{"text": "Their campaigns appear to have broken out into subsets of activity and malware involving GAMEFISH , Zebrocy , and SPLM , to name a few .", "spans": {"Malware: GAMEFISH": [[89, 97]], "Malware: Zebrocy": [[100, 107]], "Malware: SPLM": [[114, 118]]}, "info": {"id": "aptner_test_000005", "source": "aptner_test"}}
{"text": "The shortened URL leads the victim to an IP-address-based URL , where the archived payload is located .", "spans": {}, "info": {"id": "aptner_test_000021", "source": "aptner_test"}}
{"text": "Other commands commonly seen executed shortly after these backdoors are activated .", "spans": {}, "info": {"id": "aptner_test_000043", "source": "aptner_test"}}
{"text": "These dumpers are quickly removed once they have done their job .", "spans": {}, "info": {"id": "aptner_test_000051", "source": "aptner_test"}}
{"text": "Following up our most recent Sofacy research in February and March of 2018 , we have found a new campaign that uses a lesser known tool widely attributed to the Sofacy group called Zebrocy .", "spans": {"Organization: Sofacy": [[29, 35], [161, 167]], "Malware: Zebrocy": [[181, 188]]}, "info": {"id": "aptner_test_000064", "source": "aptner_test"}}
{"text": "An interesting difference we found in this newest campaign was that the attacks using Zebrocy cast a far wider net within the target organization : the attackers sent phishing emails to a an exponentially larger number of individuals .", "spans": {"Malware: Zebrocy": [[86, 93]], "System: emails": [[176, 182]]}, "info": {"id": "aptner_test_000068", "source": "aptner_test"}}
{"text": "Only samples mentioned or relevant to the relational analysis have been included .", "spans": {}, "info": {"id": "aptner_test_000098", "source": "aptner_test"}}
{"text": "The DDE instructions attempt to run the following the following command on the victim host , which attempts to download and execute a payload from a remote server .", "spans": {}, "info": {"id": "aptner_test_000120", "source": "aptner_test"}}
{"text": "User must scroll to page three of the document , which will run the DealersChoice Flash object ;", "spans": {"System: DealersChoice": [[68, 81]], "System: Flash": [[82, 87]]}, "info": {"id": "aptner_test_000148", "source": "aptner_test"}}
{"text": "The embedded SWF extracts the domain from the C2 URL passed to it and uses it to craft a URL to get the server ’s ‘ crossdomain.xml ’ file in order to obtain permissions to load additional Flash objects from the C2 domain .", "spans": {"System: SWF": [[13, 16]], "System: C2": [[46, 48], [212, 214]], "Indicator: crossdomain.xml": [[116, 131]], "System: Flash": [[189, 194]]}, "info": {"id": "aptner_test_000169", "source": "aptner_test"}}
{"text": "With these event handlers created , the ActionScript starts by gathering system data from the flash.system.Capabilities.serverString property ( just like in the original DealersChoice.B samples ) and issues an HTTP GET with the system data as a parameter to the C2 URL that was passed as an argument to the embedded SWF when it was initially loaded .", "spans": {"System: ActionScript": [[40, 52]], "Indicator: DealersChoice.B": [[170, 185]], "System: C2": [[262, 264]], "System: SWF": [[316, 319]]}, "info": {"id": "aptner_test_000172", "source": "aptner_test"}}
{"text": "During our analysis , we were unable to coerce the C2 into providing a malicious SWF or payload .", "spans": {"System: C2": [[51, 53]], "System: SWF": [[81, 84]]}, "info": {"id": "aptner_test_000192", "source": "aptner_test"}}
{"text": "DealersChoice :", "spans": {"System: DealersChoice": [[0, 13]]}, "info": {"id": "aptner_test_000201", "source": "aptner_test"}}
{"text": "Several sources estimate that by the year 2020 some 50 billion IoT devices will be deployed worldwide .", "spans": {"System: IoT": [[63, 66]]}, "info": {"id": "aptner_test_000204", "source": "aptner_test"}}
{"text": "As the actor moved from one device to another , they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting .", "spans": {}, "info": {"id": "aptner_test_000225", "source": "aptner_test"}}
{"text": "167.114.153.55 94.237.37.28 82.118.242.171 31.220.61.251 128.199.199.187 .", "spans": {"Indicator: 167.114.153.55": [[0, 14]], "Indicator: 94.237.37.28": [[15, 27]], "Indicator: 82.118.242.171": [[28, 42]], "Indicator: 31.220.61.251": [[43, 56]], "Indicator: 128.199.199.187": [[57, 72]]}, "info": {"id": "aptner_test_000228", "source": "aptner_test"}}
{"text": "Since we identified these attacks in the early stages , we have not been able to conclusively determine what STRONTIUM ’s ultimate objectives were in these intrusions .", "spans": {"Organization: STRONTIUM": [[109, 118]]}, "info": {"id": "aptner_test_000230", "source": "aptner_test"}}
{"text": "Over the last twelve months , Microsoft has delivered nearly 1400 nation-state notifications to those who have been targeted or compromised by STRONTIUM .", "spans": {"Organization: Microsoft": [[30, 39]], "Organization: STRONTIUM": [[143, 152]]}, "info": {"id": "aptner_test_000231", "source": "aptner_test"}}
{"text": "167.114.153.55 94.237.37.28 82.118.242.171 31.220.61.251 128.199.199.187 .", "spans": {"Indicator: 167.114.153.55": [[0, 14]], "Indicator: 94.237.37.28": [[15, 27]], "Indicator: 82.118.242.171": [[28, 42]], "Indicator: 31.220.61.251": [[43, 56]], "Indicator: 128.199.199.187": [[57, 72]]}, "info": {"id": "aptner_test_000245", "source": "aptner_test"}}
{"text": "The Microsoft Security Team is working on a fix for CVE-2015-1701 .", "spans": {"Organization: Microsoft Security Team": [[4, 27]], "Vulnerability: CVE-2015-1701": [[52, 65]]}, "info": {"id": "aptner_test_000254", "source": "aptner_test"}}
{"text": "The malware uses an RC4 encryption key that was previously used by the CHOPSTICK backdoor .", "spans": {"Malware: CHOPSTICK backdoor": [[71, 89]]}, "info": {"id": "aptner_test_000282", "source": "aptner_test"}}
{"text": "The same subnet ( 87.236.215.0 / 24 ) also hosts several known or suspected APT28 domains .", "spans": {"Indicator: 87.236.215.0": [[18, 30]], "Organization: APT28": [[76, 81]]}, "info": {"id": "aptner_test_000288", "source": "aptner_test"}}
{"text": "The payload contains an exploit for the unpatched local privilege escalation vulnerability CVE-2015-1701 in Microsoft Windows .", "spans": {"Vulnerability: CVE-2015-1701": [[91, 104]], "Organization: Microsoft": [[108, 117]], "System: Windows": [[118, 125]]}, "info": {"id": "aptner_test_000289", "source": "aptner_test"}}
{"text": "Report_URL : https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/", "spans": {}, "info": {"id": "aptner_test_000300", "source": "aptner_test"}}
{"text": "Analysis of the email header data showed that the sender address was spoofed and did not originate from IHSMarkit at all .", "spans": {"System: email": [[16, 21]], "Organization: IHSMarkit": [[104, 113]]}, "info": {"id": "aptner_test_000311", "source": "aptner_test"}}
{"text": "As mentioned in a recent ISC diary entry , the macro gets the contents of cells in column 170 in rows 2227 to 2248 to obtain the base64 encoded payload .", "spans": {"System: ISC": [[25, 28]], "System: macro": [[47, 52]]}, "info": {"id": "aptner_test_000320", "source": "aptner_test"}}
{"text": "The macro prepends the string —–BEGIN CERTIFICATE—– to the beginning of the base64 encoded payload and appends —–END CERTIFICATE—– to the end of the data .", "spans": {"System: macro": [[4, 9]]}, "info": {"id": "aptner_test_000321", "source": "aptner_test"}}
{"text": "The macro sleeps for two seconds and then executes the newly dropped executable .", "spans": {"System: macro": [[4, 9]]}, "info": {"id": "aptner_test_000324", "source": "aptner_test"}}
{"text": "Upon execution , the loader will decrypt the embedded payload ( DLL ) using a custom algorithm , decompress it and save it to the following file : %LOCALAPPDATA%\\cdnver.dll .", "spans": {"System: DLL": [[64, 67]], "Indicator: %LOCALAPPDATA%\\cdnver.dll": [[147, 172]]}, "info": {"id": "aptner_test_000327", "source": "aptner_test"}}
{"text": "Overall , SofacyCarberp does initial reconnaissance by gathering system information and sending it to the C2 server prior to downloading additional tools to the system .", "spans": {"Malware: SofacyCarberp": [[10, 23]], "System: C2": [[106, 108]]}, "info": {"id": "aptner_test_000333", "source": "aptner_test"}}
{"text": "It appears that Sofacy may have used an open-source tool called Luckystrike to generate the delivery document and/or the macro used in this attack .", "spans": {"Organization: Sofacy": [[16, 22]], "System: Luckystrike": [[64, 75]], "System: macro": [[121, 126]]}, "info": {"id": "aptner_test_000337", "source": "aptner_test"}}
{"text": "Luckystrike , which was presented at DerbyCon 6 in September 2016 , is a Microsoft PowerShell based tool that generates malicious delivery documents by allowing a user to add a macro to an Excel or Word document to execute an embedded payload .", "spans": {"System: Luckystrike": [[0, 11]], "Organization: DerbyCon": [[37, 45]], "Organization: Microsoft": [[73, 82]], "System: PowerShell": [[83, 93]], "System: macro": [[177, 182]], "System: Excel": [[189, 194]], "System: Word": [[198, 202]]}, "info": {"id": "aptner_test_000338", "source": "aptner_test"}}
{"text": "To confirm our suspicions , we generated a malicious Excel file with Luckystrike and compared its macro to the macro found within Sofacy ’s delivery document .", "spans": {"System: Excel": [[53, 58]], "System: Luckystrike": [[69, 80]], "System: macro": [[98, 103], [111, 116]], "Organization: Sofacy": [[130, 136]]}, "info": {"id": "aptner_test_000340", "source": "aptner_test"}}
{"text": "Specifically , the strings 866-593-54352 ( notice it is one digit too long ) , 403-965-2341 , or the address 522 Clematis .", "spans": {}, "info": {"id": "aptner_test_000350", "source": "aptner_test"}}
{"text": "ThreatConnect had made the same observation regarding this patterning in September 2017 .", "spans": {"System: ThreatConnect": [[0, 13]]}, "info": {"id": "aptner_test_000352", "source": "aptner_test"}}
{"text": "This leads us to believe that their attack attempts are likely still succeeding , even with the wealth of threat intelligence available in the public domain .", "spans": {}, "info": {"id": "aptner_test_000359", "source": "aptner_test"}}
{"text": "Release_Time : 2017-08-11 Report_URL : https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", "spans": {}, "info": {"id": "aptner_test_000367", "source": "aptner_test"}}
{"text": "Twelve hours after the victim initially connected to the publicly available Wi-Fi network , APT28 logged into the machine with stolen credentials .", "spans": {"System: Wi-Fi network": [[76, 89]], "Organization: APT28": [[92, 97]]}, "info": {"id": "aptner_test_000386", "source": "aptner_test"}}
{"text": "Cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself , though actors may also collect information on the hotel as a means of facilitating operations .", "spans": {}, "info": {"id": "aptner_test_000392", "source": "aptner_test"}}
{"text": "Business and government personnel who are traveling , especially in a foreign country , often rely on systems to conduct business other than those at their home office , and may be unfamiliar with threats posed while abroad .", "spans": {}, "info": {"id": "aptner_test_000393", "source": "aptner_test"}}
{"text": "Release_Time : 2018-11-20", "spans": {}, "info": {"id": "aptner_test_000403", "source": "aptner_test"}}
{"text": "These types of weaponized documents are not uncommon but are more difficult to identify as malicious by automated analysis systems due to their modular nature .", "spans": {}, "info": {"id": "aptner_test_000406", "source": "aptner_test"}}
{"text": "Assuming the C2 is still operational however , Word loads the remote template ( SHA256 : f1e2bceae81ccd54777f7862c616f22b581b47e0dda5cb02d0a722168ef194a5 ) and the user is presented with the screen .", "spans": {"System: C2": [[13, 15]], "System: Word": [[47, 51]], "Indicator: f1e2bceae81ccd54777f7862c616f22b581b47e0dda5cb02d0a722168ef194a5": [[89, 153]]}, "info": {"id": "aptner_test_000425", "source": "aptner_test"}}
{"text": "Typically , we expect to see a decoy document saved to the system and later displayed to make the victim less suspicious of malicious activity ; however , in this case the document saved to the system was never displayed and does not contain any pertinent content to the Lion Air tragedy theme seen in the filename .", "spans": {"Organization: Lion Air": [[271, 279]]}, "info": {"id": "aptner_test_000431", "source": "aptner_test"}}
{"text": "~temp.docm and ~msdn.exe files to the system , the initial macro will load the ~temp.docm file as a Word Document object and attempts to run the function Proc1 in the Module1 macro within the ~temp.docm file .", "spans": {"Indicator: ~temp.docm": [[0, 10], [79, 89], [192, 202]], "Indicator: ~msdn.exe": [[15, 24]], "System: macro": [[59, 64], [175, 180]], "System: Word": [[100, 104]]}, "info": {"id": "aptner_test_000438", "source": "aptner_test"}}
{"text": "This variant of Zebrocy is functionally very similar to the Delphi based payloads discussed in our previous publication on Sofacy attacks using Zebrocy earlier this year .", "spans": {"Malware: Zebrocy": [[16, 23], [144, 151]], "System: Delphi": [[60, 66]], "Organization: Sofacy": [[123, 129]]}, "info": {"id": "aptner_test_000441", "source": "aptner_test"}}
{"text": "Structurally this sample was very similar to the initially analyzed document , but the payload turned out to be a completely new tool which we have named Cannon .", "spans": {"Malware: Cannon": [[154, 160]]}, "info": {"id": "aptner_test_000450", "source": "aptner_test"}}
{"text": "Cannon acknowledges the successful execution by sending an email to sahro.bella7@post.cz with s.txt ( contains {SysPar = 65} string ) as the attachment , ok5 within the body and a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1 .", "spans": {"Malware: Cannon": [[0, 6]], "System: email": [[59, 64]], "Indicator: sahro.bella7@post.cz": [[68, 88]], "Indicator: s.txt": [[94, 99]]}, "info": {"id": "aptner_test_000479", "source": "aptner_test"}}
{"text": "The Sofacy threat group continues to target government organizations in the EU , US , and former Soviet states to deliver the Zebrocy tool as a payload .", "spans": {"Organization: Sofacy": [[4, 10]], "Malware: Zebrocy": [[126, 133]]}, "info": {"id": "aptner_test_000480", "source": "aptner_test"}}
{"text": "Delivery Hashes :", "spans": {}, "info": {"id": "aptner_test_000490", "source": "aptner_test"}}
{"text": "Remote Templates :", "spans": {"System: Remote Templates": [[0, 16]]}, "info": {"id": "aptner_test_000494", "source": "aptner_test"}}
{"text": "Zebrocy Hashes :", "spans": {"Malware: Zebrocy": [[0, 7]]}, "info": {"id": "aptner_test_000496", "source": "aptner_test"}}
{"text": "Zebrocy C2 URLs :", "spans": {"Malware: Zebrocy": [[0, 7]], "System: C2": [[8, 10]]}, "info": {"id": "aptner_test_000498", "source": "aptner_test"}}
{"text": "Cannon Hashes :", "spans": {"Malware: Cannon": [[0, 6]]}, "info": {"id": "aptner_test_000500", "source": "aptner_test"}}
{"text": "61a1f3b4fb4dbd2877c91e81db4b1af8395547eab199bf920e9dd11a1127221e .", "spans": {"Indicator: 61a1f3b4fb4dbd2877c91e81db4b1af8395547eab199bf920e9dd11a1127221e": [[0, 64]]}, "info": {"id": "aptner_test_000501", "source": "aptner_test"}}
{"text": "The earliest activity we have been able to definitively attribute to the Dukes are two PinchDuke campaigns from November 2008 .", "spans": {"Organization: Dukes": [[73, 78]], "Malware: PinchDuke": [[87, 96]]}, "info": {"id": "aptner_test_000510", "source": "aptner_test"}}
{"text": "Due to a lack of other PinchDuke samples from 2008 or earlier , we are unable to estimate when the Duke operation originally began .", "spans": {"Malware: PinchDuke": [[23, 32]], "Organization: Duke": [[99, 103]]}, "info": {"id": "aptner_test_000515", "source": "aptner_test"}}
{"text": "This sample , like the early PinchDuke samples , appears to already be a “ fully-grown ” sample , which is why we believe GeminiDuke was under development by the autumn of 2008 .", "spans": {"Malware: PinchDuke": [[29, 38]], "Malware: GeminiDuke": [[122, 132]]}, "info": {"id": "aptner_test_000519", "source": "aptner_test"}}
{"text": "That the Dukes were already developing and operating at least two distinct malware toolsets by the second half of 2008 suggests to us that either the size of their cyberespionage operation was already large enough to warrant such an arsenal of tools , or that they expected their operation to grow significantly enough in the foreseeable future to warrant the development of such an arsenal .", "spans": {"Organization: Dukes": [[9, 14]]}, "info": {"id": "aptner_test_000520", "source": "aptner_test"}}
{"text": "Campaign identifiers from 2009 also reveal that by that time , the Dukes were already actively interested in political matters related to the United States ( US ) and the North Atlantic Treaty Organization ( NATO ) , as they ran campaigns targeting ( among other organizations ) a US based foreign policy think tank , another set of campaigns related to a NATO exercise held in Europe , and a third set apparently targeting what was then known as the Georgian “ Information Centre on NATO ” .", "spans": {"Organization: Dukes": [[67, 72]], "Organization: North Atlantic Treaty Organization": [[171, 205]], "Organization: NATO": [[208, 212], [356, 360], [484, 488]]}, "info": {"id": "aptner_test_000527", "source": "aptner_test"}}
{"text": "The first of these runs used the campaign identifier “ natoinfo_ge ” , an apparent reference to the www.natoinfo.ge website belonging to a Georgian political body that has since been renamed “ Information Centre on NATO and EU ” .", "spans": {"Indicator: www.natoinfo.ge": [[100, 115]], "Organization: NATO": [[215, 219]]}, "info": {"id": "aptner_test_000534", "source": "aptner_test"}}
{"text": "The first known sample of the CosmicDuke toolset was compiled on the 16th of January 2010 .", "spans": {"Malware: CosmicDuke": [[30, 40]]}, "info": {"id": "aptner_test_000541", "source": "aptner_test"}}
{"text": "Both PinchDuke and CosmicDuke would then operate independently on the same compromised host , including performing separate information gathering , data Exfiltration and communication with a command and control ( C&C ) server - although both malware would often use the same C&C server .", "spans": {"Malware: PinchDuke": [[5, 14]], "Malware: CosmicDuke": [[19, 29]], "System: command and control": [[191, 210]], "System: C&C": [[213, 216], [275, 278]]}, "info": {"id": "aptner_test_000545", "source": "aptner_test"}}
{"text": "We believe the purpose of this parallel use was to ‘ fieldtest ’ the new CosmicDuke tool , while at the same time ensuring operational success with the tried-and-tested PinchDuke .", "spans": {"Malware: CosmicDuke": [[73, 83]], "Malware: PinchDuke": [[169, 178]]}, "info": {"id": "aptner_test_000546", "source": "aptner_test"}}
{"text": "During this period of CosmicDuke testing and development , the Duke authors also started experimenting with the use of privilege escalation vulnerabilities .", "spans": {"Malware: CosmicDuke": [[22, 32]], "Organization: Duke": [[63, 67]]}, "info": {"id": "aptner_test_000547", "source": "aptner_test"}}
{"text": "During 2011 , the Dukes appear to have significantly expanded both their arsenal of malware toolsets and their C&C infrastructure .", "spans": {"Organization: Dukes": [[18, 23]], "System: C&C": [[111, 114]]}, "info": {"id": "aptner_test_000551", "source": "aptner_test"}}
{"text": "These domains were used by the Dukes in campaigns involving many of their different malware toolsets all the way until 2014 .", "spans": {"Organization: Dukes": [[31, 36]]}, "info": {"id": "aptner_test_000555", "source": "aptner_test"}}
{"text": "The stylistic differences between CozyDuke and its older siblings are further exemplified by the way it was coded .", "spans": {"Malware: CozyDuke": [[34, 42]]}, "info": {"id": "aptner_test_000567", "source": "aptner_test"}}
{"text": "CozyDuke however represents the complete opposite .", "spans": {"Malware: CozyDuke": [[0, 8]]}, "info": {"id": "aptner_test_000569", "source": "aptner_test"}}
{"text": "Contrary to what might be expected from malware , early CozyDuke versions also lacked any attempt at obfuscating or hiding their true nature .", "spans": {"Malware: CozyDuke": [[56, 64]]}, "info": {"id": "aptner_test_000571", "source": "aptner_test"}}
{"text": "We still know surprisingly few specifics about the Dukes group ’s activities during 2012 .", "spans": {"Organization: Dukes": [[51, 56]]}, "info": {"id": "aptner_test_000578", "source": "aptner_test"}}
{"text": "In fact , in 2009 a PinchDuke sample had been included in the malware set used by the AV-Test security product testing organization to perform anti-virus product comparison reviews .", "spans": {"Malware: PinchDuke": [[20, 29]], "Organization: AV-Test": [[86, 93]]}, "info": {"id": "aptner_test_000586", "source": "aptner_test"}}
{"text": "The MiniDuke samples that were spread using these exploits were compiled on the 20th of February , after the exploit was already publicly known .", "spans": {"Malware: MiniDuke": [[4, 12]]}, "info": {"id": "aptner_test_000589", "source": "aptner_test"}}
{"text": "Secondly , the value the Dukes intended to gain from these MiniDuke campaigns may have been so great that they deemed it worth the risk of getting noticed .", "spans": {"Organization: Dukes": [[25, 30]], "Malware: MiniDuke": [[59, 67]]}, "info": {"id": "aptner_test_000599", "source": "aptner_test"}}
{"text": "After the February campaigns , MiniDuke activity appeared to quiet down , although it did not fully stop , for the rest of 2013 .", "spans": {"Malware: MiniDuke": [[31, 39]]}, "info": {"id": "aptner_test_000608", "source": "aptner_test"}}
{"text": "The Dukes group as a whole however showed no sign of slowing down .", "spans": {"Organization: Dukes": [[4, 9]]}, "info": {"id": "aptner_test_000609", "source": "aptner_test"}}
{"text": "In a surprising turn of events , in September 2013 a CosmicDuke campaign was observed targeting Russian speakers involved in the trade of illegal and controlled substances .", "spans": {"Malware: CosmicDuke": [[53, 63]]}, "info": {"id": "aptner_test_000628", "source": "aptner_test"}}
{"text": "While MiniDuke activity decreased significantly during the rest of 2013 following the attention it garnered from researchers , the beginning of 2014 saw the toolset back in full force .", "spans": {"Malware: MiniDuke": [[6, 14]]}, "info": {"id": "aptner_test_000635", "source": "aptner_test"}}
{"text": "It is therefore valuable to observe how the Dukes reacted to CosmicDuke ’s outing at the beginning of July .", "spans": {"Malware: CosmicDuke": [[61, 71]]}, "info": {"id": "aptner_test_000646", "source": "aptner_test"}}
{"text": "During the rest of 2014 and the spring of 2015 , the Dukes continued making similar evasionfocused modifications to CosmicDuke , as well as experimenting with ways to obfuscate the loader .", "spans": {"Organization: Dukes": [[53, 58]], "Malware: CosmicDuke": [[116, 126]]}, "info": {"id": "aptner_test_000660", "source": "aptner_test"}}
{"text": "On the 23rd of October 2014 , Leviathan Security Group published a blog post describing a malicious Tor exit node they had found .", "spans": {"Organization: Leviathan Security Group": [[30, 54]], "System: Tor": [[100, 103]]}, "info": {"id": "aptner_test_000676", "source": "aptner_test"}}
{"text": "We believe the formation of the second botnet began in August 2014 and continued until January 2015 .", "spans": {}, "info": {"id": "aptner_test_000692", "source": "aptner_test"}}
{"text": "The counter to that argument however is that the value of stolen credentials from users in the countries with the highest percentage of OnionDuke bots ( Mongolia and India ) are among the lowest on underground markets . 2015 : The Dukes up the ante .", "spans": {"Malware: OnionDuke": [[136, 145]], "Organization: Dukes": [[231, 236]]}, "info": {"id": "aptner_test_000698", "source": "aptner_test"}}
{"text": "Curiously , the spear-phishing emails were strikingly similar to the e-fax themed spam usually seen spreading ransomware and other common crimeware .", "spans": {"System: emails": [[31, 37]]}, "info": {"id": "aptner_test_000700", "source": "aptner_test"}}
{"text": "The CloudDuke toolset consists of at least a loader , a downloader , and two backdoor variants .", "spans": {"Malware: CloudDuke": [[4, 13]], "Malware: loader": [[45, 51]], "Malware: downloader": [[56, 66]]}, "info": {"id": "aptner_test_000724", "source": "aptner_test"}}
{"text": "While the BastionSolution variant simply retrieves commands from a hard-coded C&C server controlled by the Dukes , the OneDriveSolution utilizes Microsoft ’s OneDrive cloud storage service for communicating with its masters , making it significantly harder for defenders to notice the traffic and block the communication channel .", "spans": {"Malware: BastionSolution": [[10, 25]], "System: C&C": [[78, 81]], "Organization: Dukes": [[107, 112]], "Malware: OneDriveSolution": [[119, 135]], "Organization: Microsoft": [[145, 154]], "System: OneDrive": [[158, 166]]}, "info": {"id": "aptner_test_000727", "source": "aptner_test"}}
{"text": "Based on this , we do not believe that the Dukes are replacing their covert and targeted campaigns with the overt and opportunistic CozyDuke and CloudDuke style of campaigns .", "spans": {"Organization: Dukes": [[43, 48]], "Malware: CozyDuke": [[132, 140]], "Malware: CloudDuke": [[145, 154]]}, "info": {"id": "aptner_test_000743", "source": "aptner_test"}}
{"text": "As such , the blog continues to push forward the narrative of how ICS attacks are enabled through prepositioning and initial intrusion operations – an item I have discussed at length .", "spans": {"System: ICS": [[66, 69]]}, "info": {"id": "aptner_test_000748", "source": "aptner_test"}}
{"text": "Yet one point of confusion in the blog comes at the very start : referring to the entity responsible for TRITON as the “ TRITON actor ” .", "spans": {"Malware: TRITON": [[105, 111], [121, 127]]}, "info": {"id": "aptner_test_000749", "source": "aptner_test"}}
{"text": "This seems confusing as FireEye earlier publicly declared the “ TRITON actor ” as a discrete entity , linked to a Russian research institution , and christened it as “ TEMP.Veles ” .", "spans": {"Organization: FireEye": [[24, 31]], "Malware: TRITON": [[64, 70]], "Organization: TEMP.Veles": [[168, 178]]}, "info": {"id": "aptner_test_000750", "source": "aptner_test"}}
{"text": "This technique is precise and praiseworthy – yet at the same time , appears so rigorous as to impose limitations on the ability to dynamically adjust and adapt to emerging adversary activity . ( Or for that matter , even categorize otherwise well-known historical actors operating to the present day , such as Turla . ) FireEye ’s methodology may have particular limitations in instances where adversaries ( such as XENOTIME and presumably TEMP.Veles ) rely upon extensive use of publicly-available , commonly-used tools with limited amounts of customization .", "spans": {"Organization: Turla": [[310, 315]], "Organization: FireEye": [[320, 327]], "Organization: XENOTIME": [[416, 424]], "Organization: TEMP.Veles": [[440, 450]]}, "info": {"id": "aptner_test_000762", "source": "aptner_test"}}
{"text": "In such cases , utilizing purely technical approaches for differentiation ( an issue I lightly touched on in a recent post ) becomes problematic , especially when trying to define attribution to specific , “ who-based ” entities ( such as a Russian research institute ) .", "spans": {}, "info": {"id": "aptner_test_000763", "source": "aptner_test"}}
{"text": "And my answer for this is : neither is perfect , but both are useful – depending upon your goals and objectives .", "spans": {}, "info": {"id": "aptner_test_000775", "source": "aptner_test"}}
{"text": "Overall , the discussion above may appear so much splitting of hairs or determining how many angels can dance on the head of a pin – yet given the communicative impacts behind different naming and labeling conventions , this exploration seems not merely useful but necessary .", "spans": {}, "info": {"id": "aptner_test_000783", "source": "aptner_test"}}
{"text": "This person ’s online activity shows significant links to CNIIHM .", "spans": {"Organization: CNIIHM": [[58, 64]]}, "info": {"id": "aptner_test_000795", "source": "aptner_test"}}
{"text": "We judge that CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of TRITON and TEMP.Veles operations .", "spans": {"Organization: CNIIHM": [[14, 20]], "Malware: TRITON": [[140, 146]], "Organization: TEMP.Veles": [[151, 161]]}, "info": {"id": "aptner_test_000798", "source": "aptner_test"}}
{"text": "Multiple files have Cyrillic names and artifacts .", "spans": {}, "info": {"id": "aptner_test_000827", "source": "aptner_test"}}
{"text": "CNIIHM has at least two research divisions that are experienced in critical infrastructure , enterprise safety , and the development of weapons/military equipment :", "spans": {"Organization: CNIIHM": [[0, 6]]}, "info": {"id": "aptner_test_000836", "source": "aptner_test"}}
{"text": "It also researches methods for enabling enterprise safety in emergency situations .", "spans": {}, "info": {"id": "aptner_test_000839", "source": "aptner_test"}}
{"text": "The Russian Academy of Missile and Artillery Sciences ( PAPAH ) which specializes in research and development for strengthening Russia ’s defense industrial complex .", "spans": {"Organization: Russian Academy of Missile and Artillery Sciences": [[4, 53]], "Organization: PAPAH": [[56, 61]]}, "info": {"id": "aptner_test_000845", "source": "aptner_test"}}
{"text": "Xenotime .", "spans": {"Organization: Xenotime": [[0, 8]]}, "info": {"id": "aptner_test_000852", "source": "aptner_test"}}
{"text": "They enable engineers and operators to safely control and possibly shutdown processes before a major incident occurs .", "spans": {}, "info": {"id": "aptner_test_000865", "source": "aptner_test"}}
{"text": "CTU researchers have observed TG-3390 activity between 04:00 and 09:00 UTC , which is 12:00 to 17:00 local time in China ( UTC +8 ) .", "spans": {"Organization: CTU": [[0, 3]], "Organization: TG-3390": [[30, 37]]}, "info": {"id": "aptner_test_000921", "source": "aptner_test"}}
{"text": "TG-3390 's obfuscation techniques in SWCs complicate detection of malicious web traffic redirects .", "spans": {"Organization: TG-3390": [[0, 7]], "System: SWCs": [[37, 41]]}, "info": {"id": "aptner_test_000934", "source": "aptner_test"}}
{"text": "Malware used by the threat group can be configured to bypass network-based detection ; however , the threat actors rarely modify host-based configuration settings when deploying payloads .", "spans": {}, "info": {"id": "aptner_test_000935", "source": "aptner_test"}}
{"text": "In addition to using SWCs to target specific types of organizations , TG-3390 uses spearphishing emails to target specific victims .", "spans": {"System: SWCs": [[21, 25]], "Organization: TG-3390": [[70, 77]], "System: emails": [[97, 103]]}, "info": {"id": "aptner_test_000939", "source": "aptner_test"}}
{"text": "However , the threat actors' ability to reuse these assets and credentials , sometimes weeks or months after the initial compromise , indicates the group is disciplined and well organized .", "spans": {}, "info": {"id": "aptner_test_000943", "source": "aptner_test"}}
{"text": "TG-3390 : bel.updatawindows.com .", "spans": {"Organization: TG-3390": [[0, 7]], "Indicator: bel.updatawindows.com": [[10, 31]]}, "info": {"id": "aptner_test_000949", "source": "aptner_test"}}
{"text": "TG-3390 : blackcmd.com .", "spans": {"Organization: TG-3390": [[0, 7]], "Indicator: blackcmd.com": [[10, 22]]}, "info": {"id": "aptner_test_000951", "source": "aptner_test"}}
{"text": "TG-3390 : 74.63.195.237 . 1cb4b74e9d030afbb18accf6ee2bfca1 MD5 hash HttpBrowser RAT dropper . b333b5d541a0488f4e710ae97c46d9c2 MD5 hash HttpBrowser RAT dropper . 86a05dcffe87caf7099dda44d9ec6b48 MD5 hash HttpBrowser RAT dropper . 93e40da0bd78bebe5e1b98c6324e9b5b MD5 hash HttpBrowser RAT dropper . f43d9c3e17e8480a36a62ef869212419 MD5 hash HttpBrowser RAT dropper . 57e85fc30502a925ffed16082718ec6c MD5 hash HttpBrowser RAT dropper . 4251aaf38a485b08d5562c6066370f09 MD5 hash HttpBrowser RAT dropper . bbfd1e703f55ce779b536b5646a0cdc1 MD5 hash HttpBrowser RAT dropper . 12a522cb96700c82dc964197adb57ddf MD5 hash HttpBrowser RAT dropper . 728e5700a401498d91fb83159beec834 MD5 hash HttpBrowser RAT dropper . 2bec1860499aae1dbcc92f48b276f998 MD5 hash HttpBrowser RAT dropper . 014122d7851fa8bf4070a8fc2acd5dc5 MD5 hash HttpBrowser RAT . 0ae996b31a2c3ed3f0bc14c7a96bea38 MD5 hash HttpBrowser RAT . 1a76681986f99b216d5c0f17ccff2a12 MD5 hash HttpBrowser RAT . 380c02b1fd93eb22028862117a2f19e3 MD5 hash HttpBrowser RAT . 40a9a22da928cbb70df48d5a3106d887 MD5 hash HttpBrowser RAT . 46cf2f9b4a4c35b62a32f28ac847c575 MD5 hash HttpBrowser RAT . 5436c3469cb1d87ea404e8989b28758d MD5 hash HttpBrowser RAT . 692cecc94ac440ec673dc69f37bc0409 MD5 hash HttpBrowser RAT .", "spans": {"Organization: TG-3390": [[0, 7]], "Indicator: 74.63.195.237": [[10, 23]], "Indicator: 1cb4b74e9d030afbb18accf6ee2bfca1": [[26, 58]], "Malware: HttpBrowser": [[68, 79], [136, 147], [204, 215], [272, 283], [340, 351], [408, 419], [476, 487], [544, 555], [612, 623], [680, 691], [748, 759], [816, 827], [876, 887], [936, 947], [996, 1007], [1056, 1067], [1116, 1127], [1176, 1187], [1236, 1247]], "Indicator: b333b5d541a0488f4e710ae97c46d9c2": [[94, 126]], "Indicator: 86a05dcffe87caf7099dda44d9ec6b48": [[162, 194]], "Indicator: 93e40da0bd78bebe5e1b98c6324e9b5b": [[230, 262]], "Indicator: f43d9c3e17e8480a36a62ef869212419": [[298, 330]], "Indicator: 57e85fc30502a925ffed16082718ec6c": [[366, 398]], "Indicator: 4251aaf38a485b08d5562c6066370f09": [[434, 466]], "Indicator: bbfd1e703f55ce779b536b5646a0cdc1": [[502, 534]], "Indicator: 12a522cb96700c82dc964197adb57ddf": [[570, 602]], "Indicator: 728e5700a401498d91fb83159beec834": [[638, 670]], "Indicator: 2bec1860499aae1dbcc92f48b276f998": [[706, 738]], "Indicator: 014122d7851fa8bf4070a8fc2acd5dc5": [[774, 806]], "Indicator: 0ae996b31a2c3ed3f0bc14c7a96bea38": [[834, 866]], "Indicator: 1a76681986f99b216d5c0f17ccff2a12": [[894, 926]], "Indicator: 380c02b1fd93eb22028862117a2f19e3": [[954, 986]], "Indicator: 40a9a22da928cbb70df48d5a3106d887": [[1014, 1046]], "Indicator: 46cf2f9b4a4c35b62a32f28ac847c575": [[1074, 1106]], "Indicator: 5436c3469cb1d87ea404e8989b28758d": [[1134, 1166]], "Indicator: 692cecc94ac440ec673dc69f37bc0409": [[1194, 1226]]}, "info": {"id": "aptner_test_000962", "source": "aptner_test"}}
{"text": "Memory collected from systems involved in the intrusion was analyzed using the Volatility framework .", "spans": {}, "info": {"id": "aptner_test_000973", "source": "aptner_test"}}
{"text": "Volatility 's procdump command was used to dump the executable from memory .", "spans": {"System: Volatility": [[0, 10]]}, "info": {"id": "aptner_test_000988", "source": "aptner_test"}}
{"text": "They will leverage legitimate remote access solutions for entry and valid system administrator tools for lateral movement , if possible .", "spans": {}, "info": {"id": "aptner_test_000992", "source": "aptner_test"}}
{"text": "The document uses the logic flaw to first download the file power.rtf from http://122.9.52.215/news/power.rtf .", "spans": {"Indicator: power.rtf": [[60, 69]], "Indicator: http://122.9.52.215/news/power.rtf": [[75, 109]]}, "info": {"id": "aptner_test_001005", "source": "aptner_test"}}
{"text": "All posts are encrypted , unlike the last time we analyzed a sample from this actor , when the first POST was accidentally not encrypted .", "spans": {}, "info": {"id": "aptner_test_001015", "source": "aptner_test"}}
{"text": "PCRat is a payload that we do not see this group using frequently .", "spans": {"Vulnerability: PCRat": [[0, 5]]}, "info": {"id": "aptner_test_001024", "source": "aptner_test"}}
{"text": "Even as software vulnerabilities often take a back seat to human exploits and social engineering , robust defenses must include protection at the email gateway , proactive patch management , and thoughtful end user education .", "spans": {"System: email": [[146, 151]]}, "info": {"id": "aptner_test_001031", "source": "aptner_test"}}
{"text": "Suckfly has a number of hacktools and malware varieties at its disposal : Back door , Keylogger , Port scanner , Misc. tool , Exploit , Credential dumper , Privilage escalation .", "spans": {"Organization: Suckfly": [[0, 7]], "System: Back door": [[74, 83]], "System: Keylogger": [[86, 95]], "System: Port scanner": [[98, 110]], "System: Misc.": [[113, 118]], "System: Exploit": [[126, 133]], "System: dumper": [[147, 153]], "Vulnerability: Privilage escalation": [[156, 176]]}, "info": {"id": "aptner_test_001046", "source": "aptner_test"}}
{"text": "Those three certificates were the only ones used in 2014 , making it likely that the other six were not compromised until 2015 .", "spans": {}, "info": {"id": "aptner_test_001063", "source": "aptner_test"}}
{"text": "As noted earlier , the stolen certificates Symantec identified in this investigation were used to sign both hacking tools and malware .", "spans": {"Organization: Symantec": [[43, 51]]}, "info": {"id": "aptner_test_001065", "source": "aptner_test"}}
{"text": "The modifications were minor and likely performed to add capabilities and avoid detection .", "spans": {}, "info": {"id": "aptner_test_001070", "source": "aptner_test"}}
{"text": "This exploit is triggered when a potential victim browses to a malicious page using Internet Explorer , which can allow the attacker to execute code with the same privileges as the currently logged-in user .", "spans": {"System: Internet Explorer": [[84, 101]]}, "info": {"id": "aptner_test_001074", "source": "aptner_test"}}
{"text": "The executable will then load iviewers.dll , which is normally a clean , legitimate file .", "spans": {"Indicator: iviewers.dll": [[30, 42]]}, "info": {"id": "aptner_test_001077", "source": "aptner_test"}}
{"text": "This technique is associated with the Korplug malware and is frequently used in China based cyberespionage activity .", "spans": {"Malware: Korplug": [[38, 45]]}, "info": {"id": "aptner_test_001079", "source": "aptner_test"}}
{"text": "Suckfly isn’t the only attack group to use certificates to sign malware but they may be the most prolific collectors of them .", "spans": {"Organization: Suckfly": [[0, 7]]}, "info": {"id": "aptner_test_001080", "source": "aptner_test"}}
{"text": "File hashes :", "spans": {}, "info": {"id": "aptner_test_001108", "source": "aptner_test"}}
{"text": "Infrastructure :", "spans": {}, "info": {"id": "aptner_test_001110", "source": "aptner_test"}}
{"text": "While we know the attackers used a custom dropper to install the back door , we do not know the delivery vector .", "spans": {}, "info": {"id": "aptner_test_001141", "source": "aptner_test"}}
{"text": "We found evidence that Suckfly used hacktools to move latterly and escalate privileges .", "spans": {"Organization: Suckfly": [[23, 30]]}, "info": {"id": "aptner_test_001144", "source": "aptner_test"}}
{"text": "While tracking what days of the week Suckfly used its hacktools , we discovered that the group was only active Monday through Friday .", "spans": {"Organization: Suckfly": [[37, 44]]}, "info": {"id": "aptner_test_001154", "source": "aptner_test"}}
{"text": "Figure 4 shows the attackers ’ activity levels throughout the week .", "spans": {}, "info": {"id": "aptner_test_001157", "source": "aptner_test"}}
{"text": "dllhost.exe : The main host for the .dll file . iviewers.dll : Used to load encrypted payloads and then decrypt them . msfled : The encrypted payload .", "spans": {"Indicator: dllhost.exe": [[0, 11]], "Indicator: .dll": [[36, 40]], "Indicator: iviewers.dll": [[48, 60]]}, "info": {"id": "aptner_test_001161", "source": "aptner_test"}}
{"text": "ssl.microsoft-security-center.com Whoisguard Unknown July 20 , 2015 Domain@quicca.com 133.242.134.121 August 18 , 2014 .", "spans": {"Indicator: ssl.microsoft-security-center.com": [[0, 33]], "System: Whoisguard": [[34, 44]], "Indicator: Domain@quicca.com": [[68, 85]], "Indicator: 133.242.134.121": [[86, 101]]}, "info": {"id": "aptner_test_001171", "source": "aptner_test"}}
{"text": "Suckfly has the resources to develop malware , purchase infrastructure , and conduct targeted attacks for years while staying off the radar of security organizations .", "spans": {"Organization: Suckfly": [[0, 7]]}, "info": {"id": "aptner_test_001177", "source": "aptner_test"}}
{"text": "GEMINIDUKE : First known activity January 2009 , Most recent known activity December 2012 , C&C communication methods HTTP(S) , Known toolset components Loader , Information stealer , Multiple persistence components .", "spans": {"Malware: GEMINIDUKE": [[0, 10]], "System: C&C": [[92, 95]], "System: Loader": [[153, 159]], "System: Information stealer": [[162, 181]], "System: Multiple persistence components": [[184, 215]]}, "info": {"id": "aptner_test_001192", "source": "aptner_test"}}
{"text": "The collected details include : Local user accounts , Network settings , Internet proxy settings , Installed drivers , Running processes , Programs previously executed by users , Programs and services configured to automatically run at startup , Values of environment variables , Files and folders present in any users home folder , Files and folders present in any users My Documents , Programs installed to the Program Files folder , Recently accessed files , folders and programs .", "spans": {}, "info": {"id": "aptner_test_001195", "source": "aptner_test"}}
{"text": "This component can be instructed by the C&C server to download and execute arbitrary modules , and it is these modules that provide CozyDuke with its vast array of functionality .", "spans": {"System: C&C": [[40, 43]], "Malware: CozyDuke": [[132, 140]]}, "info": {"id": "aptner_test_001243", "source": "aptner_test"}}
{"text": "Once the victim finished downloading the file and executed it , the wrapper would infect the victim ’s computer with OnionDuke before executing the original legitimate executable .", "spans": {"Malware: OnionDuke": [[117, 126]]}, "info": {"id": "aptner_test_001252", "source": "aptner_test"}}
{"text": "HammerDuke is however interesting because it is written in .NET , and even more so because of its occasional use of Twitter as a C&C communication channel .", "spans": {"Malware: HammerDuke": [[0, 10]], "System: .NET": [[59, 63]], "System: Twitter": [[116, 123]], "Organization: C&C": [[129, 132]]}, "info": {"id": "aptner_test_001266", "source": "aptner_test"}}
{"text": "CLOUDDUKE : First known activity June 2015 , Most recent known activity Summer 2015 , Other names MiniDionis , CloudLook , C&C communication methods HTTP(S) , Microsoft OneDrive , Known toolset components Downloader , Loader , Two backdoor variants .", "spans": {"Malware: CLOUDDUKE": [[0, 9]], "Malware: MiniDionis": [[98, 108]], "Malware: CloudLook": [[111, 120]], "System: C&C": [[123, 126]], "Organization: Microsoft": [[159, 168]], "System: OneDrive": [[169, 177]], "System: Downloader": [[205, 215]], "System: Loader": [[218, 224]]}, "info": {"id": "aptner_test_001274", "source": "aptner_test"}}
{"text": "In some cases , the Dukes appear to have used previously compromised victims to send new spear-phishing emails to other targets .", "spans": {"Organization: Dukes": [[20, 25]], "System: emails": [[104, 110]]}, "info": {"id": "aptner_test_001283", "source": "aptner_test"}}
{"text": "The only instances which we are aware of where the Dukes did not use spear-phishing as the initial infection vector is with certain OnionDuke variants .", "spans": {"Organization: Dukes": [[51, 56]], "Malware: OnionDuke": [[132, 141]]}, "info": {"id": "aptner_test_001286", "source": "aptner_test"}}
{"text": "In all known cases where exploits were employed , we believe the Dukes did not themselves discover the vulnerabilities or design the original exploits ; for the exploited zero-day , we believe the Dukes purchased the exploit .", "spans": {"Organization: Dukes": [[65, 70], [197, 202]], "Vulnerability: zero-day": [[171, 179]]}, "info": {"id": "aptner_test_001292", "source": "aptner_test"}}
{"text": "In all other cases , we believe the group simply repurposed publicly available exploits or proofs of concept .", "spans": {}, "info": {"id": "aptner_test_001293", "source": "aptner_test"}}
{"text": "This assertion of time zone is also supported by timestamps found in many GeminiDuke samples , which similarly suggest the group work in the Moscow Standard Time timezone , as further detailed in the section on the technical analysis of GeminiDuke .", "spans": {"Malware: GeminiDuke": [[74, 84], [237, 247]], "System: Standard Time": [[148, 161]]}, "info": {"id": "aptner_test_001316", "source": "aptner_test"}}
{"text": "While absence of evidence is not evidence of absence , it is an interesting detail to note .", "spans": {}, "info": {"id": "aptner_test_001319", "source": "aptner_test"}}
{"text": "Because TA505 is such a significant part of the email threat landscape , this blog provides a retrospective on the shifting malware , payloads , and campaigns associated with this actor .", "spans": {"Organization: TA505": [[8, 13]], "System: email": [[48, 53]]}, "info": {"id": "aptner_test_001323", "source": "aptner_test"}}
{"text": "The following is a more detailed description of the malware and notable campaign attributes associated with TA505 .", "spans": {"Organization: TA505": [[108, 113]]}, "info": {"id": "aptner_test_001330", "source": "aptner_test"}}
{"text": "However , TA505 was also among the first actors to return to high-volume Dridex distribution this same month , even as they demonstrated their ability to diversify and deliver threats beyond Dridex .", "spans": {"Organization: TA505": [[10, 15]], "Malware: Dridex": [[73, 79], [191, 197]]}, "info": {"id": "aptner_test_001346", "source": "aptner_test"}}
{"text": "A lull in June 2016 associated with a disruption in the Necurs botnet ; TA505 is heavily reliant on this massive botnet to send out high-volume malicious spam campaigns and disappearances of TA505 activity frequently accompany disruptions in Necurs .", "spans": {"Malware: Necurs": [[56, 62], [242, 248]], "Organization: TA505": [[72, 77], [191, 196]]}, "info": {"id": "aptner_test_001354", "source": "aptner_test"}}
{"text": "Large-scale Dridex and Locky campaigns returned in Q2 2017 , although none reached the volumes we observed in mid-2016 .", "spans": {"Malware: Dridex": [[12, 18]], "Malware: Locky": [[23, 28]]}, "info": {"id": "aptner_test_001358", "source": "aptner_test"}}
{"text": "Once Rockloader was installed , it downloaded Locky and , in some cases , Pony and Kegotip .", "spans": {"Malware: Rockloader": [[5, 15]], "Malware: Locky": [[46, 51]], "Malware: Pony": [[74, 78]], "Malware: Kegotip": [[83, 90]]}, "info": {"id": "aptner_test_001366", "source": "aptner_test"}}
{"text": "TA505 briefly distributed the Kegotip information stealer in April 2017 .", "spans": {"Organization: TA505": [[0, 5]], "Malware: Kegotip": [[30, 37]], "System: information stealer": [[38, 57]]}, "info": {"id": "aptner_test_001372", "source": "aptner_test"}}
{"text": "Philadelphia ransomware has been circulating since September 2016 .", "spans": {"Malware: Philadelphia": [[0, 12]]}, "info": {"id": "aptner_test_001389", "source": "aptner_test"}}
{"text": "Again , GlobeImposter is not particularly innovative but TA505 elevated the ransomware from a regional variant to a major landscape feature during roughly six weeks of large campaigns .", "spans": {"Malware: GlobeImposter": [[8, 21]], "Organization: TA505": [[57, 62]]}, "info": {"id": "aptner_test_001394", "source": "aptner_test"}}
{"text": "The variety of malware delivered by the group also demonstrates their deep connections to the underground malware scene .", "spans": {}, "info": {"id": "aptner_test_001396", "source": "aptner_test"}}
{"text": "TA505 almost exclusively hosts malware in this way , although they vary the means of installing their final payloads on victim machines .", "spans": {"Organization: TA505": [[0, 5]]}, "info": {"id": "aptner_test_001404", "source": "aptner_test"}}
{"text": "“ When I use a word , ” Humpty Dumpty said , in rather a scornful tone , “ it means just what I choose it to mean—neither more nor less. ” – Through the Looking Glass , Lewis Carroll FireEye recently published a blog covering the tactics , techniques , and procedures ( TTPs ) for the “ TRITON actor ” when preparing to deploy the TRITON malware framework in 2017 .", "spans": {"Organization: Looking Glass": [[153, 166]], "Organization: FireEye": [[183, 190]], "Malware: TRITON": [[287, 293], [331, 337]]}, "info": {"id": "aptner_test_001415", "source": "aptner_test"}}
{"text": "As such , the blog continues to push forward the narrative of how ICS attacks are enabled through prepositioning and initial intrusion operations – an item I have discussed at length .", "spans": {}, "info": {"id": "aptner_test_001417", "source": "aptner_test"}}
{"text": "Yet one point of confusion in the blog comes at the very start : referring to the entity responsible for TRITON as the “ TRITON actor ” .", "spans": {"Malware: TRITON": [[105, 111], [121, 127]]}, "info": {"id": "aptner_test_001418", "source": "aptner_test"}}
{"text": "This seems confusing as FireEye earlier publicly declared the “ TRITON actor ” as a discrete entity , linked to a Russian research institution , and christened it as “ TEMP.Veles ” .", "spans": {"Organization: FireEye": [[24, 31]], "Malware: TRITON": [[64, 70]], "Organization: TEMP.Veles": [[168, 178]]}, "info": {"id": "aptner_test_001419", "source": "aptner_test"}}
{"text": "Based on information gained from discussion with the initial TRITON responders and subsequent work on follow-on activity by this entity , Dragos developed a comprehensive ( public ) picture of adversary activity roughly matching FireEye ’s analysis published in April 2019 , described in various media .", "spans": {"Malware: TRITON": [[61, 67]], "Organization: Dragos": [[138, 144]], "Organization: FireEye": [[229, 236]]}, "info": {"id": "aptner_test_001425", "source": "aptner_test"}}
{"text": "This technique is precise and praiseworthy – yet at the same time , appears so rigorous as to impose limitations on the ability to dynamically adjust and adapt to emerging adversary activity . ( Or for that matter , even categorize otherwise well-known historical actors operating to the present day , such as Turla . ) FireEye ’s methodology may have particular limitations in instances where adversaries ( such as XENOTIME and presumably TEMP.Veles ) rely upon extensive use of publicly-available , commonly-used tools with limited amounts of customization .", "spans": {"Organization: Turla": [[310, 315]], "Organization: FireEye": [[320, 327]], "Organization: XENOTIME": [[416, 424]], "Organization: TEMP.Veles": [[440, 450]]}, "info": {"id": "aptner_test_001430", "source": "aptner_test"}}
{"text": "In such cases , utilizing purely technical approaches for differentiation ( an issue I lightly touched on in a recent post ) becomes problematic , especially when trying to define attribution to specific , “ who-based ” entities ( such as a Russian research institute ) .", "spans": {}, "info": {"id": "aptner_test_001431", "source": "aptner_test"}}
{"text": "Overall , the discussion above may appear so much splitting of hairs or determining how many angels can dance on the head of a pin – yet given the communicative impacts behind different naming and labeling conventions , this exploration seems not merely useful but necessary .", "spans": {}, "info": {"id": "aptner_test_001450", "source": "aptner_test"}}
{"text": "Its presence on a compromised system allows a threat actor to execute a wide variety of commands , including uploading and downloading files , and spawning a reverse shell .", "spans": {}, "info": {"id": "aptner_test_001455", "source": "aptner_test"}}
{"text": "ASPXTool — A modified version of the ASPXSpy web shell .", "spans": {"Malware: ASPXTool": [[0, 8]], "Malware: ASPXSpy": [[37, 44]], "System: web shell": [[45, 54]]}, "info": {"id": "aptner_test_001472", "source": "aptner_test"}}
{"text": "TG-3390 actors have also used the following publicly available tools :", "spans": {"Organization: TG-3390": [[0, 7]]}, "info": {"id": "aptner_test_001474", "source": "aptner_test"}}
{"text": "TG-3390 uses DLL side loading , a technique that involves running a legitimate , typically digitally signed , program that loads a malicious DLL .", "spans": {"Organization: TG-3390": [[0, 7]], "System: DLL": [[13, 16], [141, 144]]}, "info": {"id": "aptner_test_001499", "source": "aptner_test"}}
{"text": "The adversaries have used this technique to allow PlugX and HttpBrowser to persist on a system .", "spans": {"Malware: PlugX": [[50, 55]], "Malware: HttpBrowser": [[60, 71]]}, "info": {"id": "aptner_test_001502", "source": "aptner_test"}}
{"text": "They then identify the Exchange server and attempt to install the OwaAuth web shell .", "spans": {"System: Exchange": [[23, 31]], "Malware: OwaAuth": [[66, 73]], "System: web shell": [[74, 83]]}, "info": {"id": "aptner_test_001518", "source": "aptner_test"}}
{"text": "Finding the web shells inaccessible , the adversaries search google.co.jp for remote access solutions .", "spans": {"System: web shells": [[12, 22]], "Indicator: google.co.jp": [[61, 73]]}, "info": {"id": "aptner_test_001534", "source": "aptner_test"}}