "spans": {}, "info": {"id": "aptner_dev_001459", "source": "aptner_dev"}}
{"text": "The Nitro Attacks .", "spans": {"Organization: Nitro": [[4, 9]]}, "info": {"id": "aptner_dev_001461", "source": "aptner_dev"}}
{"text": "Domain administrator credentials make it easier for the attacker to find servers hosting the desired intellectual property and gain access to the sensitive materials .", "spans": {}, "info": {"id": "aptner_dev_001484", "source": "aptner_dev"}}
{"text": "The method of delivery has changed over time as the attackers have changed targets .", "spans": {}, "info": {"id": "aptner_dev_001493", "source": "aptner_dev"}}
{"text": "As we ’ve observed with cybercriminal groups that aim to maximize profits for every campaign , silence doesn’t necessarily mean inactivity .", "spans": {}, "info": {"id": "aptner_dev_001525", "source": "aptner_dev"}}
{"text": "This time , the group explored unpatched systems vulnerable to CVE-2016-8655 and Dirty COW exploit ( CVE-2016-5195 ) as attack vectors .", "spans": {"Vulnerability: CVE-2016-8655": [[63, 76]], "Vulnerability: Dirty COW": [[81, 90]], "Vulnerability: CVE-2016-5195": [[101, 114]]}, "info": {"id": "aptner_dev_001534", "source": "aptner_dev"}}
{"text": "Files using simple PHP-based web shells were also used to attack systems with weak SSH and Telnet credentials .", "spans": {"System: PHP-based": [[19, 28]]}, "info": {"id": "aptner_dev_001535", "source": "aptner_dev"}}
{"text": "The tsm binary then runs in the background , forwarding a series of error messages to /dev/null to keep the code running , ensuring the continuous execution of the code referenced with a set of parameters /tmp/up.txt .", "spans": {"Indicator: /tmp/up.txt": [[205, 216]]}, "info": {"id": "aptner_dev_001543", "source": "aptner_dev"}}
{"text": "The script then waits 20 minutes before it runs the wrapper script initall :", "spans": {}, "info": {"id": "aptner_dev_001544", "source": "aptner_dev"}}
{"text": "initall .", "spans": {}, "info": {"id": "aptner_dev_001546", "source": "aptner_dev"}}
{"text": "init2 .", "spans": {}, "info": {"id": "aptner_dev_001555", "source": "aptner_dev"}}
{"text": "However , while we observed the presence of the codes , the functions of upd , sync and aptitude were disabled in the kits ’ latest version .", "spans": {}, "info": {"id": "aptner_dev_001563", "source": "aptner_dev"}}
{"text": "Trojan.Linux.SSHBRUTE.B : 620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976 .", "spans": {"Malware: Trojan.Linux.SSHBRUTE.B": [[0, 23]], "Indicator: 620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976": [[26, 90]]}, "info": {"id": "aptner_dev_001572", "source": "aptner_dev"}}
{"text": "Coinminer.Linux.MALXMR.SMDSL32 : fc57bd66c27066104cd6f8962cd463a5dfc05fa59b76b6958cddd3542dfe6a9a .", "spans": {"Malware: Coinminer.Linux.MALXMR.SMDSL32": [[0, 30]], "Indicator: fc57bd66c27066104cd6f8962cd463a5dfc05fa59b76b6958cddd3542dfe6a9a": [[33, 97]]}, "info": {"id": "aptner_dev_001573", "source": "aptner_dev"}}
{"text": "Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations .", "spans": {"System: SharePoint": [[24, 34]]}, "info": {"id": "aptner_dev_001575", "source": "aptner_dev"}}
{"text": "Regardless , the sheer number of servers and publicly available exploit code suggests that CVE-2019-0604 is still a major attack vector .", "spans": {"Vulnerability: CVE-2019-0604": [[91, 104]]}, "info": {"id": "aptner_dev_001582", "source": "aptner_dev"}}
{"text": "We would like to acknowledge the possibility of an overlap in the AntSword webshell , as we stated that Emissary Panda used China Chopper in the April attacks and AntSword and China Chopper webshells are incredibly similar .", "spans": {"System: AntSword": [[66, 74], [163, 171]], "Organization: Emissary Panda": [[104, 118]], "System: Chopper": [[130, 137], [182, 189]]}, "info": {"id": "aptner_dev_001592", "source": "aptner_dev"}}
{"text": "Just 40 seconds after the suspected exploitation of CVE-2019-0604 , we observed the first HTTP GET request to a webshell at c.aspx , which is a modified version of the freely available awen asp.net webshell .", "spans": {"Vulnerability: CVE-2019-0604": [[52, 65]], "Indicator: c.aspx": [[124, 130]], "System: awen": [[185, 189]], "Indicator: asp.net": [[190, 197]]}, "info": {"id": "aptner_dev_001601", "source": "aptner_dev"}}
{"text": "The actor uses the Awen webshell to run various commands to do an initial discovery on the system and network , including user accounts ( T1033 and T1087 ) , files and folders ( T1083 ) , privileged groups ( T1069 ) , remote systems ( T1018 ) and network configuration ( T1016 ) .", "spans": {"System: Awen": [[19, 23]]}, "info": {"id": "aptner_dev_001603", "source": "aptner_dev"}}
{"text": "The first artifact – identified across this report as Artifact #1 – has the following attributes :", "spans": {}, "info": {"id": "aptner_dev_001630", "source": "aptner_dev"}}
{"text": "Artifact #1 was retrieved from a File Server operated by Die Linke .", "spans": {"System: File Server": [[33, 44]]}, "info": {"id": "aptner_dev_001634", "source": "aptner_dev"}}
{"text": "The recovered shared SSL certificate , obtained by a public internet-wide scanning initiative , at the time had the following attributes :", "spans": {}, "info": {"id": "aptner_dev_001678", "source": "aptner_dev"}}
{"text": "While the evidence presented strongly suggests a connection with the Sofacy Group , the artifacts ( in particular Artifact #2 ) are not publicly recognized to be part of the more traditional arsenal of these attackers .", "spans": {"Organization: Sofacy": [[69, 75]]}, "info": {"id": "aptner_dev_001686", "source": "aptner_dev"}}
{"text": "In 2015 we noticed another wave of attacks which took advantage of a new release of the AZZY implant , largely undetected by antivirus products .", "spans": {"Malware: AZZY": [[88, 92]]}, "info": {"id": "aptner_dev_001700", "source": "aptner_dev"}}
{"text": "Since mid-November 2015 , the threat actor referred to as “ Sofacy ” or “ APT28 ” has been utilizing a unique payload and delivery mechanism written in Delphi and AutoIT .", "spans": {"Organization: Sofacy": [[60, 66]], "Organization: APT28": [[74, 79]], "System: Delphi": [[152, 158]], "System: AutoIT": [[163, 169]]}, "info": {"id": "aptner_dev_001719", "source": "aptner_dev"}}
{"text": "Earlier SPLM activity deployed 32-bit modules over unencrypted http ( and sometimes smtp ) sessions .", "spans": {"Malware: SPLM": [[8, 12]]}, "info": {"id": "aptner_dev_001734", "source": "aptner_dev"}}
{"text": "Minor changes and updates to the code were released with these deployments , including a new mutex format and the exclusive use of encrypted HTTP communications over TLS .", "spans": {}, "info": {"id": "aptner_dev_001741", "source": "aptner_dev"}}
{"text": "Leading up to summer 2017 , infrastructure mostly was created with PDR and Internet Domain Service BS Corp , and their resellers .", "spans": {}, "info": {"id": "aptner_dev_001749", "source": "aptner_dev"}}